vBulletin Version 3.7.0 exploits
EMOKID wrote: im not asking for someone to go and test it for exploits etc. just want to know if anyone knows any or has any ideas of ones i should try, and whats wrong with asking for help??
Nothing is wrong with asking for help… but, you asked a very open-ended question. Boiled down, it looks like this:
"How can I hack vBulletin version 3.7?"
Asking if anyone has any ideas for what you could try is like asking how many different attack vectors there are for a web application.
A good place to start, when starting out, is to scope all of the available inputs for a site. Then, classify them based upon what you perceive to be the most open-ended; inputs that seem to allow more freedom of content (such as allowing BBCode or limited HTML) should be the first ones you test. Also, GET variables should go at the top of the list. Then, aim for inputs that seem less likely to be sanitized because of static content or limitations (such as text fields that have a size limit set or select fields that have a limited number of options). Attempt various injection techniques upon the fields according to the perceived type; SQL and blind SQL injections for all inputs that are likely to end up in a query, HTML injections for inputs that are likely to be displayed on the page in some fashion, etc. Try invalid or broken data in inputs in an attempt to expose helpful error messages that might give you insight as to the database structure or expected values (i.e., applied functions to inputs on the server-side).
Basically, apply the concepts that you will learn of on this site (and hopefully read more about in articles here or elsewhere) in a methodical and organized fashion. Take the attempt seriously, and you will reap rewards whether you compromise the web app or not.