phpBB forum hacking

Researching, Proof of Concepts, Hacking, Console Modding and Hacking and more. No game hacking / modding here.

phpBB forum hacking

Postby Koppara » Thu Oct 08, 2015 2:54 pm

Hello,
is it nowadays possible to hack phpBB forums? I have searched a lot but I haven't found any working hack. Is it possible to get all the the topics that are locked for me (ex. i can see rank all topics to rank 2, but there are topics up to rank 9 etc.) and is it possible to hack others account in the forum, like getting pws etc.

If these are possible, could you guys please teach?

Thank you!
Koppara
Newbie..
Newbie..
 
Posts: 14
Joined: Thu Oct 30, 2014 3:19 pm

Re: phpBB forum hacking

Postby Koppara » Thu Oct 08, 2015 2:55 pm

Koppara
Newbie..
Newbie..
 
Posts: 14
Joined: Thu Oct 30, 2014 3:19 pm

Re: phpBB forum hacking

Postby XaneXXXX » Thu Oct 08, 2015 7:44 pm

Everything is possible, You just need to find a way.

I'm not good with website hacking at all. But i would try and find the admin panel (if it is there). Some websites has like blabla.com/Admin/phpmyadmin or similar.

Then just bruteforce the password using Hydra or another program. If i didn't find an admin panel i would launch burpsuite and try finding exploits.

You could also try with packet editing. I have no idea if it will work on that site. But worth a shot.
User avatar
XaneXXXX
Moderator
Moderator
 
Posts: 114
Joined: Sun May 08, 2011 11:19 pm
Location: Dark Zone

Re: phpBB forum hacking

Postby Sethioz » Fri Oct 09, 2015 3:29 am

Don't think there are any public exploits. i've been running phpbb myself for like 10 years and haven't had any issues, even tho kids try almost every day.
bruteforcing .. you can forget it. 99% of website systems will lock you out and over network it would take years to bruteforce a simple pass.

only way is to find exploit to get password hash and crack that, but i'm not aware of any.
however there's a vulnerability with session / cookies. you can easily take over other person's session if you get the session ID (shown in URL) and cookies.
i forgot what that method is called tho, but you need a web hosting, host a simple cookie stealer script (google for it) and host it there, then mask it inside some image or other URL, using the URL brackets.
So when admins click on the link, you get their cookie + session data.

then all you do is change your cookies with some cookie editor (check extensions / add-ons for your browser) to what admin has and voilaa, you're logged in as admin and will see all the hidden topics, most likely admins have permissions to see all.

As about level 1 - 9 topics, that's completely custom on each forum. you can have 1000 levels if you want, permissions are custom. Best way to understand these things, is to host your own and experiment on it.
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: phpBB forum hacking

Postby Koppara » Fri Oct 09, 2015 2:57 pm

Does it matter when is the latest tutorial made? I watched this video: https://www.youtube.com/watch?v=yflhmp4VJy4 but it didn't work :p
Koppara
Newbie..
Newbie..
 
Posts: 14
Joined: Thu Oct 30, 2014 3:19 pm

Re: phpBB forum hacking

Postby Sethioz » Sat Oct 10, 2015 1:28 am

Ofcourse it matters, all public exploits are reported and fixed, this is what's so good about free website systems, so many use them and so many report bugs.

You can forget about any public exploits, they get patched the same day practically, but if you talking about specific methods, don't watch videos by some morons who put text on video and are too stupid to talk. 99% of them are crap made by some little script kids who don't even know what they are doing, they just copy that info off of other sources.
You need to start by understand what XSS is and what SQL injection is, once you understand how they work, then you will be able to tell if tutorial is crap or not.

it's hard to explain if you don't know any programming, well you don't need to know programming in order to reverse engineer things, you just have to understand how things work.
But in general, it doesn't really matter which tutorial you watch, if it's well explained, then the base of exploiting is always same.

I don't remmeber what they are exactly, but I pulled them from milw0rm back in the days, they should still work. I also have a cookie stealer that i wrote and it worked fine up to a point, but i never really tried to hack any sites with it. I just tested in my hosting and pulled the cookie just fine.
I attached 2 of the milw0rm .txt files about XSS and cookie stealing and my cookie stealer. maybe they're some help to you.

cookiez_working.rar
(371 Bytes) Downloaded 136 times

XSS.rar
(656 Bytes) Downloaded 134 times

Stealer1.rar
(428 Bytes) Downloaded 130 times
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: phpBB forum hacking

Postby Koppara » Sat Oct 10, 2015 12:51 pm

I managed to get it work somehow, but I don't get the cookie, I get the HTTP USER AGENT instead :D
Koppara
Newbie..
Newbie..
 
Posts: 14
Joined: Thu Oct 30, 2014 3:19 pm

Re: phpBB forum hacking

Postby Sethioz » Tue Oct 13, 2015 5:47 pm

cookie stealer only works if you re-direct and mask it through another website. You have to host it somewhere, then post a link here (for example) and if someone clicks on it, then it would log the cookie from this site. I used it only once, don't remember which one i used, maybe i used a combination of few, i'd have to go thru it myself in order to be able to tell you exact details.
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown


Return to PC / Website / Console / Others > Hacking / Cracking / Exploits / Research

Who is online

Users browsing this forum: No registered users and 1 guest

cron