Vulnerable Systems:
* phpBB version 2.0.5 and prior
Immune Systems:
* phpBB version 2.0.6
phpBB has a list of registered users. When you click on a member of this list, you request data from the database.
Example:
http://www.example.c...viewprofile&u=2
This URL shows the information for the user with uid = 2 (the uid is a number assigned to users in phpBB). The content of the 'u' variable isn't filtered for malicious content.
An attacker could inject arbitrary SQL commands into the system's database.
Example:
http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]
Vendor Status:
Upgrade to version 2.0.6 of phpBB, as the version is immune to this issue.
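An added example, not part of the original post and not phpBB's own code: one way to handle a numeric `u` parameter so that the value is validated as an integer and bound as a query parameter instead of being concatenated into the SQL string. The function names, the table layout and the in-memory SQLite database are assumptions made for illustration (PHP 7.1+ with pdo_sqlite).

```php
<?php
// Added example: hypothetical profile lookup, not phpBB source code.
// Table name, column names and sample rows are constructed.

/** Return the uid as an int, or null when the raw 'u' value is not a positive integer. */
function parse_uid($raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing values and array input (u[]=...) are rejected
    }
    $uid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

/** Look up one profile row; null means "rejected or no such user". */
function fetch_profile(PDO $db, $raw): ?array
{
    $uid = parse_uid($raw);
    if ($uid === null) {
        return null;
    }
    // The value travels as a bound integer parameter and never becomes SQL text.
    $stmt = $db->prepare('SELECT user_id, username FROM users WHERE user_id = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (user_id, username) VALUES (2, 'alice')");
$db->exec("INSERT INTO users (user_id, username) VALUES (3, 'bob')");

// '2' is the value from the first URL above; "'[sqlcode]" is the placeholder
// from the second URL; the remaining inputs are constructed edge cases.
foreach (['2', "'[sqlcode]", '', '-1', '99'] as $raw) {
    $row = fetch_profile($db, $raw);
    printf("u=%-14s => %s\n", var_export($raw, true),
        $row !== null ? $row['username'] : 'rejected or not found');
}
```

The validation step and the bound parameter are independent layers: either one alone keeps the `u` value out of the SQL text, and using both means a later change to one does not reopen the hole.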
phpBB SQL Injection Exploit
Started by boshcash, Nov 11 2003 06:40 AM
10 replies to this topic
#1
Posted 11 November 2003 - 06:40 AM
#2 Guest_aspfreakout_*
Posted 11 November 2003 - 11:33 AM
Seems to be limited to 25 characters
Couldn't think of any good sql code in less than 25 characters, but maybe that's because I got this huge headache
#3
Posted 19 December 2003 - 09:44 PM
cool exploit
#4
Posted 19 December 2003 - 11:39 PM
nice.......but does anyone have examples of commands that can be used?
#5 Guest_Armani_*
Posted 20 December 2003 - 12:18 PM
hmm, if it wouldn't be limited to 25 characters, it would be a cool exploit
#6 Guest_KillerLoo_*
Posted 26 February 2004 - 11:52 PM
I try it. Take a /etc/passwd. Give it 2 JTR. And have a shell from 1 user
)) After small sniffing have a root
))) But this is extremely rare! I think it's just a wonder
Love this small Japanese admin
))
#7
Posted 25 April 2004 - 04:18 AM
There's a cool script that can be injected in such a way that it can retrieve any member's password on that forum. It can even retrieve the admin's password, giving the attacker full access to the control panel of the forum.
I have had such an attack on my forum, and the malicious attacker changed my passwords etc., locking me out of my own forum.
The only good solution that exists for protecting your forum from such attacks is to get the newer version of phpBB or just move on to a better script like Invision boards, like the one GSO uses.
#8 Guest_eckan_*
Posted 13 June 2004 - 09:02 AM
That's really sloppy coding from the phpBB team :/
They must have lost a lot of respect for this one.
select * from users; would give you the hash of the password, no?
#9
Posted 23 June 2004 - 01:29 PM
does anyone have examples of commands that can be used on this version ?!
#10
Posted 25 June 2004 - 05:42 AM
yeah this sploit is very coool but i need an example too
so, please help me
#11 Guest_slipped_*
Posted 26 June 2004 - 12:11 PM
http://www.governmen...wtopic=9437&hl=
I posted this in the trial member forum I think. It is a different sql injection exploit and works with newer version.
I have provided example sql injection statements in that post.