Waraxe IT Security Portal

ketchup · Regular user

Hi all

Pls look at http://packetstormsecurity.org/0803-exploits/phpbb2023-hijack.txt

I have some questions about this.
Say I had a website, so I can find the referal to my image I posted in a
thread that got closed. Now with any luck I will have the admin session ID Twisted Evil

Now comes my question: can I use a URL like in the exploit
http://site.tld/phpBB2/modcp.php?t=1&mode=lock&sid=[session]
to ride on the session of the admin? Very Happy

Or do I have to construct a special cookie?

So my question is what can I do with the session ID?

Thx ketchup

gibbocool · Advanced user

I think you just log in with your own account, then edit the cookie and you will be the mod or admin.

But im not sure how you get the sid.

lenny · Valuable expert

You should clear your cookies and replace your session ID with the exploited session. Refresh the page and you *should* be logged in with the username of whoever closed the thread.

ketchup · Regular user

tested replacing de sid, but that doesnt work :/
can somebody tell me how I should edit the cookie, if e.g. the
sid=30c2791137336d65cd8c327f92f2e0fc.

lenny · Valuable expert

Remember, sessions time out after about 30 minutes - after which time they become useless. You need a fresh session for session hijacking to work.

I also noticed that the session ID "SID" has not been changed since you changed it. Make sure you get rid of "&sid=blablabla" in the URL before you refresh the page.

ketchup · Regular user

meh can't get it to work

I edit the cookie and make it just like it was, when I was logged in
as admin and still doesn't work. :/

The session is a few seconds old.

I don't get it.

lenny · Valuable expert

Hmmm.... well make sure you don't log out from admin before you try the exploit. If the admin logs out, then the session will be automatically invalidated Smile

best way to get around this when testing exploits like this is to use two different browsers - for example firefox and safari Smile

Use firefox as your pretend victim logged in as admin, and on safari dont login until you have the session Smile

ketchup · Regular user

jeeeeeeeeeeeej finally werx, thx dude Very Happy

This is gonna be tough to exploit .

If I would get the SID from an admin I would have to guess what his/her user ID is or is there a better way?

I would have to edit the user ID in this part of the cookie?
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

Also the referrer info is updated every hour on awardspace.com :/
So I think im gonna have to use my server at localhost, but I really dont like the idea of that!

ketchup · Regular user

ah found the user ID part
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

admin user ID in this case is 2

I made a new normal user and this is the cookie:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D

user ID is 3

ketchup · Regular user

found how to find the user ID:
http://startrekguide.com/community/viewtopic.php?f=62&t=6402

ketchup · Regular user

just one more question:

Is there a way to host a picture that doesnt get caches, like a broken or not existing image. Will you still get the referer info? Maybe some other trick?
Because if the picture gets cashed I wont get the referer info when its loaded?

ketchup · Regular user

Ive tested this, and its better to use a non existing image because
it cant be cached by the victims browser, giving you a bigger chance of succeeding

Exploit works great, only a little social engineering is needed Smile

ketchup · Regular user

For the people who may be interested, I have written a little C++ app.
that checks the apache access_log for SID's every 5 seconds and outputs
them the command line and writes them to a file.