رنج IP بدید مثلا :

<files index.php>
order allow,deny
allow from 198.168

اخیرا آسیب پذیری جدید برای پلاگین AJAX FS پابلیک شده که SQLI میباشد .

نفوذ گر با استفاده از این آسیب پذیری میتواند اطلاعات مدیریت را از دیتابیس استخراح نماید مثل یوزر و پسورد مدیریت :


# Mybb Ajaxfs Plugin Sql Injection vulnerability


# Exploit Title : Mybb Ajaxfs Plugin Sql Injection vulnerability
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Email : [email protected]  -  [email protected]
# Home : http://iedb.ir   -   http://iedb.ir/acc
# Fb Page : https://www.facebook.com/pages/Exploit-And-Security-Team-iedbir/199266860256538
# Software Link : http://mods.mybb.com/download/ajax-forum-stat-v-2
# Security Risk : High
# Tested on : Linux
# Dork : inurl:ajaxfs.php
    $query_post = $db->query ("SELECT * FROM ".TABLE_PREFIX."posts WHERE pid='$pid'");
    $query_user = $db->query ("SELECT * FROM ".TABLE_PREFIX."users WHERE uid='$uid'");
    1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
Google DORK : inurl:ajaxfs.php
# Exploit :
# http://site.com/mybb/ajaxfs.php?tooltip=[sql]
# http://site.com/mybb/ajaxfs.php?usertooltip=[sql]
# Tnx To : All Member In Iedb.ir/acc & Iranian Hackers

هر چند از ثبت کننده این آسیب پذیری خیلی خوشم نمیاد اما آسیب پذیری هست که پابلیک شده و وظیفه ما ایجاب میکنه برای وبسایت های ایرانی اطلاع رسانی انجام بدیم .

لینک پلاگین از سایت مرجع :


لینک اکسپلویت در سایت Exploit-DB :


دموی نفوذ به وبسایت از طریق این آسیب پذیری :


از جمله از وبسایت هایی که از این پلاگین استفاده میکنند و آسیب پذیر میباشند :

و .....

اگر صفحات لاگین باز باشد با استخراج یوزر و پسورد هکر میتوانید با کرک کردن هش به سایت دسترسی پیدا کند . و البته از طریق اینجکشن میشه کل دیتابیس را Dump کرد .

جهت پیشگیری از این حملات فعلا این پلاگین تا ارائه نسخه جدید غیر فعال شود دوستانی هم که احتیاج دارند بهش میتونند توی پیام خصوصی اعلام کنند تا آسیب پذیری براشون پچ بشه .

یا حق
دوستانی که آسیب پذیری XSS در search.php آنها شناسایی شد .

پچ زیر را replace کنند :

بنده تست کردم مشکل برطرف شد ولی در هر صورتی مشکل پا بر جا بود با ما از طریق پیام خصوصی در ارتباط باشید :

* MyBB 1.6
* Copyright 2014 MyBB Group, All Rights Reserved
* Website: http://mybb.com
* License: http://mybb.com/about/license
* $Id$

define("IN_MYBB", 1);
define("IGNORE_CLEAN_VARS", "sid");
define('THIS_SCRIPT', 'search.php');

$templatelist = "search,forumdisplay_thread_gotounread,search_results_threads_thread,search_results_threads,search_results_posts,search_results_posts_post";
$templatelist .= ",multipage_nextpage,multipage_page_current,multipage_page,multipage_start,multipage_end,multipage,forumdisplay_thread_multipage_more,forumdisplay_thread_multipage_page,forumdisplay_thread_multipage";
$templatelist .= ",search_results_posts_inlinecheck,search_results_posts_nocheck,search_results_threads_inlinecheck,search_results_threads_nocheck,search_results_inlinemodcol,search_results_posts_inlinemoderation_custom_tool";
$templatelist .= ",search_results_posts_inlinemoderation_custom,search_results_posts_inlinemoderation,search_results_threads_inlinemoderation_custom_tool,search_results_threads_inlinemoderation_custom,search_results_threads_inlinemoderation,search_orderarrow,search_moderator_options";
$templatelist .= ",forumdisplay_thread_attachment_count,forumdisplay_threadlist_inlineedit_js,search_threads_inlinemoderation_selectall,search_posts_inlinemoderation_selectall,multipage_prevpage";

require_once "./global.php";

require_once MYBB_ROOT."inc/functions_post.php";
require_once MYBB_ROOT."inc/functions_search.php";
require_once MYBB_ROOT."inc/class_parser.php";
$parser = new postParser;

// Load global language phrases

add_breadcrumb($lang->nav_search, "search.php");

    case "results":

if($mybb->usergroup['cansearch'] == 0)

$now = TIME_NOW;
$mybb->input['keywords'] = trim($mybb->input['keywords']);

$limitsql = "";
if(intval($mybb->settings['searchhardlimit']) > 0)
    $limitsql = "ORDER BY t.lastpost DESC LIMIT ".intval($mybb->settings['searchhardlimit']);

if($mybb->input['action'] == "results")
    $sid = $db->escape_string(implode($mybb->input['sid']));
    $sid = $db->escape_string($mybb->input['sid']);
    $query = $db->simple_select("searchlog", "*", "sid='$sid'");
    $search = $db->fetch_array($query);



    // Decide on our sorting fields and sorting order.
    $order = my_strtolower(htmlspecialchars_uni($mybb->input['order']));
    $sortby = my_strtolower(htmlspecialchars_uni($mybb->input['sortby']));

        case "replies":
            $sortfield = "t.replies";
        case "views":
            $sortfield = "t.views";
        case "subject":
            if($search['resulttype'] == "threads")
                $sortfield = "t.subject";
                $sortfield = "p.subject";
        case "forum":
            $sortfield = "t.fid";
        case "starter":
            if($search['resulttype'] == "threads")
                $sortfield = "t.username";
                $sortfield = "p.username";
        case "lastpost":
            if($search['resulttype'] == "threads")
                $sortfield = "t.lastpost";
                $sortby = "lastpost";
                $sortfield = "p.dateline";
                $sortby = "dateline";
    if($order != "asc")
        $order = "desc";
        $oppsortnext = "asc";
        $oppsort = $lang->asc;
        $oppsortnext = "desc";
        $oppsort = $lang->desc;        
        $mybb->settings['threadsperpage'] = 20;

    // Work out pagination, which page we're at, as well as the limits.
    $perpage = $mybb->settings['threadsperpage'];
    $page = intval($mybb->input['page']);
    if($page > 0)
        $start = ($page-1) * $perpage;
        $start = 0;
        $page = 1;
    $end = $start + $perpage;
    $lower = $start+1;
    $upper = $end;
    // Work out if we have terms to highlight
    $highlight = "";
        if($mybb->settings['seourls'] == "yes" || ($mybb->settings['seourls'] == "auto" && $_SERVER['SEO_SUPPORT'] == 1))
            $highlight = "?highlight=".urlencode($search['keywords']);
            $highlight = "&amp;highlight=".urlencode($search['keywords']);

    $sorturl = "search.php?action=results&amp;sid={$sid}";
    $thread_url = "";
    $post_url = "";
    eval("\$orderarrow['$sortby'] = \"".$templates->get("search_orderarrow")."\";");

    // Read some caches we will be using
    $forumcache = $cache->read("forums");
    $icon_cache = $cache->read("posticons");

    $threads = array();

    if($mybb->user['uid'] == 0)
        // Build a forum cache.
        $query = $db->query("
            SELECT fid
            FROM ".TABLE_PREFIX."forums
            WHERE active != 0
            ORDER BY pid, disporder
        $forumsread = my_unserialize($mybb->cookies['mybb']['forumread']);
        // Build a forum cache.
        $query = $db->query("
            SELECT f.fid, fr.dateline AS lastread
            FROM ".TABLE_PREFIX."forums f
            LEFT JOIN ".TABLE_PREFIX."forumsread fr ON (fr.fid=f.fid AND fr.uid='{$mybb->user['uid']}')
            WHERE f.active != 0
            ORDER BY pid, disporder

    while($forum = $db->fetch_array($query))
        if($mybb->user['uid'] == 0)
                $forum['lastread'] = $forumsread[$forum['fid']];
        $readforums[$forum['fid']] = $forum['lastread'];
    $fpermissions = forum_permissions();
    // Inline Mod Column for moderators
    $inlinemodcol = $inlinecookie = '';
    $is_mod = $is_supermod = false;
        $is_supermod = true;
    if($is_supermod || is_moderator())
        eval("\$inlinemodcol = \"".$templates->get("search_results_inlinemodcol")."\";");
        $inlinecookie = "inlinemod_search".$sid;
        $inlinecount = 0;
        $is_mod = true;
        $return_url = 'search.php?'.htmlspecialchars_uni($_SERVER['QUERY_STRING']);

    // Show search results as 'threads'
    if($search['resulttype'] == "threads")
        $threadcount = 0;
        // Moderators can view unapproved threads
        $query = $db->simple_select("moderators", "fid", "(id='{$mybb->user['uid']}' AND isgroup='0') OR (id='{$mybb->user['usergroup']}' AND isgroup='1')");
        if($mybb->usergroup['issupermod'] == 1)
            // Super moderators (and admins)
            $unapproved_where = "t.visible>-1";
            // Normal moderators
            $moderated_forums = '0';
            while($forum = $db->fetch_array($query))
                $moderated_forums .= ','.$forum['fid'];
            $unapproved_where = "(t.visible>0 OR (t.visible=0 AND t.fid IN ({$moderated_forums})))";
            // Normal users
            $unapproved_where = 't.visible>0';
        // If we have saved WHERE conditions, execute them
        if($search['querycache'] != "")
            $where_conditions = $search['querycache'];
            $query = $db->simple_select("threads t", "t.tid", $where_conditions. " AND {$unapproved_where} AND t.closed NOT LIKE 'moved|%' {$limitsql}");
            while($thread = $db->fetch_array($query))
                $threads[$thread['tid']] = $thread['tid'];
            // Build our list of threads.
            if($threadcount > 0)
                $search['threads'] = implode(",", $threads);
            // No results.
            $where_conditions = "t.tid IN (".$search['threads'].")";
        // This search doesn't use a query cache, results stored in search table.
            $where_conditions = "t.tid IN (".$search['threads'].")";
            $query = $db->simple_select("threads t", "COUNT(t.tid) AS resultcount", $where_conditions. " AND {$unapproved_where} AND t.closed NOT LIKE 'moved|%' {$limitsql}");
            $count = $db->fetch_array($query);

            $threadcount = $count['resultcount'];
        $permsql = "";
        $onlyusfids = array();
        // Check group permissions if we can't view threads not started by us
        $group_permissions = forum_permissions();
        foreach($group_permissions as $fid => $forum_permissions)
            if($forum_permissions['canonlyviewownthreads'] == 1)
                $onlyusfids[] = $fid;
            $permsql .= "AND ((t.fid IN(".implode(',', $onlyusfids).") AND t.uid='{$mybb->user['uid']}') OR t.fid NOT IN(".implode(',', $onlyusfids)."))";
        $unsearchforums = get_unsearchable_forums();
            $permsql .= " AND t.fid NOT IN ($unsearchforums)";
        $inactiveforums = get_inactive_forums();
            $permsql .= " AND t.fid NOT IN ($inactiveforums)";
        // Begin selecting matching threads, cache them.
        $sqlarray = array(
            'order_by' => $sortfield,
            'order_dir' => $order,
            'limit_start' => $start,
            'limit' => $perpage
        $query = $db->query("
            SELECT t.*, u.username AS userusername, p.displaystyle AS threadprefix
            FROM ".TABLE_PREFIX."threads t
            LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid=t.uid)
            LEFT JOIN ".TABLE_PREFIX."threadprefixes p ON (p.pid=t.prefix)
            WHERE $where_conditions AND {$unapproved_where} {$permsql} AND t.closed NOT LIKE 'moved|%'
            ORDER BY $sortfield $order
            LIMIT $start, $perpage
        $thread_cache = array();
        while($thread = $db->fetch_array($query))
            $thread_cache[$thread['tid']] = $thread;
        $thread_ids = implode(",", array_keys($thread_cache));

        // Fetch dot icons if enabled
        if($mybb->settings['dotfolders'] != 0 && $mybb->user['uid'] && $thread_cache)
            $query = $db->simple_select("posts", "DISTINCT tid,uid", "uid='".$mybb->user['uid']."' AND tid IN(".$thread_ids.")");
            while($thread = $db->fetch_array($query))
                $thread_cache[$thread['tid']]['dot_icon'] = 1;

        // Fetch the read threads.
        if($mybb->user['uid'] && $mybb->settings['threadreadcut'] > 0)
            $query = $db->simple_select("threadsread", "tid,dateline", "uid='".$mybb->user['uid']."' AND tid IN(".$thread_ids.")");
            while($readthread = $db->fetch_array($query))
                $thread_cache[$readthread['tid']]['lastread'] = $readthread['dateline'];

            $mybb->settings['maxmultipagelinks'] = 5;

        foreach($thread_cache as $thread)
            $bgcolor = alt_trow();
            $folder = '';
            $prefix = '';
            // Unapproved colour
                $bgcolor = 'trow_shaded';

                $thread['username'] = $thread['userusername'];
            $thread['profilelink'] = build_profile_link($thread['username'], $thread['uid']);
            // If this thread has a prefix, insert a space between prefix and subject
            if($thread['prefix'] != 0)
                $thread['threadprefix'] .= '&nbsp;';
            $thread['subject'] = $parser->parse_badwords($thread['subject']);
            $thread['subject'] = htmlspecialchars_uni($thread['subject']);

                $posticon = $icon_cache[$thread['icon']];
                $icon = "<img src=\"".$posticon['path']."\" alt=\"".$posticon['name']."\" />";
                $icon = "&nbsp;";
                $prefix = $lang->poll_prefix;
            // Determine the folder
            $folder = '';
            $folder_label = '';
                $folder = "dot_";
                $folder_label .= $lang->icon_dot;
            $gotounread = '';
            $isnew = 0;
            $donenew = 0;
            $last_read = 0;
            if($mybb->settings['threadreadcut'] > 0 && $mybb->user['uid'])
                $forum_read = $readforums[$thread['fid']];
                $read_cutoff = TIME_NOW-$mybb->settings['threadreadcut']*60*60*24;
                if($forum_read == 0 || $forum_read < $read_cutoff)
                    $forum_read = $read_cutoff;
                $forum_read = $forumsread[$thread['fid']];
            if($mybb->settings['threadreadcut'] > 0 && $mybb->user['uid'] && $thread['lastpost'] > $forum_read)
                    $last_read = $thread['lastread'];
                    $last_read = $read_cutoff;
                $last_read = my_get_array_cookie("threadread", $thread['tid']);
            if($forum_read > $last_read)
                $last_read = $forum_read;

            if($thread['lastpost'] > $last_read && $last_read)
                $folder .= "new";
                $new_class = "subject_new";
                $folder_label .= $lang->icon_new;
                $thread['newpostlink'] = get_thread_link($thread['tid'], 0, "newpost").$highlight;
                eval("\$gotounread = \"".$templates->get("forumdisplay_thread_gotounread")."\";");
                $unreadpost = 1;
                $new_class = 'subject_old';
                $folder_label .= $lang->icon_no_new;

            if($thread['replies'] >= $mybb->settings['hottopic'] || $thread['views'] >= $mybb->settings['hottopicviews'])
                $folder .= "hot";
                $folder_label .= $lang->icon_hot;
            if($thread['closed'] == 1)
                $folder .= "lock";
                $folder_label .= $lang->icon_lock;
            $folder .= "folder";
                $mybb->settings['postperpage'] = 20;

            $thread['pages'] = 0;
            $thread['multipage'] = '';
            $threadpages = '';
            $morelink = '';
            $thread['posts'] = $thread['replies'] + 1;
                $thread['posts'] += $thread['unapprovedposts'];
            if($thread['posts'] > $mybb->settings['postsperpage'])
                $thread['pages'] = $thread['posts'] / $mybb->settings['postsperpage'];
                $thread['pages'] = ceil($thread['pages']);
                if($thread['pages'] > $mybb->settings['maxmultipagelinks'])
                    $pagesstop = $mybb->settings['maxmultipagelinks'] - 1;
                    $page_link = get_thread_link($thread['tid'], $thread['pages']).$highlight;
                    eval("\$morelink = \"".$templates->get("forumdisplay_thread_multipage_more")."\";");
                    $pagesstop = $thread['pages'];
                for($i = 1; $i <= $pagesstop; ++$i)
                    $page_link = get_thread_link($thread['tid'], $i).$highlight;
                    eval("\$threadpages .= \"".$templates->get("forumdisplay_thread_multipage_page")."\";");
                eval("\$thread['multipage'] = \"".$templates->get("forumdisplay_thread_multipage")."\";");
                $threadpages = '';
                $morelink = '';
                $thread['multipage'] = '';
            $lastpostdate = my_date($mybb->settings['dateformat'], $thread['lastpost']);
            $lastposttime = my_date($mybb->settings['timeformat'], $thread['lastpost']);
            $lastposter = $thread['lastposter'];
            $thread['lastpostlink'] = get_thread_link($thread['tid'], 0, "lastpost");
            $lastposteruid = $thread['lastposteruid'];
            $thread_link = get_thread_link($thread['tid']);

            // Don't link to guest's profiles (they have no profile).
            if($lastposteruid == 0)
                $lastposterlink = $lastposter;
                $lastposterlink = build_profile_link($lastposter, $lastposteruid);

            $thread['replies'] = my_number_format($thread['replies']);
            $thread['views'] = my_number_format($thread['views']);

                $thread['forumlink'] = "<a href=\"".get_forum_link($thread['fid'])."\">".$forumcache[$thread['fid']]['name']."</a>";
                $thread['forumlink'] = "";

            // If this user is the author of the thread and it is not closed or they are a moderator, they can edit
            if(($thread['uid'] == $mybb->user['uid'] && $thread['closed'] != 1 && $mybb->user['uid'] != 0 && $fpermissions[$thread['fid']]['caneditposts'] == 1) || is_moderator($thread['fid'], "caneditposts"))
                $inline_edit_class = "subject_editable";
                $inline_edit_class = "";
            $load_inline_edit_js = 1;

            // If this thread has 1 or more attachments show the papperclip
            if($thread['attachmentcount'] > 0)
                if($thread['attachmentcount'] > 1)
                    $attachment_count = $lang->sprintf($lang->attachment_count_multiple, $thread['attachmentcount']);
                    $attachment_count = $lang->attachment_count;

                eval("\$attachment_count = \"".$templates->get("forumdisplay_thread_attachment_count")."\";");
                $attachment_count = '';

            $inline_edit_tid = $thread['tid'];
            // Inline thread moderation
            $inline_mod_checkbox = '';
            if($is_supermod || is_moderator($thread['fid']))
                eval("\$inline_mod_checkbox = \"".$templates->get("search_results_threads_inlinecheck")."\";");
                eval("\$inline_mod_checkbox = \"".$templates->get("search_results_threads_nocheck")."\";");

            eval("\$results .= \"".$templates->get("search_results_threads_thread")."\";");
            if($load_inline_edit_js == 1)
                eval("\$inline_edit_js = \"".$templates->get("forumdisplay_threadlist_inlineedit_js")."\";");
        $multipage = multipage($threadcount, $perpage, $page, "search.php?action=results&amp;sid=$sid&amp;sortby=$sortby&amp;order=$order&amp;uid=".$mybb->input['uid']);
        if($upper > $threadcount)
            $upper = $threadcount;
        // Inline Thread Moderation Options
            // If user has moderation tools available, prepare the Select All feature
            $lang->page_selected = $lang->sprintf($lang->page_selected, count($thread_cache));
            $lang->all_selected = $lang->sprintf($lang->all_selected, intval($threadcount));
            $lang->select_all = $lang->sprintf($lang->select_all, intval($threadcount));
            eval("\$selectall = \"".$templates->get("search_threads_inlinemoderation_selectall")."\";");
            $customthreadtools = '';
                case "pgsql":
                case "sqlite":
                    $query = $db->simple_select("modtools", "tid, name", "type='t' AND (','||forums||',' LIKE '%,-1,%' OR forums='')");
                    $query = $db->simple_select("modtools", "tid, name", "type='t' AND (CONCAT(',',forums,',') LIKE '%,-1,%' OR forums='')");
            while($tool = $db->fetch_array($query))
                eval("\$customthreadtools .= \"".$templates->get("search_results_threads_inlinemoderation_custom_tool")."\";");
            // Build inline moderation dropdown
                eval("\$customthreadtools = \"".$templates->get("search_results_threads_inlinemoderation_custom")."\";");
            eval("\$inlinemod = \"".$templates->get("search_results_threads_inlinemoderation")."\";");
        eval("\$searchresults = \"".$templates->get("search_results_threads")."\";");
    else // Displaying results as posts
        $postcount = 0;
        // Moderators can view unapproved threads
        $query = $db->simple_select("moderators", "fid", "(id='{$mybb->user['uid']}' AND isgroup='0') OR (id='{$mybb->user['usergroup']}' AND isgroup='1')");
        if($mybb->usergroup['issupermod'] == 1)
            // Super moderators (and admins)
            $p_unapproved_where = "visible >= 0";
            $t_unapproved_where = "visible < 0";
            // Normal moderators
            $moderated_forums = '0';
            while($forum = $db->fetch_array($query))
                $moderated_forums .= ','.$forum['fid'];
                $test_moderated_forums[$forum['fid']] = $forum['fid'];
            $p_unapproved_where = "visible >= 0";
            $t_unapproved_where = "visible < 0 AND fid NOT IN ({$moderated_forums})";
            // Normal users
            $p_unapproved_where = 'visible=1';
            $t_unapproved_where = 'visible < 1';
        $post_cache_options = array();
        if(intval($mybb->settings['searchhardlimit']) > 0)
            $post_cache_options['limit'] = intval($mybb->settings['searchhardlimit']);
        if(strpos($sortfield, 'p.') !== false)
            $post_cache_options['order_by'] = str_replace('p.', '', $sortfield);
            $post_cache_options['order_dir'] = $order;

        $tids = array();
        $pids = array();
        // Make sure the posts we're viewing we have permission to view.
        $query = $db->simple_select("posts", "pid, tid", "pid IN(".$db->escape_string($search['posts']).") AND {$p_unapproved_where}", $post_cache_options);
        while($post = $db->fetch_array($query))
            $pids[$post['pid']] = $post['tid'];
            $tids[$post['tid']][$post['pid']] = $post['pid'];
            $temp_pids = array();

            // Check the thread records as well. If we don't have permissions, remove them from the listing.
            $query = $db->simple_select("threads", "tid", "tid IN(".$db->escape_string(implode(',', $pids)).") AND ({$t_unapproved_where} OR closed LIKE 'moved|%')");
            while($thread = $db->fetch_array($query))
                if(array_key_exists($thread['tid'], $tids) != false)
                    $temp_pids = $tids[$thread['tid']];
                    foreach($temp_pids as $pid)
        // Declare our post count
        $postcount = count($pids);
        // And now we have our sanatized post list
        $search['posts'] = implode(',', array_keys($pids));
        $tids = implode(",", array_keys($tids));
        // Read threads
        if($mybb->user['uid'] && $mybb->settings['threadreadcut'] > 0)
            $query = $db->simple_select("threadsread", "tid, dateline", "uid='".$mybb->user['uid']."' AND tid IN(".$db->escape_string($tids).")");
            while($readthread = $db->fetch_array($query))
                $readthreads[$readthread['tid']] = $readthread['dateline'];

        $dot_icon = array();
        if($mybb->settings['dotfolders'] != 0 && $mybb->user['uid'] != 0)
            $query = $db->simple_select("posts", "DISTINCT tid,uid", "uid='".$mybb->user['uid']."' AND tid IN(".$db->escape_string($tids).")");
            while($post = $db->fetch_array($query))
                $dot_icon[$post['tid']] = true;

        $query = $db->query("
            SELECT p.*, u.username AS userusername, t.subject AS thread_subject, t.replies AS thread_replies, t.views AS thread_views, t.lastpost AS thread_lastpost, t.closed AS thread_closed, t.uid as thread_uid
            FROM ".TABLE_PREFIX."posts p
            LEFT JOIN ".TABLE_PREFIX."threads t ON (t.tid=p.tid)
            LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid=p.uid)
            WHERE p.pid IN (".$db->escape_string($search['posts']).")
            ORDER BY $sortfield $order
            LIMIT $start, $perpage
        while($post = $db->fetch_array($query))
            $bgcolor = alt_trow();
                $bgcolor = 'trow_shaded';
                $post['username'] = $post['userusername'];
            $post['profilelink'] = build_profile_link($post['username'], $post['uid']);
            $post['subject'] = $parser->parse_badwords($post['subject']);
            $post['thread_subject'] = $parser->parse_badwords($post['thread_subject']);
            $post['thread_subject'] = htmlspecialchars_uni($post['thread_subject']);

                $posticon = $icon_cache[$post['icon']];
                $icon = "<img src=\"".$posticon['path']."\" alt=\"".$posticon['name']."\" />";
                $icon = "&nbsp;";

                $post['forumlink'] = "<a href=\"".get_forum_link($post['fid'])."\">".$forumcache[$post['fid']]['name']."</a>";
                $post['forumlink'] = "";
            // Determine the folder
            $folder = '';
            $folder_label = '';
            $gotounread = '';
            $isnew = 0;
            $donenew = 0;
            $last_read = 0;
            $post['thread_lastread'] = $readthreads[$post['tid']];

            if($mybb->settings['threadreadcut'] > 0 && $mybb->user['uid'])
                $forum_read = $readforums[$post['fid']];
                $read_cutoff = TIME_NOW-$mybb->settings['threadreadcut']*60*60*24;
                if($forum_read == 0 || $forum_read < $read_cutoff)
                    $forum_read = $read_cutoff;
                $forum_read = $forumsread[$post['fid']];

            if($mybb->settings['threadreadcut'] > 0 && $mybb->user['uid'] && $post['thread_lastpost'] > $forum_read)
                $cutoff = TIME_NOW-$mybb->settings['threadreadcut']*60*60*24;
                if($post['thread_lastpost'] > $cutoff)
                        $last_read = $post['thread_lastread'];
                        $last_read = 1;

                $folder = "dot_";
                $folder_label .= $lang->icon_dot;

                $readcookie = $threadread = my_get_array_cookie("threadread", $post['tid']);
                if($readcookie > $forum_read)
                    $last_read = $readcookie;
                elseif($forum_read > $mybb->user['lastvisit'])
                    $last_read = $forum_read;
                    $last_read = $mybb->user['lastvisit'];

            if($post['thread_lastpost'] > $last_read && $last_read)
                $folder .= "new";
                $folder_label .= $lang->icon_new;
                eval("\$gotounread = \"".$templates->get("forumdisplay_thread_gotounread")."\";");
                $unreadpost = 1;
                $folder_label .= $lang->icon_no_new;

            if($post['thread_replies'] >= $mybb->settings['hottopic'] || $post['thread_views'] >= $mybb->settings['hottopicviews'])
                $folder .= "hot";
                $folder_label .= $lang->icon_hot;
            if($post['thread_closed'] == 1)
                $folder .= "lock";
                $folder_label .= $lang->icon_lock;
            $folder .= "folder";

            $post['thread_replies'] = my_number_format($post['thread_replies']);
            $post['thread_views'] = my_number_format($post['thread_views']);

                $post['forumlink'] = "<a href=\"".get_forum_link($post['fid'])."\">".$forumcache[$post['fid']]['name']."</a>";
                $post['forumlink'] = "";

                $post['subject'] = $post['message'];
            if(my_strlen($post['subject']) > 50)
                $post['subject'] = htmlspecialchars_uni(my_substr($post['subject'], 0, 50)."...");
                $post['subject'] = htmlspecialchars_uni($post['subject']);
            // What we do here is parse the post using our post parser, then strip the tags from it
            $parser_options = array(
                'allow_html' => 0,
                'allow_mycode' => 1,
                'allow_smilies' => 0,
                'allow_imgcode' => 0,
                'filter_badwords' => 1
            $post['message'] = strip_tags($parser->parse_message($post['message'], $parser_options));
            if(my_strlen($post['message']) > 200)
                $prev = my_substr($post['message'], 0, 200)."...";
                $prev = $post['message'];
            $posted = my_date($mybb->settings['dateformat'], $post['dateline']).", ".my_date($mybb->settings['timeformat'], $post['dateline']);
            $thread_url = get_thread_link($post['tid']);
            $post_url = get_post_link($post['pid'], $post['tid']);
            // Inline post moderation
            $inline_mod_checkbox = '';
            if($is_supermod || is_moderator($post['fid']))
                eval("\$inline_mod_checkbox = \"".$templates->get("search_results_posts_inlinecheck")."\";");
                eval("\$inline_mod_checkbox = \"".$templates->get("search_results_posts_nocheck")."\";");

            eval("\$results .= \"".$templates->get("search_results_posts_post")."\";");
        $multipage = multipage($postcount, $perpage, $page, "search.php?action=results&amp;sid=".htmlspecialchars_uni($mybb->input['sid'])."&amp;sortby=$sortby&amp;order=$order&amp;uid=".$mybb->input['uid']);
        if($upper > $postcount)
            $upper = $postcount;
        // Inline Post Moderation Options
            // If user has moderation tools available, prepare the Select All feature
            $num_results = $db->num_rows($query);
            $lang->page_selected = $lang->sprintf($lang->page_selected, intval($num_results));
            $lang->select_all = $lang->sprintf($lang->select_all, intval($postcount));
            $lang->all_selected = $lang->sprintf($lang->all_selected, intval($postcount));
            eval("\$selectall = \"".$templates->get("search_posts_inlinemoderation_selectall")."\";");
            $customthreadtools = $customposttools = '';
                case "pgsql":
                case "sqlite":
                    $query = $db->simple_select("modtools", "tid, name, type", "type='p' AND (','||forums||',' LIKE '%,-1,%' OR forums='')");
                    $query = $db->simple_select("modtools", "tid, name, type", "type='p' AND (CONCAT(',',forums,',') LIKE '%,-1,%' OR forums='')");
            while($tool = $db->fetch_array($query))
                eval("\$customposttools .= \"".$templates->get("search_results_posts_inlinemoderation_custom_tool")."\";");
            // Build inline moderation dropdown
                eval("\$customposttools = \"".$templates->get("search_results_posts_inlinemoderation_custom")."\";");
            eval("\$inlinemod = \"".$templates->get("search_results_posts_inlinemoderation")."\";");

        eval("\$searchresults = \"".$templates->get("search_results_posts")."\";");
elseif($mybb->input['action'] == "findguest")
    $where_sql = "uid='0'";

    $unsearchforums = get_unsearchable_forums();
        $where_sql .= " AND fid NOT IN ($unsearchforums)";
    $inactiveforums = get_inactive_forums();
        $where_sql .= " AND fid NOT IN ($inactiveforums)";
    $permsql = "";
    $onlyusfids = array();

    // Check group permissions if we can't view threads not started by us
    $group_permissions = forum_permissions();
    foreach($group_permissions as $fid => $forum_permissions)
        if($forum_permissions['canonlyviewownthreads'] == 1)
            $onlyusfids[] = $fid;
        $where_sql .= " AND fid NOT IN(".implode(',', $onlyusfids).")";
    $options = array(
        'order_by' => 'dateline',
        'order_dir' => 'desc'

    // Do we have a hard search limit?
    if($mybb->settings['searchhardlimit'] > 0)
        $options['limit'] = intval($mybb->settings['searchhardlimit']);

    $pids = '';
    $comma = '';
    $query = $db->simple_select("posts", "pid", "{$where_sql}", $options);
    while($pid = $db->fetch_field($query, "pid"))
            $pids .= $comma.$pid;
            $comma = ',';

    $tids = '';
    $comma = '';
    $query = $db->simple_select("threads", "tid", $where_sql);
    while($tid = $db->fetch_field($query, "tid"))
            $tids .= $comma.$tid;
            $comma = ',';

    $sid = md5(uniqid(microtime(), 1));
    $searcharray = array(
        "sid" => $db->escape_string($sid),
        "uid" => $mybb->user['uid'],
        "dateline" => TIME_NOW,
        "ipaddress" => $db->escape_string($session->ipaddress),
        "threads" => $db->escape_string($tids),
        "posts" => $db->escape_string($pids),
        "resulttype" => "posts",
        "querycache" => '',
        "keywords" => ''
    $db->insert_query("searchlog", $searcharray);
    redirect("search.php?action=results&sid=".$sid, $lang->redirect_searchresults);
elseif($mybb->input['action'] == "finduser")
    $where_sql = "uid='".intval($mybb->input['uid'])."'";
    $unsearchforums = get_unsearchable_forums();
        $where_sql .= " AND fid NOT IN ($unsearchforums)";
    $inactiveforums = get_inactive_forums();
        $where_sql .= " AND fid NOT IN ($inactiveforums)";
    $permsql = "";
    $onlyusfids = array();

    // Check group permissions if we can't view threads not started by us
    $group_permissions = forum_permissions();
    foreach($group_permissions as $fid => $forum_permissions)
        if($forum_permissions['canonlyviewownthreads'] == 1)
            $onlyusfids[] = $fid;
        $where_sql .= "AND ((fid IN(".implode(',', $onlyusfids).") AND uid='{$mybb->user['uid']}') OR fid NOT IN(".implode(',', $onlyusfids)."))";

    $options = array(
        'order_by' => 'dateline',
        'order_dir' => 'desc'

    // Do we have a hard search limit?
    if($mybb->settings['searchhardlimit'] > 0)
        $options['limit'] = intval($mybb->settings['searchhardlimit']);

    $pids = '';
    $comma = '';
    $query = $db->simple_select("posts", "pid", "{$where_sql}", $options);
    while($pid = $db->fetch_field($query, "pid"))
            $pids .= $comma.$pid;
            $comma = ',';

    $tids = '';
    $comma = '';
    $query = $db->simple_select("threads", "tid", $where_sql);
    while($tid = $db->fetch_field($query, "tid"))
            $tids .= $comma.$tid;
            $comma = ',';

    $sid = md5(uniqid(microtime(), 1));
    $searcharray = array(
        "sid" => $db->escape_string($sid),
        "uid" => $mybb->user['uid'],
        "dateline" => TIME_NOW,
        "ipaddress" => $db->escape_string($session->ipaddress),
        "threads" => $db->escape_string($tids),
        "posts" => $db->escape_string($pids),
        "resulttype" => "posts",
        "querycache" => '',
        "keywords" => ''
    $db->insert_query("searchlog", $searcharray);
    redirect("search.php?action=results&sid=".$sid, $lang->redirect_searchresults);
elseif($mybb->input['action'] == "finduserthreads")
    $where_sql = "t.uid='".intval($mybb->input['uid'])."'";

    $unsearchforums = get_unsearchable_forums();
        $where_sql .= " AND t.fid NOT IN ($unsearchforums)";
    $inactiveforums = get_inactive_forums();
        $where_sql .= " AND t.fid NOT IN ($inactiveforums)";
    $permsql = "";
    $onlyusfids = array();

    // Check group permissions if we can't view threads not started by us
    $group_permissions = forum_permissions();
    foreach($group_permissions as $fid => $forum_permissions)
        if($forum_permissions['canonlyviewownthreads'] == 1)
            $onlyusfids[] = $fid;
        $where_sql .= "AND ((t.fid IN(".implode(',', $onlyusfids).") AND t.uid='{$mybb->user['uid']}') OR t.fid NOT IN(".implode(',', $onlyusfids)."))";

    $sid = md5(uniqid(microtime(), 1));
    $searcharray = array(
        "sid" => $db->escape_string($sid),
        "uid" => $mybb->user['uid'],
        "dateline" => TIME_NOW,
        "ipaddress" => $db->escape_string($session->ipaddress),
        "threads" => '',
        "posts" => '',
        "resulttype" => "threads",
        "querycache" => $db->escape_string($where_sql),
        "keywords" => ''
    $db->insert_query("searchlog", $searcharray);
    redirect("search.php?action=results&sid=".$sid, $lang->redirect_searchresults);
elseif($mybb->input['action'] == "getnew")
    $where_sql = "t.lastpost >= '".$mybb->user['lastvisit']."'";

        $where_sql .= " AND t.fid='".intval($mybb->input['fid'])."'";
    else if($mybb->input['fids'])
        $fids = explode(',', $mybb->input['fids']);
        foreach($fids as $key => $fid)
            $fids[$key] = intval($fid);
            $where_sql .= " AND t.fid IN (".implode(',', $fids).")";
    $unsearchforums = get_unsearchable_forums();
        $where_sql .= " AND t.fid NOT IN ($unsearchforums)";
    $inactiveforums = get_inactive_forums();
        $where_sql .= " AND t.fid NOT IN ($inactiveforums)";
    $permsql = "";
    $onlyusfids = array();

    // Check group permissions if we can't view threads not started by us
    $group_permissions = forum_permissions();
    foreach($group_permissions as $fid => $forum_permissions)
        if($forum_permissions['canonlyviewownthreads'] == 1)
            $onlyusfids[] = $fid;
        $where_sql .= "AND ((t.fid IN(".implode(',', $onlyusfids).") AND t.uid='{$mybb->user['uid']}') OR t.fid NOT IN(".implode(',', $onlyusfids)."))";

    $sid = md5(uniqid(microtime(), 1));
    $searcharray = array(
        "sid" => $db->escape_string($sid),
        "uid" => $mybb->user['uid'],
        "dateline" => TIME_NOW,
        "ipaddress" => $db->escape_string($session->ipaddress),
        "threads" => '',
        "posts" => '',
        "resulttype" => "threads",
        "querycache" => $db->escape_string($where_sql),
        "keywords" => ''

    $db->insert_query("searchlog", $searcharray);
    redirect("search.php?action=results&sid=".$sid, $lang->redirect_searchresults);
elseif($mybb->input['action'] == "getdaily")
    if($mybb->input['days'] < 1)
        $days = 1;
        $days = intval($mybb->input['days']);
    $datecut = TIME_NOW-(86400*$days);

    $where_sql = "t.lastpost >='".$datecut."'";

        $where_sql .= " AND t.fid='".intval($mybb->input['fid'])."'";
    else if($mybb->input['fids'])
        $fids = explode(',', $mybb->input['fids']);
        foreach($fids as $key => $fid)
            $fids[$key] = intval($fid);
            $where_sql .= " AND t.fid IN (".implode(',', $fids).")";
    $unsearchforums = get_unsearchable_forums();
        $where_sql .= " AND t.fid NOT IN ($unsearchforums)";
    $inactiveforums = get_inactive_forums();
        $where_sql .= " AND t.fid NOT IN ($inactiveforums)";
    $permsql = "";
    $onlyusfids = array();

    // Check group permissions if we can't view threads not started by us
    $group_permissions = forum_permissions();
    foreach($group_permissions as $fid => $forum_permissions)
        if($forum_permissions['canonlyviewownthreads'] == 1)
            $onlyusfids[] = $fid;
        $where_sql .= "AND ((t.fid IN(".implode(',', $onlyusfids).") AND t.uid='{$mybb->user['uid']}') OR t.fid NOT IN(".implode(',', $onlyusfids)."))";

    $sid = md5(uniqid(microtime(), 1));
    $searcharray = array(
        "sid" => $db->escape_string($sid),
        "uid" => $mybb->user['uid'],
        "dateline" => TIME_NOW,
        "ipaddress" => $db->escape_string($session->ipaddress),
        "threads" => '',
        "posts" => '',
        "resulttype" => "threads",
        "querycache" => $db->escape_string($where_sql),
        "keywords" => ''

    $db->insert_query("searchlog", $searcharray);
    redirect("search.php?action=results&sid=".$sid, $lang->redirect_searchresults);
elseif($mybb->input['action'] == "do_search" && $mybb->request_method == "post")

    // Check if search flood checking is enabled and user is not admin
    if($mybb->settings['searchfloodtime'] > 0 && $mybb->usergroup['cancp'] != 1)
        // Fetch the time this user last searched
            $conditions = "uid='{$mybb->user['uid']}'";
            $conditions = "uid='0' AND ipaddress='".$db->escape_string($session->ipaddress)."'";
        $timecut = TIME_NOW-$mybb->settings['searchfloodtime'];
        $query = $db->simple_select("searchlog", "*", "$conditions AND dateline > '$timecut'", array('order_by' => "dateline", 'order_dir' => "DESC"));
        $last_search = $db->fetch_array($query);
        // Users last search was within the flood time, show the error
            $remaining_time = $mybb->settings['searchfloodtime']-(TIME_NOW-$last_search['dateline']);
            if($remaining_time == 1)
                $lang->error_searchflooding = $lang->sprintf($lang->error_searchflooding_1, $mybb->settings['searchfloodtime']);
                $lang->error_searchflooding = $lang->sprintf($lang->error_searchflooding, $mybb->settings['searchfloodtime'], $remaining_time);
    if($mybb->input['showresults'] == "threads")
        $resulttype = "threads";
        $resulttype = "posts";

    $search_data = array(
        "keywords" => $mybb->input['keywords'],
        "author" => $mybb->input['author'],
        "postthread" => $mybb->input['postthread'],
        "matchusername" => $mybb->input['matchusername'],
        "postdate" => $mybb->input['postdate'],
        "pddir" => $mybb->input['pddir'],
        "forums" => $mybb->input['forums'],
        "findthreadst" => $mybb->input['findthreadst'],
        "numreplies" => $mybb->input['numreplies'],
        "threadprefix" => $mybb->input['threadprefix']
    if(is_moderator() && !empty($mybb->input['visible']))
        if($mybb->input['visible'] == 1)
            $search_data['visible'] = 1;
            $search_data['visible'] = 0;

    if($db->can_search == true)
        if($mybb->settings['searchtype'] == "fulltext" && $db->supports_fulltext_boolean("posts") && $db->is_fulltext("posts"))
            $search_results = perform_search_mysql_ft($search_data);
            $search_results = perform_search_mysql($search_data);
    $sid = md5(uniqid(microtime(), 1));
    $searcharray = array(
        "sid" => $db->escape_string($sid),
        "uid" => $mybb->user['uid'],
        "dateline" => $now,
        "ipaddress" => $db->escape_string($session->ipaddress),
        "threads" => $search_results['threads'],
        "posts" => $search_results['posts'],
        "resulttype" => $resulttype,
        "querycache" => $search_results['querycache'],
        "keywords" => $db->escape_string($mybb->input['keywords']),

    $db->insert_query("searchlog", $searcharray);

    if(my_strtolower($mybb->input['sortordr']) == "asc" || my_strtolower($mybb->input['sortordr'] == "desc"))
        $sortorder = $mybb->input['sortordr'];
        $sortorder = "desc";
    $sortby = htmlspecialchars_uni($mybb->input['sortby']);
    redirect("search.php?action=results&sid=".$sid."&sortby=".$sortby."&order=".$sortorder, $lang->redirect_searchresults);
else if($mybb->input['action'] == "thread")
    // Fetch thread info
    $thread = get_thread($mybb->input['tid']);
    if(!$thread['tid'] || (($thread['visible'] == 0 && !is_moderator($thread['fid'])) || $thread['visible'] < 0))

    // Get forum info
    $forum = get_forum($thread['fid']);

    $forum_permissions = forum_permissions($forum['fid']);

    if($forum['open'] == 0 || $forum['type'] != "f")
    if($forum_permissions['canview'] == 0 || $forum_permissions['canviewthreads'] != 1)


    // Check if search flood checking is enabled and user is not admin
    if($mybb->settings['searchfloodtime'] > 0 && $mybb->usergroup['cancp'] != 1)
        // Fetch the time this user last searched
            $conditions = "uid='{$mybb->user['uid']}'";
            $conditions = "uid='0' AND ipaddress='".$db->escape_string($session->ipaddress)."'";
        $timecut = TIME_NOW-$mybb->settings['searchfloodtime'];
        $query = $db->simple_select("searchlog", "*", "$conditions AND dateline > '$timecut'", array('order_by' => "dateline", 'order_dir' => "DESC"));
        $last_search = $db->fetch_array($query);

        // We shouldn't show remaining time if time is 0 or under.
        $remaining_time = $mybb->settings['searchfloodtime']-(TIME_NOW-$last_search['dateline']);
        // Users last search was within the flood time, show the error.
        if($last_search['sid'] && $remaining_time > 0)
            if($remaining_time == 1)
                $lang->error_searchflooding = $lang->sprintf($lang->error_searchflooding_1, $mybb->settings['searchfloodtime']);
                $lang->error_searchflooding = $lang->sprintf($lang->error_searchflooding, $mybb->settings['searchfloodtime'], $remaining_time);

    $search_data = array(
        "keywords" => $mybb->input['keywords'],
        "postthread" => 1,
        "tid" => $mybb->input['tid']

    if($db->can_search == true)
        if($mybb->settings['searchtype'] == "fulltext" && $db->supports_fulltext_boolean("posts") && $db->is_fulltext("posts"))
            $search_results = perform_search_mysql_ft($search_data);
            $search_results = perform_search_mysql($search_data);
    $sid = md5(uniqid(microtime(), 1));
    $searcharray = array(
        "sid" => $db->escape_string($sid),
        "uid" => $mybb->user['uid'],
        "dateline" => $now,
        "ipaddress" => $db->escape_string($session->ipaddress),
        "threads" => $search_results['threads'],
        "posts" => $search_results['posts'],
        "resulttype" => 'posts',
        "querycache" => $search_results['querycache'],
        "keywords" => $db->escape_string($mybb->input['keywords'])

    $db->insert_query("searchlog", $searcharray);

    redirect("search.php?action=results&sid=".$sid, $lang->redirect_searchresults);
    $srchlist = make_searchable_forums("", $fid);
    $prefixselect = build_prefix_select('all', 'any', 1);
    $rowspan = 5;
        $rowspan += 2;
        eval("\$moderator_options = \"".$templates->get("search_moderator_options")."\";");
    eval("\$search = \"".$templates->get("search")."\";");


سپس از قسمت Search System در قسمت پیکربندی حالت جستجو را از Standard به Full Text تغییر دهید .
سلام بر عزیزان

در ابتدا مروری داریم از آسیب پذیری که در POST جستجو شناسایی شده بود :

Exploit-Title: MyBB 1.6.12 POST XSS 0day
Google-Dork: inurl:index.php intext:Powered By MyBB
Date: Februrary 2nd of 2014
Bug Discovered and Exploit Author: Osanda Malith Jayathissa
Vendor Homepage: http://www.mybb.com
Software Link: http://resources.mybb.com/downloads/mybb_1612.zip
Version: 1.6.12 (older versions might be vulnerbale)
Tested on: Windows 8 64-bit
Video: https://www.youtube.com/watch?v=67MfgixmWgo
Original write-up: http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day
CVE: CVE-2014-1840
<form name="exploit" action="http://localhost/mybb_1612/Upload/search.php"
<input type="hidden" name="action" value="do_search" />
<input type="hidden" name="keywords"


" />
<script>document.exploit.submit(); </script>

برای پنتست این آسیب پذیری میتونید اکسپلویت رو به صورت HTML ذخیره کنید در قسمت action="http://yourmybb.com/search.php" به جای Yourmybb آدرس سایت خود را قرار دهید .

یکی از تیم های امنیتی Big Grin که البته اسمشم نمیگم اومد این پچ رو خراب کنه ما هم یه عکس قرار میدیم خاطراتی براش زنده بشه . مجدد متذکر میشم اگر مراحل بصورت کامل انجام شود آسیب پذیری رفع میشود .

[تصویر:  preview?size=large]
تقدیم با عشق

آسیب پذیری XSS از نوع High از پلاگین Extended Useradmininfo انجمن ساز مای بی بی

# Exploit Title: Extended Useradmininfo MyBB Plugin 1.2.1 - Cross Site
# Google Dork: N/A
# Date: 09.02.2014
# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
# Vendor Homepage: http://forum.mybboard.de/user-9022.html
# Software Link: http://mods.mybb.com/view/extended-useradmininfo
# Version: 1.2.1
# Tested on: PHP

This plugin shows advanced Informations about a user, such as last IP, User
Agent, Browser and Operating System. The information will be shown in a
user profile and visible only  for people who are able to see the
adminoptions on user profiles.

Proof of Concept
1. Create a user account.
2. Change your user-agent to "Mozilla<script>alert(1)</script>".
3. Login and then... logout.

* The script will be executed whenever the administrator view your profile.

Replace the content of "inc/plugins/extendeduseradmininfos.php" with this

رفع آسیب پذیری :

Replace the content of "inc/plugins/extendeduseradmininfos.php" with this

دموی آسیب پذیری در آپارات :


آسیب پذیری :


لینک مرجع پلاگین :

قابل توجه دوستان عده ای افراد غیر فنی شایعاتی در مورد آسیب پذیر بودن پچ پخش کرده اند . که البته مدتی قبل توسط همین آسیب پذیری کوکی کاربرانشان سرقت و در نهایت هک شدند .

بنده خاطر نشان میکنم که پچ مورد نظر بدون مشکل میباشد و توسط بخش فنی MYBB مورد تایید قرار گرفته است .

عزیزانی که آسیب پذیری XSS در search.php آنها شناسایی شده است میتوانند این آسیب پذیری را با جایگزین کردن کد بالا پچ نمایند .

هر یک از عزیزان مشکلی در این رابطه داشتند از طریق پیام خصوصی با ما در ارتباط باشند .
منتظر آموزش های بعدی شما هستیم Wink
سلام دوستان عزیز

طی بررسی های اخیر به خطای زیر رسیدیم :

کد php:

این خطا در تمامی نسخه ها MYBB قرار دارد و پایه خطا به علت تعریف نشدن صحیح آرایه ها و فانشن mysqli_real_escape_string میباشد .

ابتدا ما این خطا را از لحاظ SQLI تست نمودیم ولی بعد از بررسی دقیق تر متوجه شدیم فقط خطا هست اما جهت امنیت بیشتر بهتر است رفع گردد . سایتهای زیادی این خطا را دارا هستند (باز هم تحت بررسی میباشد بهتر است پچ نمائید ) نمونه :

[تصویر:  mybb_sqli_error.png]

Exploit :


Demo :


Error :

Warning [2] mysqli_real_escape_string() expects parameter 2 to be string, array given - Line: 874 - File: inc/db_mysqli.php PHP 5.4.19-1~dotdeb.1 (Linux)

کد php:
Exm :

http://my- bb.ir/search.php?action=results&sid[0]=9afaea732cb32f06fa34b1888bd237e2&sortby=&order=

راه حل و روش پچ :

فایل search.php را ویرایش و لاین 59 یا خط زیر را پیدا کنید :

$sid = $db->escape_string($mybb->input['sid']);

سپس خط بالا را با کد زیر تعویض نمائید :

    $sid = $db->escape_string(implode($mybb->input['sid']));
    $sid = $db->escape_string($mybb->input['sid']);

اگر دوستان علاقه داشتند در مورد این فانشن و خطا بیشتر بدانند به لینک زیر مراجعه نمایند :


البته سایت بالا به کاربرانش توصیه کرده است بجای استفاده از فانشن mysql_escape_string از mysql_real_escape_string () استفاده نماید . تفاوت این دو بیشتر در سرعت خواندن از دیتابیس هست . این فانشن امنیتی میباشد که باعث جلوگیری از ورود مقادیری همانند کاراکتر ها \x00, \n, \r, \, ', " and \x1a. و در نهایت جلوگیری از SQL Injection میباشد .

با تشکر از دوستان عزیز MojiRider و Mohammad-Za بخاطر همکاری و بررسی در این موضوع
MR.XpR عزیز اگر لطف کنید و یک لیست از پلاگین های اسیب پذیر و دارای باگ را معرفی کنید ممنون میشم
بزودی لیستی که قولشو دادم قرار میدم Farhoodi عزیز
دوست عزیز شما از این قسمت میتونید لیست پلاگین ها و آسیب پذیری های مربوط به MYBB رو به همراه اکسپلویت ببینی :


پلاگین های فعلی بیشتر از آسیب پذیری های XSS و SQLI یا RCE میباشند .

مثل پلاگین برچسب ها

(۱۳۹۲/۱۲/۸، ۱۱:۳۱:۰۰ صبح)MR.XpR نوشته است: [ -> ]پلاگین های فعلی بیشتر از آسیب پذیری های XSS و SQLI یا RCE میباشند .

مثل پلاگین برچسب ها


راهی برای رفع اسیب پذیری پلاگین برچسب ها نیست؟
