Vendor: Profile Albums
Author: Zixem
CVSS: 7.5 (HIGH)
CWE: CWE-89 (SQL Injection)
Product Name: Profile Albums
Affected Version From: 0.9
Affected Version To: 0.9
Patch Exists: YES
Related CWE: N/A
CPE: mybb:profilealbums
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
Year: 2012

Profile Albums MyBB plugin SQL Injection 0day

The vulnerability exists within albums.php, where the user-supplied album parameter is not sanitized before being concatenated into a SQL query. An attacker can exploit it by sending a crafted HTTP request carrying a malicious SQL fragment to the vulnerable script. This can be used to bypass authentication and to read, modify or delete data in the back-end database.

Mitigation:

Untrusted request data such as the album parameter should be validated before it is used to construct SQL queries that are executed against the database.

Exploit-DB raw data:

# Exploit Title: Profile Albums MyBB plugin SQL Injection 0day
# Google Dork: inurl:albums.php intext:"powered by Mybb"
# Date: 14.10.2012
# Exploit Author: Zixem
# Software Link: http://mods.mybb.com/view/profilealbums
# Version: 0.9
# Tested on: Linux.
----------------------------------------------

The vulnerability exists within albums.php :

	<?php
		/*Line 69*/	$aid = $mybb->input['album'];  /* raw request value, no validation or escaping */
		/*Line 86*/	$query_add_breadcrumb = $db->simple_select("albums", "*", "aid='".$aid."'");  /* $aid concatenated straight into the WHERE clause */
	?>

/albums.php?action=editimage&image=[Valid_ID]&album=[Valid_album_ID][SQLi]

(You need to create a new account && upload album and images)
----------------------------------------------
Image : http://i.imgur.com/yeAx0.png


Follow: https://twitter.com/PonyBlaze
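The following is an added example, not code from the plugin, from MyBB or from the advisory author: it rebuilds the WHERE clause that the quoted albums.php lines 69 and 86 construct from the raw "album" parameter and contrasts it with a hardened version that casts the id to an integer first. The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not the plugin's or MyBB's code). Runs under plain PHP CLI;
// no MyBB objects are needed, the functions only build the WHERE string.

// Vulnerable pattern: the raw request value is concatenated into the SQL text
// exactly as the quoted lines 69 and 86 do, so the request controls the query.
function where_clause_vulnerable(string $album_param): string
{
    $aid = $album_param;                 // line 69: $aid = $mybb->input['album'];
    return "aid='" . $aid . "'";         // line 86: "aid='".$aid."'"
}

// Hardened version: aid is an integer column, so cast before use. Whatever the
// request carried, the clause now contains only a digit string; a non-numeric
// value becomes 0 and is rejected before any query is built.
function where_clause_hardened(string $album_param): ?string
{
    $aid = (int)$album_param;
    if ($aid <= 0) {
        return null;                     // caller should raise MyBB's error() here
    }
    return "aid='" . $aid . "'";
}

// Constructed inputs: a normal album id, one with a stray quote, one non-numeric.
foreach (["7", "7'", "abc"] as $input) {
    printf("input=%-6s vulnerable=%-12s hardened=%s\n",
        var_export($input, true),
        where_clause_vulnerable($input),
        var_export(where_clause_hardened($input), true));
}
// The stray quote yields aid='7'' in the vulnerable clause (broken SQL syntax,
// which is how the injection point shows up), but aid='7' in the hardened one.
```

In the plugin itself the equivalent change is to replace line 69 with `$aid = (int)$mybb->input['album'];` (or use `$db->escape_string()` for columns that genuinely hold strings) before the value reaches `simple_select()`.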