IT Security and Insecurity Portal

phpBB 2.0.19
Posted: Wed Sep 05, 2007 8:23 pm
itsnotatumor
Regular user
Joined: Sep 05, 2007
Posts: 5

I've googled and read through most of these topics and tried a few cookie changes etc., but I can't seem to bypass the login page. I am reading through the source code and am new to PHP (only proficient in .NET and HTML).
I know how to write SQL but don't know where to execute the statements besides the userid and password boxes (which have been of no use).
Are the inputs being sanitized?
A link or a push in the right direction would be appreciated.

Posted: Thu Sep 06, 2007 2:34 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

phpBB 2.0.19 is written with security in mind and I don't know any serious SQL injection exploits against it. Maybe there are some insecure MODs in the target installation, which can offer security holes.

Posted: Thu Sep 06, 2007 5:59 pm
itsnotatumor
Regular user
Joined: Sep 05, 2007
Posts: 5

Darn! Ok, thanks.
I would like to host the site (a raw phpBB 2.0.19) on my machine and try to kind of run it in debug, to at least follow along to get my own understanding of what it's doing. What would be the best program or IDE for this? I downloaded Dreamweaver but I am still getting used to it and the fan in my computer goes insane every time I open it.

Posted: Fri Sep 07, 2007 5:15 pm
ToXiC
Moderator
Joined: Dec 01, 2004
Posts: 181
Location: Cyprus

itsnotatumor wrote:
"Darn! Ok, thanks.
I would like to host the site (a raw phpBB 2.0.19) on my machine and try to kind of run it in debug, to at least follow along to get my own understanding of what it's doing. What would be the best program or IDE for this? I downloaded Dreamweaver but I am still getting used to it and the fan in my computer goes insane every time I open it."

What you actually need is a standalone server. I guess you are using Windows, right?
Instead of installing anything like PHP, MySQL, Apache etc. it is better to use XAMPP, from
http://www.apachefriends.org/en/xampp.html
It has everything you need for installing phpBB locally and testing it if you want.
But on the other hand, I see that you are a bit confused on basic things like using Dreamweaver to install phpBB ?!?!@#? and when you use it, the fan in your computer goes crazy?
So, to start from somewhere:
install XAMPP,
then read how to install phpBB locally,
then play with phpBB on your computer.
I suggest you use a simple editor for your tests instead of using Dreamweaver, like Notepad++.

_________________
who|grep -i blonde|talk; cd~;wine;talk;touch;unzip;touch; strip;gasp;finger;gasp;mount; fsck; more; yes; gasp; umount; make clean; sleep;wakeup;goto http://www.md5this.com

Posted: Fri Sep 07, 2007 5:32 pm
itsnotatumor
Regular user
Joined: Sep 05, 2007
Posts: 5

Will do, thanks! Yeah, Dreamweaver makes my box start buzzing. lol! This is my first attempt at anything bigger than malicious HTML and JavaScript, so I appreciate the help, fellas!

Posted: Fri Sep 07, 2007 7:42 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I am using Dreamweaver 2004 on my home computer and it is useful when analyzing a 5000-line PHP script.
Yes, it is resource hungry.
I am sure that there are good open-source and free PHP IDEs, I just don't have time to look for them.

Posted: Fri Sep 07, 2007 8:58 pm
ToXiC
Moderator
Joined: Dec 01, 2004
Posts: 181
Location: Cyprus

waraxe wrote:
"I am using Dreamweaver 2004 on my home computer and it is useful when analyzing a 5000-line PHP script.
Yes, it is resource hungry.
I am sure that there are good open-source and free PHP IDEs, I just don't have time to look for them."

Notepad++ !!! Support open source and free software, those that are given to us for free and we don't have to "buy" them.

Posted: Sat Sep 08, 2007 7:14 pm
itsnotatumor
Regular user
Joined: Sep 05, 2007
Posts: 5

I just really, really want to view some freakin' topics. I don't even want to mess them up... just read the dang topics. There has got to be a way around this junk... There always is.

Posted: Sat Sep 08, 2007 7:59 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

itsnotatumor wrote:
"I just really, really want to view some freakin' topics. I don't even want to mess them up... just read the dang topics. There has got to be a way around this junk... There always is."

Still, phpBB 2.0.19 is a hard target. But there are other attack possibilities.
For example, if that website is using virtual hosting and many domains are pointed to the same physical server, then you have a chance to compromise some other website on that shared server and then use it to attack the main target.
Here is what you can do:
1. find your target webserver's IP address
2. use MSN to reveal colocated websites.
Random example:
We are interested in http://www.car-vs-car.de/forum/
So the domain is: www.car-vs-car.de
IP address: 85.13.129.192
Let's try the IP:
http://85.13.129.192/
Oops, 403 Forbidden. So it seems to be shared hosting.
Now let's use MSN:
http://search.msn.com/results.aspx?q=ip%3A85.13.129.192&FORM=MSNH
And we get 2 more websites on that server:
http://www.hans-schneider.de/
http://www.deskmania.de/
There are better tools to search colocated websites than MSN, so be creative.

Posted: Wed Sep 12, 2007 4:37 pm
itsnotatumor
Regular user
Joined: Sep 05, 2007
Posts: 5

I had done that before and gotten the IP address of their server, but I didn't know what to do with it. Thanks again for another step in the right direction. I'll see what some of my friends and I can pool together.