Waraxe IT Security Portal

716 · Regular user

hi,

i have the admin pass (and some users') to a phpbb forum (2017).
i was wondering if i could get the FTP pass to the server... the forum has "easy mod" installed and i backed up database to obtain some password hashes and found in there the hash of the FTP pass (stored in there by EM)... first i thought its some weird algorythm, thats why it looks that bad, but then i realized that smth is wrong with it (on another forum, with EM, the FTP pass hash looked normal)

here's how the so-called hash looks like: WI;¿ÝÝG:+/
¢^.ÞéÜ\0

well, anyway, any ideas/suggestions what i could do next? or how i could upload a php and execute it?

thanks a lot in advance Wink

waraxe · Site admin

Peeking at easymod source code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

// look in the config table to get the EM settings
function get_em_settings($filename, $path, $em_pass, $preview = false)
{
global $db, $phpbb_root_path;

//
// grab the EM settings
//
$sql = "SELECT *
FROM " . CONFIG_TABLE . "
WHERE config_name LIKE 'EM_%'";
if( !$result = $db->sql_query($sql) )
{
message_die(GENERAL_ERROR, $lang['EM_err_config_info'], '', __LINE__, __FILE__, $sql);
}

// loop through all the settings and assign the EM ones as appropriate
while ($row = $db->sql_fetchrow($result))
{
if ($row['config_name'] == 'EM_read')
{
$read = $row['config_value'];
}
else if ($row['config_name'] == 'EM_write')
{
$write = $row['config_value'];
}
else if ($row['config_name'] == 'EM_move')
{
$move = $row['config_value'];
}
else if ($row['config_name'] == 'EM_ftp_dir')
{
$ftp_dir = $row['config_value'];
}
else if ($row['config_name'] == 'EM_ftp_user')
{
$ftp_user = $row['config_value'];
}
else if ($row['config_name'] == 'EM_ftp_pass')
{
$ftp_pass = crypt_ftp_pass(EM_DECRYPT, $row['config_value'], $em_pass);
}
else if ($row['config_name'] == 'EM_ftp_host')
{
$ftp_host = $row['config_value'];

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You see "$ftp_pass = crypt_ftp_pass(EM_DECRYPT, $row['config_value'], $em_pass)".
So ftp password is encrypted with blowfish algorithm and key for decryption is in
variable "$em_pass".

By crawling deeper in code we see, that "$em_pass" is md5 hash of the admin's password.
And this md5 hash is stored in sql database!!!
From source code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

// get the access password to EM
function get_em_pw()
{
global $db, $lang ;

// look up the actual password in the db
$sql = "SELECT *
FROM " . CONFIG_TABLE . "
WHERE config_name = 'EM_password'" ;
if( !$result = $db->sql_query($sql) )
{
message_die(GENERAL_ERROR, $lang['EM_config_info'], '', __LINE__, __FILE__, $sql);
}
$row = $db->sql_fetchrow($result) ;

return $row['config_value'] ;
}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So here is what you try to do:

1. get md5 hash (named 'EM_password') from sql table
2. use original php code from easymod to decrypt ftp pass hash

716 · Regular user

yepp, this is exactly what i did... and it gave me some weird pass... smth similar to the hashed pass... Confused