I tried this exploit on a lot of websites; I'd say I hit about a 50% success rate in getting the admin hash.
Note that this was discovered in November of last year, but a lot of sites are still open to it.
The phpBB Search SQL injection notes:
http://www.securityfocus.com/archive/1/345937
You can test if your site is vuln by typing in <your url>/forum/search.php?search_id=1 OR blah=blah. If this raises an SQL error, your site may be vuln. A patched version should return "There were no results to your search".
Special note for anyone trying this out: the hex chars actually build the SQL table queries. By default it uses the first post on the site, which could have been deleted. I had much more success changing the 33rd character (after copying the string from the word "search.php" onward) to 50 or 51, to get the second or third post (so you would have 34,50,34 or 34,51,34 in ASCII). So just because it doesn't seem to work out of the box doesn't mean you aren't vuln.
So far I've got a list of 5 websites that were vuln. Just search Google for "phpBB". I found that most phpBB 2.0.4 through 2.0.6 are all vuln, unless they have an older MySQL database. On 3 of the sites I managed to crack the password hash with JTR in conjunction with KMD5. On the others I was still able to log in by enabling autologin and editing my cookie file.
Here is the link to the fix:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=153818
-niko
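The probe niko describes (an SQL error from `search_id=1 OR blah=blah` on a vulnerable board, "no results" on a patched one) comes down to how search.php handles an integer query parameter. The following is an added example, not phpBB's code and not from the post: it models the two behaviours against an in-memory SQLite table so the difference can be run offline. The table name, column names, sample rows and the intval-style integer cast used as the "patched" path are assumptions chosen for the demo.

```python
"""Added example: model of a search_id lookup, vulnerable vs. patched (not phpBB code)."""
import re
import sqlite3


def make_db():
    """Constructed sample data: a saved-search table with one row per session (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_search_results "
        "(search_id INTEGER, session_id TEXT, search_array TEXT)"
    )
    conn.executemany(
        "INSERT INTO phpbb_search_results VALUES (?, ?, ?)",
        [(1, "sess-admin", "3,7"), (2, "sess-guest", "9")],
    )
    return conn


def lookup_vulnerable(conn, search_id, session_id):
    """Vulnerable pattern: the raw query-string value is concatenated into the SQL text.

    With search_id = "1 OR blah=blah" the WHERE clause references a column that does
    not exist, so the database raises an error (the symptom the post uses as a probe).
    With search_id = "1 OR 1=1" the session check is bypassed and other sessions' rows
    come back, because AND binds tighter than OR.
    """
    sql = (
        "SELECT search_array FROM phpbb_search_results "
        f"WHERE search_id = {search_id} AND session_id = '{session_id}'"
    )
    return conn.execute(sql).fetchall()


def intval(value):
    """Assumed fix semantics: PHP-style intval(), i.e. leading integer prefix or 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def lookup_patched(conn, search_id, session_id):
    """Patched pattern: coerce search_id to an integer and bind both values as parameters."""
    sid = intval(search_id)
    return conn.execute(
        "SELECT search_array FROM phpbb_search_results "
        "WHERE search_id = ? AND session_id = ?",
        (sid, session_id),
    ).fetchall()


def probe(lookup, search_id, session_id="sess-guest"):
    """Run one lookup on fresh sample data and classify the outcome the way the post does:
    'sql_error' (likely vulnerable), 'no_results' (patched behaviour) or 'results'."""
    conn = make_db()
    try:
        rows = lookup(conn, search_id, session_id)
    except sqlite3.Error:
        return "sql_error"
    finally:
        conn.close()
    return "results" if rows else "no_results"


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("patched", lookup_patched)):
        print(name, "search_id=2            ->", probe(fn, "2"))
        print(name, "search_id=1 OR blah=blah ->", probe(fn, "1 OR blah=blah"))
        print(name, "search_id=1 OR 1=1     ->", probe(fn, "1 OR 1=1"))
```

The `1 OR 1=1` case is the one that matters for the hash theft the post talks about: on the vulnerable path the guest session reads the admin session's row, while the patched path reduces the input to the integer 1 and returns nothing for a session that does not own it.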