IT Security and Insecurity Portal

Posted: Sun May 22, 2005 3:41 pm
mercato (Beginner; Joined: May 22, 2005; Posts: 3)

This exploit does not work on later versions of phpBB.
One thing you also need to do is edit the value in the cookie for the length of the userid. Admin is usually id number 2, so the length is 1.
If your userid is 1111, then the length will be 4 etc....
This does seem to work on versions prior to 2.0.12 from what I can tell.

Posted: Sat Jun 25, 2005 3:33 pm
howitzer (Regular user; Joined: Jun 25, 2005; Posts: 23)

Hello, I was wondering how u guys know the admin md5 hash password... I suppose that u have their cookie or what?
How do u get their hash?
10x forward

Posted: Sat Jun 25, 2005 11:14 pm
oxygenne (Advanced user; Joined: Apr 13, 2005; Posts: 52)

You can get the admin hash using some sort of SQL injection or XSS. I was wondering if anyone has a clue how I should prepare the cookie for the latest WordPress bug. I managed to get the user and pass hash, which is MD5 encrypted.

Posted: Sat Jun 25, 2005 11:49 pm
howitzer (Regular user; Joined: Jun 25, 2005; Posts: 23)

10x oxygenne, but there is no SQL injection for phpBB 2.0.15 yet, or is there?

Posted: Sun Jun 26, 2005 12:05 am
oxygenne (Advanced user; Joined: Apr 13, 2005; Posts: 52)

Yes, but I think there is an XSS in that version.

Posted: Fri Jul 22, 2005 3:18 am
kidron (Beginner; Joined: Jul 22, 2005; Posts: 4)

Is phpBB 2.0.7 and 2.0.15 (.16 and 1.7) still vulnerable to cookie stealing?
Because when I look at my cookies.txt, it doesn't look like this:
Code:
www.target.com FALSE / FALSE 1114433252 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2219dd1947a95454ccaf223a731c32db0c%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D
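
A defender-side check for the cookie format quoted in the post above, added here as an example and not code from the thread or from phpBB: a strict parser that accepts only string and integer items and reports a `phpbb2mysql_data` value whose declared lengths or field shapes are off. The function names and the `CONSTRUCTED_BAD` sample are assumptions made for the example.

```python
import re
from urllib.parse import unquote

STR = re.compile(r's:(\d+):"')      # PHP serialized string header
INT = re.compile(r'i:(-?\d+);')     # PHP serialized integer

def parse_flat_array(raw):
    """Strictly parse a flat PHP-serialized array holding only s: and i: items."""
    head = re.match(r'a:(\d+):\{', raw)
    if not head:
        raise ValueError('not a serialized array')
    pos, items = head.end(), []
    while pos < len(raw) and raw[pos] != '}':
        s, i = STR.match(raw, pos), INT.match(raw, pos)
        if s:
            n, start = int(s.group(1)), s.end()
            if raw[start + n:start + n + 2] != '";':
                raise ValueError('declared string length does not match value')
            items.append(raw[start:start + n])
            pos = start + n + 2
        elif i:
            items.append(int(i.group(1)))
            pos = i.end()
        else:
            raise ValueError('unexpected type at offset %d' % pos)
    if raw[pos:] != '}' or len(items) != 2 * int(head.group(1)):
        raise ValueError('element count or trailing data mismatch')
    return dict(zip(items[0::2], items[1::2]))

def check_cookie(value):
    """Return a list of findings for one phpbb2mysql_data cookie value."""
    try:
        data = parse_flat_array(unquote(value))
    except ValueError as exc:
        return ['malformed: %s' % exc]
    findings = []
    auto, uid = data.get('autologinid'), data.get('userid')
    if not isinstance(auto, str) or (auto and not re.fullmatch(r'[0-9a-f]{32}', auto)):
        findings.append('autologinid is not empty or 32 hex digits')
    if not re.fullmatch(r'-?\d+', str(uid)):
        findings.append('userid is not numeric')
    return findings

# Value quoted in the post above, then a constructed one with a wrong length.
FROM_POST = ('a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2219dd1947a95454cc'
             'af223a731c32db0c%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D')
CONSTRUCTED_BAD = 'a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"1111";}'
if __name__ == '__main__':
    print(check_cookie(FROM_POST), check_cookie(CONSTRUCTED_BAD))
```

Run over request logs, a non-empty result marks a cookie that a stock client would not have produced.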

Posted: Fri Oct 14, 2005 8:49 am
raydog2k (Regular user; Joined: Oct 14, 2005; Posts: 8)

can some1 plz tell me how to change the cookie info gathered from using exploit for 2.0.12 and got this
Cookie: user=MTMyOnAycDo2ZjRjNWM1ZjUzYzJiMWQ2OWU0NDllMjdiYzQ1ZDQ3YjoxMDo6MDowOjA6MDo6NDA5Ng==; phpbb2mysql_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";s:3:\"132\";}; admin=cDJwOjBlMmM4OGRmMWU4YWZhZGI5ZTZhYjUzNThhNGM0ZGU5Og==; phpbb2mysql_sid=ee3589a62be690e2946448c626aba523; phpbb2mysql_t=a:1:{i:406;i:1129266078;}

Posted: Wed Oct 19, 2005 5:57 am
raydog2k (Regular user; Joined: Oct 14, 2005; Posts: 8)

I've figured it out, but this cookie stuff doesn't seem to work....

Re: How to use gathered md5 hash? Step-by-step tutorial 4 n0
Posted: Sun Feb 26, 2006 1:15 pm
ianmac (Regular user; Joined: Feb 26, 2006; Posts: 6)

waraxe wrote:
> OK, first of all, we need some preparation work.
> 1. Get target password's md5 hash - in this tutorial it's 098f4bcd4621d373caae4e832628b4f6

How do I get the MD5 hash?

Posted: Thu Mar 23, 2006 1:14 am
sljyro (Advanced user; Joined: Mar 23, 2006; Posts: 53)

Hi all, new here. I've been following many threads here, so I thought I should join up.
I have got the md5 hash, user id, and everything else. Changed the phpbb2mysql_data cookie successfully (so I hope, looked easy). But every time I try it, it just logs me out and doesn't log me in as the target.
I've tried with Mozilla, Firefox, Opera, and all the same outcome.
Could there be something I missed?
Any help appreciated,
SL jyro

Posted: Wed Apr 05, 2006 7:54 am
Aryan-Husky (Active user; Joined: Apr 03, 2006; Posts: 37)

I have tried this on a phpBB version 2.0.15 using Firefox and it doesn't seem to work? Can anybody else shed more light on this?
Could you maybe have to use a specific version of Firefox or Mozilla?
I am using version 1.5.0.1 of Firefox.

Posted: Wed Apr 19, 2006 9:06 pm
SicKn3sS (Regular user; Joined: Apr 16, 2006; Posts: 14)

I don't think this works anymore, I tried it exactly how you said it on my account and it won't work. I just wanna log in with the admin panel, isn't there a way to do it with Live HTTP Headers?

Posted: Tue Apr 25, 2006 11:44 pm
lazarus (Beginner; Joined: Apr 23, 2006; Posts: 3)

I have a big problem.
I tried to use the exploit with the picture (for phpBB 2.0.1) - the exploit works just fine and puts the cookie string into my log.txt file.
BUT:
I don't get the hash with the pass!
Here is what I got:
http://www.sitenameblabla.org/posting.php Cookie: as_phpbb2mysql_data=a:2:{s:6:\"userid\";s:3:\"353\";s:11:\"autologinid\";s:0:\"\";}; as_phpbb2mysql_sid=591bca2dcds72c9db708c5bbse245bc7
As you can see, all I get is "sid" - no hash after "autologinid" - does it mean that the site is secured or I'm just so stupid that I'm missing something?

Posted: Wed Apr 26, 2006 10:14 pm
sljyro (Advanced user; Joined: Mar 23, 2006; Posts: 53)

That might mean that the target user does not have autologin enabled for their account, so that is why the md5 hash isn't stored in their cookie.

little off-topic
Posted: Mon May 01, 2006 2:00 am
blamara (Beginner; Joined: May 01, 2006; Posts: 1)

I was searching for something useful on how to replace cookies in some browser, and part of that task is completed thanks to this tutorial.
Also have noticed that the MD5 hash is the same length as PHPSESSID, maybe it has something to do with it.
The problem I have is next:
I have found an exploit to collect users' data:
url: ... index.php?session=0b89193aca12
cookie: ... PHPSESSID=28118779305cbba8473fd7ca19dd068c ...
Also have stumbled on cookies like this one:
FRQSTR=18909969x113247:1:1440|18909969|18909969|18909969|18909969;
Still trying to figure out what it is, but it must be something. I will use the exploit to send me the target's client, to see if this value is connected to the target's client.
---
Now what I want is to enter the target URL returned to me with the session data sent to me, not sure it will work, I will try later using this tutorial.
But I was thinking: back in my days I made a proxy server to exploit a cookies bug on some server, where my cookies were dynamically changed when access was denied, to switch to the next user. I am thinking of using the same technique, but I wonder, is there some useful tool on the net, like a proxy, where you can add a filter for a URL and change the request dynamically???
Any ideas???
Or to write my own tool again,
it's boring to write a tool when there must be one on the web q=)
All times are GMT
Page 4 of 5