 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Trying to get administrator access in phpbb 2.0.21 |
 |
 Posted: Wed Jul 23, 2008 9:31 pm |
 |
|
| Flamestrike |
| Regular user |
 |
|
| Joined: Jul 24, 2008 |
| Posts: 6 |
|
|
|
 |
|
 |
|
Hi, I've been lurking for a while but yet I couldn't find what I need.
I'm trying to gain administrator access in any way in a phpbb 2.0.21 board, I tried seeking sql injections and well every kinds of exploits but it seems 2.0.21 is hella secure.
Also tried to enter from a backdoor, but all sites from the same IP seem patched or safe, at least to my limited knowledge in the area.
What could I do? From what I read I think some of you could access really easy. I also got the ftp server but no user/pass. Should I try a brute force attack?
All I know is PHP and MySQL, thanks in advance for any help you can provide me! |
|
|
|
|
|
|
|
|
| Posted: Wed Jul 23, 2008 9:34 pm |
|
|
| lenny |
| Valuable expert |
 |
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
Closest I can find is a poison null byte exploit... but it involves avatars, image alteration and EXIF data which adds up to a complicated exploit.
Other than that you don't really have many options... Brute forcing FTP is difficult, time consuming, high chance of failure and is BLATANT from the server logs. What about other software on the same virtual host? |
|
Last edited by lenny on Wed Jul 23, 2008 9:42 pm; edited 1 time in total |
|
|
|
| Posted: Wed Jul 23, 2008 9:42 pm |
|
|
| Flamestrike |
| Regular user |
|
|
| Joined: Jul 24, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
avatar upload is not enabled  |
|
|
|
|
| Posted: Wed Jul 23, 2008 11:21 pm |
|
|
| lenny |
| Valuable expert |
|
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
| phpBB2.0.21 is relatively new... and there have been very few changes to the code since. It is pretty secure. I suggest finding other installed php scripts on the same website. |
|
|
|
|
| Posted: Thu Jul 24, 2008 7:50 am |
|
|
| Flamestrike |
| Regular user |
|
|
| Joined: Jul 24, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
| I already tried finding one, but the whole host is just for the phpbb board, so I though it would be easier to sneak into another neighbour, or perhaps brute force attacks on ftp or mysql :S Either needs lots of time :/ |
|
|
|
|
| Posted: Mon Jul 28, 2008 7:46 pm |
|
|
| Flamestrike |
| Regular user |
|
|
| Joined: Jul 24, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
| Nevermind the old post, phpbb 2.0.21 with avatars upload enabled. Edited image with php script in EXIF data would work, or it requires extra net work? |
|
|
|
|
| Posted: Mon Jul 28, 2008 8:20 pm |
|
|
| lenny |
| Valuable expert |
|
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
| Well it should be possible, editing EXIF had me confused for a long while - the best way is to download a piece of software called "edjpgcom" - its free and plain works. |
|
|
|
|
| Posted: Mon Jul 28, 2008 8:26 pm |
|
|
| Flamestrike |
| Regular user |
|
|
| Joined: Jul 24, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
Thanks, will try it now.
I will use a code as follows inside EXIF data:
| Code: |
include('../../config.php');
echo $dbms;
echo $dbhost;
echo $dbport;
echo $dbname;
echo $dbuser;
echo $dbpasswd;
echo $table_prefix;
echo $acm_type;
|
and file name would be as code.php%00code.jpg
would work? |
|
|
|
|
| Posted: Mon Jul 28, 2008 9:47 pm |
|
|
| lenny |
| Valuable expert |
|
|
| Joined: May 15, 2008 |
| Posts: 275 |
|
|
|
|
|
|
|
| Sounds good to me (a shell would be better), although if you use "obclean();" in the php script then you should be able to plain include the image and it will execute. |
|
|
|
|
| Posted: Tue Jul 29, 2008 5:59 pm |
|
|
| Flamestrike |
| Regular user |
|
|
| Joined: Jul 24, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
The image uploaded with its image content and a name randomly generated.
I guess that means the exploit has been solved in that board? No code was executed :/ |
|
|
|
|
| Posted: Sun Sep 14, 2008 1:37 am |
|
|
| judge-dredd |
| Beginner |
|
|
| Joined: Sep 13, 2008 |
| Posts: 3 |
|
|
|
|
|
|
|
Hello,
Usually, what happend after you upload this .jpg ? |
|
|
|
|
| Posted: Sun Sep 14, 2008 3:56 pm |
|
|
| Cablekid |
| Advanced user |
|
|
| Joined: Jul 14, 2007 |
| Posts: 85 |
|
|
|
|
|
|
|
Quick Question!
After you add that to the image, do you save it as filename.php
then when you go to upload you put in %00filename.jpg in the input field.
And since everything after the %00 is ignored it gets upload as filename.php?
Correct? Then you would just have to navagate to sitename.com/Avatar/filename.php?
Or am i totally worng. |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 63
Members: 0
Total: 63
