Waraxe IT Security Portal  
www.waraxe.us Forum Index -> PhpBB -> 2 new Vulnerabilities 2.0.17 (page 2 of 2)
PostPosted: Thu Nov 03, 2005 9:32 pm
WaterBird (Active user; Joined: May 16, 2005; Posts: 37)
hahahah :} nice one shai-tan my master :}
PostPosted: Fri Nov 04, 2005 1:28 am
shai-tan (Valuable expert; Joined: Feb 22, 2005; Posts: 477)
lolz What's a water bird btw?
Like a flying fish? Razz

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
PostPosted: Mon Nov 07, 2005 6:06 am
g30rg3_x (Active user; Joined: Jan 23, 2005; Posts: 31; Location: OutSide Of The PE)
well well...

I reached a point where I'm too lazy to continue xDD
seems to be a little bit hard to make a Proof-Of-Concept...

obviously the first problem is to get a forum for testing purposes, and some ppl like waterbird made me one, but the second and third problems are the facts that have to be in place to make the poc work..

the other two facts are that the server has to be PHP 5 and have register globals on. obviously the third one is very easy, normally a hosting provider activates this option, but the second is hard since php 5 is under heavy development and I don't see any kind of hosting using it, I just see many PHP 4

so let's summarize, and we have these problems to get the PoCs to work:

-> PHP 5+
-> Register Globals On
-> A Working phpBB <= 2.0.17

so because I'm too lazy, well, just say that there is no online test forum on the internet so I have to install phpBB + MySQL + PHP 5 on my localhost...

only for testing purposes, so I have reached a point where I have to ask ppl who have hosting with at least two of the three facts (obviously the php 5 has to be) just for testing purposes...

I can't expect that every webmaster leaves a test forum or his forums to play with, but I think it is worth the trouble to try...

greetings from mexico to all waraxe fellows
PostPosted: Thu Nov 10, 2005 6:06 am
Armageddon85 (Regular user; Joined: Jul 28, 2005; Posts: 7)
Ok I will spend all year getting this to work but I just need to be pointed in the right direction.

Quote:
[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global variable $foobar by supplying a GET/POST/COOKIE variable with the name 'foobar' but also by supplying a GPC variable called 'GLOBALS[foobar]'. If the variable is supplied in that way, the code above will not try to unset $foobar, but $GLOBALS, which completely bypasses the protection.

The board I go to is 2.0.17 but I'm pretty sure it's php4 cuz the admin doesn't know much about php in general b/c he never upgrades unless I tell him that it's time.

So the link says "PHP5 <= 5.0.5" so doesn't that mean that it could work on php4? or does that mean 5.0.4, 5.0.3 etc.?

Ok so if this could work on php4 or he accidentally did get php5, what is the first step that I need to take - tutorials on making this kind of script or programs or text to get me started.

Basically this board has restricted parts of the forum that only specified users can see, and by the looks of it you can possibly jack around with the login array - so I can get the hash of the admin ... right?

thanks for any help.
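The GLOBALS[foobar] trick quoted in the advisory above, together with the conditions g30rg3_x lists (PHP 5 with register globals on), can be modelled without a vulnerable PHP build. The following is an added example, not phpBB's own code or anything posted in this thread: it replays the unset loop the advisory refers to on a constructed request and shows the check a board should run before anything else, which is to refuse any request that carries a top-level GLOBALS key. The request contents, variable names and function names are all constructed for illustration.

```php
<?php
// Added example (not phpBB code). Constructed request: a GET parameter whose
// name is GLOBALS[foobar]. PHP parses that name into a nested array, so the
// top-level key seen by any protection code is 'GLOBALS', not 'foobar'.
$HTTP_GET_VARS    = array('GLOBALS' => array('foobar' => 'injected'), 'sid' => 'abc');
$HTTP_POST_VARS   = array();
$HTTP_COOKIE_VARS = array();

// Names the original unset loop must keep; everything else that
// register_globals may have created is unset by name.
$not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS');

// Replay of the loop pattern the advisory describes: returns the variable
// names it would unset. With the request above the only candidate is
// 'GLOBALS' (and 'sid'), never 'foobar', so on a register_globals build of
// PHP 5.0.5 or older the global $foobar survives the loop.
function naive_unset_targets(array $input, array $not_unset)
{
    $targets = array();
    foreach (array_keys($input) as $var) {
        if (!in_array($var, $not_unset, true)) {
            $targets[] = $var;
        }
    }
    return $targets;
}

// Hardened check: true when any request source carries a top-level
// 'GLOBALS' key. No legitimate form, link or cookie needs that name, so
// the request can be rejected outright before the unset loop runs.
function request_overrides_globals(array $gpc_sources)
{
    foreach ($gpc_sources as $source) {
        if (array_key_exists('GLOBALS', $source)) {
            return true;
        }
    }
    return false;
}

$sources = array($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS);
if (request_overrides_globals($sources)) {
    // A real deployment should also log the source address and the key.
    exit("Request rejected: top-level GLOBALS key in request\n");
}

$input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS);
print_r(naive_unset_targets($input, $not_unset));
```

Turning register_globals off removes the underlying problem entirely; the check above only closes the bypass on hosts where that setting cannot be changed.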
PostPosted: Thu Nov 10, 2005 8:45 am
Armageddon85 (Regular user; Joined: Jul 28, 2005; Posts: 7)
OK here is what I'm basically trying to do.

The forum I browse has several sections that are not accessible unless you are a "privileged user".

I have no use in gaining admin rights other than to view the information that is in those sections. So what about downloading the database of the forum - how would I do that, or is that even possible? Is there any other way to view these sections without being logged in as admin or one of the users?

I googled the hell out of the site but google can't access those pages either. any help would be awesome.
PostPosted: Thu Nov 10, 2005 11:56 pm
g30rg3_x (Active user; Joined: Jan 23, 2005; Posts: 31; Location: OutSide Of The PE)
well, at first, or on first impression when I read the advisory, I thought like you that it could be exploitable in PHP5 <= 5.0.5, so I could make the exploit work in PHP4...

But the fact that you have to take into account is that PHP has two development levels, stable (PHP4) and unstable -under heavy development- (PHP5), so as you see in the adv, it says clearly that it has to be PHP5...

And obviously register globals has to be "on", and for the sql injection magic_quotes_gpc "off", so believe me it didn't work in phpBB 2.0.17 with PHP4, I have tried a lot of my experimental pocs..

at this time I have fully exploited the XSS bugs, obviously I'm researching the SQL Injection and Remote Command Execution, so the xss is a minor glitch, and I'll announce a poc when I confirm these experimental exploits are complete...

for your question...

depends, if the lock is the phpBB lock, you have to log in with those accounts, because I don't know a method to bypass it, other than using a cookie poison to enter as admin and make a fake user to enter those locked forums...

there is an XSS bug in phpBB that I think works, so googling a while you can easily find it, and exploit it to get the admin cookie with a low level of social engineering...

greetings from mexico and pardon me the bad writing
PostPosted: Fri Nov 11, 2005 2:26 am
Armageddon85 (Regular user; Joined: Jul 28, 2005; Posts: 7)
I believe you're talking about the exploit where you use an avatar to pull cookies - only problem is that we don't have avatars on this site, and from what I read avatars are the only way to do it. I'll ask admin to see if he will let them in.
All times are GMT  
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"