Plugin: http://www.vbulletin.org/forum/showthread.php?t=299490 Version: <= 0.2 (latest)
The mistake in this plugin is that the author did not add any checks to the connector file: it does not check whether the user is currently logged in as an administrator.
We can simply exploit this by making a .html file and by pointing all URL references to the admincp of a forum with this plugin.
Proof of concept:
This will establish a connection to the vulnerable host and pop up the file manager.
You can now download/upload/delete anything you want and browse through all of the files.
Plugin: http://www.vbulletin.org/forum/showthread.php?t=254336 Version: <= 4.6.4 (latest)
The vulnerability resides in the microsupport.php file.
Not a single variable is sanitized; each one is used directly in the SQL queries, everywhere in the file.
An easy way to extract information out of the database is by abusing the checkchatcall_request part in the php file, which looks like this:
Proof of concept: http://example.com/microsupport.php?requester=checkchatcall_request&adminsID=1 UNION SELECT null, concat(1, 0x3a, username, 0x3a, password, 0x3a, salt), null, null, null FROM user where userid = 1
Note that the first field in the concat function must be a number since the function checks if the usersUID is bigger than 0, which is the first column in the result.
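For defenders, requests that abuse the unsanitized adminsID parameter stand out in web server logs because the value is no longer a plain integer. The following is an added example, not part of the original advisory or the plugin's code; it assumes a combined-format access log, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# adminsID is used as a numeric key, so anything but plain digits is suspect.
NUMERIC_RE = re.compile(r"[0-9]{1,10}")


def suspicious_adminsid(log_line):
    """Return the decoded adminsID values in one log line that are not plain integers."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/microsupport.php"):
        return []
    # parse_qs percent-decodes values and keeps repeated parameters as a list.
    params = parse_qs(url.query, keep_blank_values=True)
    return [v for v in params.get("adminsID", []) if not NUMERIC_RE.fullmatch(v)]


def scan(lines):
    """Yield (line_number, bad_values) for every log line that needs review."""
    for number, line in enumerate(lines, start=1):
        bad = suspicious_adminsid(line)
        if bad:
            yield number, bad


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2014:10:00:00 +0000] "GET /microsupport.php?requester=checkchatcall_request&adminsID=1 HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2014:10:00:05 +0000] "GET /microsupport.php?requester=checkchatcall_request&adminsID=1%20UNION%20SELECT%20null HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jan/2014:10:00:09 +0000] "GET /forum/microsupport.php?adminsID=2&adminsID=2+OR+1%3D1 HTTP/1.1" 200 40',
    '203.0.113.4 - - [01/Jan/2014:10:00:11 +0000] "GET /index.php?adminsID=x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, bad in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric adminsID {bad}")
```

This only sees parameters that appear in the logged request line, so values sent in a POST body are not covered. The same integer-only rule is what the plugin should enforce on adminsID before the value reaches a query.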