Waraxe IT Security Portal
Login or Register
November 24, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 62
Members: 0
Total: 62
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> How to use gathered md5 hash? Step-by-step tutorial 4 n00bs Goto page 1, 2, 3, 4, 5Next
Post new topicReply to topic View previous topic :: View next topic
How to use gathered md5 hash? Step-by-step tutorial 4 n00bs
PostPosted: Mon May 17, 2004 6:04 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




How to use gathered phpBB admin password's md5 hash to get the admin rights

Step-by-step tutorial by waraxe


OK, first of all, we need some preparation work.

    1. Get target password's md5 hash - in this tutorial it's 098f4bcd4621d373caae4e832628b4f6


    2. You need to know target's "user_id". For this use the phpBB feature called "memberlist" and
    search for target's username and then look at his profile. In our example url to taget's profile
    is:

    http://localhost/phpbb206c/profile.php?mode=viewprofile&u=3

    As you can see, "u=3", so target has "user_id" equal to "3".

    3. You must have properly working Mozilla browser


Now, let's move further. I assume, you allready know, where are located Mozilla's cookies. I have
WindowsXP Home Edition and logged-in username "nobody", so cookie file is located in folder:

C:\Documents and Settings\nobody\Application Data\Mozilla\Profiles\[some subfolders]\cookies.txt

Cookie file manual editing is dangerous, so beware. I suggest to make the backup first.

Next, I assume, that you allready have account on target forum. Go to login page, enter your
username and password and check the checkbox named "Log me on automatically each visit:".
In this way you will force phpBB to store your pasword's md5 hash in your browser cookies.

Ok, you are logged in. Don't log out! And close Mozilla browser!! It's is very important!!!!!!!

Open "cookies.txt" and try to find cookie, which belongs to target server and named something like
"phpbb2mysql_data". Btw, phpbb configuration settings can override this name, so if you have probs
finding of the right cookie, then use Mozilla's Cookie Manager and remove ALL cookies. Now right
after the cookie cleanup login to target phpbb and you can see in cookie file your target cookie.

So, you see long textline similar to this:

www.target.com FALSE / FALSE 1114433252 phpbb2mysql_data
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2219dd1947a95454ccaf223a731c32db0c%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D

Hmm, this cookie's value seems to be complicated to understand, is'nt? Lets analize it a little bit.
First, after urldecode() we will get something like:

a:2:{s:11:"autologinid";s:32:"19dd1947a95454ccaf223a731c32db0c";s:6:"userid";s:1:"4";}

Wtf is this? This is stuff you get, if you use php's function "serialize()" on some array.
I don't want to get in details, because this is kinda offtopic right now. But i think, that you
can see in this string 2 known variables:

1. s:32:"19dd1947a95454ccaf223a731c32db0c"; --> 19dd1947a95454ccaf223a731c32db0c - this must be you password's md5 hash.
2. ";s:6:"userid";s:1:"4";} --> "4"- this is of course your "user_id".

Now, you remember target's user_id and password's md5 hash, don't you Wink
target's md5 - 098f4bcd4621d373caae4e832628b4f6
target's user_id - 3
So edit this cookie with notepad or wordpad and swap original values with target values.

In previous example we had cookie value like this:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2219dd1947a95454ccaf223a731c32db0c%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D

and after editing we have cookie value like this:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22098f4bcd4621d373caae4e832628b4f6%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D

If you compare those two strings, you an easily understand, where i was making the changes.

Finally, after cookiefile's editing and saving, open Mozilla and browse to target phpBB forum. If all went
perfectly, you have now "logged in" as target.

Mission complete! Cool

Remark: any feedback is welcome, post your opinion here!
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue May 18, 2004 4:43 pm Reply with quote
migo79
Regular user
Regular user
Joined: May 18, 2004
Posts: 17




hey
awesome as always
i'm one of the most readers of ur advisories it's good and straight to the point and also you mention the technicality in the exploit so u r awesome wondeful Wink

i tried to do that (modifieng the cookie of phpbb) a time before using an IE browser , but the damn browser after i save the modified cookie and when i hit the target server the damn IE delet the modified cookie immediately!!!!!!

i think it's the problem of the damn IE , is this true ?
i'm not home so i can't install Mozilla browser right now but i just wanna make sure of it
do i must have Mozilla browser ?
View user's profile Send private message
PostPosted: Tue May 18, 2004 8:29 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Yep, Internet Explorer version 6.0 and maybe 5.5 too is protecting cookies from editing and if you change cookies for example with notepad, then IE just ignores it. So i have been testing various browsers and Mozilla seems to be best from cookie editing viewpoint.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue May 18, 2004 11:58 pm Reply with quote
pt44
Beginner
Beginner
Joined: May 17, 2004
Posts: 4




Thanks for the lil browser insight, I always wondered why this method never worked for me so decided to give Mozilla a try now cos that one browser havnt used yet so will see if it works now Smile
View user's profile Send private message AIM Address
PostPosted: Wed Jun 02, 2004 11:31 pm Reply with quote
TREY
Beginner
Beginner
Joined: Jun 02, 2004
Posts: 2




THIS STILL WORK FOR ANY1?
View user's profile Send private message
PostPosted: Thu Jun 03, 2004 11:26 am Reply with quote
emrag
Regular user
Regular user
Joined: Jun 03, 2004
Posts: 20
Location: TURKEY




i tried this tutorial at localhost
it worked but i gave my password's md5 hash in my db Smile
all right but how can i get for example www.xxxx.com 's admin's md5 hash ?
i dont know this Question Sad
how can i get it?
View user's profile Send private message MSN Messenger ICQ Number
PostPosted: Thu Jun 03, 2004 12:00 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




In the case of the unpatched phpbb version try this:

http://www.waraxe.us/?modname=sa&id=013
View user's profile Send private message Send e-mail Visit poster's website
c
PostPosted: Thu Jun 03, 2004 9:01 pm Reply with quote
SteX
Advanced user
Advanced user
Joined: May 18, 2004
Posts: 181
Location: Serbia




keep working Rolling Eyes

_________________

We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------
View user's profile Send private message
PostPosted: Sun Jun 06, 2004 2:00 pm Reply with quote
BCW
Regular user
Regular user
Joined: Jun 05, 2004
Posts: 5




is 5ebe2294ecd0e0f08eab7690d md5 hash?
i exploited a PHPBB 2.0.6 by real life exploit 013
and it gave me from : majors to:5ebe2294ecd0e0f08eab7690d
View user's profile Send private message
PostPosted: Sun Jun 06, 2004 5:51 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Its only 25 chars long, but must be as long as 32. It was my mistake, when i published advisory about phpbb, so that sploit works not corretctly. Somewhere in this forum i allready suggested right sploit query, which will give 32 char long md5 hash. So please do search in this forum and you will hopefully find the answer.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Jun 07, 2004 6:07 am Reply with quote
BCW
Regular user
Regular user
Joined: Jun 05, 2004
Posts: 5




i found it :
http://www.waraxe.us/forum/viewtopic.php?p=286&highlight=phpbb#286

but i dont know php , explain more . if you can , give me a URL exploit , and if you cant np .
just explain more
View user's profile Send private message
PostPosted: Mon Jun 07, 2004 11:23 am Reply with quote
5y573m f41lur3
Regular user
Regular user
Joined: May 25, 2004
Posts: 9




mr,

I think that if you dont understand php you gotta learn first.... You cant learn to run before knowing to walk.... You would get more confuse then.
View user's profile Send private message
PostPosted: Mon Jun 07, 2004 12:33 pm Reply with quote
BCW
Regular user
Regular user
Joined: Jun 05, 2004
Posts: 5




ok
I cant say anymore , bye
View user's profile Send private message
PostPosted: Fri Jun 11, 2004 12:16 pm Reply with quote
dotcomBOT
Regular user
Regular user
Joined: Jun 11, 2004
Posts: 12




waraxe wrote:
Its only 25 chars long, but must be as long as 32. It was my mistake, when i published advisory about phpbb, so that sploit works not corretctly. Somewhere in this forum i allready suggested right sploit query, which will give 32 char long md5 hash. So please do search in this forum and you will hopefully find the answer.


m dot being able to find the post.

any 1 to help?
View user's profile Send private message Visit poster's website
PostPosted: Fri Jun 11, 2004 2:46 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Correct information can be found here:

http://www.waraxe.us/forum/viewtopic.php?t=63
View user's profile Send private message Send e-mail Visit poster's website
How to use gathered md5 hash? Step-by-step tutorial 4 n00bs
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 5
Goto page 1, 2, 3, 4, 5Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.036 Seconds