Vendor: KingChat MyBB plugin
By: Red_Hat
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: KingChat MyBB plugin
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Platforms Tested: Windows, Linux
Year: 2012

KingChat MyBB plugin SQL Injection 0day

The 'username' parameter in the 'kingchat.php' file of the KingChat MyBB plugin is vulnerable to SQL Injection. The parameter is not properly sanitized before it is used in a SQL query, so an attacker can exploit this vulnerability by injecting malicious SQL code through it.

Mitigation:

To mitigate this vulnerability, the developer should properly sanitize the input received through the 'username' parameter before using it in SQL queries. This can be done by using prepared statements or parameterized queries, which keep the input separate from the SQL text.
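
The parameterized-query mitigation described above, as an added example that is not KingChat's or MyBB's own code. It uses PDO with an in-memory SQLite table; the table contents, the function names and the 120-character limit are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: constructed table and rows, requires the pdo_sqlite extension.

/** Build an in-memory stand-in for the forum's users table (constructed data). */
function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE mybb_users (uid INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
    $ins = $pdo->prepare('INSERT INTO mybb_users (uid, username) VALUES (?, ?)');
    foreach ([[1, 'admin'], [2, "O'Brien"], [3, 'alice']] as $row) {
        $ins->execute($row);
    }
    return $pdo;
}

/**
 * Hardened form of the username lookup: the SQL text is fixed and the
 * username is bound as a parameter, so quote characters in the input stay
 * data and cannot alter the query. Returns the uid, or null when no user
 * has exactly that name.
 */
function find_uid(PDO $pdo, string $username): ?int
{
    // Assumed limit: reject empty or oversized names before querying.
    if ($username === '' || strlen($username) > 120) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT uid FROM mybb_users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

$pdo = make_demo_db();
// Constructed inputs: a plain name, a legitimate name containing a quote,
// a string carrying SQL syntax, and an array (?username[]=x yields an array).
$inputs = ['alice', "O'Brien", "x' OR '1'='1", ['array']];
foreach ($inputs as $raw) {
    // Accept strings only; anything else is treated as "no such user".
    $uid = is_string($raw) ? find_uid($pdo, $raw) : null;
    $label = is_string($raw) ? $raw : '(non-string)';
    printf("%-16s => %s\n", $label, $uid === null ? 'no match' : "uid $uid");
}
```

Inside a MyBB plugin, where queries go through the `$db` object, the input would instead be passed through `$db->escape_string()` before being placed in the query string.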

Exploit-DB raw data:

# Exploit Title: KingChat MyBB plugin SQL Injection 0day
# Google Dork: inurl:"kingchat.php"
# Date: 13.10.2012
# Exploit Author: Red_Hat [NullSec]
# Software Link: http://mods.mybb.com/view/kingchat
# Tested on: Windows & Linux.

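Vulnerable code:

<?php
	// Request parameters are copied straight from the query string.
	$username=$_GET['username'];
	$uid=$_GET['uid'];
	$text=$_GET['text'];

	// $username is interpolated into the SQL string as-is (the injection point).
	$users=$db->query("SELECT * FROM ".TABLE_PREFIX."users WHERE username='$username'");
	$users_info=$db->fetch_array($users);
	$users_num=$db->num_rows($users);
	$fusername=$users_info['uid'];
?>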

The variable '$username' remains unsanitized.

Usage : http://www.site.com/kingchat.php?send=Red_Hat&username=[SQLi]

Shoutout to Zixem <3 & NullSec :3