Waraxe IT Security Portal
phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit
PostPosted: Thu Jul 14, 2005 8:54 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Wow, it's good to be back with this little gem here to greet me. This XSS cracks me up. Teach those dick heads over at phpBB.com a lesson...... I've never liked them much, for unknown reasons. I always like it when the people "who know best" don't know best, even if it is threatening the security of thousands of forums.

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
PostPosted: Thu Jul 14, 2005 9:23 am
funnay
Beginner
Joined: Nov 26, 2004
Posts: 3

An unofficial temporary fix (already widely tested) has been available at http://phpbb2.de since July 8.

Code:
#
#-----[ OPEN ]------------------------------------------
#
includes/bbcode.php


#
#-----[ FIND ]------------------------------------------
#
// matches a xxxx://www.phpbb.com code..
$patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];

// www.phpbb.com code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];

// phpBB code..
$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];

// code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];


#
#-----[ REPLACE WITH ]------------------------------------------
#
// matches a xxxx://www.phpbb.com code..
$patterns[] = "#\[url\]([\w]+?://[^ '`\"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];

// www.phpbb.com code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.(?![^ '`\"\n\r\t<]*?\[url)[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];

// phpBB code..
$patterns[] = "#\[url=([\w]+?://[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];

// code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];



#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM

Cya
PostPosted: Fri Jul 15, 2005 9:25 am
_daemon_
Beginner
Joined: Jul 13, 2005
Posts: 4
Location: Greece

waraxe posted that before.
PostPosted: Fri Jul 15, 2005 12:52 pm
_daemon_
Beginner
Joined: Jul 13, 2005
Posts: 4
Location: Greece

Finally I got a cookie.
Cookie: ***_data=a:2:{s:11:\"autologinid\";s:32:\"7e9f300935b4247b0408bf4eded39148\";s:6:\"userid\";i:5075;}; ***_sid=6ee05a04b68b344fa9037971ee2b5b16;
so 7e9f300935b4247b0408bf4eded39148 is the md5 hash.
Does anyone know why the cookie came up with slashes? The others above were clear... anyway, I'm trying to crack it atm.

Edit: BTW, apart from cracking the hash, can't someone use serialize() and use the cookie instead?

Edit 2: ***_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";s:4:\"2251\";}; ***_sid=96cce388d9d33160d6cdbbf348113538;
How is it possible to have a blank autologinid value although the exploit was inside a PM?
PostPosted: Fri Jul 15, 2005 3:01 pm
g30rg3_x
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

You can try cookie poisoning to log in as the administrator...
You just have to get the userid and the md5 hash of his password..

regards
PostPosted: Tue Jul 19, 2005 1:32 pm
dnegel666
Beginner
Joined: Jul 19, 2005
Posts: 3

But why doesn't this exploit work with Mozilla? Only with IE?
PostPosted: Tue Jul 19, 2005 4:02 pm
g30rg3_x
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

Simply...

Like it says in the original advisory, it's because:
IE treats ` as equivalent to ", so it only executes in IE and not in other engines like Mozilla/Gecko.

regards
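As an added example (not from the thread, phpBB or phpbb2.de), the url1/url2 patterns from funnay's MOD above are ported from PHP's PCRE to Python's re and run over constructed bbcode input to show what the fix actually changes: a URL carrying a backtick, which IE treats like a double quote as g30rg3_x notes, no longer becomes a link, and the url2 lookahead refuses a nested [url. The link template is an assumption standing in for $bbcode_tpl.

```python
import re

# The "before" and "after" url1/url2 patterns from the phpbb2.de MOD, ported from
# PHP PCRE "#...#is" to Python re. Assumption: the character classes and the
# lookahead carry over unchanged; the i/s modifiers become re.I | re.S.
FLAGS = re.I | re.S
URL1_BEFORE = r"\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]"
URL1_AFTER = r"\[url\]([\w]+?://[^ '`\"\n\r\t<]*?)\[/url\]"
URL2_BEFORE = r"\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]"
URL2_AFTER = r"\[url\]((www|ftp)\.(?![^ '`\"\n\r\t<]*?\[url)[^ \"\n\r\t<]*?)\[/url\]"

# Stand-in for $bbcode_tpl['url1'] / ['url2'] (assumption: phpBB's own template
# differs in detail, but it also drops the captured text straight into href="...").
LINK_TEMPLATE = '<a href="{url}" target="_blank">{url}</a>'


def render(bbcode: str, pattern: str) -> str:
    """Apply one [url] pattern the way bbcode.php does with preg_replace:
    every match becomes a link; text that does not match is left untouched."""
    return re.sub(pattern, lambda m: LINK_TEMPLATE.format(url=m.group(1)),
                  bbcode, flags=FLAGS)


def accepted(bbcode: str, pattern: str) -> bool:
    """True when the pattern would turn this [url] tag into a link."""
    return re.search(pattern, bbcode, FLAGS) is not None


# Constructed inputs: a benign link, one with a backtick in the URL, and one
# with a nested [url that the url2 lookahead is there to refuse.
PLAIN = "[url]http://example.com/page[/url]"
BACKTICK = "[url]http://example.com/a`b[/url]"
NESTED = "[url]www.example.com/x[url]y[/url]"

if __name__ == "__main__":
    # Benign input renders identically before and after the fix.
    print(render(PLAIN, URL1_BEFORE) == render(PLAIN, URL1_AFTER))
    # The old pattern places the backtick inside href="..."; the fixed one
    # leaves the whole tag as plain text instead.
    print(render(BACKTICK, URL1_BEFORE))
    print(render(BACKTICK, URL1_AFTER) == BACKTICK)
    # The url2 lookahead refuses a second [url inside the address.
    print(accepted(NESTED, URL2_BEFORE), accepted(NESTED, URL2_AFTER))
```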
PostPosted: Wed Jul 20, 2005 2:21 am
funnay
Beginner
Joined: Nov 26, 2004
Posts: 3

phpBB 2.0.17 released.

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=308490
PostPosted: Wed Jul 20, 2005 9:21 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Lolz, I went on the phpbb.com forums the other day and complained about why those dicks hadn't brought out 2.0.17, saying how there was an XSS out there for 2.0.16; a few people got a look before it was deleted. :p

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
PostPosted: Fri Jul 22, 2005 12:08 am
kizkur
Regular user
Joined: Dec 04, 2004
Posts: 11

I have a problem.

I obtain the cookie, but it doesn't have the hash:

Code:
Cookie: phpbb2mysql_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";s:1:\"2\";}; phpbb2mysql_sid=0263b9415347120d90d0d001bad83e00; phpbb2mysql_t=a:6:{i:106;i:1121962541;i:120;i:1121962667;i:115;i:1121962734;i:121;i:1121962781;i:116;i:1121962817;i:117;i:1121962844;}
IP: xx.xxx.x.xxx
Date and Time: 21 July, 2005, 7:50 pm
Referer: http://www.site.com/privmsg.php?folder=inbox&mode=read&p=19


Why isn't the hash there???

thx
PostPosted: Fri Jul 22, 2005 8:40 am
dnegel666
Beginner
Joined: Jul 19, 2005
Posts: 3

Because he didn't activate "Autologin next time", so the MD5 password isn't written to the cookie.
md5 hash...
PostPosted: Fri Jul 22, 2005 1:25 pm
Twist
Regular user
Joined: Jul 22, 2005
Posts: 6

I did all of the below perfectly, but then when I get to this it seems really hard; I can't crack this md5 hash...

3449e7927568c3eb60f4e4ca44047220

Can anyone get it for me? Thanks..
Re: md5 hash...
PostPosted: Fri Jul 22, 2005 2:38 pm
str0ke
Beginner
Joined: Jul 07, 2005
Posts: 4

Twist wrote:
I did all of the below perfectly, but then when I get to this it seems really hard; I can't crack this md5 hash...

3449e7927568c3eb60f4e4ca44047220

Can anyone get it for me? Thanks..


3449e7927568c3eb60f4e4ca44047220 Vikbil

/str0ke
PostPosted: Fri Jul 22, 2005 2:52 pm
Twist
Regular user
Joined: Jul 22, 2005
Posts: 6

How did you do it so fast? It had been cracking on my computer for 2 hours....
PostPosted: Fri Jul 22, 2005 3:04 pm
Twist
Regular user
Joined: Jul 22, 2005
Posts: 6

If you don't mind, can you do this one for me too?

4350cb13dd7edc683a58c9ddcedf3ca4

Thanks bro..
All times are GMT
Page 4 of 8