I know it's 6 months old... but it gives you an idea of how to protect your forum from attacks like this by configuring .htaccess rules.
| QUOTE |
================================================
XMB 1.6 FORUM EXPLOIT ANALYSIS
By ComSec
Date: 1/12/02

A few months ago, while searching Google, I came across a post about rumours of some XMB 1.6 forum exploits posted in some forum thread, but left it until a few weeks ago when I got around to it again. So a little investigation was required, also tools (if any) to work with the exploit.

First, details about the exploit.

First I did a search of Google for: powered by xmb 1.6, which resulted in many pages for me to target. Typical forum link as follows:

Example: http://www.target.com/forum/index.php

Next the exploit: replace the index.php with index_log.log, like so:

http://www.target.com/forum/index_log.log

If all went well you should now have a list of the log files with the xmbuser name and xmbpass cookies.

Example: xmbuser=Admin and xmbpass=gts5643hvi0356748886sp

The password is hashed using MD5 (a one-way encryption algorithm, so you can't 'decrypt' it), but all you need to do is spoof the admin's cookie using this hash. If you really wanted to you could fire up JTR and brute force the password; this would be useful if you suspected the admin was a dummy and used the same password for everything (many do). If you look around the site you will most likely find the admin's name (usually the first member). Also I found several references to two programs in forums that are used for this specific exploit, one called Chigger and the other Chigpet. I know the site they are on, but won't publish it... Sorry... it's up to you to search for them...

Load the exploit URL into Chigpet, i.e. http://www.target.com/forum/index_log.log. This will then reveal user name and pass cookies; you're more likely to find the admin's at the end of the file download, so scroll down and search from the bottom up. Once the target has been found it's time to run Chigger.

IMPORTANT: Configure your IE browser proxy settings to 127.0.0.1 port 8080, or whatever your proxy runs on.

Chigger:
Tick the Impersonation Active! ...ok
Admin's Name: Admin
Admin's Pass: gts5643hvi0356748886sp
Tick... Use web proxy
Proxy Address: 195.200.135.xxx (whatever)
Proxy Port: 8080 (whatever)

That's it... easy. Now it's time to reload the main forum page in Internet Explorer, http://www.target.com/forum/index.php. You should now be logged in as Admin with full control of the forum...

PLEASE no ScriptKiddie shit... please respect the owner and its members and help them or notify them of a FIX. You have proved a point, no need to mess things up.

HOW TO FIX:

Open up Notepad and put the following in:

    <Files index_log.log>
    order allow,deny
    deny from all
    </Files>
    <Files cplogfile.log>
    order allow,deny
    deny from all
    </Files>

When you go to save it, use All Files as the file type, not as a txt file. Save the file as .htaccess and upload it to your XMB main directory and you're set.

Or alternatively: choose a new filename that you will use for the logfiles. This has to remain consistent throughout the changes. Open the files index_add.php and rawlogs.php, then perform a search for index_log.log in these files, replacing each instance with the new filename you chose. Rename index_log.log on your server to this new name. Upload the new copies of index_add.php and rawlogs.php. Have all administrators and moderators change their passwords immediately, in case anyone has already obtained a copy of your index_log.log file.

This will fix the problem until... something new turns up, lol.

Exploit Examples: NO DAMAGE was done to these sites, they were randomly selected, just testing the theory, notified admins. 3 attempts, 3 exploited, 100%. To be added once they have fixed the problem, so as not to be targeted again by some of you web crushers.

ComSec aka... ZSL
Thanks to ST for the extra bits |
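As an added example (not part of the quoted post), the same deny rule written so it works on both the legacy Apache 2.2 directives used above and the Apache 2.4 mod_authz_core syntax, and widened with FilesMatch so every .log file in the forum directory is covered, not only the two named. It assumes Apache with .htaccess overrides enabled for the directory (AllowOverride Limit or AuthConfig).

```apache
# Added example .htaccess for the XMB forum directory (assumed layout,
# not the original post's own rules). Blocks web access to any *.log
# file, so index_log.log and cplogfile.log are covered along with any
# other log the forum or its plugins may write here.
<FilesMatch "\.log$">
    # Apache 2.4 and later: mod_authz_core is present
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with only mod_access_compat loaded)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After uploading, request one of the log URLs in a browser and confirm the server answers 403 Forbidden rather than serving the file; if the contents still appear, AllowOverride is not permitting the directives and the rule belongs in the main server configuration instead.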