Waraxe IT Security Portal

waraxe · Site admin

How to use gathered phpBB admin password's md5 hash to get the admin rights

Step-by-step tutorial by waraxe

OK, first of all, we need some preparation work.

http://localhost/phpbb206c/profile.php?mode=viewprofile&u=3

Now, let's move further. I assume, you allready know, where are located Mozilla's cookies. I have
WindowsXP Home Edition and logged-in username "nobody", so cookie file is located in folder:

C:\Documents and Settings\nobody\Application Data\Mozilla\Profiles\[some subfolders]\cookies.txt

Cookie file manual editing is dangerous, so beware. I suggest to make the backup first.

Next, I assume, that you allready have account on target forum. Go to login page, enter your
username and password and check the checkbox named "Log me on automatically each visit:".
In this way you will force phpBB to store your pasword's md5 hash in your browser cookies.

Ok, you are logged in. Don't log out! And close Mozilla browser!! It's is very important!!!!!!!

Open "cookies.txt" and try to find cookie, which belongs to target server and named something like
"phpbb2mysql_data". Btw, phpbb configuration settings can override this name, so if you have probs
finding of the right cookie, then use Mozilla's Cookie Manager and remove ALL cookies. Now right
after the cookie cleanup login to target phpbb and you can see in cookie file your target cookie.

So, you see long textline similar to this:

www.target.com FALSE / FALSE 1114433252 phpbb2mysql_data
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2219dd1947a95454ccaf223a731c32db0c%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D

Hmm, this cookie's value seems to be complicated to understand, is'nt? Lets analize it a little bit.
First, after urldecode() we will get something like:

a:2:{s:11:"autologinid";s:32:"19dd1947a95454ccaf223a731c32db0c";s:6:"userid";s:1:"4";}

Wtf is this? This is stuff you get, if you use php's function "serialize()" on some array.
I don't want to get in details, because this is kinda offtopic right now. But i think, that you
can see in this string 2 known variables:

1. s:32:"19dd1947a95454ccaf223a731c32db0c"; --> 19dd1947a95454ccaf223a731c32db0c - this must be you password's md5 hash.
2. ";s:6:"userid";s:1:"4";} --> "4"- this is of course your "user_id".

Now, you remember target's user_id and password's md5 hash, don't you Wink

target's md5 - 098f4bcd4621d373caae4e832628b4f6
target's user_id - 3
So edit this cookie with notepad or wordpad and swap original values with target values.

In previous example we had cookie value like this:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2219dd1947a95454ccaf223a731c32db0c%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D

and after editing we have cookie value like this:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22098f4bcd4621d373caae4e832628b4f6%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D

If you compare those two strings, you an easily understand, where i was making the changes.

Finally, after cookiefile's editing and saving, open Mozilla and browse to target phpBB forum. If all went
perfectly, you have now "logged in" as target.

Mission complete! Cool

Remark: any feedback is welcome, post your opinion here!

migo79 · Regular user

hey
awesome as always
i'm one of the most readers of ur advisories it's good and straight to the point and also you mention the technicality in the exploit so u r awesome wondeful Wink

i tried to do that (modifieng the cookie of phpbb) a time before using an IE browser , but the damn browser after i save the modified cookie and when i hit the target server the damn IE delet the modified cookie immediately!!!!!!

i think it's the problem of the damn IE , is this true ?
i'm not home so i can't install Mozilla browser right now but i just wanna make sure of it
do i must have Mozilla browser ?

waraxe · Site admin

Yep, Internet Explorer version 6.0 and maybe 5.5 too is protecting cookies from editing and if you change cookies for example with notepad, then IE just ignores it. So i have been testing various browsers and Mozilla seems to be best from cookie editing viewpoint.

pt44 · Beginner

Thanks for the lil browser insight, I always wondered why this method never worked for me so decided to give Mozilla a try now cos that one browser havnt used yet so will see if it works now Smile

TREY · Beginner

THIS STILL WORK FOR ANY1?

emrag · Regular user

i tried this tutorial at localhost
it worked but i gave my password's md5 hash in my db Smile

all right but how can i get for example www.xxxx.com 's admin's md5 hash ?
i dont know this Question

how can i get it?

waraxe · Site admin

In the case of the unpatched phpbb version try this:

http://www.waraxe.us/?modname=sa&id=013

SteX · Advanced user

keep working Rolling Eyes

BCW · Regular user

is 5ebe2294ecd0e0f08eab7690d md5 hash?
i exploited a PHPBB 2.0.6 by real life exploit 013
and it gave me from : majors to:5ebe2294ecd0e0f08eab7690d

waraxe · Site admin

Its only 25 chars long, but must be as long as 32. It was my mistake, when i published advisory about phpbb, so that sploit works not corretctly. Somewhere in this forum i allready suggested right sploit query, which will give 32 char long md5 hash. So please do search in this forum and you will hopefully find the answer.

BCW · Regular user

i found it :
http://www.waraxe.us/forum/viewtopic.php?p=286&highlight=phpbb#286

but i dont know php , explain more . if you can , give me a URL exploit , and if you cant np .
just explain more

5y573m f41lur3 · Regular user

mr,

I think that if you dont understand php you gotta learn first.... You cant learn to run before knowing to walk.... You would get more confuse then.

BCW · Regular user

ok
I cant say anymore , bye

dotcomBOT · Regular user

waraxe · Site admin

Correct information can be found here:

http://www.waraxe.us/forum/viewtopic.php?t=63