lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040328185905.2126.qmail@www.securityfocus.com>
Date: 28 Mar 2004 18:59:05 -0000
From: JeiAr <security@...ftech.org>
To: bugtraq@...urityfocus.com
Subject: phpBB 2.0.8 Exploit




Hi guys,

 After playing around with the private message SQL injection issue on a forum that I admin I noticed that the exploit code posted in the authors post doesn't work correctly. Here is why:

Both the TO and FROM fields hold the username and md5 hash in his exploit. The problem is each field only is able to hold 25 bytes at most (at least on the forums I tested it, they were all 2.0.8). Well, MD5 hash is 32 bytes, so you may get what looks like a valid hash @ first glance, but it doesn't work as it is an incomplete hash. Below is an example that stores the username in the SUBJECT of the PM and the MD5 hash in the BODY of the PM. It was tested on a few versions with working results. Of course the user_id=2 can be replaced with whatever user_id someone wants.

/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*

Hope this helps :)

JeiAr


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ