[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040328185905.2126.qmail@www.securityfocus.com>
Date: 28 Mar 2004 18:59:05 -0000
From: JeiAr <security@...ftech.org>
To: bugtraq@...urityfocus.com
Subject: phpBB 2.0.8 Exploit
Hi guys,
After playing around with the private message SQL injection issue on a forum that I admin I noticed that the exploit code posted in the authors post doesn't work correctly. Here is why:
Both the TO and FROM fields hold the username and md5 hash in his exploit. The problem is each field only is able to hold 25 bytes at most (at least on the forums I tested it, they were all 2.0.8). Well, MD5 hash is 32 bytes, so you may get what looks like a valid hash @ first glance, but it doesn't work as it is an incomplete hash. Below is an example that stores the username in the SUBJECT of the PM and the MD5 hash in the BODY of the PM. It was tested on a few versions with working results. Of course the user_id=2 can be replaced with whatever user_id someone wants.
/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*
Hope this helps :)
JeiAr
Powered by blists - more mailing lists