Hacking Internet Forums

#1 matiano

  • Private First Class
  • Group: Members
  • Posts: 59
  • Joined: 21-September 03

Posted 18 July 2005 - 05:28 PM

Hello,

Is it possible to hack PHP forums without exploits, for example by cracking the cookies?

regards,
matiano
0

#2 myth

  • Master Sergeant
  • Group: Members
  • Posts: 408
  • Joined: 09-January 04

Posted 18 July 2005 - 05:39 PM

I SHOULD HOPE NOT!

If by exploits you're referring to XSS, SQL Injection etc, then the only other method would be local access and social engineering. Hacking is a way of mind - thinking outside the box...

Using, for example, man in the middle attacks, DNS poisoning, key loggers, exploits in the admin's computer, working at their ISP etc are other methods...

However, A LOT of effort goes into the security of PHP forums, and all forums for that matter... but hacking isn't about breaking into forums, hacking is about learning a new side of security. Don't spend your time trying to hack someone's phpnuke site - it's too tardistic
0

#3 Kenny

  • Commander In Chief
  • Group: Admin
  • Posts: 6,447
  • Joined: 18-August 06

Posted 18 July 2005 - 05:41 PM

It's possible to hack any forum if you obtain the right cookies... you don't need to crack the cookie... all you have to do is spoof your way in using the cookie and some Liveheader tool like Firefox, Mozilla plugins.

Here is an example of how I spoofed my way in to XMB forums a few years back.

I wrote a paper about it.... here it is in full... this is one method I used.

Nowadays there are a few more options... ok, I used a vulnerable file path disclosure method... still, it wasn't classed as a true exploit.... like the phpbb's floating about today

Quote

XMB 1.6 FORUM EXPLOIT ANALYSIS
By
ComSec

Date: 1/12/02

A few months ago, while searching Google, I came across a post about rumours of some xmb 1.6 forum exploits posted in some forum thread, but left it until a few weeks ago, when I got around to it again.

So a little investigation was required, and also tools (if any) to work with the exploit. First, details about the exploit.

First I did a search of Google for: powered by xmb 1.6, which resulted in many pages for me to target.

Typical forum link as follows:: Example

http://www.target.com/forum/index.php

next the Exploit: Replace the...... index.php

with: index_log.log ......like so

http://www.target.co...m/index_log.log

If all went well, you should now have a list of the log files with the xmbuser name and xmbpass cookies.

Example:

xmbuser=Admin and xmbpass=gts5643hvi0356748886sp

The password is hashed using md5 (a one way encryption algorithm, so you can't 'decrypt' it), but all you need to do is spoof the admin's cookie using this hash.

If you really wanted to, you could fire up JTR and brute force the password; this would be useful if you suspected the admin was a dummy and used the same password for everything (many do).

If you look around the site you will most likely find the admin's name (usually the first member). Also, I found several references to two programs in forums that are used for this specific exploit, one called Chigger and the other Chigpet. I know the site they are on, but won't publish it... Sorry.... it's up to you to search for them....

Load the exploit url into Chigpet (ie) http://www.target.co...m/index_log.log

This will then reveal user name and pass cookies. You're more likely to find the admin's at the end of the file download, so scroll down and search from the bottom up. Once the target has been found, it's time to run Chigger.

IMPORTANT
Configure your IE browser proxy settings to 127.0.0.1 port 8080, or whatever your proxy runs on

Chigger

Tick the Impersonation Active! ....ok
Admin`s Name :Admin
Admin`s Pass: gts5643hvi0356748886sp

Tick.... Use web proxy

Proxy Address : 195.200.135.xxx (whatever)
Proxy Port : 8080 (whatever)

That's it....easy

Now it's time to reload the main forum page in Internet Explorer

http://www.target.com/forum/index.php

you should now be logged in as Admin with full Control of the forum....

PLEASE no ScriptKiddie Shit....please respect the owner and its members and help them or notify them of a FIX, you have proved a point, no need to mess things up

HOW TO FIX:

Open up Notepad and put the following in :

<Files index_log.log>
order allow,deny
deny from all
</Files>

<Files cplogfile.log>
order allow,deny
deny from all
</Files>

When you go to save it, use All Files as the file type, not as a txt file. Save the file as .htaccess and upload it to your XMB main directory and you're set.

Or alternatively:

Choose a new filename that you will use for the logfiles. This has to remain consistent throughout the changes.

Open the files index_add.php and rawlogs.php, then perform a search for index_log.log in these files, replacing each instance with the new filename you chose.

Rename index_log.log on your server to this new name.

Upload the new copies of index_add.php and rawlogs.php.

Have all administrators and moderators change their passwords immediately, in case anyone has already obtained a copy of your index_log.log file.

This will fix the problem until ....Something new turns up, lol

Exploit Examples:

NO DAMAGE was done to these sites; they were randomly selected, just testing the theory, notified admins.

3 attempts, 3 exploited, 100%

To be added once they have fixed the problem, so as not to be targeted again by some of you web crushers.

ComSec aka...

thanks to ST for the extra bits ;)

Kenny aka ComSec

Please read the Forum Rules !!!

Blog

" http://kaltech.blogspot.com/ "

______________________
0
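Added example, not part of the thread or of XMB: a Python check a forum admin could run over the web server's access log to see whether index_log.log or cplogfile.log was ever actually served, which decides whether the password change advised in the fix is needed. The Apache common/combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Log files named in the fix above; if the log was renamed (the alternative
# fix), add the new name here.
SENSITIVE = {"index_log.log", "cplogfile.log"}

# Prefix shared by Apache common and combined log formats (assumed format).
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def classify(status):
    """Map an HTTP status to what it means for the exposed log file."""
    if status in (200, 206, 304):   # body sent, or client already holds a copy
        return "served"
    if status in (401, 403):        # the <Files> deny rule is doing its job
        return "blocked"
    return "other"                  # e.g. 404 after the file was renamed

def audit(lines):
    """Group requests for the sensitive files by outcome."""
    report = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string and decode %xx so encoded names still match.
        path = unquote(urlsplit(m["target"]).path)
        if path.rsplit("/", 1)[-1].lower() not in SENSITIVE:
            continue
        report[classify(int(m["status"]))].append((m["host"], m["time"], path))
    return dict(report)

def needs_password_reset(report):
    """True if any client ever received one of the log files."""
    return bool(report.get("served"))

# Constructed sample lines (documentation IP ranges, made-up sizes and times).
SAMPLE = [
    '198.51.100.7 - - [12/Jan/2002:10:01:44 +0000] "GET /forum/index.php HTTP/1.0" 200 8123',
    '198.51.100.7 - - [12/Jan/2002:10:02:10 +0000] "GET /forum/index_log.log HTTP/1.0" 200 48211',
    '203.0.113.9 - - [13/Jan/2002:08:15:02 +0000] "GET /forum/index%5Flog.log HTTP/1.0" 403 291',
    '203.0.113.9 - - [13/Jan/2002:08:15:09 +0000] "GET /forum/cplogfile.log HTTP/1.0" 403 291',
    '192.0.2.44 - - [13/Jan/2002:09:00:00 +0000] "GET /forum/index_log.log HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for outcome, hits in result.items():
        print(outcome, hits)
    print("reset passwords:", needs_password_reset(result))
```

A "served" entry dated before the .htaccess went in means the cookie hashes in the log should be treated as disclosed; only "blocked" entries afterwards confirm the rule is being applied.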

#4 matiano

  • Private First Class
  • Group: Members
  • Posts: 59
  • Joined: 21-September 03

Posted 18 July 2005 - 06:25 PM

Thx guys :),

btw... are there other ways to find out (without looking at the HTML source code) which board software a forum site uses?

because sometimes careful forum mods delete the board software entries in the HTML source code!

edit:
I'm using the liveheader tool from Firefox; there I can only see X-Powered-By: PHP/4.3.3 ... is there a vulnerability?

regards,
matiano
0

#5 Kenny

  • Commander In Chief
  • Group: Admin
  • Posts: 6,447
  • Joined: 18-August 06

Posted 18 July 2005 - 07:33 PM

Now you're pushing your luck..... try searching places like bugtraq, securitytracker, secunia etc

topic locked !!
Kenny aka ComSec
0