Our company (Rehabilitation clinic for people with drug addiction) has a forum which may have been compromised.
We're running Vbulletin Version 4.1.2 which is vulnerable and exploitable.
What we're looking for is SQL Injection expert to do penetentrion testing on our website. What we looking from sql expert is to see what the hackers could of done.
We're affraid that hacker might of gotten mysql dump, or changed any of the passwords for vbulletin in mysql.
Our company takes security very seriously and we cannot afford to have any of our customers/visitors information stolen.
We are offering 500 USD for someone who is able to extract mysql dump from our website, or UPDATE any of the mysql passwords.
For example this is the SQL query which is executed -
SELECT [url removed, login to view]
FROM socialgroupcategory AS socialgroupcategory
WHERE [url removed, login to view] IN (-99) union select username from user where userid=1 and row(1,1)>(select count(*),concat( (select [url removed, login to view]) ,0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) -- /* );
So bassicly it returns to -
"#1062 - Duplicate entry 'admin:1' for key 1"
as "admin" being "username" record in database, field user.
We are not really that worries if hackers are not able to do anything more than extracting rows one-by-one.
BUT IF ALL MYSQL DUMP CAN BE LEAKED OR ANY PASSWORDS OR OTHER MYSQL DETEILS CAN BE CHANGED (UPDATE) This is risk.
So, if you're able to do anything more than "showing records one-by-one" please let us know.
WE OFFER 500 USD FOR SUCCESSFUL PENETRATION TESTING.
If you're ready to start testing/executing vulnabulity. Please send me messege, and I'll send you link to our forum, and where vulnability exists.
This is 100% legal. You'll be doing testing on our website, with our permission. We can proof that forum you're working on is OURs