vBulletin 5 SQL Injection


You may have already heard that the latest version of vBulletin is vulnerable. The released exploit doesn’t pull anything but the database’s version. I was surfing the internet and I saw this link. I had already seen that quote too: “It’s a skiddie free version.. another version of the exploit exists, but isn’t going to become available anytime soon.” What’s going on here? Is the vulnerable place specified or not? The MySQL injection hole is public now and the exploit pulling data no longer means anything. Before anything else, have a glance at this exploit:

It first performs a log-in, then sends the following string in order to gather the database name:

It’s such a complicated query. I’ve seen it on many webpages; it’s obvious that the authors have extracted this query from SQLMap. These happenings made me download and install the latest version of vBulletin, and after that I realized two things:

1. No log-in sequence is needed; the hole also exists with an unauthorized session.
2. There is no obligation to use the difficult injection queries. The simpler your query is, the more enjoyable it is.

SQLMap can simply pull all the data; no exploit is required:

Result:

Have fun 😉