[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

MyBB Profile Wii Friend Code Multiple Vulnerabilities

Author
Ichi
Risk
[
Security Risk High
]
0day-ID
0day-ID-20093
Category
web applications
Date add
04-01-2013
Platform
php
# Exploit Title: MyBB Profile Wii Friend Code SQLi/Persistent XSS
# Dork: intitle:"Profile of" intext:"Wii Friend Code" inurl:member.php
# Date: 1/3/2013
# Exploit Author: Ichi
# Vendor Homepage: http://mods.mybb.com/view/profile-wii-friend-code
# Software Link: http://mods.mybb.com/download/profile-wii-friend-code
# Version: 1.0
# Tested on: Windows 7 64-bit
 
"Profile Wii Friend Code" MyBB plugin is vulnerable to SQL UPDATE Injection and Persistent XSS.
 
The vulnerable code lies here(in profilewfc.php):
 
<?php
function profilewfc_update($wfc)
{
  global $mybb;
 
  if (isset($mybb->input['wfc']))
   {
      $wfc->user_update_data['wfc'] = $mybb->input['wfc'];
   }
}
?>
 
As you can see the input is not sanitized in the least...
 
Persistent XSS:
1. Go to your user cp and edit your profile - usercp.php?action=profile
2. and at the "Wii Friend Code Wii Friend Code" box enter: <script>alert(1)</script> and then press submit
3. http://prntscr.com/o1x2p, submit, and http://prntscr.com/o1x69
 
SQL Injection:
1. Go to your user cp and edit your profile - usercp.php?action=profile
2. Enter this into the Wii Friend Code field as you would do with the 1st vulnerability: x', usergroup='4
3. submit and now you belong to whatever usergroup to choice to belong to
 
PoC:
Before: http://prntscr.com/o1xkg
Exploit: http://prntscr.com/o1xnd
Aftermath(now an admin): http://prntscr.com/o1xoj
 
https://twitter.com/TeamDigi7al
~Ichi

#  0day.today [2024-12-25]  #