Tutorial How To Hack vBulletin 4.1.10 Admin Control Panel

11-20-2012, 09:22 PM
Post: #1


Before I start here, I want everyone to know that I'm not the type that hacks into websites for reputation, respect, or to harm others. My sole job for income is protecting websites, being a penetration tester. So please do not get the wrong impression of me; this is simply a tutorial that I have decided to share with you all.


vBulletin 4.1.10 Vulnerability description:
When a new name and password is entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache.

This vulnerability affects /admincp.
The impact of this vulnerability: possible sensitive information disclosure.


Now I Will Tell You How To Hack Admin Cp


Password type input named
Code:
vb_login_password
from form named loginform with
Code:
action ../login.php?do=login
has autocomplete enabled.

In That Way You Could Do SQL Injection

Other Vulnerability Found Also


The HTML comments of this page contain configuration information for Microsoft Frontpage Server Extensions. The configuration information includes the Frontpage version and may help an attacker to learn more about his target.
This vulnerability affects
Code:
/_vti_inf.html.

To Attack It

Code:
example.com/admincp/_vti_inf.html

Or Use That Way

Code:
example.com/_vti_inf.html
Enjoy!

More Tutorials Waiting For You!

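The autocomplete finding described in the first post can be checked for in your own page source. The following is an added example, not part of the original post: it parses HTML offline and reports password inputs whose effective autocomplete setting is not off. The sample markup is constructed, and the `vb_login_username` field name is an assumption.

```python
from html.parser import HTMLParser


class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete setting is not 'off'."""

    def __init__(self):
        super().__init__()
        self._form = None   # attributes of the <form> currently open, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = a
        elif tag == "input" and a.get("type", "").lower() == "password":
            form = self._form or {}
            # The input's own attribute wins; otherwise it inherits the form's.
            setting = (a.get("autocomplete") or form.get("autocomplete") or "on").strip().lower()
            if setting != "off":
                self.findings.append({
                    "form": form.get("name", ""),
                    "action": form.get("action", ""),
                    "input": a.get("name", ""),
                    "autocomplete": setting,
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(html):
    """Return one finding per password input that leaves autocomplete enabled."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup (not captured from any real site).
BEFORE = """<form name="loginform" action="../login.php?do=login" method="post">
<input type="text" name="vb_login_username">
<input type="password" name="vb_login_password">
</form>"""
AFTER = BEFORE.replace('<form name="loginform"', '<form name="loginform" autocomplete="off"')

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(page))
```

Current browsers' password managers may ignore `autocomplete="off"` on login fields, so treat a finding here as an audit signal about the markup rather than proof that credentials are or are not stored.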

11-20-2012, 09:35 PM
Post: #2
Please explain more about how we would login when we get to admincp page. What we would put for login and what we would put for password.

11-20-2012, 09:37 PM
Post: #3


Well, with the first vulnerability, you will have access to the webmaster's database. Doing this method is called SQL injection, the act of illegally breaching the MySQL database of the website. In a website's database, you can read sensitive data and basically control the given site.

11-20-2012, 09:39 PM
Post: #4


Nice share man! Good job and I like these tutorials!

No Signature allowed -Staff

11-20-2012, 09:43 PM
Post: #5


@Carnis

Compliments much appreciated. Wink
Working for the 'Awesome' award. Maybe I'll be an awesome member hahaa.

11-20-2012, 09:57 PM
Post: #6
Well I did not understand. When I go to admincp login page, what login and password do I write?

11-22-2012, 02:43 AM
Post: #7
Brilliant tutorial Woah.
You've impressed me again xD
05-14-2013, 04:20 PM
Post: #8
doesn't work on version 3.8.7 Sad
06-11-2013, 04:29 PM
Post: #9
This is awesome info, just can you please tell me how I should apply this injection method so I can penetrate the MySQL of a certain forum from Bulgaria... Thank you in advance...
08-12-2013, 09:04 PM (This post was last modified: 08-12-2013 09:24 PM by langman.)
Post: #10
How do I find out the login/password to log in to admincp? What steps do I need to do? Please explain in more detail.

(11-20-2012 09:37 PM)Limitless# Wrote: Well, with the first vulnerability, you will have access to the webmaster's database. Doing this method is called SQL injection, the act of illegally breaching the MySQL database of the website. In a website's database, you can read sensitive data and basically control the given site.

Hi,

Thank you for sharing. Hope I can learn from this tutorial and do some practice to see how it works!

Hi,

I'm a newbie... can you please show me how to do SQL injection or what steps I need to do to find out the login/password.

Thanks.