MyBB Profile Wii Friend Code 1.0 Cross Site Scripting / SQL Injection

`# Exploit Title: MyBB Profile Wii Friend Code SQLi/Persistent XSS  
# Dork: intitle:"Profile of" intext:"Wii Friend Code" inurl:member.php  
# Date: 1/3/2013  
# Exploit Author: Ichi  
# Vendor Homepage: http://mods.mybb.com/view/profile-wii-friend-code  
# Software Link: http://mods.mybb.com/download/profile-wii-friend-code  
# Version: 1.0  
# Tested on: Windows 7 64-bit  
  
"Profile Wii Friend Code" MyBB plugin is vulnerable to SQL UPDATE Injection and Persistent XSS.  
  
The vulnerable code lies here(in profilewfc.php):  
  
<?php  
function profilewfc_update($wfc)  
{  
global $mybb;  
  
if (isset($mybb->input['wfc']))  
{  
$wfc->user_update_data['wfc'] = $mybb->input['wfc'];  
}  
}  
?>  
  
As you can see the input is not sanitized in the least...  
  
Persistent XSS:  
1. Go to your user cp and edit your profile - usercp.php?action=profile  
2. and at the "Wii Friend Code Wii Friend Code" box enter: <script>alert(1)</script> and then press submit  
3. http://prntscr.com/o1x2p, submit, and http://prntscr.com/o1x69  
  
SQL Injection:  
1. Go to your user cp and edit your profile - usercp.php?action=profile  
2. Enter this into the Wii Friend Code field as you would do with the 1st vulnerability: x', usergroup='4  
3. submit and now you belong to whatever usergroup to choice to belong to  
  
PoC:  
Before: http://prntscr.com/o1xkg  
Exploit: http://prntscr.com/o1xnd  
Aftermath(now an admin): http://prntscr.com/o1xoj  
  
https://twitter.com/TeamDigi7al  
~Ichi  
  
  
`