|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 113
Members: 0
Total: 113
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
best/easiest exploit to gain admin on phpbb 2.0.17 |
|
Posted: Tue Aug 12, 2008 9:20 pm |
|
|
annelid |
Beginner |
|
|
Joined: Aug 13, 2008 |
Posts: 3 |
|
|
|
|
|
|
|
Hi,
I don't believe they have
register_globals=On
magic_quotes off
set unless they are the defaults so those won't work. What would the best way to check be?
at any rate, is there a really slick exploit that effects this version? |
|
|
|
|
Posted: Fri Aug 15, 2008 8:14 pm |
|
|
annelid |
Beginner |
|
|
Joined: Aug 13, 2008 |
Posts: 3 |
|
|
|
|
|
|
|
ok so I set up the cookie grabber NP and the forum has HTML on however I don't know/think its on by default for individual users
IS there some workaround that forces them to see it? (or rather not see it) |
|
|
|
|
Posted: Sat Aug 16, 2008 12:09 pm |
|
|
lenny |
Valuable expert |
|
|
Joined: May 15, 2008 |
Posts: 275 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Wed Sep 24, 2008 10:17 pm |
|
|
annelid |
Beginner |
|
|
Joined: Aug 13, 2008 |
Posts: 3 |
|
|
|
|
|
|
|
That is the first exploit I tried; it did nothing. I don't believe they have the required magic_quotes or register_globals settings. I already Googled to find exploits. I already Googled to find exploits. I tried literally every single exploit on milw0rm for phpBB versions 2.0.17 to 2.0.22 and couldn't get a single one of them to work. The only thing I have successfully set up is the cookie grabber. I tried using the "suntzu" exploit script or whatever using the admin's sid, but that didn't work. I even made sure to change the userid '2' in the script to the admin's userid '4' (let me know if I did so somethign wrong there). The only thing I have actually gained from the cookie grabber is the ability to log in as other users by modifying my autologinid cookie to match another user's, but I have yet to find an admin that uses autologin. I'd like to try the cookie grab on as few people as possible in case they have their HTML disabled. |
|
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|