MyBB Community Forums

Full Version: [Release] Backdoor
With all the people deleting their own admin accounts or having been hacked and no way to recover admin I thought to make this.

Mod Name: Mybb Backdoor
Mod Author: Jesse Labrocca
Mod Website: http://www.MybbCentral.com
Mod Version: 1.0
Mod Mybb Compatibility: 1.2x
Mod File Edits: None
Mod File Uploads: 1
Mod Description: This is not actually a Plugin. It's a script that allows you to admin any member in case of a lockout or deletion of your account. It's a backdoor script. It could be used in case of a hack attempt as well.

Installation

1. Rename the backdoor.php script to something random with the php extension. Like ayetjca3asd.php

2. Edit the php file and add your own password (entry is near the top). Make sure to remember both the password and file name.

3. Upload the file to your root directory of the mybb install. Script will not work in subdirectories.


Usage

1. Create a new user or you can use an existing user if you know the account login details.

2. Go to the URL and use the username, filename and password you created.

http://www.domain.com/mybb/FILENAME.php?...d=PASSWORD

3. Now that account should be admin and have permissions to make changes. Unfortunately unless you are SuperAdmin in the config you won't be able to edit that user. You can via FTP though change that in the inc/config.php file manually.

I can be reached at either http://www.mybbcentral.com as username LABROCCA if you have questions.

Download Link

Thank you.
Jesse Labrocca
Labrocca, you have made a Mod that will help many people. I am sure people will give you lots of thank-yous when they use it.
What he said. There is a small portion, but obviously significant enough, that delete their own account.
Regardless of the fact that you rename the file, you should delete this file after use anyway.

Leaving this file on your server is a potential security risk.

And, no, I'm not saying the way labrocca coded it is a security risk (I haven't even looked at the file yet), I'm saying any file that automatically sets a user as an admin is a potential security risk, even if it is password protected and renamed to something completely random. Just a general warning.

Nice work, though, this will prove useful to those who accidentally lock themselves out of the Admin CP.
The problem is sometimes a hacker MIGHT even get cpanel access and even take over hosting account. This would at least allow you to get into the forum and do a backup quickly.

Yes it goes without saying that this does present a security risk but with the file renamed and a tough password it will be difficult to exploit it.

But thanks Ryan anyways for pointing out the possible issues. My advice: give the file a LONG name that's very random characters, same with the password. Then save that information somewhere on your home computer or even just write it down.
Yeah, don't keep it short and sweet. That's how brute-forcing works. If a hacker doesn't already know your password that'll be how it all goes down.
Probably a dumb question, but how in the world do people manage to delete their own account? (other than through hacking?)
nyree.kage Wrote:Probably a dumb question, but how in the world do people manage to delete their own account? (other than through hacking?)


Ah bro, it is possible... (talking from experience)

I managed to delete my super admin via phpmyadmin
Have to be very careful, though. Robots can index this if you're not careful. Other than that, really good idea, Labrocca!
mykeled123 Wrote:Have to be very careful, though. Robots can index this if you're not careful. Other than that, really good idea, Labrocca!

You can add it in your disallow list, it will work.
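
An added example (not part of the thread, and not Labrocca's script): a Python check for the two points raised above, a recovery script left in the forum root after use and a robots.txt Disallow line that names it, which makes the name public because robots.txt is readable by anyone. The allowlist is a partial, constructed one and the layout (robots.txt beside the forum files) is an assumption; build the real allowlist from the MyBB release you installed.

```python
import os
import tempfile

# Assumption: partial, constructed allowlist of stock MyBB root scripts.
KNOWN_ROOT_PHP = {"index.php", "member.php", "showthread.php", "forumdisplay.php",
                  "global.php", "usercp.php", "private.php", "search.php"}


def unexpected_root_scripts(root, known=KNOWN_ROOT_PHP):
    """Return root-level .php files that are not in the allowlist."""
    found = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path) and name.lower().endswith(".php") and name not in known:
            found.append(name)
    return found


def robots_disclosures(root, names):
    """Return the names that a robots.txt Disallow line spells out."""
    path = os.path.join(root, "robots.txt")
    if not os.path.isfile(path):
        return []
    disclosed = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            # Drop trailing comments, then split "Field: value".
            field, _, value = line.split("#", 1)[0].partition(":")
            if field.strip().lower() == "disallow":
                # Compare on the last path component so /mybb/x.php also matches.
                target = value.strip().rsplit("/", 1)[-1]
                if target in names:
                    disclosed.add(target)
    return sorted(disclosed)


def demo():
    """Audit a constructed forum root that still holds a renamed script."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.php", "member.php", "ayetjca3asd.php"):
            open(os.path.join(root, name), "w").close()
        with open(os.path.join(root, "robots.txt"), "w") as fh:
            fh.write("User-agent: *\nDisallow: /mybb/ayetjca3asd.php  # hidden\n"
                     "Disallow: /admin/\n")
        extra = unexpected_root_scripts(root)
        return extra, robots_disclosures(root, extra)


if __name__ == "__main__":
    print(demo())
```

Any file reported by `unexpected_root_scripts` should be reviewed and removed once it is no longer needed; any name reported by `robots_disclosures` should be treated as already known to outsiders.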