IT Security and Insecurity Portal

Posted: Thu Nov 03, 2005 9:32 pm

WaterBird
Active user
Joined: May 16, 2005
Posts: 37

hahahah :} nice one shai-tan my master :}

Posted: Fri Nov 04, 2005 1:28 am

shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

lolz What's a water bird btw?
Like a flying fish?

_________________
Shai-tan
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds

Posted: Mon Nov 07, 2005 6:06 am

g30rg3_x
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

well well...
i've reached a point where i'm too lazy to continue xDD
it seems to be a little bit hard to make a Proof-Of-Concept...
obviously the first problem is to get a forum for testing purposes, and some ppl like waterbird made me one, but the second and third problems are the facts that have to hold to make the poc work..
the other two facts are that the server has to be PHP 5 and have register globals on. obviously the third one is very easy, normally a hosting provider activates this option, but the second is hard since php 5 is under heavy development and i don't see any kind of hosting using it, i just see many with PHP 4
so let's summarize, and we have these problems to get the PoCs to work
-> PHP 5+
-> Register Globals On
-> A Working phpBB <= 2.0.17
so why am i too lazy, well let's just say that there is no online test forum on the internet so i have to install phpBB + MySQL + PHP 5 on my localhost...
only for testing purposes, so i have reached a point where i have to ask ppl if they have hosting with at least two of the three facts (obviously php 5 has to be one) just for testing purposes...
i can't expect every webmaster to let me play with a test forum or his forums, but i think it is worth the trouble to try...
greetings from mexico to all waraxe fellows

Posted: Thu Nov 10, 2005 6:06 am

Armageddon85
Regular user
Joined: Jul 28, 2005
Posts: 7

Ok I will spend all year getting this to work but I just need to be pointed in the right direction.

Quote:
[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global
variable $foobar by supplying a GET/POST/COOKIE variable
with the name 'foobar' but also by supplying a GPC variable
called 'GLOBALS[foobar]'. If the variable is supplied in
that way, the code above will not try to unset $foobar, but
$GLOBALS, which completely bypasses the protection.

The board I go to is 2.0.17 but I'm pretty sure it's php4 cuz the admin doesn't know much about php in general b/c he never upgrades unless I tell him that it's time.
So the link says "PHP5 <= 5.0.5" so doesn't that mean that it could work on php4? or does that mean 5.0.4, 5.0.3 etc.?
Ok so if this could work on php4 or he accidentally did get php5, what is the first step that I need to take - tutorials on making this kind of script or programs or text to get me started.
Basically this board has restricted parts of the forum that only specified users can see, and by the looks of it you can possibly jack around with the login array - so I can get the hash of the admin ... right?
thanks for any help.
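
A defender-side check for the request shape the quoted advisory describes, as an added example that is not part of the original thread or of phpBB: it scans web-server access-log lines for query parameters named `GLOBALS` or `GLOBALS[...]`. The log lines, paths and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2005:06:06:01 +0000] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Nov/2005:06:07:13 +0000] "GET /phpBB2/index.php?GLOBALS[foobar]=1 HTTP/1.1" 200 4011',
    '198.51.100.7 - - [10/Nov/2005:06:07:15 +0000] "GET /phpBB2/index.php?GLOBALS%5Bfoobar%5D=1&c=2 HTTP/1.1" 200 4011',
    '192.0.2.10 - - [10/Nov/2005:06:08:40 +0000] "GET /phpBB2/search.php?search_keywords=GLOBALS HTTP/1.1" 200 2210',
]

# A parameter named "GLOBALS" or "GLOBALS[...]" addresses the superglobal array itself.
GLOBALS_NAME = re.compile(r"^GLOBALS(\[|$)")
# Request line of a common/combined-format log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return the query parameter names in `url` that target $GLOBALS."""
    query = url.partition("?")[2]
    # parse_qsl percent-decodes names, so GLOBALS%5Bfoobar%5D is caught too.
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if GLOBALS_NAME.match(n)]


def scan(lines):
    """Return (client, [parameter names]) for every request that should be reviewed."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m is None:
            continue
        names = suspicious_params(m.group(1))
        if names:
            hits.append((line.split()[0], names))
    return hits


if __name__ == "__main__":
    for client, names in scan(SAMPLE_LOG):
        print(client, names)
```

Access logs normally record only the query string, so the POST and COOKIE forms the advisory mentions have to be checked at request time instead. Only the parameter name is matched, which is why the search for the word GLOBALS in the last sample line is not flagged.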

Posted: Thu Nov 10, 2005 8:45 am

Armageddon85
Regular user
Joined: Jul 28, 2005
Posts: 7

OK here is what I'm basically trying to do.
The forum I browse has several sections that are not accessible unless you are a "privileged user"
I have no use in gaining admin rights other than to view the information that is in those sections. So what about downloading the database of the forum - how would I do that or is that even possible? Is there any other way to view these sections without being logged in as admin or one of the users?
I googled the hell out of the site but google can access those pages either. any help would be awesome.

Posted: Thu Nov 10, 2005 11:56 pm

g30rg3_x
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

well, at first, on first impression when i read the advisory, i thought like you that it can be exploitable in PHP5 <= 5.0.5, so i can make the exploit work in PHP4...
But the fact you have to take into account is that PHP has two development levels, stable (PHP4) and unstable -under heavy development- (PHP5), so as you see in the adv, it says clearly that it has to be PHP5...
And obviously register globals has to be "on" and, for the sql injection, magic_quotes_gpc "off", so believe me it didn't work in phpBB 2.0.17 with PHP4, i have been trying a lot of my experimental pocs..
at this time, i have fully exploited the XSS bugs, obviously i'm researching the SQL Injection and Remote Command Execution, so the xss is a minor glitch, and i will announce a poc when i confirm these experimental exploits are complete...
for your question...
depends, if the lock is the phpBB lock, you have to log in with those accounts, because i don't know a method to bypass it, other than using cookie poisoning and entering as admin and making a fake user to enter these locked forums...
there is an XSS bug in phpBB that i think works, so googling a while you can easily find it, and exploit it to get the admin cookie with low-level social engineering...
greetings from mexico and pardon my bad writing

Posted: Fri Nov 11, 2005 2:26 am

Armageddon85
Regular user
Joined: Jul 28, 2005
Posts: 7

I believe you're talking about the exploit where you use an avatar to pull cookies - only problem is that we don't have avatars on this site, and from what I read avatars are the only way to do it. I'll ask admin to see if he will let them in.
All times are GMT
Page 2 of 2