# Exploit Title: MyBB Profile Wii Friend Code SQLi/Persistent XSS
# Dork: intitle:"Profile of" intext:"Wii Friend Code" inurl:member.php
# Date: 1/3/2013
# Exploit Author: Ichi
# Vendor Homepage: http://mods.mybb.com/view/profile-wii-friend-code
# Software Link: http://mods.mybb.com/download/profile-wii-friend-code
# Version: 1.0
# Tested on: Windows 7 64-bit
 
"Profile Wii Friend Code" MyBB plugin is vulnerable to SQL UPDATE Injection and Persistent XSS.
 
The vulnerable code lies here(in profilewfc.php):
 
<?php
function profilewfc_update($wfc)
{
  global $mybb;
 
  if (isset($mybb->input['wfc']))
   {
      $wfc->user_update_data['wfc'] = $mybb->input['wfc'];
   }
}
?>
 
As you can see the input is not sanitized in the least...
 
Persistent XSS:
1. Go to your user cp and edit your profile - usercp.php?action=profile
2. and at the "Wii Friend Code Wii Friend Code" box enter: <script>alert(1)</script> and then press submit
3. http://prntscr.com/o1x2p, submit, and http://prntscr.com/o1x69
 
SQL Injection:
1. Go to your user cp and edit your profile - usercp.php?action=profile
2. Enter this into the Wii Friend Code field as you would do with the 1st vulnerability: x', usergroup='4
3. submit and now you belong to whatever usergroup to choice to belong to
 
PoC:
Before: http://prntscr.com/o1xkg
Exploit: http://prntscr.com/o1xnd
Aftermath(now an admin): http://prntscr.com/o1xoj
 
https://twitter.com/TeamDigi7al
~Ichi