
MyBB 1.2.11 SQL Injection
- Sql Injection in MyBB 1.2.11

[waraxe-2008-SA#064] - Sql Injection in MyBB 1.2.11
================================================================================

Author: Janek Vind "waraxe"
Date: 21. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-64.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MyBB is a discussion board that has been around for a while; it has evolved
from other bulletin boards into the forum package it is today. It is a
professional and efficient discussion board, developed by an active team of
developers.

Vulnerabilities discovered
================================================================================

1. SQL Injection in "private.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Preconditions:
================
a) the attacker must be logged in as a registered user
b) the private message system must be enabled

Caused by:
================
The "disablesmilies" parameter is not sanitized properly before being used in
an INSERT SQL query.
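As an added example, not code from this advisory or from MyBB itself, the PHP below reproduces the defect class described here (a POST parameter concatenated into an INSERT without validation or quoting) and places the parameterized replacement beside it. The table and column names are taken from the query quoted in the Explanation section; the function names, the in-memory SQLite database standing in for MySQL, and the sample values are assumptions.

```php
<?php
// Added example (not MyBB's code): the defect class from this advisory, a
// request parameter dropped into an INSERT without validation or quoting,
// next to the parameterized form that fixes it. Table and column names
// follow the query quoted in the advisory; the function names, the
// in-memory SQLite database and the sample values are assumptions.

function openTestDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mybb_privatemessages (
        pmid INTEGER PRIMARY KEY AUTOINCREMENT,
        uid INTEGER, toid INTEGER, fromid INTEGER, folder INTEGER,
        subject TEXT, icon INTEGER, message TEXT, dateline INTEGER,
        status INTEGER, includesig TEXT, smilieoff INTEGER,
        receipt INTEGER, readtime INTEGER)');
    return $db;
}

// Vulnerable pattern: $disablesmilies comes straight from the POST body and
// is concatenated into the VALUES list. Without quoting, anything that is
// not a number is parsed as SQL rather than stored as data, which is why the
// advisory's test value produced a malformed query instead of a row.
function insertPmVulnerable(PDO $db, string $disablesmilies): void
{
    $sql = "INSERT INTO mybb_privatemessages (uid, toid, fromid, folder, subject,"
         . " icon, message, dateline, status, includesig, smilieoff, receipt, readtime)"
         . " VALUES ('1', '1', '1', '1', 'f00subject', '0', 'f00message', '1200579555',"
         . " '0', 'no', " . $disablesmilies . ", '0', '0')";
    $db->exec($sql);
}

// Fixed pattern: reduce the flag to the only values it can legitimately take,
// then bind every request-derived value as a parameter so the statement's
// structure is fixed before any user data reaches the database.
function insertPmSafe(PDO $db, string $disablesmilies): int
{
    $smilieoff = ($disablesmilies === '1') ? 1 : 0;
    $stmt = $db->prepare(
        'INSERT INTO mybb_privatemessages (uid, toid, fromid, folder, subject,'
      . ' icon, message, dateline, status, includesig, smilieoff, receipt, readtime)'
      . ' VALUES (:uid, :toid, :fromid, 1, :subject, 0, :message, :dateline,'
      . ' 0, \'no\', :smilieoff, 0, 0)'
    );
    $stmt->execute([
        ':uid'       => 1,
        ':toid'      => 1,
        ':fromid'    => 1,
        ':subject'   => 'f00subject',   // constructed sample values
        ':message'   => 'f00message',
        ':dateline'  => 1200579555,
        ':smilieoff' => $smilieoff,
    ]);
    return (int) $db->lastInsertId();
}

$db = openTestDb();

// The advisory's non-numeric test value. In the concatenated query it becomes
// an SQL token, so the database rejects the statement.
try {
    insertPmVulnerable($db, 'waraxe');
    echo "unexpected: concatenated INSERT succeeded\n";
} catch (PDOException $e) {
    echo "concatenated INSERT rejected: " . $e->getMessage() . "\n";
}

// The same value through the parameterized path is reduced to the flag 0
// and never becomes part of the SQL text.
$pmid = insertPmSafe($db, 'waraxe');
$stmt = $db->prepare('SELECT smilieoff FROM mybb_privatemessages WHERE pmid = ?');
$stmt->execute([$pmid]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "parameterized INSERT stored smilieoff=" . $row['smilieoff'] . "\n";
```

Run it with the `php` CLI (the pdo_sqlite extension must be loaded). The concatenated statement is rejected because the non-numeric value is parsed as SQL, while the parameterized statement stores the flag as data; the validation step matters on its own, since a flag column should only ever receive 0 or 1 regardless of how the query is built.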

Explanation:
================

Let's try this little piece of HTML code as a proof-of-concept:

[--------------- PoC start -------------------------------------------------]

<form action="http://localhost/mybb.1.2.11/private.php" method="post">

[------------- PoC end ----------------------------------------------------]

NB! The "to" parameter must be a valid username!

As a result of the test we can see an SQL error message:

MySQL error: 1136
Column count doesn't match value count at row 1
Query: INSERT INTO mybb_privatemessages (uid, toid, fromid, folder, subject,
icon, message, dateline, status, includesig, smilieoff, receipt, readtime)
VALUES ('1', '1', '1', '1', 'f00subject', '0', 'f00message', '1200579555',
'0', 'no', '',waraxe,'', '0', '0')

So an SQL injection hole exists in the INSERT query, and on MySQL version >= 4.1
an attacker can use subselects to fetch arbitrary data from the database,
including the admin password hash.

How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download the new MyBB version 1.2.12

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, str0ke
and anyone else who knows me!
Greetings to Raido Kerna. Greetings to the Torufoorum folks!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.janekvind.com/
Waraxe forum: http://www.waraxe.us/forums.html

---------------------------------- [ EOF ] --------------------------------
