|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 54
Members: 0
Total: 54
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Phpbb 2.0.21 hackability? |
|
Posted: Sat Apr 26, 2008 10:27 am |
|
|
siv0ph |
Beginner |
|
|
Joined: Apr 26, 2008 |
Posts: 1 |
Location: Guantanamo Bay, Cuba |
|
|
|
|
|
|
"Php Bulletin Board - one of the most secure freeware bulletin boards. Written with security in mind and with good style."
Oh, great.
Harro, I'm new to this php stuff. I've targeted a forum that has html enabled (if this has any significance). My aim is to either gain admin or deface the site. A quick glance at the checklog revealed that the site is running v2.0.21, which I hear has few public vulnerabilities at the moment. I've tried the cookie grab method and a few SLQ injections, but to no avail. Is there a cross-site scripting method where I could place code in a thread which would record the cookies of users who visit it and then have the data emailed to me? This way I could get their MD5 hash for the painstaking process of decoding, or just use their cookie to emulate an admin login? I've tried many lame attempts to "probe" the site, but without knowing much practical php knowledge...I can't really plan any 'attack vectors' or come up with theoretical concepts (effectively making me a script kiddie).
Now I'm going to lather on the nooberosity with this question:
I hear tell of a method by which one can seek out vulnerabilities of a target by searching out and analyzing other sites who share the same host? Are we talking network vulnerabilities or what? How does it relate to say gaining admin access on a forum?
Thanks. |
|
|
|
|
|
|
|
|
Posted: Sat Apr 26, 2008 12:38 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Phpbb new versions are hard targets. So if target website is located on shared hosting (most of the real world websites are), then determine targte's IP address and search for "neighbors". Examples from my personal experience - i wanted to get access to VBulletin-based website, so i searched neighbors and found PhpNuke installation with some old Local File Inclusion bug. Then i registered as user there, uploaded specially crafted jpeg file as avatar. Using that jpeg file (which contained php code in commment section) and LFI i was able to get php code execution level access to server. Fortunately that hosting server was not very secure and so i was able to read main target's config file with database credentials and then feched all user data from database about main target. Mission complete! Second example - main target was phpbb. I was searching for neighbors and found Wordpress installation with not-yet-patched sql injection flaw. Within 10 minutes gathered admins' md5 hash and then used it to manual cookie crafting (no need for cracking!). So i was able to get Wordpress installation admin level and from that it's trivial to move to php level. Specifically - first i modified ".htaccess" file with help of wordpress admin interface. In this way i declared, that ".txt" files will be parsed as php files. Then uploaded backdoor txt file with useful php code inside - using wordpess admin interface again. After getting php level it was painfully difficult to read main target phpbb config file, but still i succeeded (using some tricks). And after getting main target's DB credentials, mission was basically complete.
Conclusions - i got unauthorized access to phpbb and Vbulletin installations. Both of them were fully pathed with no known security holes. Still i was getting what i wanted |
|
|
|
|
|
|
|
|
Posted: Mon Apr 28, 2008 1:07 pm |
|
|
Snap |
Active user |
|
|
Joined: Apr 14, 2008 |
Posts: 25 |
|
|
|
|
|
|
|
I did that a couple of times too !
sometimes is just simple as
Code: | print readfile("/www/docs/victim.com/public_html/config.php"); |
but other times is difficult as hell .. |
|
|
|
|
Posted: Mon Apr 28, 2008 1:17 pm |
|
|
oxygenne |
Advanced user |
|
|
Joined: Apr 13, 2005 |
Posts: 52 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Tue Apr 29, 2008 4:58 am |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
|
|
|
|
Posted: Sun May 11, 2008 11:09 am |
|
|
tinman |
Active user |
|
|
Joined: May 11, 2008 |
Posts: 37 |
|
|
|
|
|
|
|
Hi, noob here (fantastic place - well done). Very useful tools. The don't show shared sites running on the same IIS6 server mind you, Is there some other tool for that? |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|