Menu

Improved exploit search engine. Try it out

"MyBB Bans List 1.0 - Cross-Site Scripting"

Author

0xB9

Platform

php

Release date

2019-02-11

Release Date Title Type Platform Author
2019-05-24 "Opencart 3.0.3.2 - 'extension/feed/google_base' Denial of Service PoC" webapps php "Todor Donev"
2019-05-23 "Nagios XI 5.6.1 - SQL injection" webapps php JameelNabbo
2019-05-22 "Horde Webmail 5.2.22 - Multiple Vulnerabilities" webapps php InfinitumIT
2019-05-21 "WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities" webapps php "Simone Quatrini"
2019-05-21 "Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting" webapps php "Dionach Ltd"
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-20 "eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution" webapps php liquidsky
2019-05-20 "GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-17 "Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution" webapps php "numan türle"
2019-05-16 "DeepSound 1.0.4 - SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-15 "Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting" webapps php LiquidWorm
2019-05-15 "CommSy 8.6.5 - SQL injection" webapps php "Jens Regel_ Schneider_ Wulf"
2019-05-14 "PasteShr 1.6 - Multiple SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-14 "Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection" webapps php "Julien Ahrens"
2019-05-14 "Sales ERP 8.1 - Multiple SQL Injection" webapps php "Mehmet EMIROGLU"
2019-05-14 "PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)" remote php AkkuS
2019-05-13 "OpenProject 5.0.0 - 8.3.1 - SQL Injection" webapps php "SEC Consult"
2019-05-13 "XOOPS 2.5.9 - SQL Injection" webapps php "felipe andrian"
2019-05-13 "SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - SQL Injection" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Information Disclosure" webapps php LiquidWorm
2019-05-09 "Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting" webapps php "Ibrahim Raafat"
2019-05-06 "PHPads 2.0 - 'click.php3?bannerID' SQL Injection" webapps php "felipe andrian"
2019-05-03 "Wordpress Plugin Social Warfare < 3.5.3 - Remote Code Execution" webapps php hash3liZer
2019-05-03 "Instagram Auto Follow - Authentication Bypass" webapps php Veyselxan
2019-04-30 "Agent Tesla Botnet - Information Disclosure" webapps php n4pst3r
2019-04-30 "Hyvikk Fleet Manager - Shell Upload" webapps php saxgy1331
2019-04-30 "Joomla! Component JiFile 2.3.1 - Arbitrary File Download" webapps php "Mr Winst0n"
2019-04-30 "HumHub 1.3.12 - Cross-Site Scripting" webapps php "Kağan EĞLENCE"
2019-04-30 "Joomla! Component ARI Quiz 3.7.4 - SQL Injection" webapps php "Mr Winst0n"
Release Date Title Type Platform Author
2019-03-19 "MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting" webapps php 0xB9
2019-02-15 "MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / Cross-Site Request Forgery" webapps php 0xB9
2019-02-14 "LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)" webapps php 0xB9
2019-02-15 "VSCO 1.1.1.0 - Denial of Service (PoC)" dos windows 0xB9
2019-02-12 "LayerBB 1.1.2 - Cross-Site Scripting" webapps php 0xB9
2019-02-11 "MyBB Bans List 1.0 - Cross-Site Scripting" webapps php 0xB9
2019-01-28 "MyBB IP History Logs Plugin 1.0.2 - Cross-Site Scripting" webapps php 0xB9
2019-01-28 "Smart VPN 1.1.3.0 - Denial of Service (PoC)" dos windows 0xB9
2019-01-18 "FastTube 1.0.1.0 - Denial of Service (PoC)" dos windows 0xB9
2019-01-18 "VPN Browser+ 1.1.0.0 - Denial of Service (PoC)" dos windows 0xB9
2019-01-18 "7 Tik 1.0.1.0 - Denial of Service (PoC)" dos windows 0xB9
2019-01-18 "Eco Search 1.0.2.0 - Denial of Service (PoC)" dos windows 0xB9
2019-01-18 "One Search 1.1.0.0 - Denial of Service (PoC)" dos windows 0xB9
2019-01-18 "Watchr 1.1.0.0 - Denial of Service (PoC)" dos windows 0xB9
2019-01-07 "MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting" webapps php 0xB9
2019-01-07 "LayerBB 1.1.1 - Persistent Cross-Site Scripting" webapps php 0xB9
2018-09-12 "MyBB 1.8.17 - Cross-Site Scripting" webapps php 0xB9
2018-08-20 "MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery" webapps php 0xB9
2018-08-10 "MyBB Like Plugin 3.0.0 - Cross-Site Scripting" webapps php 0xB9
2018-07-19 "MyBB New Threads Plugin 1.1 - Cross-Site Scripting" webapps php 0xB9
2018-08-10 "MyBB Thank You/Like Plugin 3.0.0 - Cross-Site Scripting" webapps php 0xB9
2018-06-05 "MyBB Recent Threads Plugin 1.0 - Cross-Site Scripting" webapps php 0xB9
2018-05-29 "MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting" webapps php 0xB9
2018-05-25 "MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Scripting" webapps php 0xB9
2018-05-16 "MyBB Admin Notes Plugin 1.1 - Cross-Site Request Forgery" webapps php 0xB9
2018-05-10 "MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting" webapps php 0xB9
2018-04-26 "MyBB Threads to Link Plugin 1.3 - Cross-Site Scripting" webapps php 0xB9
2018-04-26 "October CMS User Plugin 1.4.5 - Persistent Cross-Site Scripting" webapps php 0xB9
2018-04-05 "MyBB Plugin Downloads 2.0.3 - Cross-Site Scripting" webapps php 0xB9
2018-03-23 "MyBB Plugin Last User's Threads in Profile Plugin 1.2 - Persistent Cross-Site Scripting" webapps php 0xB9
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46347/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46347/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46347/40824/mybb-bans-list-10-cross-site-scripting/download/", "exploit_id": "46347", "exploit_description": "\"MyBB Bans List 1.0 - Cross-Site Scripting\"", "exploit_date": "2019-02-11", "exploit_author": "0xB9", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Exploit Title: MyBB Bans List - Cross Site Scripting
# Date: 7/25/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=423
# Version: 1.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-14724


1. Description:
Adds bans.php page, showing a list of banned users and the reason of ban. 

Any forum user that's a mod can ban users and input a payload into the ban reason which gets executed on the bans.php page.
 

2. Proof of Concept:

- Have a mod account
- Ban a user
- Input the following for reason of the ban   <script>alert('XSS')</script>
- Anyone to view page will execute payload