www.waraxe.us Forum Index -> PhpBB -> phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit
PostPosted: Thu Jul 14, 2005 8:54 am
shai-tan (Valuable expert, joined Feb 22, 2005, 477 posts)

Wow, it's good to be back with this little gem here to greet me. This XSS cracks me up. Teach those dick heads over at phpBB.com a lesson...... I've never liked them much for unknown reasons. I always like it when the people "who know best" don't know best, even if it is threatening the security of thousands of forums.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Thu Jul 14, 2005 9:23 am
funnay (Beginner, joined Nov 26, 2004, 3 posts)

An unofficial temporary fix (but already widely tested) has been available at http://phpbb2.de since July 8.

Code:
#
#-----[ OPEN ]------------------------------------------
#
includes/bbcode.php

#
#-----[ FIND ]------------------------------------------
#
    // matches a xxxx://www.phpbb.com code..
    $patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // www.phpbb.com code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // phpBB code..
    $patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url4'];

#
#-----[ REPLACE WITH ]------------------------------------------
#
    // matches a xxxx://www.phpbb.com code..
    $patterns[] = "#\[url\]([\w]+?://[^ '`\"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // www.phpbb.com code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.(?![^ '`\"\n\r\t<]*?\[url)[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // phpBB code..
    $patterns[] = "#\[url=([\w]+?://[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url4'];

#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM

Cya
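As an added example (not code from the thread or from phpBB), the url1 and url3 patterns from the FIND and REPLACE WITH blocks above translated to Python and run over constructed BBCode inputs, to show which URLs each version hands to the link template; the patched character class rejects ' and `, which matters because IE treats ` like a double quote inside an attribute.

```python
import re

# Added example, not code from the thread or from phpBB: the [url] patterns from the
# FIND (2.0.16) and REPLACE WITH (fix) blocks, translated from PHP "#...#is" syntax.
# In the PHP double-quoted strings \" is a literal quote and \n \r \t are control
# characters, which is what the Python regexes below match as well.
FLAGS = re.I | re.S  # the PHP patterns use the i and s modifiers

BEFORE_FIX = {
    "url1": r"\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]",
    "url3": r"\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]",
}
# The fix adds ' and ` to the characters a URL may not contain. IE treats ` like "
# inside an attribute, so a URL carrying it could have closed the href="..." quoting.
AFTER_FIX = {
    "url1": r"\[url\]([\w]+?://[^ '`\"\n\r\t<]*?)\[/url\]",
    "url3": r"\[url=([\w]+?://[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]",
}
ATTRIBUTE_BREAKERS = "\"'`"  # characters that can end a quoted HTML attribute (` only in old IE)


def extract_url(patterns, bbcode):
    """Return the URL the first matching pattern would hand to the link template, or None."""
    for pattern in patterns.values():
        match = re.search(pattern, bbcode, FLAGS)
        if match:
            return match.group(1)
    return None


def compare(bbcode):
    """Show what each regex version lets through for one BBCode string."""
    before = extract_url(BEFORE_FIX, bbcode)
    after = extract_url(AFTER_FIX, bbcode)
    return {
        "before_fix": before,
        "after_fix": after,
        # True when the unpatched code would have put an attribute-breaking char into href
        "unsafe_before": before is not None and any(c in before for c in ATTRIBUTE_BREAKERS),
    }


# Constructed inputs: a normal link, a URL with a backtick, a URL with an apostrophe.
SAMPLES = [
    "[url]http://www.example.com/page?x=1[/url]",
    "[url]http://www.example.com/a`b[/url]",
    "[url=http://www.example.com/it's]link text[/url]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", compare(sample))
```

The url2 and url4 (www./ftp.) forms follow the same change and are left out only for brevity.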
PostPosted: Fri Jul 15, 2005 9:25 am
_daemon_ (Beginner, joined Jul 13, 2005, 4 posts, location: Greece)

waraxe posted that b4
PostPosted: Fri Jul 15, 2005 12:52 pm
_daemon_ (Beginner, joined Jul 13, 2005, 4 posts, location: Greece)

Finally I got a cookie.
Cookie: ***_data=a:2:{s:11:\"autologinid\";s:32:\"7e9f300935b4247b0408bf4eded39148\";s:6:\"userid\";i:5075;}; ***_sid=6ee05a04b68b344fa9037971ee2b5b16;
So 7e9f300935b4247b0408bf4eded39148 is the MD5 hash.
Anyone know why the cookie came up with slashes? The others above were clear... anyway, I'm trying to crack it atm.

Edit: BTW, apart from cracking the hash, can't someone use serialize() and use the cookie instead?

Edit 2: ***_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";s:4:\"2251\";}; ***_sid=96cce388d9d33160d6cdbbf348113538;
How is it possible to have a blank autologinid value although the exploit was inside a PM?
PostPosted: Fri Jul 15, 2005 3:01 pm
g30rg3_x (Active user, joined Jan 23, 2005, 31 posts, location: OutSide Of The PE)

You can try cookie poisoning to log in as the administrator...
you just have to get the userid and the MD5 hash of his password..

regards
PostPosted: Tue Jul 19, 2005 1:32 pm
dnegel666 (Beginner, joined Jul 19, 2005, 3 posts)

But why doesn't this exploit work with Mozilla? Only with IE?
PostPosted: Tue Jul 19, 2005 4:02 pm
g30rg3_x (Active user, joined Jan 23, 2005, 31 posts, location: OutSide Of The PE)

Simply...

Like it says in the original advisory, it's because:
IE treats ` as the equivalent of ", so that's why it only executes in IE and not in other engines like Mozilla/Gecko.

regards
PostPosted: Wed Jul 20, 2005 2:21 am
funnay (Beginner, joined Nov 26, 2004, 3 posts)

phpBB 2.0.17 released.

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=308490
PostPosted: Wed Jul 20, 2005 9:21 am
shai-tan (Valuable expert, joined Feb 22, 2005, 477 posts)

Lolz, I went on the phpbb.com forums the other day and complained about why those dicks hadn't brought out 2.0.17, saying how there was an XSS out there for 2.0.16; a few people got a look before it was deleted. :p

PostPosted: Fri Jul 22, 2005 12:08 am
kizkur (Regular user, joined Dec 04, 2004, 11 posts)

I have a problem.

I obtained the cookie, but his hash is not in it:

Code:
Cookie: phpbb2mysql_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";s:1:\"2\";}; phpbb2mysql_sid=0263b9415347120d90d0d001bad83e00; phpbb2mysql_t=a:6:{i:106;i:1121962541;i:120;i:1121962667;i:115;i:1121962734;i:121;i:1121962781;i:116;i:1121962817;i:117;i:1121962844;}
IP: xx.xxx.x.xxx
Date and Time: 21 July, 2005, 7:50 pm
Referer: http://www.site.com/privmsg.php?folder=inbox&mode=read&p=19

Why is his hash not in it???

thx
PostPosted: Fri Jul 22, 2005 8:40 am
dnegel666 (Beginner, joined Jul 19, 2005, 3 posts)

Because he didn't activate "Autologin next time", so the MD5 password isn't written to the cookie.
md5 hash...
PostPosted: Fri Jul 22, 2005 1:25 pm
Twist (Regular user, joined Jul 22, 2005, 6 posts)

I did all of the below perfectly, but when I get to this it seems really hard, I can't crack this MD5 hash...

3449e7927568c3eb60f4e4ca44047220

Can anyone get it for me? Thanks..
Re: md5 hash...
PostPosted: Fri Jul 22, 2005 2:38 pm
str0ke (Beginner, joined Jul 07, 2005, 4 posts)

Twist wrote:
I did all of the below perfectly, but when I get to this it seems really hard, I can't crack this MD5 hash...

3449e7927568c3eb60f4e4ca44047220

Can anyone get it for me? Thanks..


3449e7927568c3eb60f4e4ca44047220 Vikbil

/str0ke
PostPosted: Fri Jul 22, 2005 2:52 pm
Twist (Regular user, joined Jul 22, 2005, 6 posts)

How did you do it so fast? It had been cracking on my computer for 2 hours....
PostPosted: Fri Jul 22, 2005 3:04 pm
Twist (Regular user, joined Jul 22, 2005, 6 posts)

If you don't mind, can you do this one for me too?

4350cb13dd7edc683a58c9ddcedf3ca4

Thanks bro..
All times are GMT  
Page 4 of 8  