Waraxe IT Security Portal
Login or Register
December 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 132
Members: 0
Total: 132
Full disclosure
CyberDanube Security Research 20241219-0 | Authenticated Remote Code Execution in Ewon Flexy 205
Stored XSS with Filter Bypass - blogenginev3.3.8
[SYSS-2024-085]: Broadcom CA Client Automation - Improper Privilege Management (CWE-269)
[KIS-2024-07] GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities
RansomLordNG - anti-ransomware exploit tool
APPLE-SA-12-11-2024-9 Safari 18.2
APPLE-SA-12-11-2024-8 visionOS 2.2
APPLE-SA-12-11-2024-7 tvOS 18.2
APPLE-SA-12-11-2024-6 watchOS 11.2
APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2
APPLE-SA-12-11-2024-4 macOS Sonoma 14.7.2
APPLE-SA-12-11-2024-3 macOS Sequoia 15.2
APPLE-SA-12-11-2024-2 iPadOS 17.7.3
APPLE-SA-12-11-2024-1 iOS 18.2 and iPadOS 18.2
SEC Consult SA-20241211-0 :: Reflected Cross-Site Scripting in Numerix License Server Administration System Login
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> Phpbb 2.0.21 hackability?
Post new topicReply to topic View previous topic :: View next topic
Phpbb 2.0.21 hackability?
PostPosted: Sat Apr 26, 2008 10:27 am Reply with quote
siv0ph
Beginner
Beginner
Joined: Apr 26, 2008
Posts: 1
Location: Guantanamo Bay, Cuba




"Php Bulletin Board - one of the most secure freeware bulletin boards. Written with security in mind and with good style."

Oh, great. Sad


Harro, I'm new to this php stuff. I've targeted a forum that has html enabled (if this has any significance). My aim is to either gain admin or deface the site. A quick glance at the checklog revealed that the site is running v2.0.21, which I hear has few public vulnerabilities at the moment. I've tried the cookie grab method and a few SLQ injections, but to no avail. Is there a cross-site scripting method where I could place code in a thread which would record the cookies of users who visit it and then have the data emailed to me? This way I could get their MD5 hash for the painstaking process of decoding, or just use their cookie to emulate an admin login? I've tried many lame attempts to "probe" the site, but without knowing much practical php knowledge...I can't really plan any 'attack vectors' or come up with theoretical concepts (effectively making me a script kiddie).


Now I'm going to lather on the nooberosity with this question:

I hear tell of a method by which one can seek out vulnerabilities of a target by searching out and analyzing other sites who share the same host? Are we talking network vulnerabilities or what? How does it relate to say gaining admin access on a forum?

Thanks. Cool
View user's profile Send private message
PostPosted: Sat Apr 26, 2008 12:38 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Phpbb new versions are hard targets. So if target website is located on shared hosting (most of the real world websites are), then determine targte's IP address and search for "neighbors". Examples from my personal experience - i wanted to get access to VBulletin-based website, so i searched neighbors and found PhpNuke installation with some old Local File Inclusion bug. Then i registered as user there, uploaded specially crafted jpeg file as avatar. Using that jpeg file (which contained php code in commment section) and LFI i was able to get php code execution level access to server. Fortunately that hosting server was not very secure and so i was able to read main target's config file with database credentials and then feched all user data from database about main target. Mission complete! Second example - main target was phpbb. I was searching for neighbors and found Wordpress installation with not-yet-patched sql injection flaw. Within 10 minutes gathered admins' md5 hash and then used it to manual cookie crafting (no need for cracking!). So i was able to get Wordpress installation admin level and from that it's trivial to move to php level. Specifically - first i modified ".htaccess" file with help of wordpress admin interface. In this way i declared, that ".txt" files will be parsed as php files. Then uploaded backdoor txt file with useful php code inside - using wordpess admin interface again. After getting php level it was painfully difficult to read main target phpbb config file, but still i succeeded (using some tricks). And after getting main target's DB credentials, mission was basically complete.
Conclusions - i got unauthorized access to phpbb and Vbulletin installations. Both of them were fully pathed with no known security holes. Still i was getting what i wanted Wink
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Apr 28, 2008 1:07 pm Reply with quote
Snap
Active user
Active user
Joined: Apr 14, 2008
Posts: 25




I did that a couple of times too !

sometimes is just simple as

Code:
print readfile("/www/docs/victim.com/public_html/config.php");


but other times is difficult as hell ..
View user's profile Send private message
PostPosted: Mon Apr 28, 2008 1:17 pm Reply with quote
oxygenne
Advanced user
Advanced user
Joined: Apr 13, 2005
Posts: 52




And nice way finding neighboors:)))

http://gagspace.com/ip2vhost/
http://www.dnsdigger.com/
View user's profile Send private message
PostPosted: Tue Apr 29, 2008 4:58 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




oxygenne wrote:
And nice way finding neighboors:)))

http://gagspace.com/ip2vhost/
http://www.dnsdigger.com/


Thank you for this http://gagspace.com/ip2vhost/ new for me.
View user's profile Send private message
PostPosted: Sun May 11, 2008 11:09 am Reply with quote
tinman
Active user
Active user
Joined: May 11, 2008
Posts: 37




Hi, noob here (fantastic place - well done). Very useful tools. The don't show shared sites running on the same IIS6 server mind you, Is there some other tool for that?
View user's profile Send private message
Phpbb 2.0.21 hackability?
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.049 Seconds