Phpbb Sql Injection Password, disclosure Exploit #!/usr/bin/perl -w # # # phpBB password disclosure vuln. # - rick patel # # There is a sql injection vuln which exists in / file. The variable is $topic_id # which gets passed directly to sql server in query. Attacker could pass a special sql string which # can used to see md5 password hash for any user (!) for phpBB. This pass can be later used with # autologin or cracked using john. # # Details: # # this is checking done for $topic_id in : # # if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]). | Phpbb Sql Injection Password disclosure Exploit usr bin perl -w phpBB password disclosure vuln. - rick patel There is a sql injection vuln which exists in file. The variable is topic_id which gets passed directly to sql server in query. Attacker could pass a special sql string which can used to see md5 password hash for any user for phpBB. This pass can be later used with autologin or cracked using john. Details this is checking done for topic_id in if isset HTTP_GET_VARS POST_TOPIC_URL _ _ topic_id intval HTTP_GET_VARS POST_TOPIC_URL else if isset HTTP_GET_VARS topic _ topic_id intval HTTP_GET_VARS topic ok. no else statement at end now if GET view newest and GET sid is set this query gets executed sql SELECT FrOm . POSTS_TaBLE . p . SESSIONS_TABLE . s . USERS_TABLE . u WHERE session_id AND AND topic_id AND ORDER BY ASC LIMIT 1 topic_id gets passed directy to query. So how can we use this to do something important Well I decided to use union and create a second query will get us something useful. There were couple of problems i ran into. first phpBB only cares about the first row returned. second the select for first query is which is int so int becomes the type returned for any other query in union. third there is rest of junk at end AND . We tell mysql to ignore that by placing at end of our injected query. So what query can we make that returns only int this one select ord substring user_password index 1 from phpbb_users where user_id uid Then all we have to do is query 32 times which index from 1-32 and we get ord value of all chars of md5 hash password. I have only tested this with mysql 4 and pgsql . Mysql does not support unions so you would have to tweak the query to do anything useful. This script is for educational purpose only. Please dont use it to do .