[0DAY] BitBreach.org MyBB SQLi Vuln

A

Aldes

Lurker
Member
Joined
Threads
5
Posts
12
Yo, skids and elites, got a fresh 0day for ya. Found a nasty SQL injection in
You do not have permission to view the link please Log in or Register
MyBB login page (v1.8.x). No patch, no CVE, pure chaos. I’m dropping this here cuz their admin’s asleep, and I’m feeling generous. DB’s wide open.

Steps to Pwn:

  1. Hit
    You do not have permission to view the link please Log in or Register
    with a crafted POST request to the login form.
  2. Inject payload in username field: admin' OR 1=1; -- (tweak it, you know the drill).
  3. Snag session cookies, escalate to admin panel. Tables mybb_users and mybb_sessions are juicy.
  4. Use the Python tool below to test or dump DB. Hashes crack easy (MD5, no salt).
Python Tool (save as bitbreach_sqli.py, run with python bitbreach_sqli.py)
You must reply to see the hidden content. Consider upgrading your account to increase your reply limit.



Run: python bitbreach_sqli.py -t
You do not have permission to view the link please Log in or Register
-p "admin' OR 1=1; --"
 
You must log in or register to reply here.

Similar threads

D@rk3r
What Other Decimal Smart Contracts Vuln In Web3 Wallets Are Out There
Replies
0
Views
671
D@rk3r
Exploits & Vulnerabilities
D@rk3r
R
Apache remote vulnerability 0day - httpd 2.4.57
Replies
27
Views
11K
S
Exploits & Vulnerabilities
serg3nt79
G
SQLi Vuln URL #4 | Hashed | 5K
Replies
0
Views
641
G
Exploits & Vulnerabilities
Guyam
G
SQLi Vuln URL #2 | Hashed | 26K
Replies
7
Views
1K
frax
Exploits & Vulnerabilities
frax
G
SQLi Vuln URL #1 | Hashed | 13K
Replies
4
Views
666
L
Exploits & Vulnerabilities
Leo35A
Top
Back