Results 1 to 2 of 2

Thread: Try to hack this VBulletin

  1. #1
    Assadministrator kung foo man's Avatar
    Join Date
    Jun 2012
    Location
    trailerpark
    Posts
    2,010
    Thanks
    2,102
    Thanked 1,084 Times in 753 Posts

    Try to hack this VBulletin

    Yo all,

    just noticed this strange "Test" guy and had a bad feel about the forum security, as if he needed a thread to test some exploits or something. I googled some VB exploits and immediately found something.

    Fixed stuff:

    1) https://www.exploit-db.com/exploits/37815/

    Memcached is by default configured to only accept requests from localhost, but VBulletin allows users to e.g. reference images by URL. A malicious user can then just craft an URL like http://localhost:11211/someMemCacheCommands... and memcached would execute that.

    2) https://www.exploit-db.com/exploits/40751/

    forumrunner stuff, got rid of whole folder

    3) https://packetstormsecurity.com/file...Injection.html

    Removed visitormessage.php, since it's connected to a MySQL injection and those "visitor messages" are pretty useless nonetheless.

    4) https://packetstormsecurity.com/file...Injection.html (./includes/api/4/breadcrumbs_create.php)

    Changed line to $conceptId = intval( $vbulletin->GPC['conceptid'] );

    -----

    But yea, if anybody has fun to try to hack this forum, you are allowed to. If you got something interest, please discuss via Steam or PM. If functionality is crucial, I will keep it, otherwise just get rid of such potential security issues.
    timescale 0.01

  2. The Following 4 Users Say Thank You to kung foo man For This Useful Post:

    kubislav23 (16th November 2017),Lonsofore (16th November 2017),maxdamage99 (16th November 2017),YuriJurek (16th November 2017)

  3. #2
    Private Lonsofore's Avatar
    Join Date
    Oct 2016
    Posts
    86
    Thanks
    82
    Thanked 38 Times in 25 Posts
    Good job, kung

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •