MyBB 1.6.9 – ‘editpost.php?posthash’ Blind SQL Injection

  • Author: Joshua Rogers
    Date: 2012-12-31
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/23781/
  • MyBB <1.6.9 is vulnerable to stored, error-based SQL injection.
    
    Vulnerable code:
    
    /editpost.php
    
    ===
    Line 398
    ===
    $posthash_query = "posthash='{$posthash}' OR ";
    ===
    
    
    It can be triggered using Tamper Data (or Live HTTP Headers): when
    submitting a post, edit the 'posthash' POST parameter to your payload,
    submit, then go to edit your post.
    
    
    Small "HOWTO" in picture: http://imgur.com/a/JxfEI
    
    This bug was not found by me, but afaik, I am the first one to release it.
    
    
    -- 
    *Joshua Rogers* - Retro Game Collector && IT Security Specialist
    gpg pubkey <http://www.internot.info/docs/gpg_pubkey.asc.gpg>
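
The interpolation pattern from line 398 next to a hardened lookup, as an added example that is not part of the original advisory and is not MyBB's own code or its patch. It assumes a legitimate posthash is a 32-character lowercase hex string; the table, column and function names are hypothetical, and PDO with an in-memory SQLite database stands in for the forum's database layer.

```php
<?php
// Added example, not MyBB code. Table, column and function names are hypothetical.

// Assumption: a legitimate posthash is a 32-character lowercase hex string.
function is_valid_posthash(string $value): bool
{
    return preg_match('/\A[a-f0-9]{32}\z/', $value) === 1;
}

// Pattern from line 398: the stored value becomes part of the SQL text itself.
function build_clause_vulnerable(string $posthash): string
{
    return "posthash='{$posthash}' OR ";
}

// Hardened: re-validate the value when it is read back from storage, then bind it.
// Validating only at submission time is not enough for a stored (second-order) flaw.
function find_attachments(PDO $db, int $pid, string $posthash): array
{
    if (is_valid_posthash($posthash)) {
        $stmt = $db->prepare('SELECT aid FROM attachments WHERE posthash = :ph OR pid = :pid');
        $stmt->execute([':ph' => $posthash, ':pid' => $pid]);
    } else {
        // Malformed stored value: ignore it and match on the post id only.
        $stmt = $db->prepare('SELECT aid FROM attachments WHERE pid = :pid');
        $stmt->execute([':pid' => $pid]);
    }
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE attachments (aid INTEGER PRIMARY KEY, pid INTEGER, posthash TEXT)');
$good = md5('constructed sample');
$insert = $db->prepare('INSERT INTO attachments (pid, posthash) VALUES (?, ?)');
foreach ([[1, $good], [0, $good], [2, '']] as $row) {
    $insert->execute($row);
}

$malformed = "abc'def"; // constructed value: a single quote ends the SQL literal early

echo build_clause_vulnerable($malformed), "\n"; // clause text is no longer well-formed SQL
var_dump(is_valid_posthash($good), is_valid_posthash($malformed));
print_r(find_attachments($db, 1, $good));       // rows matched by hash or by post id
print_r(find_attachments($db, 2, $malformed));  // malformed hash ignored, post id only
```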