vBulletin Modifications

vBSHOUT 2.1 Vulnerability!!

Old 05-20-2007, 10:10 AM   #1
vB Newbie
Join Date: Nov 2006
Red Flag is on a distinguished road

Quote:
So yesterday some unregistered user wrote in my shoutbox that he'll take my site down. First, I didn't know how he was shouting, and second, I told him to go **** himself.

5 min after, I couldn't log on: my nick was changed, all mods and admins deleted, no access to the site anymore. So I had to suspend my account (hosting) and restore a backup.

How he did that.


In the vbshout folder sb, which is chmodded to 777, he put some script. With that script he browsed to my config.php file and saw the db name, username and password; with the same script he logged in to MySQL and downloaded the tables which contain my password as an md5 hash; with the same script he converted the md5 to plain text and finally logged in to my admin account on the forum. You know the rest.

I don't know if I can do this, so please, admins or mods, delete this if you think it's not right.

I have installed one forum on my localhost and it's accessible from the internet. I have also put that hacker's script there, so if anybody wants to test it please PM me so I don't put the link here. I hope this isn't spam, because the link doesn't go to my website; it goes to a test forum which is empty. I hope you'll find this helpful.
Quote:
I'll test it out...
It's most likely a C99 shell.

PM me the link, and I'll check it out and see how he broke in.


EDIT: I have not seen a C99 shell of this caliber before... this is off the scale.



Format Box
Bypass PHP Safe Mode
Kernel Attack Built-in
View Open Ports
View Logged in Users
View Files such as /etc/passwd

Boy.. this is a hilarious new amount of features...
Yeah, this program can get into your FTP and AdminCP, all from vBshout 2.1




Old 05-21-2007, 09:49 AM   #2
vBulletin Guru
Join Date: May 2006
Real Name: Nick
Location: Cyberspace, UK
Nick R is on a distinguished road

It's impossible to "un-md5" a hash so to speak. On the other hand you can build a hash pretty easily and enter it into the db if you have ftp access.

The main issue you're pointing out is being able to inject code into the shoutbox, which can then do anything: upload files, run queries, erase the hard drive.

I'll check with zero tolerance about this tonight.




Old 05-21-2007, 04:16 PM   #3
vB Newbie
Join Date: Dec 2006
rishabh_sood_best is on a distinguished road

This is possible due to RFI! You must have some vuln.. file on your FTP which he used to reach your config.php




Old 05-24-2007, 06:10 PM   #4
vB Newbie
Join Date: Nov 2006
Red Flag is on a distinguished road

What should I CHMOD my files to? 755?




Old 05-25-2007, 01:17 PM   #5
Junior Member
Join Date: Jun 2005
sodhi is on a distinguished road

CHMODing it to 744 should do the trick I assume. I haven't looked into the issue, however..




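The permission question in posts #4 and #5 can be checked rather than guessed. The script below is an added example, not part of the thread or of vBShout: it audits a web root for the condition the first post reports, a world-writable directory such as `sb` with a script inside it. The function names, the sample layout and the file names `dropped.php` and `shouts.dat` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report world-writable paths under a web root.
# Findings, one per line:
#   WORLD_WRITABLE_DIR  <path>  any local account, web server included, can create files here
#   SCRIPT_IN_WRITABLE  <path>  PHP-like file sitting directly in such a directory
#   WORLD_WRITABLE_FILE <path>  file any local account can overwrite
audit_webroot() {
    local root="$1" dir
    # -perm -0002 matches every mode with the "other write" bit set (777, 757, 733, ...)
    find "$root" -type d -perm -0002 -print | sort | while IFS= read -r dir; do
        printf 'WORLD_WRITABLE_DIR %s\n' "$dir"
        find "$dir" -maxdepth 1 -type f \
            \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) -print |
            sort | sed 's/^/SCRIPT_IN_WRITABLE /'
    done
    find "$root" -type f -perm -0002 -print | sort | sed 's/^/WORLD_WRITABLE_FILE /'
}

# Constructed sample layout (not the poster's real site) so the audit runs offline.
build_sample_site() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/includes" "$root/sb"
    printf '<?php /* constructed placeholder */\n' > "$root/includes/config.php"
    printf '<?php /* constructed placeholder */\n' > "$root/sb/dropped.php"
    : > "$root/sb/shouts.dat"
    chmod 755 "$root" "$root/includes"
    chmod 644 "$root/includes/config.php" "$root/sb/dropped.php"
    chmod 777 "$root/sb"            # the mode reported for the sb folder in the thread
    chmod 666 "$root/sb/shouts.dat"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/forum  (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

On directories the execute bit is the search permission, so 755 keeps them traversable by the web server while removing write access for other accounts; 744 on a directory takes that search bit away from group and others.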
Old 05-30-2007, 06:50 AM   #6
vB Newbie
Join Date: Mar 2007
conexn is on a distinguished road

Can you show me the code that allows him to do this? I am trying to learn a bit about this mess so I can prevent it from happening again. I was also running this, and last night I had a guest in an admin-only section. I had even uninstalled the program, but I guess it left something behind, and I would also like some help on how to get it completely out.




Old 05-30-2007, 08:48 PM   #7
Coder
Join Date: Feb 2005
B34ST is on a distinguished road

Quote:
Originally Posted by Nick R View Post
It's impossible to "un-md5" a hash so to speak.
You'd better not be too sure about that. I don't know myself how to decrypt an md5 + salt pass (yes, you need the salt too), though I know 2 different people that hack complete user databases (usernames & passwords) in a time of 10-20 minutes. Just for your information.




Old 06-03-2007, 10:34 AM   #8
vB Newbie
Join Date: Jun 2007
pokemon is on a distinguished road

Has anyone solved the problem that occurred? I have the same problem.. a hacker defaced our website by using a shell to read config.php. They captured our admin user and password very easily... Please share your information on how to prevent this from happening. Thanks in advance.



