MyBB Community Forums

Full Version: SQL Injection for v1.6.2
I advise all users running this version of MyBB to IMMEDIATELY put your board offline to prevent search queries, and change your passwords.
---------------------------------------------------------------------------------------------------

# Author: Envy
# Website: www.leethackers.org/board/
# This is a MyBB 1.6.2 SQL Injection Exploit. The search.php is affected. The SQLi can be performed
  and the username + password of admins and users stolen.
# Google Dork: intext:Powered by MyBB 1.6.2

---------------------------------------------------------------------------------------------------

Proof of Concept:


Find a forum that is powered by MyBB 1.6.2 using the dork I provided.

On most forums, you will need to register to use the search function. After you are there, enter this in the textbox:

' or ' or 1337'

Now hit Enter and you will see an error: You have an error in your SQL Syntax. 

Now you can perform a SQL Injection Attack. This is nothing for newbies, so please do not ask how to inject it then. MyBB 1.6.1 is vulnerable also! 

# www.leethackers.org
This isn't an SQL injection vulnerability as far as I'm aware, it just produces an error, which has been fixed for the next release. If you look at the error message it gives, this is why it fails:

AND ( or LOWER(t.subject) LIKE '%1337%')

It's because the first thing in the brackets is 'or', and that's not valid SQL, thus the error; it's not that the quotes themselves are breaking the query because they're not being escaped.
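A runnable illustration of the two points made in the reply above, added here as an example that is not from the forum thread and not MyBB's own code: a hypothetical keyword-clause builder that splits the search text on " or ", drops pieces that are too short (MIN_WORD_LEN is an assumed setting), escapes what remains, and emits the boolean before every condition except the one belonging to the first piece. With the input `' or ' or 1337'` the leading pieces are dropped, so the clause opens with a bare "or" and the database rejects it, while the escaped quote stays inside the string literal and never breaks out. The page's own fragment shows the trailing quote removed rather than escaped; that detail of the real code is not visible here, so this demo just escapes it. The hardened version collects the kept keywords first, joins with OR only between them, and binds each keyword as a parameter. It runs against an in-memory SQLite table with constructed sample subjects (SQLite escapes quotes by doubling; a MySQL driver would use a backslash instead, which does not change the argument).

```python
import sqlite3

# Constructed sample threads (not data from the forum thread above).
SAMPLE_THREADS = [
    (1, "Leet 1337 tricks"),
    (2, "Hello world"),
    (3, "O'Reilly on 1337 security"),
]

# Assumed "minimum search word" length; the real setting's value is not on the page.
MIN_WORD_LEN = 3


def _connect():
    """In-memory SQLite table standing in for the forum's threads table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (tid INTEGER PRIMARY KEY, subject TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?)", SAMPLE_THREADS)
    return con


def escape_sql_string(value):
    """Quote doubling, the escape SQLite understands (MySQL drivers use a backslash)."""
    return value.replace("'", "''")


def build_where_naive(raw):
    """Hypothetical reconstruction of the bug the reply describes (not MyBB's code).

    Pieces shorter than MIN_WORD_LEN are skipped, but the boolean is still
    emitted before every kept condition whose piece was not the *first* one,
    so when the leading pieces are skipped the clause opens with a bare "or".
    The quote is escaped, so it cannot terminate the string literal.
    """
    sql = " AND ("
    for i, piece in enumerate(raw.split(" or ")):
        piece = piece.strip()
        if len(piece) < MIN_WORD_LEN:
            continue  # dropped, yet its position still counts as "not first"
        if i > 0:
            sql += " or "
        sql += "LOWER(t.subject) LIKE '%" + escape_sql_string(piece.lower()) + "%'"
    return sql + ")"


def naive_search(raw):
    """Run the naive clause; returns ("rows", [tids]) or ("error", message)."""
    con = _connect()
    try:
        cur = con.execute("SELECT tid FROM t WHERE 1=1" + build_where_naive(raw)
                          + " ORDER BY tid")
        return ("rows", [r[0] for r in cur.fetchall()])
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def safe_search(raw):
    """Hardened form: filter keywords first, join OR only between the survivors,
    and bind each keyword as a parameter so quoting is never the query's problem."""
    keywords = [p.strip().lower() for p in raw.split(" or ")]
    keywords = [k for k in keywords if len(k) >= MIN_WORD_LEN]
    if not keywords:
        return []  # nothing searchable, so no query is built at all
    clause = " OR ".join(["LOWER(t.subject) LIKE ?"] * len(keywords))
    params = ["%" + k + "%" for k in keywords]
    con = _connect()
    cur = con.execute("SELECT tid FROM t WHERE (" + clause + ") ORDER BY tid", params)
    return [r[0] for r in cur.fetchall()]


if __name__ == "__main__":
    for text in ["' or ' or 1337'", "leet or 1337", "o'reilly"]:
        print(repr(text), "->", build_where_naive(text))
        print("   naive:", naive_search(text))
        print("   safe: ", safe_search(text))
```

The first input reproduces the shape of the error on the page: the clause becomes `AND ( or LOWER(t.subject) LIKE '%1337''%')` and SQLite reports a syntax error near "or". The third input shows a quote surviving inside the literal and matching the `O'Reilly` subject, which is the opposite of a breakout. The safe version never errors, returns the same rows for ordinary input, and returns nothing for the malformed input instead of a database error.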
It can be crafted to perform the vulnerability.

Anyways, is there a temporary fix for this that'll redirect this error page to the main site?
Unless you can provide an actual proof of concept to a developer that this can be used for SQL injection then there is no vulnerability. This is just a failure in building the query structure.

I don't think the fix for the badly formed SQL is available yet.

If I knew exactly what line this affects (it says line 3 when I test on my site),
I could fix this myself.
You shouldn't even post security vulnerabilities in the public forums anyway.
(2011-04-09, 12:32 AM)MattRogowski Wrote: Unless you can provide an actual proof of concept to a developer that this can be used for SQL injection then there is no vulnerability. This is just a failure in building the query structure.

This is correct. At the moment, we haven't had any reports with a POC (proof of concept) where you can manipulate the database through a malformed search keyword. It's very much just an exposure of system information.
Give me an example of a MyBB forum with that injection vuln.
(2011-05-27, 03:36 PM)Zikry.Z.Azhar Wrote: Give me an example of a MyBB forum with that injection vuln.

It isn't a vuln.