扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 |
# Exploit Title: MyBB Profile Blog plugin multiple vulnerabilities. # Google Dork: inurl:member.php intext:"Profile Blogs" for MyBB # Date: 12.9.2012 # Exploit Author: Zixem # Vendor Homepage: http://fklar.pl/ # Software Link: http://mods.mybb.com/view/profile-blogs # Version: 1.2+ # Tested on: Linux. MyBB Profile Blogs plugin suffers from SQL Injection && Stored XSS. The vulnerabilities exist withing profileblogs.php which located in /plugins/ folder. #################################### SQLi #################################### Instructions: 1. Create a new post in your profile blog. 2. Edit it. 3. Inject in edit GET parameter. Vulnerable part: <?php /*Line 253*/ $pid = $mybb->input['edit']; /*Line 259*/ $db->query("UPDATE <code>".TABLE_PREFIX."blogposts</code> SET <code>subject</code> = '".$subject."', <code>message</code> = '".$message."' WHERE <code>pid</code> = '".$pid."'"); ?> How to exploit it: member.php?action=profile&uid=2&blogpage=1&edit=[VAILD_ID]'[SQLi] PoC: http://i.imgur.com/HY60R.png +----------------------------------------------------------------------------------------+ #################################### Stored-XSS #################################### The post subject is stored in the database without XSS protection, like this: <?php $subject = addslashes($mybb->input['subject']); $db->query("INSERT INTO <code>".TABLE_PREFIX."blogposts</code> VALUES (NULL, '".$uid."', '".$dateline."', '".$subject."', '".$message."', '".$ipaddress."')"); ?> And also comes out without XSS protection: <?php /*328*/ while($post = $db->fetch_array($query)) { /*333*/ $blog .= "<strong style=\"float: left;\">".$post['subject']."</strong><br />"; ?> As a result, we're getting Stored-XSS. How to exploit that: http://i.imgur.com/OTIRa.png PoC: http://i.imgur.com/2Hv9J.png Follow: http://twitter.com/z1xem |
体验盒子
