[Full-disclosure] [CVE-2014-2339] GNUboard SQL Injection Vulnerability
- To: "full-disclosure"<full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] [CVE-2014-2339] GNUboard SQL Injection Vulnerability
- From: "claepo.wang"<claepo.wang@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 14 Mar 2014 10:46:24 +0800
==========================
Advisory: GNUboard SQL Injection Vulnerability
Author: claepo.wang@xxxxxxxxxxxxxxxxxxxx
Affected Version: GNUboard5 (the latest version)
Vendor URL: http://sir.co.kr/
Vendor Status: Unfixed (I know little about Korean, so I do not know how to describe this vulnerability to the vendor.)

==========================
Vulnerability Description
==========================
Recently, I found several vulnerabilities in the famous Korean forum program, GNUboard.

Vulnerable file: /bbs/ajax.autosave.php

<?php
include_once('./_common.php'); // applies the global 'filter' (escaping) to $_GET, $_POST, $_COOKIE and $_REQUEST
if (!$is_member) die('0'); // requires a logged-in member
$uid = trim($_REQUEST['uid']); // current user id
$subject = trim(stripslashes($_REQUEST['subject'])); // stripslashes() undoes the escaping the global filter added, so the raw value reaches the query: SQL injection
$content = trim(stripslashes($_REQUEST['content'])); // same as above
if ($subject && $content) {
    $sql = " select count(*) as cnt from {$g5['autosave_table']} where mb_id = '{$member['mb_id']}' and as_subject = '$subject' and as_content = '$content' ";
    $row = sql_fetch($sql); // the unescaped $subject / $content are interpolated straight into the SELECT
    if (!$row['cnt']) {
        $sql = " insert into {$g5['autosave_table']} set mb_id = '{$member['mb_id']}', as_uid = '{$uid}', as_subject = '$subject', as_content = '$content', as_datetime = '".G5_TIME_YMDHIS."' on duplicate key update as_subject = '$subject', as_content = '$content', as_datetime = '".G5_TIME_YMDHIS."' ";
        $result = sql_query($sql, false); // INSERT ... ON DUPLICATE KEY UPDATE with the same unescaped values interpolated again
        echo autosave_count($member['mb_id']);
    }
}
?>

The only precondition is a member login; the values come from $_REQUEST, so a GET request is enough.

==========================
POC && EXP
==========================
1. Login as a member

2. GET http://target/bbs/ajax.autosave.php?content=1&subject=1[inj_exp]
   {exp can be found on my server: http://pandas.pw/gnuboard.exp}

3. Page returns
   1062 : Duplicate entry '~admin~*FF6F916236F4FFEE8FADD21EC20216C5C3A04E50~1' for key 'group_key'.

   The script echoes the MySQL error, and the duplicate-key value carries what the injected query selected (here the admin account's mb_id and password hash).

====================

Done! Thx a lot!
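<br>">
The escaping pipeline the advisory describes, modelled in Python as an added example (this is not GNUboard's code and not the advisory author's exploit). Assumptions of the model: GNUboard's "global filter" is represented by PHP's addslashes() semantics, stripslashes() by its inverse, the table name g5_autosave stands in for $g5['autosave_table'], and an in-memory SQLite database stands in for MySQL when the queries are executed. The block shows that with the filter intact the quote in a request value stays inside the string literal, that stripslashes() lets it break out and change the WHERE clause, and that binding the values as parameters is the fix:

```python
import sqlite3

AUTOSAVE_TABLE = "g5_autosave"  # assumed value of $g5['autosave_table']


def addslashes(s: str) -> str:
    # PHP addslashes(): backslash-escape ' " \ and NUL. Stands in for the global
    # filter _common.php applies to $_GET/$_POST/$_COOKIE/$_REQUEST (model assumption).
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def stripslashes(s: str) -> str:
    # PHP stripslashes(): remove one level of backslashes ("\0" becomes a NUL byte).
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        elif s[i] == "\\":
            i += 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def build_count_query(mb_id: str, subject: str, content: str) -> str:
    # Same shape as the first query in ajax.autosave.php: values pasted into the SQL text.
    # mb_id comes from the session in the real script; only subject/content are attacker data.
    return (f"select count(*) as cnt from {AUTOSAVE_TABLE} where mb_id = '{mb_id}' "
            f"and as_subject = '{subject}' and as_content = '{content}' ")


def autosave_query(raw_subject: str, raw_content: str, use_stripslashes: bool) -> str:
    # Request path: global filter, then (as the vulnerable script does) stripslashes, then trim.
    subj, cont = addslashes(raw_subject), addslashes(raw_content)
    if use_stripslashes:
        subj, cont = stripslashes(subj), stripslashes(cont)
    return build_count_query("admin", subj.strip(), cont.strip())


def outside_literals(sql: str) -> str:
    # Return the text of sql that is NOT inside a single-quoted literal, under MySQL's
    # default rules: a backslash escapes the next character and '' is a literal quote.
    out, in_str, i = [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":
                i += 2
                continue
            if c == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 2
                    continue
                in_str = False
        elif c == "'":
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def is_injected(sql: str) -> bool:
    # True when an OR sits outside every string literal, i.e. the value changed the grammar.
    return " or " in outside_literals(sql).lower()


def demo_db() -> sqlite3.Connection:
    # Constructed sample data: one autosave row for the admin member.
    conn = sqlite3.connect(":memory:")
    conn.execute(f"create table {AUTOSAVE_TABLE} (mb_id text, as_subject text, as_content text)")
    conn.execute(f"insert into {AUTOSAVE_TABLE} values ('admin', 'draft', 'hello')")
    return conn


def run_unsafe(conn: sqlite3.Connection, raw_subject: str, raw_content: str) -> int:
    # Execute the interpolated query exactly as the vulnerable script builds it.
    return conn.execute(autosave_query(raw_subject, raw_content, True)).fetchone()[0]


def count_autosave_safe(conn: sqlite3.Connection, mb_id: str, subject: str, content: str) -> int:
    # The fix: bind values as parameters so the driver keeps them out of the SQL grammar
    # (? placeholders behave the same way with mysqli/PDO prepared statements).
    row = conn.execute(
        f"select count(*) as cnt from {AUTOSAVE_TABLE} "
        "where mb_id = ? and as_subject = ? and as_content = ?",
        (mb_id, subject, content)).fetchone()
    return row[0]


if __name__ == "__main__":
    payload = "x' or 1=1 or '"
    print("filter intact :", is_injected(autosave_query(payload, "1", False)))
    print("stripslashes  :", is_injected(autosave_query(payload, "1", True)))
    print("unsafe count  :", run_unsafe(demo_db(), payload, "1"))
    print("bound count   :", count_autosave_safe(demo_db(), "admin", payload, "1"))
```

In the real script the equivalent of count_autosave_safe() is either to stop calling stripslashes() on values that are about to be interpolated into SQL, so the filter's escaping actually reaches MySQL, or better to pass subject and content as bound parameters. outside_literals() is a deliberately small scanner for illustration; it does not handle comments or double-quoted literals, and is not a substitute for parameterised queries.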
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/