MyBB Profile Wii Friend Code - Multiple Vulnerabilities

EDB-ID:

23888

CVE:


Author:

Ichi

Type:

webapps

Platform:

PHP

Published:

2013-01-04

# Exploit Title: MyBB Profile Wii Friend Code SQLi/Persistent XSS
# Dork: intitle:"Profile of" intext:"Wii Friend Code" inurl:member.php
# Date: 1/3/2013
# Exploit Author: Ichi
# Vendor Homepage: http://mods.mybb.com/view/profile-wii-friend-code
# Software Link: http://mods.mybb.com/download/profile-wii-friend-code
# Version: 1.0
# Tested on: Windows 7 64-bit

"Profile Wii Friend Code" MyBB plugin is vulnerable to SQL UPDATE Injection and Persistent XSS.

The vulnerable code lies here(in profilewfc.php):

<?php
function profilewfc_update($wfc)
{
  global $mybb;

  if (isset($mybb->input['wfc']))
   {
      $wfc->user_update_data['wfc'] = $mybb->input['wfc'];
   }
}
?>

As you can see the input is not sanitized in the least...

Persistent XSS:
1. Go to your user cp and edit your profile - usercp.php?action=profile
2. and at the "Wii Friend Code Wii Friend Code" box enter: <script>alert(1)</script> and then press submit
3. http://prntscr.com/o1x2p, submit, and http://prntscr.com/o1x69

SQL Injection:
1. Go to your user cp and edit your profile - usercp.php?action=profile
2. Enter this into the Wii Friend Code field as you would do with the 1st vulnerability: x', usergroup='4
3. submit and now you belong to whatever usergroup to choice to belong to

PoC:
Before: http://prntscr.com/o1xkg
Exploit: http://prntscr.com/o1xnd
Aftermath(now an admin): http://prntscr.com/o1xoj

https://twitter.com/TeamDigi7al
~Ichi