Thursday, April 24, 2014
HellBound Hackers | Computer General | Web hacking

Author

phpBB Group

Mr_Cheese




Posts: 2468
Location: Brighton, UK
Joined: 30.11.04
Rank:
Uber Elite
Posted on 08-11-05 20:05
ok, let's say someone has admin access to a phpBB Group forum 2.0.11

how would one be able to:
- view database details
- upload a php file.

this someone has tried:
- viewtopic.php "highlight" exploit
- browsing around everywhere in the admin panel
- trying to inject php <script> into threads / admin panel

problem is, phpBB Group doesn't allow attachments in the forums.

any help would be greatly appreciated.


http://www.hellboundhackers.org/
Author

RE: phpBB Group


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 08-11-05 20:17
Hmmm lol, I read something about this today, I'll have a look in my history *runs off to check*... ooo that was for vBulletin :s soz


Author

RE: RE:php


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 08-11-05 20:17
seems like u know this person very well he he, how did u get all these details Pfft he he


Author

RE: phpBB Group


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 09-11-05 12:14
phpBB suxs... but try it this way.. make a database backup and try to open it up.. just a guess of it working :)


Author

RE: phpBB Group

Mr_Cheese




Posts: 2468
Location: Brighton, UK
Joined: 30.11.04
Rank:
Uber Elite
Posted on 09-11-05 17:11
this person has a database backup.

except in this, it doesn't have any database details. all the possible hashes have been cracked with a 200 MB dictionary. Sadly the admins' hashes haven't been cracked + they don't use the same pass for everything.

so, this person is still stuck, on how to get the database details, and more importantly, how to upload a file.


http://www.hellboundhackers.org/
Author

RE: phpBB Group


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 09-11-05 17:34
I think u should use export functions.. but I have never seen the 2.0.11 admin panel... in 8 it does


Author

RE: phpBB Group

n3w7yp3
Member


Posts: 358
Location: USA
Joined: 19.03.05
Rank:
Moderate
Posted on 09-11-05 18:01
Mr_Cheese: well, I would recommend that this said person subscribe to Bugtraq, vuln-dev and Full Disclosure. there were 2 recent exploits released for phpBB. the older one is an SQL injection that allows any user to become admin instantly. the other will let admins run commands on the server with the UID of the HTTPd (possibly Apache?).

anyways, I hope this person has a good hack ;)


"Root is a state of mind" -- K0resh
Author

RE: phpBB Group

Mr_Cheese




Posts: 2468
Location: Brighton, UK
Joined: 30.11.04
Rank:
Uber Elite
Posted on 09-11-05 18:21
n3w7yp3 wrote:
Mr_Cheese: one is an SQL injection that allows any user to become admin instantly.


not a problem, this person already has admin access. but i'll look into the running server commands one.


http://www.hellboundhackers.org/