(adsbygoogle = window.adsbygoogle || []).push({});

How To Hack VBulletin Forums ver 4.x - 4.1.3

Okay Ladies, shall we begin?

Part 1: The Beginning

First you are going to need some tools. You don't need to download any gay cracking/hacking software.
Just two little programs that anyone that is into web development should already have:

You must login or register to view this content. I use it for firefox cause I.E. is lame, and if your using I.E. you should probably just You must login or register to view this content.
You must login or register to view this content. Another firefox add-on
Okay these both I think are for firefox so if your using another browser (which you shouldn't be) then try to find a program that does the same as these.


Part 2: Is your mom asleep yet?

Now that you have made sure your parents are in bed, and you have installed the above software we need to find a site. What we are looking for is any VBulletin© <-- LoLz Site ver 4.x-4.1.3.
Once you have located your target you need to go to the community tab on the forum page, and then select groups (or just type in [url]www.yourvulnerablesite.com/group.php[/url]) *Note some sites
you will have to register to see their groups*. Okay so you have finally located the groups section, peeked out your door to make sure your mom was still asleep, and refilled your mountain dew.
Now locate an actual group:

You must login or register to view this content.

So now I choose the chinese group, why you ask? I don't know...secretly no one really likes them, j/k no flaming it was a joke. Okay now the issue is, we need the actual group id, and we are not getting
it by hovering over the name of the group. This is where firebug comes in handy, now I know there are gagillion ways of doing this, but again I'm making this for the complete noob. What you want to do is
right click the group name "chinese", then click 'Inspect Element' on the pop-up dialog. Now what we are looking for is the line underneath the header for the group.

    <ul class="controls">

<li>

<a class="textcontrol" href="https://www.nextgenupdate.com/forums/group.php?groupid=1173&do=join" rel="nofollow">

You can see from the "ul class" that the groupid is 1173

You must login or register to view this content.

Part 3: I Always Feel Like Somebody's Watching Me

Now that you have looked out of the crack in the blinds for the feds, and muted that Miley Cyrus song so you can listen for black helicopters we need to left click on the name of the group "chinese" and find a post that they have made. If no post exists for the group, find another group, or join that one and make a post. Once you see a post that they have made, or you have created note the title of the post/thread. Now we want to go to the search area of the forum, and click single search, then select Group Messages, and for Keywords copy and paste the thread title that you created in the group, or the one that the group had already created:

You must login or register to view this content.

Now before you get all excited and bust one off in your scooby-doo tighties, we need to open up Live HTTP Headers, if there is a bunch of mumbo jumbo there we need to hit the clear button, once it's clear, go ahead and click back on the forum, and hit the search button, I know you have been waiting to do it ever since you typed in those keywords. Now click back on your Live HTTP Headers, and you will notice a $hit load of crap that is written in some form of alien technology that only a super elite nerd would understand. That's okay though, trust me, it's going to make since in a second...**Warning Technical Content** This type of injection is a post injection, we are taking advantage of an error in the script of VBulletin and we are going to append some information to the search query, by posting a extra query to the database**
What you are looking for in the Live HTTP Headers section is the post area for the site you were on:

You must login or register to view this content.

Now you may notice 2-3-1,000,000 different post sections but we want the one that says : query on the last line. Which is usually around the top part of Live HTTP Headers. Once you have located that select that row, and click the Replay button on Live HTTP Headers....woah woah woah...what's all this then? Well that's a good question, this is the query that was sent to retrieve the information we searched for, so what we are going to do is add our own little code (muhahaha) and then let it replay (muhahaha). Now that you have it open for editing in the replay mode do what you tricks do best and copy and pastah this code (note, i did not say "my code" as it's not my code, so stfu about it, we all get stuff from other sources).

    &messagegroupid[0]=YOURGROUPID ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt  ) FROM user WHERE userid=1#

Replace YOURGROUPID with the groupid we snagged earlier:

    &messagegroupid[0]=1773 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt  ) FROM user WHERE userid=1#

That's it, we just paste that at the end of the replay and hit the replay button:

You must login or register to view this content.

When you paste in your code, and change out the groupid with the proper id, and hit replay, you will notice the page reload, and next to your search result will be the user name/email/pass/salt .. you can change the userid=1# to whatever user you want to h4x0r i.e. userid=1234# etc.

A few notes :
1. Some sites have not indexed their search tables properly, and you will not be able to use this method *cough* ngu *cough*
2. You have to yield a proper search result for this to work, not a generic page full of possible results. You will notice the search is broken by looking at your keywords used in your search, for this example I will use NGU and search for a post a and you will see the EPiC FAiL :

You must login or register to view this content.

Now judging by that post, you would think that I'm some flamer looking for "guys" on here, when in fact the actual search keywords were "Come on guys".

3. If you run into these issues don't give up on h4x1n and run back to play Ecco on your sega genesis just yet, there is still hope.

Part 4: All By Myself

Now that you have eaten a bottle of pills and chased them with that drain-o under the kitchen sink because you have EPiCally FAiLed at h4x0r1ng we need to act fast because you don't have much time. So put on your favorite Celine Dion album and listen up. What you want to do, is find another user group, note their name, then run over to the search box, and do a search. This time we want to do the "Multiple Content Types" search, and tick the box for Groups, then for the keyword, put in your groups name. Now repeat the process of opening up Live HTTP Headers, and clearing out any data that is there, then hit the search button on the forum. Now you can bring up your Live HTTP Headers again and find the appropriate post field, and hit replay. Once you are in replay mode, append this code to the end of the post:

    &cat[0]=1) UNION SELECT concat_ws(0x3a,username,password,salt,email) FROM user limit 1,1#

Again we can change out the limit 1,1 to however many users we want to h4x0r.

What Can I Do With Hash(s) and Salt(s)?

Okay you can visit your favorite place to get software and look for passwordspro, then you can add the hash and salt to be cracked and select the md5(md5($pass).($salt)) option *not sure about the context there, feel free to flame me on that one*, then select the type of attack you want to do i.e. bruteforce etc etc. There is a settings menu that lets you adjust the variables for each attack type against the password. That is just one of 1,000's of ways of cracking the password, so feel free to google away on how to crack vbulletin hash's.

Final Thoughts: The moment of truth

Okay guys, this is what I have learned from various sources, too many to quote. No one has compiled a tute like this that I have been able to find. I don't want to hear about how you googled certain content from my post and found a piece here or a piece there. All I can reply to that is "no $hit" it's going to happen, as I did not create nor find this exploit, some 7 yr old in asia found it I'm sure. If you need further help executing this exploit successfully please feel free to PM me. I will not provide help here, as I don't babysit my threads. I hope you guys enjoyed my PERSONAL tute on how to work out this exploit. I tried to make it as basic as possible but I know that some will still have some difficulty with it, and that's fine, I'm here to help.

Flamers, trolls, keep moving past this one, it's not for you. Lets try to keep at least one thread clean from some a$$hole that has nothing better to do than point out this or that instead of taking his 1337 a$$ to the forums and creating his own helpful thread.

Thanks again,
And Remember,
RalphieRocks

*Side Note*

You can use a google dork to find vulnerable sites, basically search google for " Powered by vBulletin 4.1.3 " or something like that, and you can find what your looking for.
And yes, you can try out your own injection techniques here, it's not limited to the two different examples I showed you, be creative and see what you can fetch.
The second example uses a different injection string, as you can clearly see, you are free to research these and edit them to fit your needs, and vBulletins setup.

Here is a YouTube Vid for those still having trouble with this one:


If your having issues with fetching the wrong data from the database, then you really need to google union selecting, and vbulletin databases. I cannot do everything, this is just to help get your foot in the door.

Originally posted by ralphierocks

How To Hack VBulletin Forums ver 4.x - 4.1.3

What you choose to do with this is up to you :: I did not create nor find this exploit on my own
I am only putting it into layman's terms since a lot of people don't understand injecting
This is a noob tutorial and assumes you have no prior knowledge of the exploit, or injection methods

Okay Ladies, shall we begin?

Part 1: The Beginning

First you are going to need some tools. You don't need to download any gay cracking/hacking software.
Just two little programs that anyone that is into web development should already have:

You must login or register to view this content. I use it for firefox cause I.E. is lame, and if your using I.E. you should probably just You must login or register to view this content.
You must login or register to view this content. Another firefox add-on
Okay these both I think are for firefox so if your using another browser (which you shouldn't be) then try to find a program that does the same as these.


Part 2: Is your mom asleep yet?

Now that you have made sure your parents are in bed, and you have installed the above software we need to find a site. What we are looking for is any VBulletin© <-- LoLz Site ver 4.x-4.1.3.
Once you have located your target you need to go to the community tab on the forum page, and then select groups (or just type in [url]www.yourvulnerablesite.com/group.php[/url]) *Note some sites
you will have to register to see their groups*. Okay so you have finally located the groups section, peeked out your door to make sure your mom was still asleep, and refilled your mountain dew.
Now locate an actual group:

You must login or register to view this content.

So now I choose the chinese group, why you ask? I don't know...secretly no one really likes them, j/k no flaming it was a joke. Okay now the issue is, we need the actual group id, and we are not getting
it by hovering over the name of the group. This is where firebug comes in handy, now I know there are gagillion ways of doing this, but again I'm making this for the complete noob. What you want to do is
right click the group name "chinese", then click 'Inspect Element' on the pop-up dialog. Now what we are looking for is the line underneath the header for the group.

    <ul class="controls">

<li>

<a class="textcontrol" href="https://www.nextgenupdate.com/forums/group.php?groupid=1173&do=join" rel="nofollow">

You can see from the "ul class" that the groupid is 1173

You must login or register to view this content.

Part 3: I Always Feel Like Somebody's Watching Me

Now that you have looked out of the crack in the blinds for the feds, and muted that Miley Cyrus song so you can listen for black helicopters we need to left click on the name of the group "chinese" and find a post that they have made. If no post exists for the group, find another group, or join that one and make a post. Once you see a post that they have made, or you have created note the title of the post/thread. Now we want to go to the search area of the forum, and click single search, then select Group Messages, and for Keywords copy and paste the thread title that you created in the group, or the one that the group had already created:

You must login or register to view this content.

Now before you get all excited and bust one off in your scooby-doo tighties, we need to open up Live HTTP Headers, if there is a bunch of mumbo jumbo there we need to hit the clear button, once it's clear, go ahead and click back on the forum, and hit the search button, I know you have been waiting to do it ever since you typed in those keywords. Now click back on your Live HTTP Headers, and you will notice a $hit load of crap that is written in some form of alien technology that only a super elite nerd would understand. That's okay though, trust me, it's going to make since in a second...**Warning Technical Content** This type of injection is a post injection, we are taking advantage of an error in the script of VBulletin and we are going to append some information to the search query, by posting a extra query to the database**
What you are looking for in the Live HTTP Headers section is the post area for the site you were on:

You must login or register to view this content.

Now you may notice 2-3-1,000,000 different post sections but we want the one that says : query on the last line. Which is usually around the top part of Live HTTP Headers. Once you have located that select that row, and click the Replay button on Live HTTP Headers....woah woah woah...what's all this then? Well that's a good question, this is the query that was sent to retrieve the information we searched for, so what we are going to do is add our own little code (muhahaha) and then let it replay (muhahaha). Now that you have it open for editing in the replay mode do what you tricks do best and copy and pastah this code (note, i did not say "my code" as it's not my code, so stfu about it, we all get stuff from other sources).

    &messagegroupid[0]=YOURGROUPID ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

Replace YOURGROUPID with the groupid we snagged earlier:

    &messagegroupid[0]=1773 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

That's it, we just paste that at the end of the replay and hit the replay button:

You must login or register to view this content.

When you paste in your code, and change out the groupid with the proper id, and hit replay, you will notice the page reload, and next to your search result will be the user name/email/pass/salt .. you can change the userid=1# to whatever user you want to h4x0r i.e. userid=1234# etc.

A few notes :
1. Some sites have not indexed their search tables properly, and you will not be able to use this method *cough* ngu *cough*
2. You have to yield a proper search result for this to work, not a generic page full of possible results. You will notice the search is broken by looking at your keywords used in your search, for this example I will use NGU and search for a post a and you will see the EPiC FAiL :

You must login or register to view this content.

Now judging by that post, you would think that I'm some flamer looking for "guys" on here, when in fact the actual search keywords were "Come on guys".

3. If you run into these issues don't give up on h4x1n and run back to play Ecco on your sega genesis just yet, there is still hope.

Part 4: All By Myself

Now that you have eaten a bottle of pills and chased them with that drain-o under the kitchen sink because you have EPiCally FAiLed at h4x0r1ng we need to act fast because you don't have much time. So put on your favorite Celine Dion album and listen up. What you want to do, is find another user group, note their name, then run over to the search box, and do a search. This time we want to do the "Multiple Content Types" search, and tick the box for Groups, then for the keyword, put in your groups name. Now repeat the process of opening up Live HTTP Headers, and clearing out any data that is there, then hit the search button on the forum. Now you can bring up your Live HTTP Headers again and find the appropriate post field, and hit replay. Once you are in replay mode, append this code to the end of the post:

    &cat[0]=1) UNION SELECT concat_ws(0x3a,username,password,salt,email) FROM user limit 1,1#

Again we can change out the limit 1,1 to however many users we want to h4x0r.

What Can I Do With Hash(s) and Salt(s)?

Okay you can visit your favorite place to get software and look for passwordspro, then you can add the hash and salt to be cracked and select the md5(md5($pass).$(salt)) option *not sure about the context there, feel free to flame me on that one*, then select the type of attack you want to do i.e. bruteforce etc etc. There is a settings menu that lets you adjust the variables for each attack type against the password. That is just one of 1,000's of ways of cracking the password, so feel free to google away on how to crack vbulletin hash's.

Final Thoughts: The moment of truth

Okay guys, this is what I have learned from various sources, too many to quote. No one has compiled a tute like this that I have been able to find. I don't want to hear about how you googled certain content from my post and found a piece here or a piece there. All I can reply to that is "no $hit" it's going to happen, as I did not create nor find this exploit, some 7 yr old in asia found it I'm sure. If you need further help executing this exploit successfully please feel free to PM me. I will not provide help here, as I don't babysit my threads. I hope you guys enjoyed my PERSONAL tute on how to work out this exploit. I tried to make it as basic as possible but I know that some will still have some difficulty with it, and that's fine, I'm here to help.

Flamers, trolls, keep moving past this one, it's not for you. Lets try to keep at least one thread clean from some a$$hole that has nothing better to do than point out this or that instead of taking his 1337 a$$ to the forums and creating his own helpful thread.

Thanks again,
And Remember,
RalphieRocks

OMFG I have been setup and running forums for over 2 years. And I haven't found something for vB 4x yet. I Love your (no homo).

No prob mate...This is a way of doing things without using Havij or other tools to inject. I hope more people branch away from using software to do all the work for them. This way people can have an understanding of what's going on, and have the opportunity to learn something new, that they can mold and shape into something custom to fit their own needs.

inb4 Noobs try to hack NextGenUpdate :dumb:

Haha, I bet you tried it :dumb:

You all fail.




On topic; nice tutorial, very understandably set out.

Already knew about it though

In the video, which one is the hash and which one is the salt?

---------- Post added at 01:38 PM ---------- Previous post was at 01:37 PM ----------



In the video, which one is the hash and which one is the salt?

hash first salt second separated by a :

I database error, Me no :megusta: HELP ? :happycry: