1=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 0 [x] Official Website: http://www.1337day.com 1 1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 0 0 1 1 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 0 0 I'm NuxbieCyber Member From Inj3ct0r TEAM 1 1 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx «««:»»» CMS MBB v-003 - Multiple Vulnerability «««:»»» xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ./Title Exploit : CMS MBB v-003 - Multiple Vulnerability ./CMS Version : MBB - Version 0.0.3 (Last Version). ./Software Link : http://sourceforge.net/projects/phpmbbcms/ ./Author Exploit: [ TheCyberNuxbie ] [ root@31337sec.com ] [ nux_exploit ] ./Security Risk : [ High Level ] ./Category XPL : [ WebApps/ZeroDay ] ./Time & Date : June, 01 2012. 07:05 PM. ./System Tested : Windows 7 Ultimate, Firefox 13.0.1, Xampp-win32-1.7.4 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ||| -=[ Use It At Your Risk ]=- ||| ||| This Was Written For Educational Purpos Only ||| ||| Author Will Be Not Responsible For Any Damage ||| xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ################################################################################# # # - Information Details: # MBB CMS Made In Indonesia, free open source PHP and database MySQL. # Simple, Fast and Easy to create website like portal and others. # You can use it without any worries. It is free for you. # Download modul from official website http://www.ckp.asia All free. # - Content Management System Developer: busroby@gmail.com # ################################################################################# # - POC: # 1.1 Exploit - SQL Injection. # 1.2 Exploit - CSRF (Add Admin). # 1.3 Exploit - Reflected XSS. ################################################################################# # # 1.1 Exploit - SQL Injection: # # - SQL injection is a code injection technique that exploits a security # vulnerability occurring in the database layer of an #application. # The vulnerability is present when user input is either incorrectly # filtered for string literal escape characters embedded in SQL #statements # or user input is not strongly typed and thereby unexpectedly executed. # # - Files Vuln: # H:\xampp\htdocs\mbbcms\site\search.php <--- Line 6. # H:\xampp\htdocs\mbbcms\modul\article\article.php <--- Line 4. # # - Affected items (SQLi): # http://mbbcms/?ref=search&q=' + [SQL Injection] # http://mbbcms/?mod=article&act=search&q=' + [SQL Injection] # # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # # 1.2 Exploit - CSRF (Add Admin). # # #
# #