Mailing List Archive

[CVE-2014-2339] GNUboard SQL Injection Vulnerability
==========================
Advisory: GNUboard SQL Injection Vulnerability
Author: claepo.wang@dbappsecurity.com.cn
Affected Version: GNUboard5 (the latest version)
Vendor URL: http://sir.co.kr/
Vendor Status: Unfixed (I know little about Korean, so I do not know how to describe this vul to the vendor.)
==========================
Vulnerability Description
==========================
Recently, I found several vulnerabilities in the famous Korean forum program - the GNUboard.

Vulnerable file: /bbs/ajax.autosave.php

<?php
include_once('./_common.php'); // global 'filter' on $_GET, $_POST, $_COOKIE, $_REQUEST
if (!$is_member) die('0'); // member login
$uid = trim($_REQUEST['uid']); // current user id
$subject = trim(stripslashes($_REQUEST['subject'])); // stripslashes undoes the global filter, causing a SQL injection
$content = trim(stripslashes($_REQUEST['content'])); // same as above
if ($subject && $content) {
    $sql = " select count(*) as cnt from {$g5['autosave_table']} where mb_id = '{$member['mb_id']}' and as_subject = '$subject' and as_content = '$content' ";
    $row = sql_fetch($sql); // the bad string ($subject | $content) is inserted into the sql query
    if (!$row['cnt']) {
        $sql = " insert into {$g5['autosave_table']} set mb_id = '{$member['mb_id']}', as_uid = '{$uid}', as_subject = '$subject', as_content = '$content', as_datetime = '".G5_TIME_YMDHIS."' on duplicate key update as_subject = '$subject', as_content = '$content', as_datetime = '".G5_TIME_YMDHIS."' ";
        $result = sql_query($sql, false); // database select
        echo autosave_count($member['mb_id']);
    }
}
?>
==========================
POC && EXP
==========================
1. Login as a member
2. GET http://target/bbs/ajax.autosave.php?content=1&subject=1[inj_exp] {exp can be found on my server: http://pandas.pw/gnuboard.exp}
3. Page returns 1062 : Duplicate entry ~admin~*FF6F916236F4FFEE8FADD21EC20216C5C3A04E50~1' for key 'group_key'.
====================
Done! Thx a lot!
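The defect above is that the request values pass through a global filter that escapes quotes, and stripslashes() then removes exactly that escaping before the values are interpolated into the query string. The following is an added example (not GNUboard's code and not from the advisory author): it first shows that stripslashes() reverses an addslashes()-style filter, then rewrites the autosave logic with bound parameters so quotes in the subject or content are stored as data and never reach the SQL grammar. It runs stand-alone against an in-memory SQLite database through PDO; the table name and layout, the UNIQUE key, the $member array and the inputs are constructed assumptions, and MySQL's "on duplicate key update" is written as SQLite's "INSERT OR REPLACE".

```php
<?php
// Added example, not GNUboard's code: shows why stripslashes() defeats an
// addslashes()-style global filter, and a hardened rewrite of the autosave
// logic that binds values instead of interpolating them. Runs stand-alone
// against an in-memory SQLite database via PDO; the table layout, the
// UNIQUE key, the $member array and all inputs are constructed assumptions.

// Root cause: whatever the global filter escapes, stripslashes() puts back.
function globalFilter(string $raw): string {
    return addslashes($raw); // stands in for GNUboard's request filter (assumption)
}
function filterUndone(string $raw): bool {
    return stripslashes(globalFilter($raw)) === $raw;
}

// Hardened autosave: parameters are bound, so quotes in $subject/$content
// are data, never SQL. The MySQL "on duplicate key update" of the original
// is written as SQLite's "INSERT OR REPLACE" here.
function autosaveHardened(PDO $db, string $mbId, string $uid,
                          string $subject, string $content): int {
    $subject = trim($subject);
    $content = trim($content);
    if ($subject === '' || $content === '') {
        return 0;
    }
    $check = $db->prepare(
        'SELECT COUNT(*) FROM g5_autosave
          WHERE mb_id = :mb_id AND as_subject = :subject AND as_content = :content');
    $check->execute([':mb_id' => $mbId, ':subject' => $subject, ':content' => $content]);
    if ((int) $check->fetchColumn() === 0) {
        $ins = $db->prepare(
            'INSERT OR REPLACE INTO g5_autosave
               (mb_id, as_uid, as_subject, as_content, as_datetime)
             VALUES (:mb_id, :uid, :subject, :content, :ts)');
        $ins->execute([
            ':mb_id'   => $mbId,
            ':uid'     => $uid,
            ':subject' => $subject,
            ':content' => $content,
            ':ts'      => date('Y-m-d H:i:s'),
        ]);
    }
    $count = $db->prepare('SELECT COUNT(*) FROM g5_autosave WHERE mb_id = :mb_id');
    $count->execute([':mb_id' => $mbId]);
    return (int) $count->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE g5_autosave (
    mb_id TEXT NOT NULL, as_uid TEXT NOT NULL, as_subject TEXT, as_content TEXT,
    as_datetime TEXT, UNIQUE (mb_id, as_uid))');

$member  = ['mb_id' => 'testuser'];      // constructed: the logged-in member
$subject = "Draft: O'Brien's notes";     // constructed: ordinary text containing quotes

printf("global filter undone by stripslashes(): %s\n", filterUndone($subject) ? 'yes' : 'no');
printf("autosave count: %d\n", autosaveHardened($db, $member['mb_id'], 'uid-1', $subject, 'body'));
$stored = $db->query('SELECT as_subject FROM g5_autosave')->fetchColumn();
printf("subject stored verbatim: %s\n", $stored === $subject ? 'yes' : 'no');
```

Binding the values is the fix that does not depend on the global filter at all; if a codebase must keep string-built queries, the alternative is to escape each value with the driver's own escaping function immediately before interpolation, after any stripslashes() call, rather than relying on escaping applied earlier in the request pipeline. On the detection side, the 1062 duplicate-key message the advisory quotes is a database error surfacing to the client, so MySQL error strings in HTTP responses from /bbs/ajax.autosave.php are a useful signal that unexpected input reached the query.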
