lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: 27 Apr 2006 08:01:19 -0000 From: o.y.6@...mail.com To: bugtraq@...urityfocus.com Subject: MyBB 1.1.1 Local SQL Injections MyBB Local SQL Injections .. [ This Local Injections Only For Admin ] * 1 * [code] adminfunctions.php , line 730 $db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".$querystring."','".$ipaddress."')"); $querystring = Not Filtered Exploit Exm. /admin/adminlogs.php?action=view&D3vil-0x1=[SQL]' Fix , Replace with $db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['action']."','".addslashes($querystring)."','".$ipaddress."')"); [/code] * 2 * [code] templates.php , lines 107 to 114 $newtemplate = array( "title" => addslashes($mybb->input['title']), "template" => addslashes($mybb->input['template']), "sid" => $mybb->input['setid'], "version" => $mybboard['vercode'], "status" => "", "dateline" => time() ); sid = Not Filtered Exploit Exm. /admin/templates.php?action=do_add&title=Devil&template=Div&setid=[SQL]' Fix Replace with $newtemplate = array( "title" => addslashes($mybb->input['title']), "template" => addslashes($mybb->input['template']), "sid" => addslashes($mybb->input['setid']), "version" => $mybboard['vercode'], "status" => "", "dateline" => time() ); [/code] * 3 * [code] templates.php , line 600 $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".$expand."'"); $expand = $mybb->input['expand']; = Not Filtered Exploit Exm. /admin/templates.php?expand=' UNION ALL SELECT 1,2/* Fix Replace With $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".intval($expand)."'"); [/code] * 4 * [code] templates.php , line 424 $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid1']."'"); $template1 = $db->fetch_array($query); $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid2']."'"); Exploit Exm. /admin/templates.php?action=diff&title=[SQL]' /admin/templates.php?action=diff&sid2=[SQL]' Fix Replace With $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes($mybb->input['title'])."' AND sid='".intval($mybb->input['sid1'])."'"); $template1 = $db->fetch_array($query); $query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes(($mybb->input['title'])."' AND sid='".intval($mybb->input['sid2'])."'"); [/code] MyBB Has Many Local Bugs ,, Fix It s00n ;)
Powered by blists - more mailing lists