Multiple SQL injection on OpenBB forums

From: Albert Puigsech Galicia (ripe_at_7a69ezine.org)
Date: 04/25/03

    To: bugtraq@securityfocus.com
    Date: Fri, 25 Apr 2003 09:22:48 +0200
    
    

    /-----------------------------------------------------------------------------\
    | 7 A 6 9 - A d v C: 008
    |-----------------------------------------------------------------------------|
    |
    | [ SQL injection on OpenBB forums ]
    |
    \-----------------------------------------------------------------------------/
                                                                    | 22/04/2003 |
                                                                    \------------/

    Data.
    -----

            + Type: SQL injection

            + Software: OpenBB.

            + Versions: 1.1.0 (current version).

            + Exploit: Yes.

            + Author: Albert Puigsech Galicia

            + Contact: ripe@7a69ezine.org

    Introduction.
    -------------

            OpenBB is a complete forum written in PHP that uses a MySQL
    database. More information about this software can be read on the OpenBB
    official website: http://www.openbb.co.uk.

    Description.
    ------------

            There are multiple SQL injection vulnerabilities in OpenBB's current
    version.

            Every PHP script that builds an SQL query from a numeric value
    supplied by the web user allows arbitrary SQL code to be injected into
    that query.

    Exploitation.
    -------------

            It is possible, as in other similar cases of SQL injection, to
    extract information from the database. If the vulnerable host is running
    MySQL 3 the LIKE method(*) must be used, but if MySQL 4 is in use UNION is
    available, which makes exploitation easier.

            To exploit this vulnerability one only needs to add a space (or %20)
    after the number, followed by the SQL alteration.

            Some examples of this SQL injection on OpenBB follow. Each example
    shows the URL that triggers it and the SQL query that results (look at
    '<something>', which is the injected SQL code):

            http://vulnerable/index.php?CID=1 <something>

            SELECT guest, forumid, title, lastthread, lastposter, lastposterid,
            lastthreadid, lastpost, moderators, description, type, postcount,
            threadcount, forumkey FROM obb_forum_display WHERE
            parent = 3 <something> ORDER BY displayorder

            http://vulnerable/board.php?FID=2 <something>

            SELECT title, threadcount, type, hidden_topics, forumkey FROM
            obb_forum_display WHERE forumid = 2 <something>

            http://vulnerable/member.php?action=profile&UID=1 <something>

            SELECT * FROM obb_customvalues v INNER JOIN obb_custompermis p ON
            p.fieldid = v.fieldid INNER JOIN obb_customfields f on
            f.fieldid=v.fieldid WHERE v.userid=1 <something> AND
            p.canviewothers='t' AND p.groupid='0'

    Patch.
    ------

            There is no patch yet, but the problem is solved by putting inverted
    commas around every numeric variable included in an SQL query, or by
    checking that the variable really is a number.
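    The vulnerable pattern described in the Exploitation section and the two
    fixes suggested above, shown as an added PHP example that is not OpenBB's
    own code. The table and column names are the ones quoted for board.php;
    the function names, the mysqli usage (which assumes a PHP build with the
    mysqlnd driver so that get_result() is available) and the sample input are
    assumptions made for this illustration.

```php
<?php
// Added example (not OpenBB's code): how board.php might build the query
// described in the advisory, before and after the fix. Table and column
// names come from the advisory; function and variable names are assumptions.

// --- Vulnerable pattern: the unvalidated, unquoted number is interpolated
//     directly into the SQL string, so "FID=2 <something>" becomes part of it.
function build_forum_query_vulnerable(string $fid): string
{
    return "SELECT title, threadcount, type, hidden_topics, forumkey "
         . "FROM obb_forum_display WHERE forumid = $fid";
}

// --- Fix 1 (the advisory's "check if the variable is really a number"):
//     validate the parameter before it gets anywhere near the query.
function validate_forum_id(string $raw): ?int
{
    // FILTER_VALIDATE_INT rejects "2 <something>", "2;", "0x2", trailing
    // spaces and the like; only a plain decimal integer >= 1 passes.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function build_forum_query_validated(string $raw): ?string
{
    $fid = validate_forum_id($raw);
    if ($fid === null) {
        return null;            // caller answers with an error page instead of querying
    }
    return "SELECT title, threadcount, type, hidden_topics, forumkey "
         . "FROM obb_forum_display WHERE forumid = $fid";
}

// --- Fix 2 (the strict form of "put inverted commas on every number"):
//     a prepared statement with a bound integer parameter. The value is
//     sent separately from the SQL text, so it can never alter the query.
function fetch_forum(mysqli $db, string $raw): ?array
{
    $fid = validate_forum_id($raw);
    if ($fid === null) {
        return null;
    }
    $stmt = $db->prepare(
        "SELECT title, threadcount, type, hidden_topics, forumkey "
        . "FROM obb_forum_display WHERE forumid = ?"
    );
    $stmt->bind_param('i', $fid);   // 'i' = integer; no quoting or escaping needed
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Demonstration on constructed input (no database connection needed for
// the first two functions): the advisory's pattern versus the validated one.
$constructed = '2 <something>';     // stands in for the injected text in the advisory
echo build_forum_query_vulnerable($constructed), "\n";  // injected text is now part of the SQL
var_dump(build_forum_query_validated($constructed));    // NULL: rejected before any query runs
var_dump(build_forum_query_validated('2'));             // the intended query only
```

    Validation alone is enough for the purely numeric parameters the advisory
    lists (CID, FID, UID); the prepared statement additionally removes the
    need to remember quoting or casting at every call site, which is where
    the original code went wrong.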

    --
    >====================================
    > Albert Puigsech Galicia (7a69)
    >
    > http://ripe.7a69ezine.org
    >====================================
    

