MyBB KingChat Plugin - Persistent Cross-Site Scripting

EDB-ID:

23249

CVE:



Author:

VipVince

Type:

webapps


Platform:

PHP

Date:

2012-12-09


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Exploit Title: MyBB 'kingchat' chat-box plugin.
Google Dork: inurl:/kingchat.php?
Date: 8/12/12
Author: VipVince
Vendor Homepage: http://mods.mybb.com/
Software LinK: http://mods.mybb.com/view/kingchat
Tested on: Windows

Using the dork  inurl:/kingchat.php? you will see multiple forums running this chat plugin.

Note *Registration on the forums is required* for persistent XSS to work.

Now click a random forum with this plugin installed and you will see this:

http://vulnforum.com/kingchat.php?notic

Remove 'notic' at the end of the URL and add "chat=2&1=2" to our query so it becomes:

http://server/kingchat.php?chat=2&l=2

You will see the vulnerable chat box :). Submit your XSS for instance <script>alert("vipvince")</script>

Now to see our saved JavaScript alert go to:

http://server/kingchat.php?chat=2&l=2&message=

Your persistant XSS will be stored here.

Enjoy ;). VipVince.