Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Got SQLi'd?
#1
Someone gave me a list of all my users in a format like....




I want to know how he was able to do this. The plugin I am using is..

mysql> SELECT username,email,password,salt FROM mybb_users
+---------------------------------------------------------------------+
<snip>

Admin Directory PIN (1.0)
Admin CP Honeypot (1.0)
Contact Form (3.1)
Default Avatar (1.0)
Donation Page (2.1)
Easy Refer (2.0)
ezTrader (1.0.2)
Forum Icons (2.1)
Last/First Post Avatar (1.0.2)
Goodbye Spammer (1.0)
Help Center (1.5)
IP Login History (1.1)
Javascript Logout Confirmation (1.0)
Last Visitors in Profile (1.1)
MetaTags Plugin (1.0)
Multiple Registrations Detector (1.1)
My Awards (2.3)
My Advertisements (2.0.3)
MySubscriptions (1.1)
NewPoints (1.9.6)
Online 24 (2.2)
Template Conditionals (1.7)
Profile Groups (1.0)
ProStats /proʊˈstæts/ (1.9.4)
Quick Reply PM (1.3)
Registration Security Question (1.2)
SEO Titles (1.5)
Tabbed Menu (2.0.2)
Username History (1.4.1a)
XThreads v1.62,

My board is http://runetools.com
#2
I recommend to remove your user's emails and passwords. They probably don't like to get spammed...
[Image: banner.png]
#3
OP, posting your username, email, password hash and salt is a very insecure thing to do. Considering you're concerned about your forum security, I highly advise you don't give your login information away on a public forum.

I found a vulnerability within NewPoints the other day. You should make sure all of your plugins are up to date.
No longer involved in the MyBB project.
#4
Upgrade New Points to the latest version if you haven't already, previous versions contain a vulnerability.
#5
Username and stuff was removed but it was in the format of..

join:[email protected]:md5hashasdflkjasdf32r2r3:salt

Also, I see newpoints 1.9.7 just came out today.
#6
(2013-01-12, 11:20 AM)vEconomy Wrote: Username and stuff was removed but it was in the format of..

join:[email protected]:md5hashasdflkjasdf32r2r3:salt

By posting the hash and salt, people can bruteforce it to obtain the plain text password. Being only MD5, it wouldn't take that long to crack even with a salt.
No longer involved in the MyBB project.
#7
Aside from the plugins. Is there any other way they can penetrate sql?
#8
This user has been denied support. This user has been denied support.
By the way, you might want to check in with your mods because my site was also SQLI'd through the newpoints plugin recently and someone from MyBB told me that the SQLI in the newpoints plugin can be performed through moderation only so it's most likely a Mod on your forum that did it.


Forum Jump:


Users browsing this thread: 1 Guest(s)