
Thread: Try to hack this VBulletin

  1. #1
    Assadministrator kung foo man's Avatar

    Try to hack this VBulletin

    Yo all,

    just noticed this strange "Test" guy and had a bad feeling about the forum security, as if he needed a thread to test some exploits or something. I googled some VB exploits and immediately found something.

    Fixed stuff:

    1) https://www.exploit-db.com/exploits/37815/

    Memcached is by default configured to only accept requests from localhost, but VBulletin allows users to e.g. reference images by URL. A malicious user can then just craft a URL like http://localhost:11211/someMemCacheCommands... and memcached would execute that.

    2) https://www.exploit-db.com/exploits/40751/

    forumrunner stuff, got rid of whole folder

    3) https://packetstormsecurity.com/file...Injection.html

    Removed visitormessage.php, since it's connected to a MySQL injection and those "visitor messages" are pretty useless nonetheless.

    4) https://packetstormsecurity.com/file...Injection.html (./includes/api/4/breadcrumbs_create.php)

    Changed line to $conceptId = intval( $vbulletin->GPC['conceptid'] );

    -----

    But yea, if anybody has fun trying to hack this forum, you are allowed to. If you got something interesting, please discuss via Steam or PM. If functionality is crucial, I will keep it, otherwise just get rid of such potential security issues.
    timescale 0.01

  2. The Following 4 Users Say Thank You to kung foo man For This Useful Post:

    kubislav23 (16th November 2017),Lonsofore (16th November 2017),maxdamage99 (16th November 2017),YuriJurek (16th November 2017)
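
The memcached issue in item 1 of the post above is a server-side request forgery problem: the forum itself fetches a user-supplied URL, so "localhost only" services become reachable. As an added example (not from the post and not vBulletin code), here is one way to validate such a URL before fetching it; the function name, the injectable resolver and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example: SSRF guard for user-supplied image URLs (hypothetical helper).
// Accepts only http(s) on ports 80/443 whose host resolves solely to public IPs.
function is_safe_remote_url(string $url, ?callable $resolver = null): bool
{
    // Default resolver uses DNS; a fake one can be injected for offline checks.
    $resolver = $resolver ?? function (string $host): array {
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'] ?? '';
        }
        return $ips;
    };

    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return false; // rejects :11211 (memcached) and other internal service ports
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($ips === []) {
        return false; // unresolvable host: nothing to vouch for
    }
    foreach ($ips as $ip) {
        // Every resolved address must be outside loopback, private and reserved ranges.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample data: a fake resolver so the demo runs without network access.
$fake = function (string $h): array {
    $map = ['images.example.org' => ['93.184.216.34'], 'localhost' => ['127.0.0.1'],
            'intranet.example' => ['10.0.0.5']];
    return $map[$h] ?? [];
};
foreach (['https://images.example.org/a.png', 'http://localhost:11211/',
          'http://intranet.example/logo.png', 'ftp://images.example.org/a.png'] as $u) {
    printf("%-40s %s\n", $u, is_safe_remote_url($u, $fake) ? 'allow' : 'block');
}
```

A check like this only holds if the fetch then connects to the address that was validated (for example by pinning it with cURL's CURLOPT_RESOLVE) and redirects are either disabled or re-validated, since the name can otherwise resolve differently at fetch time.
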

  3. #2
    Private Lonsofore's Avatar
    Good job, kung
