Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
  #1  
Old 02-23-2002, 04:48 AM
TECK's Avatar
TECK TECK is offline
 
Join Date: Nov 2001
Location: Canada
Posts: 4,182
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

ok, today i helped ptbyjason to take control again over his hacked board.
https://vborg.vbsupport.ru/showthrea...threadid=35339

while playing, i discovered a way to add myself as admin to any VB board, if i'm able to call the path from the server. FireFly, i want to email you the php file i made. email me so i can send you the file and you can look at it.

the solution is to change the permissions for the admin folder in a way that if any file is called from outside of the server, to display a show_nopermission error message.

UPDATE:
in /admin/config.php add this code, at the top:
PHP Code:
if(!strstr("$_SERVER[PATH_TRANSLATED]""$_SERVER[DOCUMENT_ROOT]")) {
  die();

that should prevent to run a script from outside your server. thanks PPN.
Reply With Quote
  #2  
Old 02-23-2002, 08:55 AM
TECK's Avatar
TECK TECK is offline
 
Join Date: Nov 2001
Location: Canada
Posts: 4,182
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

try this:

make a info.php file with the code listed below and place it in your root:
PHP Code:
<?php

phpinfo
();

?>
i wonder if it is extremly easy to find out what is someone's path and manipulate his(her) board. what i can do, is make a directory for dynamic content (let's call it "dynamic"), and put in an .htaccess file that has the line:
PHP Code:
ForceType application/x-httpd-php 
in it. this will force all accesses from that directory to be processed as a PHP script. then I can just write a PHP script called, say, script (note, not script.php, just script), so if i call the path:
PHP Code:
http://domain.com/dynamic/script/this/is/all/fake/path/ 
after i call that path, i can check the variable $REQUEST_URI in PHP and strip off everything after /dynamic/script/, and that is the information i want...

you know what? all this info i found it on google.com.
Reply With Quote
  #3  
Old 02-23-2002, 09:33 AM
Scott MacVicar Scott MacVicar is offline
 
Join Date: Oct 2001
Location: Glasgow, Scotland
Posts: 1,199
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

nakkid, email it to me and I'll look at it straight away. I don't think you can do this without FTP access though, and if mysql is setup correctly you shouldn't be able to access it via another server.
Reply With Quote
  #4  
Old 02-23-2002, 09:34 AM
Lesane's Avatar
Lesane Lesane is offline
 
Join Date: Oct 2001
Location: The Netherlands
Posts: 1,149
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I also think that this is not possible without uploading a file into that ftp account.....
Reply With Quote
  #5  
Old 02-23-2002, 09:40 AM
TECK's Avatar
TECK TECK is offline
 
Join Date: Nov 2001
Location: Canada
Posts: 4,182
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

hmm how do you explain the problem ptbyjason had? the hacker didnt have access as admin to his board.. he did it from another server!! we need to change the permissions.. is a fact. read the post where i helped jason...
Reply With Quote
  #6  
Old 02-23-2002, 09:51 AM
TECK's Avatar
TECK TECK is offline
 
Join Date: Nov 2001
Location: Canada
Posts: 4,182
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

ok, i emailed you the script PPN... do you know a way to don't let any file be called from outside of /admin dir? let me know. i'm not good with permissions.
Reply With Quote
  #7  
Old 02-23-2002, 09:55 AM
Scott MacVicar Scott MacVicar is offline
 
Join Date: Oct 2001
Location: Glasgow, Scotland
Posts: 1,199
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If he had access on the server, if it was a shared server? Then yes this happens, there is nothing that can be done about this if the permissions are not set correctly by the host then other users can read other users files.
Reply With Quote
  #8  
Old 02-23-2002, 09:58 AM
TECK's Avatar
TECK TECK is offline
 
Join Date: Nov 2001
Location: Canada
Posts: 4,182
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

i know i read somewhere about this type of permission, not to let call a script from outside the domain. that's where i need to focus on.. this is where the problem resides..
Reply With Quote
  #9  
Old 02-23-2002, 10:00 AM
Scott MacVicar Scott MacVicar is offline
 
Join Date: Oct 2001
Location: Glasgow, Scotland
Posts: 1,199
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Simpliest way to do something like this is use

PHP Code:
if(!strstr("$_SERVER[PATH_TRANSLATED]""$_SERVER[DOCUMENT_ROOT]")) {
die();

If the document root path is not found in the script filename path then exit the script. This means the script would have to had been executed above the users document root, so if you have /home/username/public_html then the script would have had to be executed in any of these folders. You can add this to the top of config.php but I don't see a point personally.
Reply With Quote
  #10  
Old 02-23-2002, 10:07 AM
TECK's Avatar
TECK TECK is offline
 
Join Date: Nov 2001
Location: Canada
Posts: 4,182
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

ok. can you make a quick hack? so we all can add it to the /admin folder? thanks.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 07:59 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04257 seconds
  • Memory Usage 2,260KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (5)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete