MyBB1.1.1.txt

2006-04-29T00:00:00
ID PACKETSTORM:45926
Type packetstorm
Reporter D3vil-0x1
Modified 2006-04-29T00:00:00

Description

                                        
                                            `MyBB Local SQL Injections ..  
  
[ This Local Injections Only For Admin ]  
  
* 1 *  
[code]  
adminfunctions.php , line 730  
  
$db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".$querystring."','".$ipaddress."')");  
  
$querystring = Not Filtered  
  
Exploit Exm.  
/admin/adminlogs.php?action=view&D3vil-0x1=[SQL]'  
  
Fix , Replace with  
  
$db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".addslashes($querystring)."','".$ipaddress."')");  
[/code]  
  
* 2 *  
[code]  
templates.php , lines 107 to 114  
  
$newtemplate = array(  
"title" => addslashes($mybb->input['title']),  
"template" => addslashes($mybb->input['template']),  
"sid" => $mybb->input['setid'],  
"version" => $mybboard['vercode'],  
"status" => "",  
"dateline" => time()  
);  
  
sid = Not Filtered  
  
Exploit Exm.  
/admin/templates.php?action=do_add&title=Devil&template=Div&setid=[SQL]'  
  
Fix Replace with  
  
$newtemplate = array(  
"title" => addslashes($mybb->input['title']),  
"template" => addslashes($mybb->input['template']),  
"sid" => addslashes($mybb->input['setid']),  
"version" => $mybboard['vercode'],  
"status" => "",  
"dateline" => time()  
);  
[/code]  
  
* 3 *  
[code]  
templates.php , line 600  
  
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".$expand."'");  
  
$expand = $mybb->input['expand']; = Not Filtered  
  
Exploit Exm.  
/admin/templates.php?expand=' UNION ALL SELECT 1,2/*  
  
Fix Replace With  
  
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".intval($expand)."'");  
[/code]  
  
* 4 *  
[code]  
templates.php , line 424  
  
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid1']."'");  
$template1 = $db->fetch_array($query);  
  
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid2']."'");  
  
Exploit Exm.  
/admin/templates.php?action=diff&title=[SQL]'  
/admin/templates.php?action=diff&sid2=[SQL]'  
  
Fix Replace With  
  
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes($mybb->input['title'])."' AND sid='".intval($mybb->input['sid1'])."'");  
$template1 = $db->fetch_array($query);  
  
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes(($mybb->input['title'])."' AND sid='".intval($mybb->input['sid2'])."'");  
[/code]  
  
MyBB Has Many Local Bugs ,, Fix It s00n ;)  
  
  
  
`