IT Security and Insecurity Portal

Posted: Thu Jul 14, 2005 8:54 am

shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Wow, it's good to be back with this little gem here to greet me. This XSS cracks me up. Teach those dick heads over at phpBB.com a lesson...... I've never liked them much for unknown reasons. I always like it when the people "who know best" don't know best, even if it is threatening the security of thousands of forums.

_________________ Shai-tan
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Thu Jul 14, 2005 9:23 am

funnay
Beginner
Joined: Nov 26, 2004
Posts: 3

An unofficial temporary fix (but already widely tested) has been available at http://phpbb2.de since July 8.
Code:
#-----[ OPEN ]------------------------------------------
#
includes/bbcode.php
#
#-----[ FIND ]------------------------------------------
#
// matches a xxxx://www.phpbb.com code..
$patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];
// www.phpbb.com code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];
// phpBB code..
$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];
// code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];
#
#-----[ REPLACE WITH ]------------------------------------------
#
// matches a xxxx://www.phpbb.com code..
$patterns[] = "#\[url\]([\w]+?://[^ '`\"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];
// www.phpbb.com code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.(?![^ '`\"\n\r\t<]*?\[url)[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];
// phpBB code..
$patterns[] = "#\[url=([\w]+?://[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];
// code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];
#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM

Cya
Posted: Fri Jul 15, 2005 9:25 am

_daemon_
Beginner
Joined: Jul 13, 2005
Posts: 4
Location: Greece

waraxe posted that b4
Posted: Fri Jul 15, 2005 12:52 pm

_daemon_
Beginner
Joined: Jul 13, 2005
Posts: 4
Location: Greece

Finally I got a cookie:
Cookie: ***_data=a:2:{s:11:\"autologinid\";s:32:\"7e9f300935b4247b0408bf4eded39148\";s:6:\"userid\";i:5075;}; ***_sid=6ee05a04b68b344fa9037971ee2b5b16;
so 7e9f300935b4247b0408bf4eded39148 is the md5 hash.
Does anyone know why the cookie came up with slashes? The others above were clear... Anyway, I'm trying to crack it atm.
Edit: BTW, apart from cracking the hash, can't someone use serialize() and use the cookie instead?
Edit 2: ***_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";s:4:\"2251\";}; ***_sid=96cce388d9d33160d6cdbbf348113538;
How is it possible to have a blank autologinid value although the exploit was inside a PM?
Posted: Fri Jul 15, 2005 3:01 pm

g30rg3_x
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

You can try cookie poisoning to log in as the administrator...
You just have to get the userid and the md5 hash of his password..
regards
Posted: Tue Jul 19, 2005 1:32 pm

dnegel666
Beginner
Joined: Jul 19, 2005
Posts: 3

But why doesn't this exploit work with Mozilla? Only with IE?
Posted: Tue Jul 19, 2005 4:02 pm

g30rg3_x
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

Simply...
Like it says in the original advisory, it's because:
IE takes ` as the equivalent of ", so that's why it only executes in IE and not in other engines like Mozilla/Gecko.
regards
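A regression check tying together the temporary fix funnay quoted above and the backtick explanation in this post. This is an added example, not code from the thread or from phpBB: it transcribes the vulnerable and patched url3 patterns from includes/bbcode.php into Python and renders a constructed URL carrying a backtick (no script, just the delimiter character) to show that it lands inside href="..." under 2.0.16 and is rejected by the patched pattern. The template string is a simplified assumption standing in for $bbcode_tpl['url3'].

```python
import re

# Vulnerable [url=...]...[/url] pattern (url3) from phpBB 2.0.16
# includes/bbcode.php, transcribed to Python: the URL character class stops
# at space, double quote, whitespace and '<', but NOT at the backtick.
URL3_VULNERABLE = re.compile(
    r'\[url=([\w]+?://[^ "\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]', re.I | re.S)

# The same pattern after the temporary fix quoted in this thread: the
# single quote and the backtick are now excluded from the URL as well.
URL3_FIXED = re.compile(
    r'\[url=([\w]+?://[^ \'`"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]', re.I | re.S)

# Simplified stand-in for $bbcode_tpl['url3'] (assumption: the real template
# adds more attributes, but the href="..." quoting is what matters here).
URL3_TEMPLATE = '<a href="{url}" target="_blank">{text}</a>'


def render_url_tag(bbcode, pattern):
    """Apply one url3-style substitution the way bbcode.php's preg_replace does."""
    return pattern.sub(
        lambda m: URL3_TEMPLATE.format(url=m.group(1), text=m.group(2)), bbcode)


def hrefs_with_backtick(html):
    """Audit helper: list every href value that carries a backtick, the
    character IE of that era treated as an attribute delimiter."""
    return [v for v in re.findall(r'href="([^"]*)"', html) if '`' in v]


# Constructed sample post: a URL that smuggles a backtick. Nothing else is
# injected; the point is only whether the backtick reaches the attribute.
SAMPLE = '[url=http://example.invalid/path`x]link[/url]'


def demo():
    """Render the sample with both patterns; returns (before_fix, after_fix)."""
    before = render_url_tag(SAMPLE, URL3_VULNERABLE)
    after = render_url_tag(SAMPLE, URL3_FIXED)   # no match: tag left as text
    return before, after


if __name__ == '__main__':
    before, after = demo()
    print('2.0.16 :', before, hrefs_with_backtick(before))
    print('patched:', after, hrefs_with_backtick(after))
```

The audit helper can be pointed at already-rendered posts in a database dump to find stored markup that the old pattern let through before the fix was applied.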
Posted: Wed Jul 20, 2005 2:21 am

funnay
Beginner
Joined: Nov 26, 2004
Posts: 3
Posted: Wed Jul 20, 2005 9:21 am

shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Lolz, I went on the phpbb.com forums the other day and complained about why those dicks hadn't brought out 2.0.17, saying how there was XSS out there for 2.0.16; a few people got a look before it was deleted. :p

_________________ Shai-tan
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Fri Jul 22, 2005 12:08 am

kizkur
Regular user
Joined: Dec 04, 2004
Posts: 11

I have a problem.
I obtain the cookie, but the hash is not in it.
Code:
Cookie: phpbb2mysql_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";s:1:\"2\";}; phpbb2mysql_sid=0263b9415347120d90d0d001bad83e00; phpbb2mysql_t=a:6:{i:106;i:1121962541;i:120;i:1121962667;i:115;i:1121962734;i:121;i:1121962781;i:116;i:1121962817;i:117;i:1121962844;}
IP: xx.xxx.x.xxx
Date and Time: 21 July, 2005, 7:50 pm
Referer: http://www.site.com/privmsg.php?folder=inbox&mode=read&p=19

Why is the hash not there???
thx
Posted: Fri Jul 22, 2005 8:40 am

dnegel666
Beginner
Joined: Jul 19, 2005
Posts: 3

Because he didn't activate "Autologin next time", so the MD5 password isn't written to the cookie.
md5 hash...

Posted: Fri Jul 22, 2005 1:25 pm

Twist
Regular user
Joined: Jul 22, 2005
Posts: 6

I did all of the below perfectly, but when I get to this it seems really hard; I can't crack this md5 hash...
3449e7927568c3eb60f4e4ca44047220
Can anyone get it for me? Thanks..
Re: md5 hash...

Posted: Fri Jul 22, 2005 2:38 pm

str0ke
Beginner
Joined: Jul 07, 2005
Posts: 4

Twist wrote:
I did all of the below perfectly, but when I get to this it seems really hard; I can't crack this md5 hash...
3449e7927568c3eb60f4e4ca44047220
Can anyone get it for me? Thanks..

3449e7927568c3eb60f4e4ca44047220 Vikbil
/str0ke
Posted: Fri Jul 22, 2005 2:52 pm

Twist
Regular user
Joined: Jul 22, 2005
Posts: 6

How did you do it so fast? It had been cracking on my computer for 2 hours....
Posted: Fri Jul 22, 2005 3:04 pm

Twist
Regular user
Joined: Jul 22, 2005
Posts: 6

If you don't mind, can you do this one for me too?
4350cb13dd7edc683a58c9ddcedf3ca4
Thanks bro..