MyBB 1.1.1 Local SQL Injections

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MyBB 1.1.1 Local SQL Injections
From: o.y.6@xxxxxxxxxxx
Date: 27 Apr 2006 08:01:19 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

MyBB Local SQL Injections ..

        [ This Local Injections Only For Admin ]

* 1 *
[code]
        adminfunctions.php , line 730

$db->query("INSERT INTO ".TABLE_PREFIX."adminlog 
(uid,dateline,scriptname,action,querystring,ipaddress) VALUES 
('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".$querystring."','".$ipaddress."')");

$querystring = Not Filtered

        Exploit Exm.
        /admin/adminlogs.php?action=view&D3vil-0x1=[SQL]'

Fix , Replace with

$db->query("INSERT INTO ".TABLE_PREFIX."adminlog 
(uid,dateline,scriptname,action,querystring,ipaddress) VALUES 
('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".addslashes($querystring)."','".$ipaddress."')");
[/code]

* 2 *
[code]
        templates.php , lines 107 to 114

$newtemplate = array(
        "title" => addslashes($mybb->input['title']),
        "template" => addslashes($mybb->input['template']),
        "sid" => $mybb->input['setid'],
        "version" => $mybboard['vercode'],
        "status" => "",
        "dateline" => time()
);

sid = Not Filtered

        Exploit Exm.
        /admin/templates.php?action=do_add&title=Devil&template=Div&setid=[SQL]'

Fix Replace with

$newtemplate = array(
                "title" => addslashes($mybb->input['title']),
                "template" => addslashes($mybb->input['template']),
                "sid" => addslashes($mybb->input['setid']),
                "version" => $mybboard['vercode'],
                "status" => "",
                "dateline" => time()
);
[/code]

* 3 *
[code]
        templates.php , line 600

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE 
sid='".$expand."'");

$expand = $mybb->input['expand']; = Not Filtered

        Exploit Exm.
        /admin/templates.php?expand=' UNION ALL SELECT 1,2/*

Fix Replace With

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE 
sid='".intval($expand)."'");
[/code]

* 4 *
[code]
        templates.php , line 424

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE 
title='".$mybb->input['title']."' AND sid='".$mybb->input['sid1']."'");
        $template1 = $db->fetch_array($query);

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE 
title='".$mybb->input['title']."' AND sid='".$mybb->input['sid2']."'");

        Exploit Exm.
        /admin/templates.php?action=diff&title=[SQL]'
        /admin/templates.php?action=diff&sid2=[SQL]'

Fix Replace With

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE 
title='".addslashes($mybb->input['title'])."' AND 
sid='".intval($mybb->input['sid1'])."'");
        $template1 = $db->fetch_array($query);

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE 
title='".addslashes(($mybb->input['title'])."' AND 
sid='".intval($mybb->input['sid2'])."'");
[/code]

MyBB Has Many Local Bugs ,, Fix It s00n ;)

Prev by Date: Re: Invision Vulnerabilities, including remote code execution
Next by Date:
Previous by thread: [EEYEB-20060227] Juniper Networks SSL-VPN Client Buffer Overflow
Next by thread:
Index(es):
- Date
- Thread