Waraxe IT Security Portal
Login or Register
December 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 112
Members: 0
Total: 112
Full disclosure
CyberDanube Security Research 20241219-0 | Authenticated Remote Code Execution in Ewon Flexy 205
Stored XSS with Filter Bypass - blogenginev3.3.8
[SYSS-2024-085]: Broadcom CA Client Automation - Improper Privilege Management (CWE-269)
[KIS-2024-07] GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities
RansomLordNG - anti-ransomware exploit tool
APPLE-SA-12-11-2024-9 Safari 18.2
APPLE-SA-12-11-2024-8 visionOS 2.2
APPLE-SA-12-11-2024-7 tvOS 18.2
APPLE-SA-12-11-2024-6 watchOS 11.2
APPLE-SA-12-11-2024-5 macOS Ventura 13.7.2
APPLE-SA-12-11-2024-4 macOS Sonoma 14.7.2
APPLE-SA-12-11-2024-3 macOS Sequoia 15.2
APPLE-SA-12-11-2024-2 iPadOS 17.7.3
APPLE-SA-12-11-2024-1 iOS 18.2 and iPadOS 18.2
SEC Consult SA-20241211-0 :: Reflected Cross-Site Scripting in Numerix License Server Administration System Login
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> 2 new Vulnerabilities 2.0.17 Goto page Previous1, 2
Post new topicReply to topic View previous topic :: View next topic
PostPosted: Thu Nov 03, 2005 9:32 pm Reply with quote
WaterBird
Active user
Active user
Joined: May 16, 2005
Posts: 37




hahahah :} nice one shai-tan my master :}
View user's profile Send private message
PostPosted: Fri Nov 04, 2005 1:28 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




lolz Whats a water bird btw?
Like a flying fish? Razz

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Mon Nov 07, 2005 6:06 am Reply with quote
g30rg3_x
Active user
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




well well...

i reach a point that im too lazy to continue xDD
seems to be a little bit hard to make a Proof-Of-Concept...

obviously the first problem its to get a forum for testing pourpose and some ppl like waterbird make me one but the second and third problem its the facts that have to be for make the poc work..

the other two facts are, that the server has to be a PHP 5 and have register globals on, obviously the thrid one, its very easy, normally a hosting provider activate this option, but the second its hard since php 5 its under heavy development and i dont see any kind of hosting using i just see many PHP 4

so lets take a summarized and we have this problems to get the PoC's Work

-> PHP 5+
-> Register Globals On
-> A Working phpBB <= 2.0.17

so because why i'm too lazy, well just say that there is no online test forum in the internet so i have to install On my localhost phpBB + MySQL + PHP 5...

only for testing pourpose, so i have reach a point that i have to ask a ppl they have a hosting with at least two of three facts(obviosly the php 5, has to be) just for testing pourpose...

i cant expected that every webmaster leave to play with a test forum or his forums, but i think it is worth the trouble to try...

grettings from mexico all waraxe fellows
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Thu Nov 10, 2005 6:06 am Reply with quote
Armageddon85
Regular user
Regular user
Joined: Jul 28, 2005
Posts: 7




Ok I will spend all year getting this to work but I just need to be pointed in the right direction.

Quote:
[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global

variable $foobar by supplying a GET/POST/COOKIE variable

with the name 'foobar' but also by supplying a GPC variable

called 'GLOBALS[foobar]'. If the variable is supplied in

that way, the code above will not try to unset $foobar, but

$GLOBALS, which completely bypasses the protection.


The board I go to is 2.0.17 but im pretty sure it php4 cuz the admin doesnt know much about php in general b/c he never upgrades unless i tell him that its time.

So the link says "PHP5 <= 5.0.5" so doesnt that mean that it could work on php4? or does that mean 5.0.4, 5.0.3 ect.?

Ok so if this could work on a php4 or he acidentally did get php5 what is the first step that I need to take - tutorials on making this kind of script or programs or text to get me started.

Basically this board has restricted parts of the forum that only specified users can see, and by the looks of it you can possible jack around with the login array - so I can get the hash of the admin ... right?

thanks for any help.
View user's profile Send private message
PostPosted: Thu Nov 10, 2005 8:45 am Reply with quote
Armageddon85
Regular user
Regular user
Joined: Jul 28, 2005
Posts: 7




OK here is what im basically trying to do.

The forum I browse has several sections that are not accessible unless you are a "privledged user"

I have no use in gaining admin rights other than to view the information that is in those sections. So what about downloading the database of the forum - how would I do that or is that even possible? Is there any other way to view these sections without being logged in as admin or one of the users?

I googled the hell out of the site but google can access those pages either. any help would be awesome.
View user's profile Send private message
PostPosted: Thu Nov 10, 2005 11:56 pm Reply with quote
g30rg3_x
Active user
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE




well at first time or first impression when i read the advisory, i think like you that can be explotaible in PHP5 <= 5.0.5, so i can make the exploit work in PHP4...

But the fact that you have to take, that PHP has two develop levels, stable (PHP4), unstable -under heavy developement- (PHP5), so as you see in the adv, it says clearly that have to be PHP5...

And obviously have to be register globals "on" and in the sql injection magic_quotes_gpc "off", so belive me it didnt work in phpBB 2.0.17 with PHP4, i have been try a lot of my experimentals pocs..

at the this time, i have been fully exploited de XSS Bugs, obviously i'm researching the SQL Injection and Remote Command Executation, so the xss is a minor glitch, and i announce a poc when i confirm this experimentals exploits are complete...

for you question...

dependes, if the lock is the phpBB lock, you have to login qith this accounts, because i dont know a method to bypass, than using a cookie poison and enter as admin an make a fake user for enter to this locked forums...

there is a XSS bug in phpBB that i think it works, so googling a while you can easly find, and exploit to get the admin cookie with a low level social enginnering...

grettings from mexico and pardon me the bad writing
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Fri Nov 11, 2005 2:26 am Reply with quote
Armageddon85
Regular user
Regular user
Joined: Jul 28, 2005
Posts: 7




I believe your talking about the exploit where you use an avatar to pull cookies - only problem is that we dont have avatars on this site, and from what I read avatars is the only way to do it. Ill ask admin to see if he will let them in.
View user's profile Send private message
2 new Vulnerabilities 2.0.17
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 2 of 2
Goto page Previous1, 2
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.048 Seconds