IT Security and Insecurity Portal
Getting 2.0.23 vuln to work

Posted: Thu Jul 31, 2008 11:54 am
ketchup
Regular user
Joined: May 16, 2006
Posts: 23
Location: no

Last edited by ketchup on Mon Aug 18, 2008 1:54 am; edited 1 time in total
Posted: Thu Jul 31, 2008 1:18 pm
gibbocool
Advanced user
Joined: Jan 22, 2008
Posts: 208

I think you just log in with your own account, then edit the cookie and you will be the mod or admin.
But I'm not sure how you get the SID.
Posted: Thu Jul 31, 2008 1:54 pm
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

You should clear your cookies and replace your session ID with the exploited session. Refresh the page and you *should* be logged in with the username of whoever closed the thread.
Posted: Thu Jul 31, 2008 8:33 pm
ketchup
Regular user
Joined: May 16, 2006
Posts: 23
Location: no

Tested replacing the SID, but that doesn't work :/
Can somebody tell me how I should edit the cookie, if e.g. the
sid=30c2791137336d65cd8c327f92f2e0fc?
Posted: Thu Jul 31, 2008 9:02 pm
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

Remember, sessions time out after about 30 minutes, after which they become useless. You need a fresh session for session hijacking to work.
I also noticed that the session ID "SID" has not been changed since you changed it. Make sure you get rid of "&sid=blablabla" in the URL before you refresh the page.
Posted: Thu Jul 31, 2008 9:33 pm
ketchup
Regular user
Joined: May 16, 2006
Posts: 23
Location: no

Meh, can't get it to work.
I edit the cookie and make it just like it was when I was logged in
as admin, and it still doesn't work. :/
The session is a few seconds old.
I don't get it.
Posted: Thu Jul 31, 2008 9:56 pm
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

Hmmm.... well, make sure you don't log out from admin before you try the exploit. If the admin logs out, then the session will be automatically invalidated.
The best way to get around this when testing exploits like this is to use two different browsers, for example Firefox and Safari. Use Firefox as your pretend victim logged in as admin, and on Safari don't log in until you have the session.
Posted: Thu Jul 31, 2008 10:22 pm
ketchup
Regular user
Joined: May 16, 2006
Posts: 23
Location: no

Jeeeeeeeeeeeej, finally works, thx dude.
This is gonna be tough to exploit.
If I got the SID from an admin, I would have to guess what his/her user ID is, or is there a better way?
Would I have to edit the user ID in this part of the cookie?
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
Also, the referrer info is updated only every hour on awardspace.com :/
So I think I'm gonna have to use my server at localhost, but I really don't like the idea of that!
Posted: Thu Jul 31, 2008 10:44 pm
ketchup
Regular user
Joined: May 16, 2006
Posts: 23
Location: no

Ah, found the user ID part:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
The admin user ID in this case is 2.
I made a new normal user and this is the cookie:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D
The user ID is 3.
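The two cookies quoted in the post above are URL-encoded PHP serialize() arrays. As an added example (not phpBB's code and not from this thread), the following decodes them and shows the server-side check that makes a forged userid worthless: identity comes from the server's record for the SID, and the userid in the cookie is only accepted if it agrees. The SESSIONS table and its sid-to-userid mapping are constructed for the example.

```python
import re
from urllib.parse import unquote

# Cookies copied from the thread: admin (userid 2) and a normal user (userid 3).
ADMIN_COOKIE = ("a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A"
                "%22userid%22%3Bs%3A1%3A%222%22%3B%7D")
USER_COOKIE = ("a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A"
               "%22userid%22%3Bs%3A1%3A%223%22%3B%7D")

_ARRAY = re.compile(r'a:(\d+):\{')
_STRING = re.compile(r's:(\d+):"')

def decode_data_cookie(cookie):
    """Parse a URL-encoded PHP serialize() array of string keys/values into a dict.
    Only the a:N:{s:L:"...";...} subset seen in the thread is handled; PHP lengths are byte counts (ASCII here)."""
    raw = unquote(cookie)
    head = _ARRAY.match(raw)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, items = head.end(), []
    for _ in range(2 * int(head.group(1))):      # N key/value pairs, 2N strings
        s = _STRING.match(raw, pos)
        if not s:
            raise ValueError("expected string at offset %d" % pos)
        start = s.end()
        end = start + int(s.group(1))            # declared length, not a delimiter
        if raw[end:end + 2] != '";':
            raise ValueError("bad string terminator at offset %d" % end)
        items.append(raw[start:end])
        pos = end + 2
    if raw[pos:] != "}":
        raise ValueError("trailing data after array")
    return dict(zip(items[0::2], items[1::2]))

# Constructed server-side session store: sid -> userid recorded at login.
SESSIONS = {"30c2791137336d65cd8c327f92f2e0fc": "3"}

def resolve_user(sid, data_cookie):
    """Return the userid for a request, or None for an invalid session.
    The server's record for the SID is authoritative; the cookie's userid is only a
    claim and must agree with it, so a forged userid beside someone else's SID fails."""
    stored = SESSIONS.get(sid)
    if stored is None:
        return None
    claimed = decode_data_cookie(data_cookie).get("userid")
    return stored if claimed == stored else None
```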
Posted: Thu Jul 31, 2008 11:03 pm
ketchup
Regular user
Joined: May 16, 2006
Posts: 23
Location: no
Posted: Fri Aug 01, 2008 3:28 pm
ketchup
Regular user
Joined: May 16, 2006
Posts: 23
Location: no

Just one more question:
Is there a way to host a picture that doesn't get cached, like a broken or non-existing image? Will you still get the referer info? Maybe some other trick?
Because if the picture gets cached I won't get the referer info when it's loaded?
Posted: Mon Aug 18, 2008 1:59 am
ketchup
Regular user
Joined: May 16, 2006
Posts: 23
Location: no

I've tested this, and it's better to use a non-existing image because
it can't be cached by the victim's browser, giving you a bigger chance of succeeding.
Exploit works great, only a little social engineering is needed.
Posted: Fri Aug 22, 2008 12:53 pm
ketchup
Regular user
Joined: May 16, 2006
Posts: 23
Location: no

For the people who may be interested, I have written a little C++ app
that checks the Apache access_log for SIDs every 5 seconds, outputs
them to the command line and writes them to a file.
www.waraxe.us Forum Index -> PhpBB

Powered by phpBB © 2001-2008 phpBB Group