[take care..]
AssalamoAlaikum all.
First, we must make some posting to the guestbook or forum (PhpBB is integrated to PhpNuke and in most cases is active module). And besides usual text we use BBcode for adding "image" with url like that:
admin.php?op=AddAuthor&add_aid=attacker&add_name=God&add_pwd=coolpass&add_email=kala_at_hot.ee&add_radminsuper=1
For example in forum:
Now, after posting, we can see "broken" picture, added to our post. And when person with superadmin rights will browse forum and read this post, then new superadmin account will be created "automatically". One more way to attack - send u2u message directly to admin and use described method for message. When admin reads the u2u message - attacker get's superadmin account.
Now, this is of course most simple method to exploit this weakness. If attacker wants to hide the true meaning of the "image", then lets consider something like this:
Is this somehow suspicious picture url? Nop ;) But wise attacker will use Apache webserver's advanced features and if client's browser will request picture from attacker's server, then server just redirects the browser to new, "bad" url ;)
tc all.
Allah Hafiz
easy way to get superadmin rights in PhpNuke ..
easy way to get superadmin rights in PhpNuke ..
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous