Bug: MyBB 1.1.1 Local SQL Injections (WLB-2006050005 Ascii Version)

	WLB2
Full List

Bugs

Bogus

Tricks

Exploits

	CVE MAP
Full List

Vendors

Products

	Tools
CWE Dictionary

Google Hacking

	Search
General

CVE

CWE

	RSS
Full List

Bugs

Exploits

Dorks

	Information
Our services

Add note

About



	Submit
To add a note, use this form or send email to submit@cxsecurity.com When contacting via email, we recommend coded messages. Get our PGP public key

Topic:	MyBB 1.1.1 Local SQL Injections
Credit:	o y 6 hotmail com
Date:	2006.05.01
CWE:	CWE-89 (Show similar)
CVE:	CVE-2006-2103 (Show details) Use CVE to see details like: - CVSS2, - Affected Software, - References

Risk	Local		Remote
Medium	Yes		Yes

MyBB Local SQL Injections ..

[ This Local Injections Only For Admin ]

* 1 *

[code]

adminfunctions.php , line 730

$db->query("INSERT INTO ".TABLE_PREFIX."adminlog
(uid,dateline,scriptname,action,querystring,ipaddress) VALUES
('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['a
ction']."','".$querystring."','".$ipaddress."')");

$querystring = Not Filtered

Exploit Exm.

/admin/adminlogs.php?action=view&D3vil-0x1=[SQL]'

Fix , Replace with

$db->query("INSERT INTO ".TABLE_PREFIX."adminlog
(uid,dateline,scriptname,action,querystring,ipaddress) VALUES
('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['a
ction']."','".addslashes($querystring)."','".$ipaddress."')");

[/code]

* 2 *

[code]

templates.php , lines 107 to 114

$newtemplate = array(

"title" => addslashes($mybb->input['title']),

"template" => addslashes($mybb->input['template']),

"sid" => $mybb->input['setid'],

"version" => $mybboard['vercode'],

"status" => "",

"dateline" => time()

);

sid = Not Filtered

Exploit Exm.

/admin/templates.php?action=do_add&title=Devil&template=Div&setid=[SQL]'

Fix Replace with

$newtemplate = array(

"title" => addslashes($mybb->input['title']),

"template" => addslashes($mybb->input['template']),

"sid" => addslashes($mybb->input['setid']),

"version" => $mybboard['vercode'],

"status" => "",

"dateline" => time()

);

[/code]

* 3 *

[code]

templates.php , line 600

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE
sid='".$expand."'");

$expand = $mybb->input['expand']; = Not Filtered

Exploit Exm.

/admin/templates.php?expand=' UNION ALL SELECT 1,2/*

Fix Replace With

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE
sid='".intval($expand)."'");

[/code]

* 4 *

[code]

templates.php , line 424

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE
title='".$mybb->input['title']."' AND sid='".$mybb->input['sid1']."'");

$template1 = $db->fetch_array($query);

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE
title='".$mybb->input['title']."' AND sid='".$mybb->input['sid2']."'");

Exploit Exm.

/admin/templates.php?action=diff&title=[SQL]'

/admin/templates.php?action=diff&sid2=[SQL]'

Fix Replace With

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE
title='".addslashes($mybb->input['title'])."' AND
sid='".intval($mybb->input['sid1'])."'");

$template1 = $db->fetch_array($query);

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE
title='".addslashes(($mybb->input['title'])."' AND
sid='".intval($mybb->input['sid2'])."'");

[/code]

MyBB Has Many Local Bugs ,, Fix It s00n ;)

[ ASCII VERSION ]

Bug: MyBB 1.1.1 Local SQL Injections (WLB-2006050005 Ascii Version)

use this form