
YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability



Title : YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability

------------------------------------------
Author : x90c(Kyong Joo, Jung)
Published : 2006.5.16
E-mail : geinblues [at] gmail.com
Site : http://www.chollian.net/~jyj9782
------------------------------------------

0x01 Summary

 YapBB is an open-source web forum written in PHP.
(http://sourceforge.net/projects/yapbb)

 This web program is vulnerable to a SQL injection attack,
 so a malicious attacker can get every nickname (id) and password for this YapBB.

 Let's see the code!

0x02 Testbed

	- Fedora Core 2
	- MySQL-Server 5.0.19-log
	- Php5 ( magic_quotes_gpc = On )

0x03 Codes

~/YapBB-1.2-Beta2/YapBB/find.php:
-
..
34: $userBool = $HTTP_POST_VARS["choice"]=="user";  // if choice == 'user'
36: $userpostBool = !empty($HTTP_GET_VARS["userID"]); // userID == '[inject sql]'
..
119: else if ($userpostBool)
120: {
128:	$postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " .
	$cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " .
	$cfgDatabase['user'] . " AS u WHERE t.id = p.topicid AND p.posterid = $userID AND
	u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50");   // execute sql!
-

	No words.

I wrote an exploit for getting all YapBB users' nicknames and passwords.
Sorry, I can't put the exploit in this advisory =)

0x04 Exploit

[x90c@hackzen testbed]$ whoami
x90c
[x90c@hackzen testbed]$

0x05 Patch

~/YapBB-1.2-Beta2/YapBB/find.php:
..
128: $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " .
     $cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " . $cfgDatabase['user'] .
     " AS u WHERE t.id = p.topicid AND p.posterid = '" . addslashes($userID) .
     "' AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50");       // x90c patch!
..
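
Added example, not part of the original advisory or of YapBB: on line 128 the value sits unquoted in a numeric context, so quote escaping alone (magic_quotes_gpc, addslashes) leaves an input without quote characters unchanged; validating userID as an integer and binding it as a parameter removes the concatenation entirely. The PDO/SQLite setup, the table names and the helper names are assumptions made for this sketch.

```php
<?php
// Added example, not YapBB code. Table names stand in for $cfgDatabase[...];
// parseUserId() and findPostsByUser() are hypothetical helpers.
declare(strict_types=1);

/** Accept only a plain positive integer; anything else becomes null. */
function parseUserId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Query shape of find.php line 128, with the value bound, not concatenated. */
function findPostsByUser(PDO $db, mixed $rawUserId): array
{
    $id = parseUserId($rawUserId);
    if ($id === null) {
        return [];   // reject malformed input without touching the database
    }
    $stmt = $db->prepare(
        'SELECT p.date, t.id, t.description, u.nickname
           FROM post AS p, topic AS t, user AS u
          WHERE t.id = p.topicid AND p.posterid = :uid AND u.id = p.posterid
          GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50'
    );
    $stmt->bindValue(':uid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory data so the example runs offline (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user  (id INTEGER, nickname TEXT);
           CREATE TABLE topic (id INTEGER, description TEXT);
           CREATE TABLE post  (date TEXT, topicid INTEGER, posterid INTEGER);
           INSERT INTO user  VALUES (1, 'alice'), (2, 'bob');
           INSERT INTO topic VALUES (10, 'welcome'), (11, 'rules');
           INSERT INTO post  VALUES ('2006-05-01', 10, 1), ('2006-05-02', 11, 2);");

$probe = '1 OR 1=1';   // constructed input: contains no quote characters
var_dump(addslashes($probe) === $probe);        // escaping leaves it untouched
var_dump(count(findPostsByUser($db, $probe)));  // stopped by the integer check
var_dump(count(findPostsByUser($db, '2')));     // a valid id is bound as an int
```
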

Thanks!

- Blu3h4t Team in Korea
