phpBB at least 2.0.20 (help getting the Hash or using XSS)

Posted: Tue Nov 25, 2008 11:55 pm
SCr0ss
Beginner
Joined: Nov 26, 2008
Posts: 3

Hello there.
I need help with getting into a forum (either giving admin permissions or getting the hash from the admin) for testing purposes.
I tried out some XSS and exploits but none of them worked.
I think most of the exploits are fixed, making me think that the version is at least 2.0.20. The hash is not saved into the cookies, so cookies are kinda useless here.
I know about basic programming languages and some XSS.
Can someone help me out a bit? At least a hint?

Posted: Wed Nov 26, 2008 3:23 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

phpBB >= 2.0.20 is not easy to hack. And XSS is not helping you much, maybe only with XSRF. Your best option is to look at possible neighbour websites on the same shared webserver. If the target is located on a dedicated server, then you are out of luck.
And of course look for other attack vectors. Run a port scan. Look for other services besides HTTP.

Posted: Wed Nov 26, 2008 4:03 pm
SCr0ss
Beginner
Joined: Nov 26, 2008
Posts: 3

Thank you very much for your reply.
If you use automatic login, though, it would be possible to get the hash with a cookie stealer, right?

Posted: Wed Nov 26, 2008 4:50 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

From phpBB 2.0.20 source code:
Code:
    if ( !empty($key_sql) )
    {
        $auto_login_key = dss_rand() . dss_rand();
        $current_time = time();
        $sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . "
            SET last_ip = '$user_ip', key_id = '" . md5($auto_login_key) . "', last_login = $current_time
            WHERE key_id = '" . md5($userdata['session_key']) . "'";

So it's obvious that the autologin feature is using random tokens.
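
The token scheme in the excerpt above, as an added PHP example that is not phpBB code and not part of the original posts: a random token goes into the cookie, only its hash is stored, and the token is replaced each time it is used. It substitutes random_bytes() and SHA-256 for dss_rand() and md5(), deletes and re-inserts the row instead of updating it in place, and uses an in-memory array with hypothetical function names in place of the sessions-keys table.

```php
<?php
// Added example, not phpBB code. Function names are hypothetical and an
// in-memory array stands in for the sessions-keys table.

// key_id (hash of the token) => ['user_id' => int, 'last_login' => int]
$keysTable = [];

// Issue a fresh autologin token. The raw token goes into the cookie;
// the table stores only its hash, so a leaked table row cannot be replayed.
function issue_autologin_key(array &$table, int $userId): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $table[hash('sha256', $token)] = [
        'user_id'    => $userId,
        'last_login' => time(),
    ];
    return $token;
}

// Redeem the token presented in the cookie. On success the old row is
// removed and a new token is issued, so each token is valid for one use.
// Returns [userId, newToken], or null when the token is unknown.
function redeem_autologin_key(array &$table, string $presented): ?array
{
    $keyId = hash('sha256', $presented);
    if (!isset($table[$keyId])) {
        return null;
    }
    $userId = $table[$keyId]['user_id'];
    unset($table[$keyId]);
    return [$userId, issue_autologin_key($table, $userId)];
}

// Constructed walk-through: issue, redeem, then replay the old cookie value.
$cookie = issue_autologin_key($keysTable, 2);
[$userId, $rotated] = redeem_autologin_key($keysTable, $cookie);
$replay = redeem_autologin_key($keysTable, $cookie);

printf("user id from first redeem: %d\n", $userId);
printf("replay of rotated-out token accepted: %s\n", $replay === null ? 'no' : 'yes');
printf("raw token stored in table: %s\n", isset($keysTable[$rotated]) ? 'yes' : 'no');
```

Neither the password nor its hash appears in the cookie or in this table, which matches the first post's observation that the hash is not saved in the cookies.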

Posted: Wed Nov 26, 2008 5:10 pm
SCr0ss
Beginner
Joined: Nov 26, 2008
Posts: 3

waraxe wrote:
    From phpBB 2.0.20 source code:
    Code:
        if ( !empty($key_sql) )
        {
            $auto_login_key = dss_rand() . dss_rand();
            $current_time = time();
            $sql = 'UPDATE ' . SESSIONS_KEYS_TABLE . "
                SET last_ip = '$user_ip', key_id = '" . md5($auto_login_key) . "', last_login = $current_time
                WHERE key_id = '" . md5($userdata['session_key']) . "'";

    So it's obvious that the autologin feature is using random tokens.

Yes, I see, thank you.
No security holes then.
The only one left seems to be "forget password" (it uses the server time as far as I know to generate a random key).
All times are GMT