PR to fix two modules for CVE-2020-12720 not properly handling vBulletin table prefixes #13553

Merged
merged 1 commit into from
Jun 4, 2020


@Zenofex Zenofex commented Jun 3, 2020

This PR fixes a bug disclosed to me about my 2 modules leveraging CVE-2020-12720 (gather/vbulletin_getindexablecontent_sqli & multi/http/vbulletin_getindexablecontent), specifically in the functionality used to determine the table prefixes for the vBulletin install. The fix supplied in this PR removes the guard clause outside of the get_table_prefix function, which is actually semi-redundant in that the results of the SQLi attack are checked within the get_table_prefix method.

Verification

Testing Exploit Module

  • Start msfconsole
  • use exploit/multi/http/vbulletin_getindexablecontent
  • set RHOSTS [IP]
  • set VHOST [HOSTNAME]
  • set TARGETURI [PATH]
  • check
  • Verify target is marked as vulnerable
  • run
  • Verify shell is spawned

Testing Auxiliary Module

  • Start msfconsole
  • use auxiliary/gather/vbulletin_getindexablecontent_sqli
  • set RHOSTS [IP]
  • set VHOST [HOSTNAME]
  • set TARGETURI [PATH]
  • run
  • Verify user table data is dumped to disk

…dling cases where a table prefix was not used, this guard clause was redundant in that the one inside the get_table_prefix method is already checking the result of the SQL injection performed.
@Zenofex Zenofex changed the title A user reported that the CVE-2020-12720 modules were not properly han… PR to fix two modules for CVE-2020-12720 not properly handling vBulletin table prefixes Jun 3, 2020
@wvu wvu requested a review from smcintyre-r7 June 3, 2020 00:46
@wvu wvu self-assigned this Jun 3, 2020
@wvu wvu merged commit 464c157 into rapid7:master Jun 4, 2020

wvu commented Jun 4, 2020

Release Notes

This fixes redundant guard clauses in the auxiliary/gather/vbulletin_getindexablecontent_sqli and exploit/multi/http/vbulletin_getindexablecontent modules. There is no impact to functionality.

@tperry-r7 tperry-r7 added the rn-fix release notes fix label Jun 11, 2020
Labels
bug module rn-fix release notes fix