# Exploit Title: MyBB Profile Wii Friend Code SQLi/Persistent XSS # Dork: intitle:"Profile of" intext:"Wii Friend Code" inurl:member.php # Date: 1/3/2013 # Exploit Author: Ichi # Vendor Homepage: http://mods.mybb.com/view/profile-wii-friend-code # Software Link: http://mods.mybb.com/download/profile-wii-friend-code # Version: 1.0 # Tested on: Windows 7 64-bit "Profile Wii Friend Code" MyBB plugin is vulnerable to SQL UPDATE Injection and Persistent XSS. The vulnerable code lies here(in profilewfc.php): <?php function profilewfc_update($wfc) { global $mybb; if (isset($mybb->input['wfc'])) { $wfc->user_update_data['wfc'] = $mybb->input['wfc']; } } ?> As you can see the input is not sanitized in the least... Persistent XSS: 1. Go to your user cp and edit your profile - usercp.php?action=profile 2. and at the "Wii Friend Code Wii Friend Code" box enter: <script>alert(1)</script> and then press submit 3. http://prntscr.com/o1x2p, submit, and http://prntscr.com/o1x69 SQL Injection: 1. Go to your user cp and edit your profile - usercp.php?action=profile 2. Enter this into the Wii Friend Code field as you would do with the 1st vulnerability: x', usergroup='4 3. submit and now you belong to whatever usergroup to choice to belong to PoC: Before: http://prntscr.com/o1xkg Exploit: http://prntscr.com/o1xnd Aftermath(now an admin): http://prntscr.com/o1xoj https://twitter.com/TeamDigi7al ~Ichi