MyBB Like Plugin 3.0.0 – Cross-Site Scripting

Exploit Database
43 阅读

作者： 0xB9

日期： 2018-08-10
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/45179/

# Exploit Title: MyBB Like Plugin 3.0.0 - Cross-Site Scripting
# Date: 2018-08-01
# Author: 0xB9
# Twitter: @0xB9Sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=360
# Version: 3.0.0
# Tested on: Ubuntu 18.04
# CVE: N/A

# 1. Description:
# This plugin allows users to thank/like other users threads/posts. 
# In user profiles it shows your most liked post/thread, the post/thread 
# subjects aren't sanitized to user input.
 
# 2. Proof of Concept:

- Use the following as the post/thread subject<script>alert('XSS')</script>
- Get that post/thread liked by another user (or you)
- Visit your profile to see alert.

last Exploits
MyBB Like Plugin 3.0.0 – Cross-Site Scripting的更多信息

Smart PHP Poll – Authentication Bypass：
Mirage – SQL Injection：
UTStar WA3002G4 ADSL Broadband Modem – Authentication Bypass：
Altova MobileTogether Server 7.3 – XML External Entity Injection (XXE)：
WordPress Plugin Forum Server 1.6.5 – SQL Injection：
WordPress Plugin Dharma Booking 2.38.3 – Remote File Inclusion：
Joomla! Component mod_VisitorData 1.1 – Remote code Execution：
Netgear Wireless Cable Modem Gateway – Authentication Bypass / Cross-Site Request Forgery：