Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
July 9, 2020
 Members List
 IRC chat
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 Sql Char Encoder
 y3dips ITsec
 Md5 Cracker
 User Manuals
 Recommend Us
 Your Account

User Info
Welcome, Anonymous

Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 254
Members: 0
Total: 254
PacketStorm News
Currently there is a problem with headlines from this site
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> Phpbb 2.0.21 hackability?
Post new topic  Reply to topic View previous topic :: View next topic 
Phpbb 2.0.21 hackability?
PostPosted: Sat Apr 26, 2008 10:27 am Reply with quote
Joined: Apr 26, 2008
Posts: 1
Location: Guantanamo Bay, Cuba

"Php Bulletin Board - one of the most secure freeware bulletin boards. Written with security in mind and with good style."

Oh, great. Sad

Harro, I'm new to this php stuff. I've targeted a forum that has html enabled (if this has any significance). My aim is to either gain admin or deface the site. A quick glance at the checklog revealed that the site is running v2.0.21, which I hear has few public vulnerabilities at the moment. I've tried the cookie grab method and a few SLQ injections, but to no avail. Is there a cross-site scripting method where I could place code in a thread which would record the cookies of users who visit it and then have the data emailed to me? This way I could get their MD5 hash for the painstaking process of decoding, or just use their cookie to emulate an admin login? I've tried many lame attempts to "probe" the site, but without knowing much practical php knowledge...I can't really plan any 'attack vectors' or come up with theoretical concepts (effectively making me a script kiddie).

Now I'm going to lather on the nooberosity with this question:

I hear tell of a method by which one can seek out vulnerabilities of a target by searching out and analyzing other sites who share the same host? Are we talking network vulnerabilities or what? How does it relate to say gaining admin access on a forum?

Thanks. Cool
View user's profile Send private message
PostPosted: Sat Apr 26, 2008 12:38 pm Reply with quote
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Phpbb new versions are hard targets. So if target website is located on shared hosting (most of the real world websites are), then determine targte's IP address and search for "neighbors". Examples from my personal experience - i wanted to get access to VBulletin-based website, so i searched neighbors and found PhpNuke installation with some old Local File Inclusion bug. Then i registered as user there, uploaded specially crafted jpeg file as avatar. Using that jpeg file (which contained php code in commment section) and LFI i was able to get php code execution level access to server. Fortunately that hosting server was not very secure and so i was able to read main target's config file with database credentials and then feched all user data from database about main target. Mission complete! Second example - main target was phpbb. I was searching for neighbors and found Wordpress installation with not-yet-patched sql injection flaw. Within 10 minutes gathered admins' md5 hash and then used it to manual cookie crafting (no need for cracking!). So i was able to get Wordpress installation admin level and from that it's trivial to move to php level. Specifically - first i modified ".htaccess" file with help of wordpress admin interface. In this way i declared, that ".txt" files will be parsed as php files. Then uploaded backdoor txt file with useful php code inside - using wordpess admin interface again. After getting php level it was painfully difficult to read main target phpbb config file, but still i succeeded (using some tricks). And after getting main target's DB credentials, mission was basically complete.
Conclusions - i got unauthorized access to phpbb and Vbulletin installations. Both of them were fully pathed with no known security holes. Still i was getting what i wanted Wink
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Apr 28, 2008 1:07 pm Reply with quote
Active user
Active user
Joined: Apr 14, 2008
Posts: 25

I did that a couple of times too !

sometimes is just simple as

print readfile("/www/docs/victim.com/public_html/config.php");

but other times is difficult as hell ..
View user's profile Send private message
PostPosted: Mon Apr 28, 2008 1:17 pm Reply with quote
Advanced user
Advanced user
Joined: Apr 13, 2005
Posts: 52

And nice way finding neighboors:)))

View user's profile Send private message
PostPosted: Tue Apr 29, 2008 4:58 am Reply with quote
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

oxygenne wrote:
And nice way finding neighboors:)))


Thank you for this http://gagspace.com/ip2vhost/ new for me.
View user's profile Send private message
PostPosted: Sun May 11, 2008 11:09 am Reply with quote
Active user
Active user
Joined: May 11, 2008
Posts: 37

Hi, noob here (fantastic place - well done). Very useful tools. The don't show shared sites running on the same IIS6 server mind you, Is there some other tool for that?
View user's profile Send private message
Phpbb 2.0.21 hackability?
  www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

 Post new topic  Reply to topic  

Powered by phpBB 2001-2008 phpBB Group

It book reviews
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.078 Seconds