YapBB find.php SQL Injection Vulnerability

Vulnerability ID 1194947 Vulnerability type SQL injection
Published 2006-05-19 Updated 2006-05-22
CVE number CVE-2006-2486 CNNVD-ID CNNVD-200605-375
Platform N/A CVSS score 6.4
|Vulnerability sources
https://cxsecurity.com/issue/WLB-2006050117
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-375
|Vulnerability details
An SQL injection vulnerability exists in find.php in YapBB 1.2 Beta2 and earlier. A remote attacker can execute arbitrary SQL commands via the userID parameter.
|Vulnerability EXP

Title : YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability

------------------------------------------

Author : x90c(Kyong Joo, Jung)

Published : 2006.5.16

E-mail : geinblues [at] gmail.com

Site : http://www.chollian.net/~jyj9782

------------------------------------------

0x01 Summary

YapBB is an open-source web forum written in PHP.

(http://sourceforge.net/projects/yapbb)

This web application is vulnerable to an SQL injection attack.

So a malicious attacker can obtain every nickname (id) and password stored by this YapBB installation.

Let's look at the code.

0x02 Testbed

- Fedora Core 2

- MySQL-Server 5.0.19-log

- PHP 5 (magic_quotes_gpc = On)

0x03 Codes

~/YapBB-1.2-Beta2/YapBB/find.php:

-
..
34: $userBool = $HTTP_POST_VARS["choice"]=="user";  // if choice == 'user'
36: $userpostBool = !empty($HTTP_GET_VARS["userID"]); // userID == '[inject sql]'
..
119: else if ($userpostBool)
120: {
128:	$postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " .
        $cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " .
        $cfgDatabase['user'] . " AS u WHERE t.id = p.topicid AND p.posterid = $userID AND
        u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50");   // execute sql!
-

No words.

I wrote an exploit for getting all YapBB users' nicknames and passwords.

Sorry, I can't put the exploit in this advisory =)

0x04 Exploit

[x90c@hackzen testbed]$ whoami

x90c

[x90c@hackzen testbed]$

0x05 Patch

~/YapBB-1.2-Beta2/YapBB/find.php:

..
128: $postRes = $postQuery->select("SELECT p.date, t.id, t.description, u.nickname FROM " .
        $cfgDatabase['post'] . " AS p, " . $cfgDatabase['topic'] . " AS t, " . $cfgDatabase['user'] .
        " AS u WHERE t.id = p.topicid AND p.posterid = '" . addslashes($userID) .
        "' AND u.id = p.posterid GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50");       // x90c patch!
..

Thanks!

- Blu3h4t Team in korea
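The find.php query above interpolates $userID unquoted into a numeric comparison, which is why magic_quotes_gpc = On in the testbed does not stop the injection: quote escaping only matters when the value sits inside quotes. The following is an added example, not YapBB's code or x90c's patch; it rebuilds the same query three ways (the original pattern, an integer-validated version, and a PDO prepared statement), with table names as constructed placeholders for $cfgDatabase.

```php
<?php
// Constructed stand-in for YapBB's $cfgDatabase table map (hypothetical names).
$cfgDatabase = ['post' => 'yapbb_post', 'topic' => 'yapbb_topic', 'user' => 'yapbb_user'];

// 1. The find.php pattern: $userID is dropped straight into "p.posterid = $userID".
//    addslashes()/magic_quotes only escape quote characters; an unquoted integer
//    context needs none, so they leave such input untouched.
function buildQueryUnsafe(array $cfg, string $userID): string
{
    return "SELECT p.date, t.id, t.description, u.nickname FROM " . $cfg['post'] .
        " AS p, " . $cfg['topic'] . " AS t, " . $cfg['user'] .
        " AS u WHERE t.id = p.topicid AND p.posterid = $userID AND u.id = p.posterid" .
        " GROUP BY p.topicid ORDER BY p.date DESC LIMIT 50";
}

// 2. Type enforcement: p.posterid is an integer column, so anything that is not
//    a plain decimal integer is rejected before it reaches the SQL text at all.
function buildQueryTyped(array $cfg, string $userID): ?string
{
    if (!ctype_digit($userID)) {
        return null;   // caller should answer with a 400-style error, not an empty page
    }
    return buildQueryUnsafe($cfg, (string) (int) $userID);
}

// 3. Parameterised query: the value is bound separately from the statement
//    text, so the database never parses it as SQL.  Assumes a PDO connection.
function findPostsByUser(PDO $db, array $cfg, string $userID): array
{
    if (!ctype_digit($userID)) {
        return [];
    }
    $sql = "SELECT p.date, t.id, t.description, u.nickname FROM {$cfg['post']} AS p, " .
        "{$cfg['topic']} AS t, {$cfg['user']} AS u WHERE t.id = p.topicid " .
        "AND p.posterid = :uid AND u.id = p.posterid GROUP BY p.topicid " .
        "ORDER BY p.date DESC LIMIT 50";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':uid', (int) $userID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed non-numeric input with no quote character in it: addslashes()
// returns it unchanged, yet the typed builder refuses it outright.
$input = "7 OR 1=1";
var_dump(addslashes($input) === $input);          // bool(true): escaping changed nothing
var_dump(buildQueryTyped($cfgDatabase, $input));  // NULL: rejected before any SQL is built
var_dump(buildQueryTyped($cfgDatabase, "7") !== null);  // bool(true): a real id passes
```

The x90c patch closes the hole by wrapping the value in quotes and escaping it, which is sound for string data; for an integer id, casting or binding as an integer is the tighter fix and does not depend on magic_quotes or the escaping function.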
|References

Source: BID
Name: 17988
Link: http://www.securityfocus.com/bid/17988
Source: BUGTRAQ
Name: 20060515 YapBB <= 1.2 Beta2 'find.php' SQL Injection Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/434039/100/0/threaded
Source: XF
Name: yapbb-find-sql-injection(26456)
Link: http://xforce.iss.net/xforce/xfdb/26456
Source: SREASON
Name: 923
Link: http://securityreason.com/securityalert/923