MyBB Community Forums

MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 Security Management and Support > Got SQLi'd?
Full Version: Got SQLi'd?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

vEconomy

2013-01-12, 11:06 AM
Someone gave me a list of all my users in a format like....




I want to know how he was able to do this. The plugin I am using is..

mysql> SELECT username,email,password,salt FROM mybb_users
+---------------------------------------------------------------------+
<snip>

Admin Directory PIN (1.0)
Admin CP Honeypot (1.0)
Contact Form (3.1)
Default Avatar (1.0)
Donation Page (2.1)
Easy Refer (2.0)
ezTrader (1.0.2)
Forum Icons (2.1)
Last/First Post Avatar (1.0.2)
Goodbye Spammer (1.0)
Help Center (1.5)
IP Login History (1.1)
Javascript Logout Confirmation (1.0)
Last Visitors in Profile (1.1)
MetaTags Plugin (1.0)
Multiple Registrations Detector (1.1)
My Awards (2.3)
My Advertisements (2.0.3)
MySubscriptions (1.1)
NewPoints (1.9.6)
Online 24 (2.2)
Template Conditionals (1.7)
Profile Groups (1.0)
ProStats /proʊˈstæts/ (1.9.4)
Quick Reply PM (1.3)
Registration Security Question (1.2)
SEO Titles (1.5)
Tabbed Menu (2.0.2)
Username History (1.4.1a)
XThreads v1.62,

My board is http://runetools.com

StefanT

2013-01-12, 11:11 AM
I recommend to remove your user's emails and passwords. They probably don't like to get spammed...

Nathan Malcolm

2013-01-12, 11:15 AM
OP, posting your username, email, password hash and salt is a very insecure thing to do. Considering you're concerned about your forum security, I highly advise you don't give your login information away on a public forum.

I found a vulnerability within NewPoints the other day. You should make sure all of your plugins are up to date.

Alan S.

2013-01-12, 11:18 AM
Upgrade New Points to the latest version if you haven't already, previous versions contain a vulnerability.

vEconomy

2013-01-12, 11:20 AM
Username and stuff was removed but it was in the format of..

join:[email protected]:md5hashasdflkjasdf32r2r3:salt

Also, I see newpoints 1.9.7 just came out today.

Nathan Malcolm

2013-01-12, 11:24 AM
(2013-01-12, 11:20 AM)vEconomy Wrote: [ -> ]Username and stuff was removed but it was in the format of..

join:[email protected]:md5hashasdflkjasdf32r2r3:salt

By posting the hash and salt, people can bruteforce it to obtain the plain text password. Being only MD5, it wouldn't take that long to crack even with a salt.

vEconomy

2013-01-12, 12:06 PM
Aside from the plugins. Is there any other way they can penetrate sql?

Adobe

2013-01-13, 02:59 AM
By the way, you might want to check in with your mods because my site was also SQLI'd through the newpoints plugin recently and someone from MyBB told me that the SQLI in the newpoints plugin can be performed through moderation only so it's most likely a Mod on your forum that did it.
MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 Security Management and Support > Got SQLi'd?