MyBB 1.1.1 Local SQL Injections
Date: 27 Apr 2006 08:01:19 -0000
From: [email protected]
To: [email protected]
Subject: MyBB 1.1.1 Local SQL Injections
X-Virus-Scanned: antivirus-gw at tyumen.ru
MyBB Local SQL Injections ..
[ This Local Injections Only For Admin ]
* 1 *
* 1 *
adminfunctions.php , line 730
$db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".$querystring."','".$ipaddress."')");
$querystring = Not Filtered
Exploit Exm.
/admin/adminlogs.php?action=view&D3vil-0x1=[SQL]'
Fix , Replace with
$db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".addslashes($querystring)."','".$ipaddress."')");
$db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".addslashes($querystring)."','".$ipaddress."')");
* 2 *
* 2 *
templates.php , lines 107 to 114
$newtemplate = array(
"title" => addslashes($mybb->input['title']),
"template" => addslashes($mybb->input['template']),
"sid" => $mybb->input['setid'],
"version" => $mybboard['vercode'],
"status" => "",
"dateline" => time()
);
sid = Not Filtered
Exploit Exm.
/admin/templates.php?action=do_add&title=Devil&template=Div&setid=[SQL]'
Fix Replace with
$newtemplate = array(
"title" => addslashes($mybb->input['title']),
"template" => addslashes($mybb->input['template']),
"sid" => addslashes($mybb->input['setid']),
"version" => $mybboard['vercode'],
"status" => "",
"dateline" => time()
);
);
* 3 *
* 3 *
templates.php , line 600
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".$expand."'");
$expand = $mybb->input['expand']; = Not Filtered
Exploit Exm.
/admin/templates.php?expand=' UNION ALL SELECT 1,2/*
Fix Replace With
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".intval($expand)."'");
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".intval($expand)."'");
* 4 *
* 4 *
templates.php , line 424
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid1']."'");
$template1 = $db->fetch_array($query);
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid2']."'");
Exploit Exm.
/admin/templates.php?action=diff&title=[SQL]'
/admin/templates.php?action=diff&sid2=[SQL]'
Fix Replace With
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes($mybb->input['title'])."' AND sid='".intval($mybb->input['sid1'])."'");
$template1 = $db->fetch_array($query);
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes(($mybb->input['title'])."' AND sid='".intval($mybb->input['sid2'])."'");
$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes(($mybb->input['title'])."' AND sid='".intval($mybb->input['sid2'])."'");
MyBB Has Many Local Bugs ,, Fix It s00n ;)
