
[Full-disclosure] [CVE-2014-2339] GNUboard SQL Injection Vulnerability



==========================
Advisory: GNUboard SQL Injection Vulnerability
Author: claepo.wang@xxxxxxxxxxxxxxxxxxxx
Affected Version: GNUboard5 (the latest version)
Vendor URL: http://sir.co.kr/
Vendor Status: Unfixed (I know little about Korean, so I do not know how to describe this vulnerability to the vendor.)

==========================
Vulnerability Description
==========================

Recently, I found several vulnerabilities in the famous Korean forum program - the GNUboard.

Vulnerable file: /bbs/ajax.autosave.php

<?php
include_once('./_common.php'); // global filter on $_GET, $_POST, $_COOKIE, $_REQUEST

if (!$is_member) die('0'); // requires member login

$uid     = trim($_REQUEST['uid']); // current user id
$subject = trim(stripslashes($_REQUEST['subject'])); // stripslashes undoes the global filter, causing a SQL injection
$content = trim(stripslashes($_REQUEST['content'])); // same as above

if ($subject && $content) {
    $sql = " select count(*) as cnt from {$g5['autosave_table']} where mb_id = '{$member['mb_id']}' and as_subject = '$subject' and as_content = '$content' ";
    $row = sql_fetch($sql); // the tainted strings ($subject, $content) are interpolated into the SQL query
    if (!$row['cnt']) {
        $sql = " insert into {$g5['autosave_table']} set mb_id = '{$member['mb_id']}', as_uid = '{$uid}', as_subject = '$subject', as_content = '$content', as_datetime = '".G5_TIME_YMDHIS."' on duplicate key update as_subject = '$subject', as_content = '$content', as_datetime = '".G5_TIME_YMDHIS."' ";
        $result = sql_query($sql, false); // runs the insert/update, again with the tainted strings

        echo autosave_count($member['mb_id']);
    }
}
?>

==========================
POC && EXP
==========================

1. Login as a member

2. GET http://target/bbs/ajax.autosave.php?content=1&subject=1[inj_exp]
        {exp can be found on my server: http://pandas.pw/gnuboard.exp}

3. Page returns 1062 : Duplicate entry ~admin~*FF6F916236F4FFEE8FADD21EC20216C5C3A04E50~1' for key 'group_key'.

====================

Attachment: gnuboard-kr.txt
Description: Binary data
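An added example, not code from the advisory or from GNUboard, that models the escaping pipeline the post describes and places the hardened form beside it. It assumes the global filter in _common.php behaves like addslashes(), and it uses an in-memory SQLite table in place of {$g5['autosave_table']}.

```php
<?php
// Added example (not GNUboard code). Assumption: the global request filter
// in _common.php is equivalent to addslashes() on every request value.
function global_filter(string $raw): string {
    return addslashes($raw);
}

// Vulnerable pattern from ajax.autosave.php: stripslashes() reverses the
// global filter, so any quote in user input reaches the query unescaped.
function vulnerable_count_sql(string $mb_id, string $subject, string $content): string {
    $subject = trim(stripslashes(global_filter($subject)));
    $content = trim(stripslashes(global_filter($content)));
    return " select count(*) as cnt from g5_autosave where mb_id = '$mb_id'"
         . " and as_subject = '$subject' and as_content = '$content' ";
}

// Hardened form: the same decoding is kept, but the values are bound as
// parameters instead of being interpolated into the SQL text.
function safe_count(PDO $db, string $mb_id, string $subject, string $content): int {
    $subject = trim(stripslashes(global_filter($subject)));
    $content = trim(stripslashes(global_filter($content)));
    $stmt = $db->prepare('select count(*) as cnt from g5_autosave'
                       . ' where mb_id = ? and as_subject = ? and as_content = ?');
    $stmt->execute([$mb_id, $subject, $content]);
    return (int) $stmt->fetchColumn();
}

// Constructed stand-in for the autosave table (assumed column names).
$db = new PDO('sqlite::memory:');
$db->exec('create table g5_autosave (mb_id text, as_uid text, as_subject text, as_content text)');
$db->exec("insert into g5_autosave values ('admin', '1', 'hello', 'world')");

// Constructed input containing a single quote.
$probe = "O'Neil";

// The interpolated query carries the raw quote, i.e. the input has altered
// the SQL syntax rather than being treated as data.
echo vulnerable_count_sql('admin', $probe, '1'), PHP_EOL;

// With the prepared statement the quote is just part of the value.
echo safe_count($db, 'admin', $probe, '1'), PHP_EOL;
echo safe_count($db, 'admin', 'hello', 'world'), PHP_EOL;
```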

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/