2011-04-09, 12:22 AM
I advise all users running this version of MyBB to IMMEDIATELY put your board offline to prevent search querys, and change your passwords.
---------------------------------------------------------------------------------------------------
# Author: Envy
# Website: www.leethackers.org/board/
# This is an MyBB 1.6.2 SQL Injection Exploit. The search.php is affected. The SQLi can be performed
and the username + password of admins and users stolen.
# Google Dork: intext:Powered by MyBB 1.6.2
---------------------------------------------------------------------------------------------------
Proof of Concept:
Find a forum that is powered by MyBB 1.6.2 using the dork I provided.
On most forums, you will need to register to use the search function. After you are there, enter this in the textbox:
' or ' or 1337'
Now hit Enter and you will see an error: You have an error in your SQL Syntax.
Now you can perform a SQL Injection Attack. This is nothing for newbies, so please do not ask how to inject it then. MyBB 1.6.1 is vulnerable also!
# www.leethackers.org