Hacking Phpbb Forums
Let's go directly to our main purpose here. First of all, we need some preparation work.
1. Get the target's password md5 hash. In this tutorial it is 098f4bcd4621d373caae4e832628b4f6.
2. You need to know the target's "user_id". For this, use the phpBB feature called "memberlist",
search for the target's username and then look at his profile. In our example the URL of the target's
profile is:
http://localhost/phpbb206c/profile.php?mode=viewprofile&u=3
As you can see, "u=3", so the target's "user_id" equals "3".
3. You must have a properly working Mozilla browser.
Now, let's move further. I assume you already know where Mozilla's cookies are located. I have
Windows XP Home Edition and the logged-in username "nobody", so the cookie file is located in the folder:
C:\Documents and Settings\nobody\Application Data\Mozilla\Profiles\[some subfolders]\cookies.txt
Manually editing the cookie file is dangerous, so beware. I suggest making a backup first.
Next, I assume that you already have an account on the target forum. Go to the login page, enter your
username and password and check the checkbox named "Log me on automatically each visit:".
In this way you will force phpBB to store your password's md5 hash in your browser cookies.
OK, you are logged in. Don't log out! And close the Mozilla browser!! This is very important!!!
Open "cookies.txt" and try to find the cookie which belongs to the target server and is named something like
"phpbb2mysql_data". By the way, phpBB configuration settings can override this name, so if you have problems
finding the right cookie, use Mozilla's Cookie Manager and remove ALL cookies. Then, right
after the cookie cleanup, log in to the target phpBB and you will see your target cookie in the cookie file.
So you see a long text line similar to this:
www.target.com FALSE / FALSE 1114433252 phpbb2mysql_data a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2219dd1947a95454ccaf223a731c32db0c%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D
Hmm, this cookie's value seems complicated to understand, isn't it? Let's analyze it a little bit.
First, after urldecode() we get something like:
a:2:{s:11:"autologinid";s:32:"19dd1947a95454ccaf223a731c32db0c";s:6:"userid";s:1:"4";}
What is this? This is what you get if you call PHP's "serialize()" function on an array.
I don't want to go into details, because that is kind of off-topic right now. But I think you
can see 2 known variables in this string:
1. s:32:"19dd1947a95454ccaf223a731c32db0c"; --> 19dd1947a95454ccaf223a731c32db0c - this must be your password's md5 hash.
2. ";s:6:"userid";s:1:"4";} --> "4" - this is of course your "user_id".
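The decoding described above, written out as a parser so that a forum administrator can check what their own board actually puts in the cookie. This is an added example, not code from the original post or from phpBB; the sample cookie is the value quoted above with its wrapped lines joined, and the parser covers only the subset of PHP's serialize() format that this cookie uses:

```python
"""Added example, not part of the original post: decode the phpbb2mysql_data
cookie value quoted above and flag the weak design in which the
"autologinid" field is the account's bare md5 password hash.  The sample
cookie is the value from the post (its wrapped lines joined); the parser
handles the subset of PHP's serialize() format needed for it."""
import re
from urllib.parse import unquote_to_bytes

# Cookie value exactly as quoted in the post.
SAMPLE_COOKIE = (
    "a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2219dd1947a95454c"
    "caf223a731c32db0c%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D"
)


class PhpUnserializer:
    """Small recursive-descent reader for PHP serialize() output
    (arrays, strings, integers, booleans, null).  Works on bytes because
    the s:<len>: prefix is a byte count, not a character count."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def _read_until(self, stop: bytes) -> bytes:
        end = self.data.index(stop, self.pos)
        token = self.data[self.pos:end]
        self.pos = end + len(stop)
        return token

    def _expect(self, literal: bytes) -> None:
        if not self.data.startswith(literal, self.pos):
            raise ValueError(f"expected {literal!r} at offset {self.pos}")
        self.pos += len(literal)

    def parse(self):
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b"N":                      # N;
            self._expect(b";")
            return None
        self._expect(b":")
        if tag == b"i":                      # i:42;
            return int(self._read_until(b";"))
        if tag == b"b":                      # b:1;
            return self._read_until(b";") == b"1"
        if tag == b"s":                      # s:11:"autologinid";
            length = int(self._read_until(b":"))
            self._expect(b'"')
            value = self.data[self.pos:self.pos + length]
            self.pos += length
            self._expect(b'";')
            return value.decode("utf-8", errors="replace")
        if tag == b"a":                      # a:2:{key;value;...}
            count = int(self._read_until(b":"))
            self._expect(b"{")
            items = {}
            for _ in range(count):
                key = self.parse()
                items[key] = self.parse()
            self._expect(b"}")
            return items
        raise ValueError(f"unsupported type tag {tag!r} at offset {self.pos - 1}")


def decode_phpbb_cookie(cookie_value: str) -> dict:
    """urldecode the cookie, then unserialize it into a dict."""
    data = unquote_to_bytes(cookie_value)
    reader = PhpUnserializer(data)
    fields = reader.parse()
    if reader.pos != len(data):
        raise ValueError("trailing bytes after the serialized array")
    if not isinstance(fields, dict):
        raise ValueError("cookie does not hold a serialized array")
    return fields


HEX32 = re.compile(r"^[0-9a-f]{32}$")


def autologin_is_password_hash(fields: dict) -> bool:
    """Audit check: a 32-hex autologinid is, in this phpBB 2.0.x build, the
    md5 of the password itself, so the cookie is a password-equivalent
    credential that never has to be cracked to be useful."""
    return bool(HEX32.match(str(fields.get("autologinid", ""))))


if __name__ == "__main__":
    decoded = decode_phpbb_cookie(SAMPLE_COOKIE)
    print(decoded)
    print("autologinid is a bare password hash:", autologin_is_password_hash(decoded))
```

The point of the audit check is the one the post makes implicitly: because the cookie carries the stored hash itself, anyone who obtains the hash table (or a copy of the cookie) is accepted without ever recovering a password, so a board that still sets a cookie of this shape should treat its password hashes as live credentials.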
Now, you remember the target's user_id and password md5 hash, don't you?
target's md5 - 098f4bcd4621d373caae4e832628b4f6
target's user_id - 3
So edit this cookie with Notepad or WordPad and swap the original values with the target's values.
In the previous example we had a cookie value like this:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%2219dd1947a95454ccaf223a731c32db0c%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D
and after editing we have a cookie value like this:
a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A32%3A%22098f4bcd4621d373caae4e832628b4f6%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D
If you compare those two strings, you can easily see where I made the changes.
Finally, after editing and saving the cookie file, open Mozilla and browse to the target phpBB forum. If all went
perfectly, you are now "logged in" as the target.
Mission complete!
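What makes the procedure above work is a design choice, not a bug in the browser: the "remember me" cookie carries the password hash, and the server accepts whoever presents it. The following added example, which is not code from the original post or from phpBB, places that weak check next to a hardened remember-me scheme in which the cookie holds a random token, the server stores only the token's hash bound to one user with an expiry, and each token is single-use and revocable. The function names, in-memory stores and 30-day TTL are constructed for the example; the two md5 values are the ones quoted in the post:

```python
"""Added example, not part of the original post or of phpBB's own code:
the autologin check the post relies on, next to a hardened "remember me"
token scheme that gives an attacker nothing even if the password-hash
table leaks.  The function names, the in-memory stores and the TTL are
constructed for this example; the two md5 values are the ones quoted in
the post."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# --- Weak design (what the post exploits): the cookie carries md5(password),
# and the server merely compares it with the stored hash.
PASSWORD_HASHES = {                       # user_id -> md5(password), values from the post
    3: "098f4bcd4621d373caae4e832628b4f6",
    4: "19dd1947a95454ccaf223a731c32db0c",
}


def weak_autologin(userid: int, autologinid: str):
    """Accepts whoever presents the stored hash: it doubles as a
    password-equivalent credential, so a leaked hash table (or any
    copy of another user's cookie) logs in without cracking anything."""
    expected = PASSWORD_HASHES.get(userid, "")
    return userid if hmac.compare_digest(expected, autologinid) else None


# --- Hardened design: a random token, stored only as a hash, bound to
# one user, time-limited, single-use and revocable.
TOKEN_TTL = 30 * 24 * 3600                # 30 days, constructed for the example
REMEMBER_KEYS = {}                        # sha256(token) -> {"userid", "expires"}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(userid: int, now: Optional[float] = None) -> str:
    """Mint a fresh token for the cookie; the server keeps only its hash,
    so a database leak does not expose usable cookies."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    REMEMBER_KEYS[_digest(token)] = {"userid": userid, "expires": now + TOKEN_TTL}
    return token


def redeem_token(userid: int, token: str, now: Optional[float] = None):
    """Validate a presented token and rotate it.  Returns (userid, new_token)
    on success, None otherwise.  The token is consumed whatever the outcome,
    so a replayed copy is rejected and shows up as a failed redemption."""
    now = time.time() if now is None else now
    record = REMEMBER_KEYS.pop(_digest(token), None)
    if record is None or record["userid"] != userid or record["expires"] < now:
        return None
    return userid, issue_token(userid, now)


def revoke_all(userid: int) -> int:
    """Invalidate every remember-me token of a user, e.g. on password change
    or 'log out everywhere'.  Returns how many were removed."""
    dead = [d for d, r in REMEMBER_KEYS.items() if r["userid"] == userid]
    for d in dead:
        del REMEMBER_KEYS[d]
    return len(dead)


if __name__ == "__main__":
    # Weak scheme: knowing user 3's stored hash is enough to be accepted as user 3.
    print("weak login with stored hash:", weak_autologin(3, PASSWORD_HASHES[3]))
    # Hardened scheme: the hash is useless; only a freshly issued token works, once.
    t = issue_token(3)
    print("hardened login with the hash:", redeem_token(3, PASSWORD_HASHES[3]))
    print("hardened login with the token:", redeem_token(3, t) is not None)
    print("replay of the same token:", redeem_token(3, t))
```

Two properties carry the defensive value. Because the server stores sha256(token) rather than the token, the hash table and the sessions table together still do not yield a cookie that logs anyone in; and because a token is consumed on every presentation, a copied cookie either fails outright (the legitimate user already rotated it) or causes the legitimate user's next visit to fail, which is the signal to log and investigate.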
Saturday, May 10, 2008