***************************************************
# Exploit Title: MyBB Plugin Uploader 1.1.2 plugin upload shell
# Date: 2014
# Exploit Author: IRH
# Tested on : 7,8
# version: 1.1.2
# Software Link: http://mods.mybb.com/download/plugin-uploader
# ScreenShot : http://uploaderx.persiangig.com/pluginuploader_upload.png
***************************************************

Exploit :
http://localhost/mybb/admin/index.php?module=config-plugins&action=pluginuploader

Info :
Put the shell into a zip archive and upload that zip as a plugin through Plugin Uploader in the MyBB admin panel. The files in the zip are extracted into the inc/plugins directory, so the shell can then be loaded from /inc/plugins/pluginName/sh3ll.php.

***************************************************
Vulnerability code :

if($mybb->input['from_mods_site'] == 1)
{
    // plugin_name is taken straight from request input and used to build the path
    $plugin_temp_name = $mybb->input['plugin_name'];
    $path = MYBB_ROOT . "inc/plugins/temp/" . $plugin_temp_name;
    $pathinfo = array('extension' => 'zip');
    $file_path = MYBB_ROOT . "inc/plugins/temp/" . $plugin_temp_name . ".zip";
}

------------------------------

// try to open the zip
if(!@$zip->open($file_path))
{
    flash_message($lang->pluginuploader_error_upload, 'error');
    admin_redirect("index.php?module=config-plugins&action=pluginuploader");
}

// try to create a temporary directory for the files
if(!pluginuploader_create_temp_dir($plugin_temp_name))
{
    flash_message($lang->pluginuploader_error_temp_dir, 'error');
    admin_redirect("index.php?module=config-plugins&action=pluginuploader");
}

// try to extract the files to the temp directory (every entry in the archive is written out as-is)
if(!@$zip->extractTo($path))
{
    flash_message($lang->pluginuploader_error_extract, 'error');
    admin_redirect("index.php?module=config-plugins&action=pluginuploader");
}
$zip->close();
break;

case "php":
// try to create a temporary directory for the file
if(!pluginuploader_create_temp_dir($plugin_temp_name))
{
    flash_message($lang->pluginuploader_error_temp_dir, 'error');
    admin_redirect("index.php?module=config-plugins&action=pluginuploader");
}

***************************************************
TnX To : MojiRider, V30sharp, Black.viper, Zer0killer, SecretWalker, FarBodEzrail, Mrsco, Amirio, AL1R3Z4, 3is@, Mr.a!i, Mr.3ler0n, Irblackhat, inj3ct0r, 3inst3in, Remot3r, scoot3r, IRH Member
./IRaNHaCK.org
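The vulnerability code above hands the archive to extractTo() without looking at what is inside it, and builds the target path from the raw plugin_name request value. The following is an added example, not code from the advisory or from the Plugin Uploader plugin, of a pre-extraction check a site operator could put in front of that call: it restricts plugin_name to a plain identifier, refuses archive entries that would escape the target directory, and returns the list of PHP files the extraction would create under inc/plugins so the upload can be logged and reviewed. The function and parameter names are hypothetical.

```php
<?php
// Added example (hypothetical names); inspects a plugin archive before
// ZipArchive::extractTo() runs. Returns ['errors' => [...], 'php_files' => [...]]:
// extraction should proceed only when 'errors' is empty, and 'php_files' lists
// every PHP file the archive would write under inc/plugins/<name>/.
function pluginuploader_inspect_archive(string $zip_path, string $plugin_name): array
{
    $errors = array();
    $php_files = array();

    // plugin_name becomes a directory name under inc/plugins/temp/, so accept
    // only a plain identifier there instead of raw request input.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $plugin_name)) {
        $errors[] = 'plugin name must match ^[A-Za-z0-9_-]{1,64}$';
    }

    $zip = new ZipArchive();
    if ($zip->open($zip_path) !== true) {
        $errors[] = 'archive could not be opened';
        return array('errors' => $errors, 'php_files' => $php_files);
    }

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        // Entries must stay inside the target directory: no empty names,
        // no absolute paths, no backslash separators, no ".." components.
        if ($entry === false || $entry === '' || $entry[0] === '/'
            || strpos($entry, '\\') !== false
            || in_array('..', explode('/', $entry), true)) {
            $errors[] = "unsafe path in archive: $entry";
            continue;
        }
        if (substr($entry, -1) === '/') {
            continue; // directory entry, nothing is written for it
        }
        // Record anything the web server would execute as PHP. Plugins
        // legitimately ship .php files, so this feeds logging and admin
        // review rather than a blanket refusal.
        $ext = strtolower(pathinfo($entry, PATHINFO_EXTENSION));
        if (in_array($ext, array('php', 'phtml', 'php5', 'phar'), true)) {
            $php_files[] = $entry;
        }
    }
    $zip->close();

    return array('errors' => $errors, 'php_files' => $php_files);
}
```

Writing the returned php_files list to the admin log at upload time gives a defender a record of exactly which executable files each plugin upload introduced, which is what an incident responder looks for when an unexpected file appears under inc/plugins.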