ANTICHAT — форум по информационной безопасности, OSINT и технологиям

Code:
vBulletin 4.0.0-4.0.2 YaAS (yet another award system) XSS Vulnerability=======================================================================
vBulletin 4.0.0-4.0.2 YaAS (yet another award system) XSS Vulnerability
=======================================================================

# Exploit Title: vBulletin 4.0.0-4.0.2 YaAS 4.0.0 (yet another award system) XSS

# Date: 2010-05-13

# Author: Un-Dead

# Team: eX.ploit ( http://ex.ploit.net )

# Software Link: http://www.vbulletin.org/forum/showthread.php?t=232684&highlight=yet+another+award+system

# Google Dork: inurl: recommend_award.php?award_id=1

# Version: vBulletin 4.0.0 thru 4.0.2 using YaAS v4.0.0 (This has now been updated too 4.0.1 and does not work on the updated version)

# Tested on: Windows XP SP3, KDE3.5 vBulletin with HTML turned off

# Usage: XSS

# Code:

This will only work if the administrator has opted to set the ?recommend this award? to create a new poll somewhere in the forum (admin area is even better for cookie stealing J)

Again this will not work on the latest update of YaAS but it will work on YaAS 4.0.0

Click awards tab, chose recommend this award. In the member name just type something doesent really matter.

In the body put your xss

<script>alert(‘xss’);</script>

The infected page will be the poll that was created.

If the admin does not have the ?create new poll? enabled this eX.ploit is useless.

# Inj3ct0r.com [2010-05-13]var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}