CVE_Request/gnuboard5 mul vuls before v5.3.2.8/
gnuboard5-5.3.2.8 multiple vulnerabilities


Limited reflected XSS in bbs/login.php

In bbs/login.php, only single quotes and double quotes in the $url parameter are escaped.

In the function check_url_host, if the URL does not start with http or https, the $url parameter is treated as a path and passed on without any further filtering.


In function goto_url:

```php
function goto_url($url)
{
    // Turn "&amp;" entities in the URL back into "&" before redirecting.
    // (The rendered page showed this call as str_replace("&", "&", $url);
    // the entity was lost in rendering and is restored here.)
    $url = str_replace("&amp;", "&", $url);
    //echo "<script> location.replace('$url'); </script>";

    if (!headers_sent())
        // Normal case: an HTTP Location redirect.
        header('Location: '.$url);
    else {
        // Output has already started, so fall back to a client-side redirect.
        // $url is concatenated into inline JavaScript and into a <meta> attribute
        // without encoding for either context.
        echo '<script>';
        echo 'location.replace("'.$url.'");';
        echo '</script>';
        echo '<noscript>';
        echo '<meta http-equiv="refresh" content="0;url='.$url.'" />';
        echo '</noscript>';
    }
    exit;
}
```

When headers_sent() returns true, the url parameter is concatenated directly into the inline JavaScript.

Although double quotes cannot be used, the JavaScript string can be broken out of directly with </script>:

/bbs/login.php?url=www.baidu.com</script><script>alert(1)</script>


Reflected XSS in bbs/move_update.php


For the $act parameter, read from the request in common.php, only single quotes and double quotes are escaped.

It can be broken out of directly with </script>:

act=12<%2fscript><script>alert(1)<%2fscript>

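Both findings above have the same root cause: a request value is placed inside a JavaScript string literal after only its quotes have been escaped, and `</script>` still terminates the script element regardless of quoting. As an added example (not gnuboard5's own code or its fix), here is a redirect helper in the same shape as goto_url() that validates the target and encodes it separately for the JavaScript and HTML contexts; the $allowed_hosts allow-list, the function names and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not gnuboard5's own code: a context-aware version of goto_url().
// $allowed_hosts and the function names are assumptions made for this example.

/**
 * Return $url if it is a site-relative path ("/...") or an http(s) URL whose host is
 * on the allow-list; otherwise return null. Control characters are rejected so the
 * value cannot inject a CR/LF into the Location header.
 */
function safe_redirect_target(string $url, array $allowed_hosts): ?string
{
    $url = str_replace('&amp;', '&', $url);
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }
    // A single leading "/" is a site-relative path; "//host" would be protocol-relative.
    if (preg_match('#^/(?!/)#', $url)) {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;   // a bare "www.example.com..." value has no scheme and is refused
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return null;
    }
    return $url;
}

/** Encode a value as a JavaScript string literal that is safe inside a <script> block. */
function js_string_literal(string $value): string
{
    // JSON_HEX_TAG turns "<" and ">" into \u003C / \u003E, so a "</script>" inside the
    // value can no longer terminate the script element; quotes and "&" are escaped too.
    $literal = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    );
    return $literal === false ? '""' : $literal;   // invalid UTF-8: emit an empty literal
}

function goto_url_hardened(string $url, array $allowed_hosts, string $fallback = '/'): void
{
    $target = safe_redirect_target($url, $allowed_hosts) ?? $fallback;

    if (!headers_sent()) {
        header('Location: ' . $target);
    } else {
        // JavaScript context: a proper string literal, not quote-escaping alone.
        echo '<script>location.replace(' . js_string_literal($target) . ');</script>';
        // HTML attribute context: entity-encode.
        echo '<noscript><meta http-equiv="refresh" content="0;url='
            . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '" /></noscript>';
    }
    exit;
}

// Constructed inputs in the shape of the two findings above (the $act value from
// move_update.php is the same JavaScript-string breakout as the $url one).
$samples = [
    '/bbs/board.php?bo_table=free',
    'https://example.com/path',
    'www.example.com</script><script>alert(1)</script>',
    '12</script><script>alert(1)</script>',
];
foreach ($samples as $s) {
    $t = safe_redirect_target($s, ['example.com']) ?? '/';
    echo $s, "\n  target:  ", $t, "\n  literal: ", js_string_literal($t), "\n";
}
```

The validation step is what addresses the check_url_host weakness (a value with no http/https scheme is refused instead of being treated as a path), and js_string_literal() is what addresses the `</script>` breakout; the same encoding belongs wherever a request value such as $act is concatenated into inline script.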

SQL injection in install_db.php

The $table_prefix parameter is read from POST in install_db.php at line 25:

```php
$table_prefix = safe_install_string_check($_POST['table_prefix']);
```

$table_prefix is only filtered by the function safe_install_string_check, but that function does not remove any dangerous SQL characters or keywords, which leads to SQL injection.


$table_prefix is substituted into the SQL statements from gnuboard5.sql. A backquote closes the current identifier and statement, after which a new statement can be injected and arbitrary SQL executed.


Payload:

mysql_host=localhost&mysql_user=root&mysql_pass=&mysql_db=g5&table_prefix=123`; select sleep(5)#

The request then sleeps for 5 seconds.

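A table prefix is an SQL identifier, so the defence is an allow-list on the identifier's character set before substitution, rather than a keyword blocklist of the kind safe_install_string_check relies on. As an added example (not gnuboard5's own code or its fix), the following validates the prefix and then performs the substitution and statement split; the "{PREFIX}" placeholder, the two-table template standing in for gnuboard5.sql and the function names are constructed for this example.

```php
<?php
// Added example, not gnuboard5's own code: allow-list validation of the installer's
// table prefix before it is substituted into the schema. The "{PREFIX}" placeholder,
// the sample template and the function names are constructed for this example.

/** Accept only identifier-safe prefixes: a letter, then up to 15 of [a-z0-9_]. */
function is_valid_table_prefix(string $prefix): bool
{
    return preg_match('/^[a-z][a-z0-9_]{0,15}$/', $prefix) === 1;
}

/**
 * Substitute the prefix into the schema template and split it into statements.
 * Validation happens first, so a value such as "123`; select sleep(5)#" is rejected
 * before it can close the backtick-quoted identifier and start a new statement.
 */
function build_install_statements(string $template, string $prefix): array
{
    if (!is_valid_table_prefix($prefix)) {
        throw new InvalidArgumentException(
            'table prefix must match ^[a-z][a-z0-9_]{0,15}$, got ' . var_export($prefix, true)
        );
    }
    $sql = str_replace('{PREFIX}', $prefix, $template);
    $statements = [];
    foreach (preg_split('/;\s*\n/', $sql) as $stmt) {
        $stmt = trim($stmt, " \t\r\n;");
        if ($stmt !== '') {
            $statements[] = $stmt;
        }
    }
    return $statements;
}

// Constructed two-table template standing in for gnuboard5.sql.
$template = <<<'SQL'
CREATE TABLE `{PREFIX}member` (
  `mb_no` int(11) NOT NULL AUTO_INCREMENT,
  PRIMARY KEY (`mb_no`)
);
CREATE TABLE `{PREFIX}board` (
  `bo_table` varchar(20) NOT NULL DEFAULT ''
);
SQL;

// The first candidate is a normal prefix; the second is the shape of the payload above.
foreach (['g5_', '123`; select sleep(5)#'] as $candidate) {
    try {
        foreach (build_install_statements($template, $candidate) as $stmt) {
            echo 'accepted: ', strtok($stmt, "\n"), "\n";
        }
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Because identifiers cannot be bound as prepared-statement parameters, the allow-list is the whole control here; running each schema statement through a single-statement query call (rather than a multi-statement one) limits what an injected `;` could do but is not a substitute for it.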